[House Hearing, 113 Congress] [From the U.S. Government Publishing Office] PREVENTING WASTE, FRAUD, ABUSE, AND MISMANAGEMENT IN HOMELAND SECURITY--A GAO HIGH-RISK LIST REVIEW ======================================================================= HEARING before the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED THIRTEENTH CONGRESS SECOND SESSION __________ MAY 7, 2014 __________ Serial No. 113-67 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] Available via the World Wide Web: http://www.gpo.gov/fdsys/ __________ U.S. GOVERNMENT PRINTING OFFICE 89-762 PDF WASHINGTON : 2014 ----------------------------------------------------------------------- For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800 DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, Washington, DC 20402-0001 COMMITTEE ON HOMELAND SECURITY Michael T. McCaul, Texas, Chairman Lamar Smith, Texas Bennie G. Thompson, Mississippi Peter T. King, New York Loretta Sanchez, California Mike Rogers, Alabama Sheila Jackson Lee, Texas Paul C. Broun, Georgia Yvette D. Clarke, New York Candice S. Miller, Michigan, Vice Brian Higgins, New York Chair Cedric L. Richmond, Louisiana Patrick Meehan, Pennsylvania William R. Keating, Massachusetts Jeff Duncan, South Carolina Ron Barber, Arizona Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey Jason Chaffetz, Utah Beto O'Rourke, Texas Steven M. Palazzo, Mississippi Filemon Vela, Texas Lou Barletta, Pennsylvania Eric Swalwell, California Richard Hudson, North Carolina Vacancy Steve Daines, Montana Vacancy Susan W. Brooks, Indiana Scott Perry, Pennsylvania Mark Sanford, South Carolina Vacancy Brendan P. Shields, Staff Director Michael Geffroy, Deputy Staff Director/Chief Counsel Michael S. Twinchek, Chief Clerk I. Lanier Avant, Minority Staff Director C O N T E N T S ---------- Page Statements The Honorable Michael T. McCaul, a Representative in Congress From the State of Texas, and Chairman, Committee on Homeland Security: Oral Statement................................................. 1 Prepared Statement............................................. 2 The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security: Oral Statement................................................. 3 Prepared Statement............................................. 4 Witnesses Mr. Alejandro N. Mayorkas, Deputy Secretary, U.S. Department of Homeland Security: Oral Statement................................................. 6 Prepared Statement............................................. 6 Mr. Gene L. Dodaro, Comptroller General of the United States, Government Accountability Office: Oral Statement................................................. 13 Prepared Statement............................................. 14 Mr. John Roth, Inspector General, U.S. Department of Homeland Security: Oral Statement................................................. 28 Prepared Statement............................................. 29 Appendix Questions From Chairman Michael T. McCaul for Alejandro N. Mayorkas....................................................... 55 Question From Honorable Patrick Meehan for Alejandro N. Mayorkas. 58 Questions From Honorable Tom Marino for Alejandro N. Mayorkas.... 59 Question From Chairman Michael T. McCaul and Ranking Member Bennie G. Thompson for Gene L. Dodaro.......................... 61 Question From Honorable Yvette D. Clarke for Gene L. Dodaro...... 62 Question From Chairman Michael T. McCaul for Gene L. Dodaro...... 62 Question From Honorable Jeff Duncan for Gene L. Dodaro........... 63 Question From Honorable Tom Marino for Gene L. Dodaro............ 65 Questions From Chairman Michael T. McCaul for John Roth.......... 65 Question From Honorable Jeff Duncan for John Roth................ 67 PREVENTING WASTE, FRAUD, ABUSE, AND MISMANAGEMENT IN HOMELAND SECURITY--A GAO HIGH-RISK LIST REVIEW ---------- Wednesday, May 7, 2014 U.S. House of Representatives, Committee on Homeland Security, Washington, DC. The committee met, pursuant to call, at 10:09 a.m., in Room 311, Cannon House Office Building, Hon. Michael T. McCaul [Chairman of the committee] presiding. Present: Representatives McCaul, Broun, Duncan, Hudson, Sanford, Thompson, Clarke, Richmond, Payne, and O'Rourke. Chairman McCaul. Committee on Homeland Security will come to order. Committee is meeting today to examine testimony regarding the prevention of waste, fraud, abuse, and mismanagement at the Department of Homeland Security. I recognize myself for an opening statement. While the Department of Homeland Security's mission is critical, it is also critical that it keeps its finances in check because in order to protect the homeland we must maximize every dollar spent. Almost as soon as the Department's creation, the Government Accountability Office placed some of DHS's programs on its high-risk list, and today many remain. This list is developed every 2 years by watchdogs at GAO to identify areas in the Federal Government that are high-risk to fraud, waste, abuse, and mismanagement, or are in the most need of broad reform. It is intended to draw attention to these areas to force agency leaders to improve. Unfortunately some of the programs identified include some of the Department's core functions such as acquisitions, management, financial management, information technology, human capital and management integration, as well as multi-agency challenges such as information sharing and cybersecurity. While the Department has devoted time to addressing GAO's high-risk areas, these reports continue to show examples of programs ignoring best practices and putting taxpayer dollars at risk. Recent GAO findings have identified challenges with the Arizona Border Surveillance Technology Plan, TSA body scanners, modernization of key border enforcement system known as TECS, and the Department's acquisition funding plans. All levels of DHS must be fully committed to make the Department more efficient and effective. To this end, this committee has taken action to address specific issues highlighted in GAO's high-risk report. H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act, and H.R. 4228, the DHS Acquisition Accountability and Efficiency Act both passed out of this committee unanimously and are important pieces of legislation to increase our Nation's cybersecurity and improve the Department's management of its acquisition programs. Additionally, our recent bipartisan report on the Boston bombings highlighted the need for improved information sharing, which addresses another high-risk item. Finally, while I am encouraged by the steps taken by DHS in recent years to address these issues, including achieving a clean audit opinion in 2013, there is clearly much more work to be done. In the short time since they have assumed their new positions, Secretary Johnson and Deputy Secretary Mayorkas have both already endeavored to fix the management problems at DHS. Today I look forward to hearing from them on their plans to improve the Department. However, assurances from the top and putting plans in place only go so far. It will take time and follow-up and continued oversight to ensure improved outcomes are sustained over multiple years. To that end I look forward to Comptroller General Dodaro and recently-confirmed DHS Inspector General Roth's testimony today. Their recommendations to make DHS a more effective and efficient organization are essential to making Americans safer. Ultimately every dollar wasted on mismanagement is one less that can go to the men and women protecting our borders, targeting terrorists, securing our airports, and patrolling our shores. That is why this hearing and DHS's commitment to getting its house in order is so important. [The statement of Chairman McCaul follows:] Statement of Chairman Michael T. McCaul May 7, 2014 While the Department of Homeland Security's mission is critical, it is also critical that it keeps its finances in check, because in order to protect the homeland we must maximize every dollar spent. Almost as soon as the Department's creation, the Government Accountability Office (GAO) placed some of DHS's programs on its ``High-Risk List,'' and today, many remain. This list is developed every 2 years by the watchdogs at GAO to identify areas in the Federal Government that are at high risk to fraud, waste, abuse, and mismanagement or are in most need of broad reform, and it is intended to draw attention to these areas to force agency leaders to improve. Unfortunately, some of the programs identified include some of the Department's core functions such as acquisition management, financial management, information technology, human capital, and management integration, as well as, multi-agency challenges such as information sharing and cybersecurity. While the Department has devoted time to addressing GAO's High-Risk areas, these reports continue to show examples of programs ignoring best practices and putting taxpayer dollars at risk. Recent GAO findings have identified challenges with the Arizona Border Surveillance Technology Plan, TSA body scanners, modernization of a key border enforcement system known as TECS, and the Department's acquisition funding plans. All levels of DHS must be fully committed to making the Department more efficient and effective. To this end, this committee has taken action to address specific issues highlighted in GAO's High-Risk report. H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act, and H.R. 4228, the DHS Acquisition Accountability and Efficiency Act--both passed out of this committee unanimously--are important pieces of legislation to increase our Nation's cybersecurity and improve the Department's management of its acquisition programs. Additionally, our recent bipartisan report on the Boston bombings highlighted the need for improved information sharing, which addresses another High-Risk item. Finally, while I am encouraged by the steps DHS has taken in recent years to address these issues including achieving a clean audit opinion in 2013, there is clearly much more work to be done. In the short time since they've assumed their new positions, Secretary Johnson and Deputy Secretary Mayorkas have both already endeavored to fix the management problems at DHS, and today I look forward to hearing more from them on his plan for improving the Department. However, assurances from the top and putting plans in place only go so far. It will take time and follow-up and continued oversight to ensure improved outcomes are sustained over multiple years. To that end, I look forward to Comptroller General Dodaro and recently confirmed DHS Inspector General Roth's testimony today. Their recommendations to make DHS a more effective and efficient organization are essential to making Americans safer. Ultimately, every dollar wasted on mismanagement is one less that can go to the men and women protecting our borders, targeting terrorists, securing our airports, and patrolling our shores. That's why this hearing, and DHS' commitment to getting its house in order, is so important. Chairman McCaul. With that the Chairman now recognizes the Ranking Member, Mr. Thompson. Mr. Thompson. Thank you, Mr. Chairman. I thank you for holding today's hearing. I also want to thank the comptroller general, deputy secretary, and inspector general for their testimonies today. Today's hearing is to examine the Department of Homeland Security's management functions deemed high-risk by the Government Accountability Office, and the steps that the Department is taking to improve in these areas. At the beginning of each Congress the GAO releases its high-risk update, which focuses on agencies and programs that are vulnerable to waste, fraud, and abuse. Understandably when the Department was formed in 2003 it was placed on the high-risk list because of the challenges associated on transforming 22 legacy agencies into one new Federal department. It was also put on the high-risk list because its failures to effectively do so could present National security risks. Unfortunately, more than a decade after its inception the Department remains on the high-risk list. One reason is that the Department has struggled to integrate its management functions across all components. These integration challenges present diverse operational and management problems at the Department at all levels. There has been general acceptance of the One DHS concept advanced by the last Secretary of Homeland Security. But what is needed at this pivotal moment is a leader who will animate that slogan and put structures and procedures in place to fully integrate the Department. Secretary Johnson may well be that leader, but any reforms will be at the mercy of an entrenched and unhappy workforce and the clock. I look forward to working with Secretary Johnson to bring about needed reforms. For the first time since its inception, however, the Department received its first clean audit of all its financial statements for fiscal year 2013. As commendable as this may be, we must not overlook that the independent auditor did find continued weaknesses in the Department's financial controls. Another challenging area for the Department is its IT acquisitions and management. Over the years the Department has had varying success acquiring and implementing information technology systems. Some systems have performed as promised, while others have failed to deliver capabilities and mission benefit. There is a need for the Department to strengthen its internal IT governance. GAO has noted that the Department has more work to do to fully address its IT management challenges such as finalizing policies and procedures associated with its new governance structure. Finally, the Department spends approximately a quarter of its annual budget procuring goods and services in support of its homeland security missions. Yet since its inception, managing acquisitions has been a significant challenge for the Department. The management framework put in place by the prior DHS leadership has the potential for improving DHS acquisition management in significant ways. That is why I am pleased that this committee was able to come together in a bipartisan fashion last week and pass H.R. 4228, the DHS Acquisition Accountability and Efficiency Act, which seeks to codify what has been deemed by the comptroller general and other watchdogs as successful, and seeks to close other gaps that exist. Mr. Chairman, I look forward to more ways that this committee can work to help advance the Department and help it achieve the goals of being fully integrated with clean financial audits and internal management and oversight controls in its information technology and acquisition departments. Given the pivotal role the Department has in protecting and preparing America, management challenges become a distraction and have grave consequences for our National security. Hence, it is my hope that the Department can continue to progress, and we can see a date when it is not a part of the GAO high-risk list. With that, Mr. Chairman, I yield back. Thank you. [The statement of Ranking Member Thompson follows:] Statement of Ranking Member Bennie G. Thompson May 7, 2014 Today's hearing is to examine the Department of Homeland Security's management functions deemed high-risk by the Government Accountability Office and the steps that the Department is taking to improve in these areas. At the beginning of each Congress, the GAO releases its ``High-Risk Update'' which focuses on agencies and programs that are vulnerable to waste, fraud, and abuse. Understandably, when the Department was formed in 2003, it was placed on the ``high-risk list'' because of the challenges associated with transforming 22 legacy agencies into one new Federal Department. It was also put on the ``high-risk list'' because its failure to effectively do so could present National security risks. Unfortunately, more than a decade after its inception, the Department remains on the ``high-risk list.'' One reason is that the Department has struggled to integrate its management functions across all the components. These integration challenges present diverse operational and management problems at the Department at all levels. There has been general acceptance of the ``One DHS'' concept advanced by the last Secretary of Homeland Security but what is needed at this pivotal moment is a leader who will animate that slogan and put structures and procedures in place to fully integrate the Department. Secretary Johnson may well be that leader but any reforms will be at the mercy of an entrenched and unhappy workforce and the clock. I look forward to working with Deputy Secretary Mayorkas and Secretary Johnson to bring about needed reforms. For the first time since its inception, the Department received its first clean audit on all its financial statements for fiscal year 2013. As commendable as this may be, we must not overlook that the independent auditor did find continued weakness in the Department's financial controls. Another challenging area for the Department is IT acquisitions and management. Over the years, the Department has had varying success acquiring and implementing information technology systems; some systems have performed as promised while others have failed to deliver capabilities and mission benefits. There is a need for the Department to strengthen its internal IT governance. GAO has noted that the Department has more work to do to fully address its IT management challenges such as finalizing policies and procedures associated with its new governance structure. Finally, the Department spends approximately a quarter of its annual budget procuring goods and services in support of its homeland security missions. Yet, since its inception, managing acquisitions has been a significant challenge for the Department. The management framework put in place by the Obama administration has the potential for improving DHS acquisitions management in significant ways. That is why I am pleased that this committee was able to come together in a bipartisan fashion last week and passed H.R. 4228, the ``DHS Acquisition Accountability and Efficiency Act,'' which seeks to codify what has been deemed by the Comptroller General and other watchdogs as successful and seeks to close other gaps that exist. I look forward to more ways that this committee can work to help advance the Department and help it achieve the goals of being fully integrated, with clean financial audits, and internal management and oversight controls in its information technology and acquisitions departments. Given the pivotal role the Department has in protecting and preparing America, management challenges become a distraction and have grave consequences for our National security. Hence, it is my hope that the Department can continue to progress and we can see a day when it is not a part of the GAO High-Risk list. Chairman McCaul. I thank the Ranking Member. Other Members I remind they may submit an opening statement for the record. We are pleased to have here today a distinguished panel of witnesses; first, the Honorable Alejandro Mayorkas, who was sworn in as deputy secretary of the Department of Homeland Security in December 2013. Prior to his appointment he served as director of the Department's United States Citizenship and Immigration Services. He led a workforce of 18,000 employees throughout more than 250 offices world-wide rector of the Department's United States Citizenship and Immigration Services. Before joining DHS Mr. Mayorkas was a partner at a law firm. In 1998 he was appointed as the United States Attorney for the Central District of California. Thanks for being here today. Next we have the Honorable Gene Dodaro, who became the eighth comptroller general of the United States, and head of the United States Government Accountability Office. In December 2010, after serving in the capacity of ``acting'' since March 2008 as comptroller general he has helped oversee the development and issuance of hundreds of reports and testimonies each year to various committees and individual Members of Congress. These and other GAO products have led to hearings and legislation, billions of dollars in taxpayer savings, and improvements to a wide range of Government programs and services. Then last but not least, the Honorable John Roth. Let me mention it is Mr. Dodaro's birthday today, and we wish you a happy birthday, as well. Then last, Mr. John Roth, who assumed the post of inspector general for the Department of Homeland Security in March 2014. Previously he served as director of the Office of Criminal Investigations at the Food and Drug Administration. Prior to that, he had a long and distinguished record and career with the Department of Justice beginning in 1987 as Assistant U.S. Attorney for the Eastern District of Michigan. It is great to see so many brethren DOJ on this panel. Their full written statements will appear on the record. The Chairman now recognizes Deputy Secretary Mayorkas for 5 minutes. STATEMENT OF ALEJANDRO N. MAYORKAS, DEPUTY SECRETARY, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Mayorkas. Thank you very much, Mr. Chairman. Mr. Chairman and distinguished Members of this committee. I very much appreciate the opportunity to testify before you today. I feel privileged to appear before you as the deputy secretary of Homeland Security. I pledged to this committee an open, transparent, and fully cooperative Department. We deeply appreciate the work of this committee and have profound respect for it. Strong oversight drives good Government, and we recognize and appreciate that. I also want to thank my fellow witnesses before you today, Mr. Dodaro and Mr. Roth, for the work that they perform and that their teams perform. We share a common goal of making the Department everything that it should be. Mr. Chairman, Ranking Member Thompson, and distinguished Members, I submitted to this committee written testimony, and I will not repeat it now. I do want to underscore one overriding fact, and that is my immense pride in working alongside the men and women of the Department of Homeland Security. Those incredibly dedicated individuals deserve a Department and deserve management functions and processes and institutions that bring out the best in them and enable them to do their jobs at the highest levels of excellence to which they aspire. With that I look forward to the opportunity to answer whatever questions you might have. Thank you. [The prepared statement of Mr. Mayorkas follows:] Prepared Statement of Alejandro N. Mayorkas May 7, 2014 Chairman McCaul, Ranking Member Thompson, and distinguished Members of the committee, thank you for the opportunity to appear before you as the deputy secretary of Homeland Security to testify on the subject of management at this important hearing entitled ``Preventing Waste, Fraud, Abuse and Mismanagement in Homeland Security--a GAO High-Risk List Review.'' I, along with Secretary Johnson, appreciate and welcome the committee's continued focus on this subject and for the oversight you exercise. It is my firmly-held belief that good oversight not only delivers accountability critical to good government, but that it also drives innovation. Thank you, and thank you to the members of your staff. I also wish to express my gratitude to the U.S. Government Accountability Office (GAO). Under Comptroller General Gene Dodaro's leadership, GAO has spent considerable time and energy providing our Department with its valued, independent assessment of our work in areas critical to the effective management of our resources and execution of our responsibilities. GAO has issued recommendations to our Department that, collectively, help provide a blueprint for success. It is in response to GAO's independent reviews and recommendations that in January 2011 our Department issued the first Integrated Strategy for High Risk Management, an operational framework to address GAO's recommendations. Since we issued the Integrated Strategy, we have updated it twice yearly to document the progress our Department has made in addressing GAO's recommendations. It pleases me to note that we have come far in the last 5 years; today the Department eagerly engages with GAO about outstanding recommendations. We seek out GAO. Like the responsibility of the GAO to provide its independent assessment of the Department's execution of responsibilities, it is the duty of the Office of the Inspector General to deliver its own independent and high-quality review of Departmental functions. I am grateful to testify before you today alongside the Department's new inspector general, John Roth. I look forward to supporting the work of Inspector General Roth and to ensuring the Department's transparency and full cooperation as he and I work to improve and strengthen the Department in our respective roles. When I became the deputy secretary of DHS in late December 2013, the first action I took was to schedule a meeting with Comptroller General Dodaro. In our meeting I had the opportunity to also meet George Scott, the managing director of GAO's Homeland Security and Justice team. Mr. Scott and I have met on several occasions since then, and he and his team are outstanding in their commitment to improving our Department. With Mr. Scott's and his team's independent efforts, with the oversight of GAO and that of this committee, DHS will mature and improve. The number of open GAO recommendations to DHS has decreased steadily and, significantly, in GAO's latest High-Risk List update it narrowed the subject from ``Implementing and Transforming DHS'' to ``Strengthening DHS Management Functions.'' Additionally noteworthy is the fact that GAO stated in that update that our Department's Integrated Strategy, ``if implemented and sustained, provides a path for DHS to be removed from GAO's High-Risk List.'' DHS has made significant progress. At the same time, DHS has additional work to do. Since I became the deputy secretary I have invested considerable time in working with GAO and with my very talented and dedicated DHS colleagues to ensure that this additional work is done as effectively and swiftly as possible. Earlier this year, we developed specific action plans to address the 30 key outcomes GAO identified in the areas of management integration, human capital, information technology, financial management, and acquisitions. Our action plans now provide month-to-month goals that provide a better road map to success. Our development of these action plans provided us with the opportunity to freshly review our previous efforts and, in certain critical areas, to accelerate our time tables materially. strengthening department of homeland security management functions Before discussing the work that DHS has undertaken to make progress on key GAO High-Risk List areas, I wish to highlight the actions we have recently taken that speak to our Departmental commitment to sound management practices. On April 22, 2014, the Secretary sent a memorandum to Department leadership entitled, ``Strengthening Departmental Unity of Effort.'' The purpose of this effort is to capitalize on the many strengths of the Department, starting with the professionalism, skill, and dedication of its people and the rich history and tradition of its components, while identifying ways to enhance the cohesion of the Department as a whole. The Secretary's guidance is targeted at improvements to four main lines of effort: Inclusive senior leader discussion and decision-making forums that provide an environment of trust and transparency; strengthened fundamental and critical management processes for investment (including requirements, budget, and acquisition processes) that look at cross- cutting issues across the Department; focused, collaborative Departmental strategy, planning, and analytic capability that support more effective DHS-wide decision-making and operations; and, enhanced coordinated operations to harness the significant resources of the Department more effectively. Many of the elements of this effort are described below, as they cut across the several management areas discussed in GAO's High-Risk List. GAO's High-Risk List focus on ``Strengthening DHS Management Functions'' identified the need to achieve progress in key management areas, including human capital management, financial management, acquisitions, information technology, and management integration. The Department's Integrated Strategy for High-Risk Management provides the framework for our efforts to address GAO's recommendations and integrate and strengthen our management infrastructure across the Department; our monthly action plans help ensure that we have goals and time lines to help us deliver success in timely fashion. I would like to share with you our efforts in each key area of focus. Human Capital Management The Department of Homeland Security's greatest asset is its dedicated and talented workforce. GAO has identified areas in which the Department must mature its human capital systems to ensure that its workforce is properly equipped and supported to achieve the Department's challenging missions. The Department, in turn, has accelerated time lines in its monthly action plans to achieve success in this critical area. The low employee morale in several parts of the Department is an area of particular focus. Under the direction of Secretary Johnson, I am taking a series of steps to address the root causes of the low morale and to deliver for the workforce the Department it deserves. I have formed a steering committee comprised of personnel from each of the Department's component agencies and from Department headquarters to focus on, among other things, the following areas that the workforce has identified in the Federal Employee Viewpoint Survey and in other feedback vehicles as ones in which the Department can improve:The hiring and promotion process. DHS employees have expressed concerns that the hiring and promotion process is sometimes opaque. The Department can build greater employee confidence in the process through greater transparency and communication and by setting clear hiring and promotion standards. Training and professional development. DHS employees have expressed a desire for enhanced training opportunities to ensure they are equipped to perform their jobs at the highest levels of excellence. They also have sought professional development opportunities that will enable them to achieve the promotions or new opportunities to which they aspire. Rewards and recognition. DHS employees perform extraordinary acts of patriotism and courage each and every day throughout the Nation and the world. They deserve to be recognized, rewarded, and championed for their achievements. The Department is reintroducing the Secretary's annual awards to recognize outstanding individual and team achievements from across the Department. In addition, the Department will institutionalize the practice of regularly championing its workforce and rewarding them when appropriate. Performance management. Performance management is a critical tool in promoting priorities and values and driving accountability. The steering committee will focus on ensuring that each component and office in the Department has a performance management system that reflects the appropriate measures of success and drives each employee to achieve that success. Financial Management In fiscal year 2013, DHS achieved an historic unqualified clean audit opinion of all five financial statements, a confirmation of DHS's on-going commitment to sound financial management practices. This benchmark represented a huge accomplishment for the many DHS employees who work every day to increase transparency and accountability for the taxpayer resources entrusted to the Department. Americans have the right to expect that we will be responsible stewards of every homeland security dollar with which we are entrusted. The Department expects to sustain this progress and receive its second clean audit opinion for fiscal year 2014. In the past 4 years, DHS has also eliminated 10 audit qualifications, reduced Department- wide material weaknesses in internal controls over financial reporting from 10 to 4, and significantly reduced the number of component conditions contributing to material weaknesses from 25 to 2. The Department is executing a multi-year plan to achieve an unqualified clean opinion for internal control of financial reporting by fiscal year 2016. Financial system modernization is a priority area for the Department. DHS is executing specific modernization efforts in order to meet the Department's mission while minimizing and eliminating spending in duplicative systems. The current strategy conforms to guidance from the Office of Management and Budget to use shared services where possible and to split modernization projects into smaller, simpler segments with clear deliverables. One of our challenges in the shared services domain is that no one Federal agency has sufficient capacity to house all of the Department's financial management data. As a result, we are evaluating the capabilities of the Federal agencies who offer shared services arrangements. The DHS Chief Financial Officer has established enterprise-wide standards for each component to follow and has prioritized a deployment strategy based on those components with the highest business needs. Acquisitions Management The strategic decisions of the Department's senior leadership are only as good as the processes that support and give effect to those decisions in investments and in the conduct of operations. Historically, DHS has generally developed and executed component- centric requirements, which has resulted in inefficient use of limited resources. Much work has been done to date in the areas of joint requirements analysis, program and budget review, and acquisition oversight, including an effort over the past 4 years by the DHS Management Directorate to improve the Department's overall acquisitions process and reform even the earliest phase of the investment life cycle where requirements are first conceived and developed. The Secretary's April 22, 2014 memorandum on ``Strengthening Departmental Unity of Effort'' focuses and reinforces existing structures and creates new capability, where needed, as identified in the recent Integrated Investment Life Cycle Management (IILCM) pilot study and other process analyses that examined the linkages between these inter-related planning processes and operations. These analyses underscored the need to further strengthen all elements of the process, particularly the up- front development of strategy, planning, and joint requirements, and to ensure through collaborative, inclusive senior leadership dialogue and decision that they function in a way that considers DHS-wide missions and functions, rather than focusing on those of an individual component. As an example, I am leading the Deputies Management Action Group in an expedited review to provide strategic alternatives for enhancing the current DHS joint requirements process. This review will include options for developing and facilitating a DHS component-driven, joint requirements process, including a program for oversight of a development test and evaluation capability, to identify priority gaps and overlaps in Departmental capability needs, provide feasible technical alternatives to meet capability needs, and recommend to me the creation of joint programs and joint acquisitions to meet Department-wide mission needs. This enhanced process will be used in expanding the mission portfolios studied in the IILCM pilot, which included Cybersecurity, Biodefense, and Screening and Vetting, to include Border Security and Air Domain. DHS recently announced two important decisions that speak to our commitment to responsible and cost-effective acquisitions. First, DHS cancelled the BioWatch acquisition of autonomous detection technology (also known as Gen-3). Currently deployed in more than 30 metropolitan areas across the country, BioWatch provides public health officials with a warning of a biological agent release before potentially exposed individuals develop symptoms of illness. While autonomous detection is an important capability, the Gen-3 acquisition did not reflect the best use of resources in our current fiscal environment. DHS remains committed to the BioWatch program and will ensure that current BioWatch operations continue as part of our layered approach to biodefense. Second, DHS is putting on hold a FEMA Logistics Supply Chain Management System contract until further review. FEMA's Logistics Supply Chain Management System was developed to provide full disaster supply chain management capability and visibility to FEMA and its partners. The Department has determined that the program has not met all of its operational requirements and that it needs to be reviewed in the context of broader logistical operations. That review is underway, which will include a third-party evaluation of the most cost-effective manner. These decisions are in line with the Department's focus on efficiency, ensuring that we continue to pursue cost-effective acquisition without compromising our security. The Secretary and I will continue to hold our acquisition programs accountable to ensure they are responsible and cost-effective. Additionally, the DHS Chief Financial Officer has strengthened and enhanced the Department's programming and budgeting process by incorporating the results of strategic analysis and joint requirements planning into portfolios for review by issue teams. Using this approach, substantive, large-scale alternative choices will be presented to the Deputies Management Action Group as part of the annual budget development. This review process will also include the Department's existing programmatic and budgetary structure, not just new investments. It will include the ability for DHS to project the impact of current decisions on resource issues such as staffing, capital acquisitions, operations and maintenance, and similar issues that impact the Department's future ability to fulfill its mission responsibilities. As its first task, the Deputies Management Action Group will focus this enhanced programming and budgeting process on the development of options for the fiscal year 2016 budget request. In the oversight phase, we will continue to leverage the Component Acquisition Executive structure and enhanced business intelligence to proactively identify performance problems with existing programs throughout their life cycle. While there is work to be done to sustain our progress, we are encouraged by an Office of the Inspector General report that stated that DHS has significantly strengthened our acquisition management oversight. We have also made significant progress in strengthening the document review process. In 2013, the under secretary for management issued a decision memorandum stating that no new program can proceed without the approved acquisition documentation, including life-cycle cost estimates, mission needs statements, test and evaluation plans, and operational requirements documents. To ensure we have an adequately staffed and trained acquisition workforce, the Department has engaged on multiple fronts to enhance acquisition staffing and training. The DHS Acquisition Professional Career Program (APCP) is sponsored by the chief procurement officer and provides a steady pipeline of entry-level contracting and procurement talent to the components. APCP interns are hired into career ladder positions and engage in a 3-year program where they receive quality training and rotate between components to gain valuable on-the-job training. In fiscal year 2013 alone, 63 interns graduated and have been placed in components. Thus far in fiscal year 2014, an additional 60 interns have been placed. The Department's Homeland Security Acquisition Institute continues to serve as the principal training academy for the DHS acquisition workforce. In fiscal year 2013, over 9,400 DHS acquisition professionals completed classroom or on-line training courses contributing to the issuance of over 3,200 acquisition certifications. Thus far in fiscal year 2014, an additional 1,300 acquisition certifications have been issued. To date, DHS has issued 10,732 certifications across nine acquisition disciplines, including Contracting, Program Management, Systems Engineering, Test and Evaluation, Cost Estimating, Life Cycle Logistics Management, Program Financial Management, Ordering Official, and Contracting Officer's Representative. DHS continues to support small businesses around the country. In recognition of its performance, the Department has received an ``A'' rating for 5 consecutive years from the Small Business Administration in the areas of prime contracting, small business subcontracting, and a written progress plan. Information Technology Management In the Information Technology (IT) area, DHS has made substantial progress to drive efficiencies through consolidation of data centers. To date, 18 primary data centers have been consolidated, with an additional two consolidations scheduled for completion in fiscal year 2014. Migrations from commercial data centers resulted in annual cost savings of 43%, and migrations from Federal data centers resulted in an average annual cost savings of 12% for similar capabilities. Recognizing that information technology is constantly improving and changing and that our own IT organization has matured, we are working to increase the integration of previously fragmented Departmental oversight reviews into a defined, efficient governance process that is tailored to the size and criticality of each program. This will result in improved project tracking and oversight and will also help DHS meet our IT-related mission needs. Security of internal IT systems and networks also remains a priority. DHS continues to enhance the IT security of the Department's internal systems and networks through periodic upgrades to software. In addition, IT staff performs independent validation and verification of implemented corrective actions to address material weaknesses related to financial systems security. All components are implementing a desktop image based on the United States Government Configuration Baseline (USGCB) settings. Management Integration Management Integration refers to the development and implementation of consistent and consolidated processes within and across the management functional areas discussed above. From individual performance evaluations to the Department's most costly investment decisions, we have the obligation to operate efficiently and in a manner that best enables us to meet our mission. The Management Integration area has made substantial progress in the past 3 years, reflected by the fact that both DHS and GAO agree that the majority of the outcomes in the Management Integration area are fully addressed. DHS has made considerable progress towards integrating management across the enterprise. As an example, we have strengthened the delegations of authority to clarify the roles of and enhance oversight between Headquarters and components, and we have implemented the pilot phase of the IILCM to ensure we base investment decisions on closing capability gaps and meeting mission goals and outcomes. Based on the lessons learned from the pilot, the Secretary has determined, through the Unity of Effort initiative, to focus immediate attention on further maturing the Strategy and Capabilities & Requirements phases. Secretary Johnson and I are committed to integrating all phases of our investment life cycle as we prepare for the fiscal year 2016 budget submission. Advancing the IILCM framework, which is a principal tenet of the Department's overall integration strategy, continues to be a major initiative that builds on the progress we have made. In the near future, as I referenced above, I will oversee a re-constituted Joint Requirements Council as we evaluate fiscal year 2016 resource allocation plans and attempt to harmonize and unify requirements across the DHS enterprise. The Secretary and I are capitalizing on these previous efforts and broadening them in our ``Strengthening Departmental Unity of Effort'' initiative. This effort focuses on improving our planning, programming, budgeting, and execution processes through strengthened Departmental structures and increased capability. In making these changes, we will have better traceability between strategic objectives, budgeting, acquisition decisions, operational planning, and mission execution to improve Departmental cohesiveness and operational effectiveness. We are in the final stages of evolving our business intelligence capability by consolidating management data systems onto a common platform. This effort allows for more current and integrated data across all lines of business, both at headquarters and into DHS's many components. other dhs high-risk list areas We recognize the critical role that strengthened management functions have in the Department's ability to achieve success. GAO has identified other areas of Department responsibilities that also play an integral role in our mission delivery and, while these non-management areas are not the focus of this hearing, I hope it will be beneficial to this committee for me to provide a brief overview of our work in a few of these areas. Establishing Effective Mechanisms for Sharing and Managing Terrorism- Related Information to Protect the Homeland DHS is a key participant in the Federal Information Sharing Environment and continues to develop policies and technical solutions across Sensitive but Unclassified, Secret, and Top Secret/Sensitive Compartmented Information networks that enhance safeguarding and sharing of information with a wide variety of Federal, State, local, and private-sector stakeholders. In January 2013 and immediately following the release of the National Strategy for Information Sharing and Safeguarding, the Department issued the DHS Information Sharing and Safeguarding Strategy focused on goals to share, safeguard, manage, and govern risk, and measure performance. Through a detailed Implementation Plan, the Department has identified key priority objectives with synchronized milestones to effectively execute the Strategy, and has prepared an Implementation Guide that defines the processes to identify gaps, root causes, performance measures, risks, and resourcing for its top information-sharing and safeguarding initiatives. National Flood Insurance Program The National Flood Insurance Program (NFIP) serves as the foundation for National efforts to reduce the loss of life and property from flood disasters. NFIP remains on the High-Risk List largely because it does not generate sufficient revenues to repay the billions of dollars borrowed from the U.S. Department of the Treasury to cover claims from the 2005 and 2012 hurricanes or from future catastrophic losses. The lack of sufficient revenues has highlighted structural weaknesses in how the program is funded, including statutorily-mandated subsidies. DHS and FEMA have been working with GAO to address the challenges identified in GAO's recommendations to improve management and operations. FEMA changed the process for Write Your Own (WYO) company performance under the WYO Financial Control plan, implemented procedures to select statistically representative samples of all claims for conducting claims re-inspections, and requested an independent audit of the NFIP's financial statements. FEMA's focus on implementing GAO recommendations in areas including Strategic Planning, Management and Oversight of the NFIP, and modernizing the NFIP IT system, have resulted in the closure of many of GAO's recommendations. We are actively engaged on those GAO recommendations that remain open. With the passage of the Biggert-Waters Flood Insurance Act of 2012 and the Homeowners Flood Insurance Affordability Act of 2014, the NFIP now has authority to phase in actuarial rates for some policies and charge policyholders a surcharge, which will improve the financial and operational position of the program over time; however, as a result, policyholders will not pay actuarial rates. Specifically, these two laws raise the statutory limit on annual rate increases, mandate premium increases for certain subsidized policies, establish a reserve fund that will allow the NFIP to build surplus capital to pay losses in a greater-than-average loss year, and mandate a $25 annual surcharge for most policyholders and a $250 annual surcharge for non-residential properties and residential properties that are not a primary residence, until actuarial rates are reached. Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures I appreciate GAO's continued engagement on Federal agency cybersecurity and the cybersecurity of critical infrastructure. Since 2009, the Department has managed this area actively, and each subsequent update to the GAO High-Risk List has recognized DHS efforts. The Department works closely with the White House and interagency partners to ensure a whole-of-Government approach to cybersecurity. At the same time, DHS is committed to working with Congress as it explores legislative proposals. DHS directly supports Federal civilian departments and agencies in developing capabilities that will improve their own cybersecurity posture through the Continuous Diagnostics and Mitigation (CDM) program. One hundred eight departments and agencies are currently covered by Memoranda of Agreement with the CDM program, encompassing over 97 percent of all Federal civilian personnel. In fiscal year 2014, DHS issued the first delivery order for CDM sensors and awarded a contract for the CDM dashboard. The National Cybersecurity Protection System (NCPS), a key component of which is referred to as EINSTEIN, is an integrated intrusion detection, analytics, information sharing, and intrusion- prevention system designed to support DHS responsibilities for protecting Federal civilian agency networks. These current capabilities, and future capabilities such as CDM, are used by the Department's National Cybersecurity and Communications Integration Center, in concert with its analysis, warning, and incident response capabilities, to protect Federal civilian agencies and assist them when incidents occur. In July 2013, NCPS's EINSTEIN 3 Accelerated (E3A) became operational and provided services to the first Federal agency. With the adoption of E3A, DHS will assume an active role in defending .gov network traffic and significantly reduce the threat vectors available to malicious actors seeking to harm Federal networks. NCPS continues to expand intrusion prevention, information sharing, and cyber analytic capabilities at Federal agencies, marking a critical shift from a passive to an active role in cyber defense and the delivery of enterprise cybersecurity services to decision makers across cybersecurity communities. With respect to critical infrastructure, the Department continues to grow the critical infrastructure Cyber Information Sharing and Collaboration Program, which is a unique voluntary environment for public-private information sharing and collaboration. In addition, we recently launched the Critical Infrastructure Cyber Community or C3 (``C Cubed'') Voluntary Program to assist critical infrastructure owners and operators as they build cybersecurity into their risk management approaches. Much work remains to be completed and we are committed to actively managing this High-Risk area. When I met with Comptroller General Dodaro, we agreed to develop a set of detailed criteria that GAO and the Department can use to strengthen the Nation's cybersecurity and critical infrastructure resilience. As part of that process, I will receive monthly status updates from DHS components that we will share with GAO. conclusion It is our fundamental responsibility to manage the Department of Homeland Security effectively and efficiently. Sound management is critical to our ability to execute our mission successfully, and it is incumbent upon us as guardians of the public trust to be careful and scrupulous in our expenditure of public funds. You have my commitment that I will continue to focus intensely on strengthening the Department's management functions, and that I will work closely with this committee and with GAO to achieve that goal. Thank you for the opportunity and the privilege to appear before you. Chairman McCaul. Thank you, Deputy Secretary. The Chairman now recognizes Mr. Dodaro for an opening statement. STATEMENT OF GENE L. DODARO, COMPTROLLER GENERAL OF THE UNITED STATES, GOVERNMENT ACCOUNTABILITY OFFICE Mr. Dodaro. Thank you very much, Mr. Chairman. Good morning to you, Ranking Member Thompson, distinguished Members of the committee. I appreciate the opportunity to be here today to discuss GAO's designations and high-risk areas regarding the Department of Homeland Security. With regard to the management functions that we initially placed on the list in 2003, I am pleased to report that the Department is well on its way to satisfying two of the five criteria for coming off the list. One is leadership commitment, and I am very satisfied with the deputy secretary and the Secretary's engagement on this issue. I believe that we have an open, constructive dialogue, which is the first step toward resolving some of these problems. They also have a pretty good integrated plan for coming off the high-risk list. However, they still need to demonstrate the capacity to make the changes, to have a monitoring effort to make sure that the changes are implemented properly. Most importantly and lastly is they need to demonstrate progress in making sure that they have actually fixed some of the underlying problems that have plagued them in the past. With regard to the acquisition area, for example, they have designated acquisition components at the component level and organized some centers to bring together some core expertise to help in the acquisitions area. But they need to have governance mechanisms in place to look at the entire acquisition portfolio and set priorities across the Department. Then to make sure that individual acquisitions operate effectively and are more consistently meeting the Department's policies. For example, 46 percent of the major acquisitions do not have approved baseline cost. About 77 percent do not have yet approved life-cycle cost estimates. So I believe the H.R. 4228 that this committee passed is a very important contribution step forward to putting disciplined acquisition policies in place and having more transparency and accountability for the Department. With regard to financial management, they have received the clean opinion that both the Chairman and Ranking Member recognized this morning for fiscal year 2013 financial statements. However, to meet our list to get off the list they need to sustain the clean opinion. They need to get a clean opinion on internal controls, which they are not able to do at this point because of a number of material weaknesses in their systems. They also need to effectively put in modern financial management systems in the components, particularly the Coast Guard, FEMA, ICE, and Customs and Border Patrol. With regard to human capital management they have put together a plan to guide them in this area. But they must address the root causes that are at the heart of the employee morale issues that have plagued the Department for a number of years. Also to focus on processes to identify skill gaps and to remedy those skill gaps across the Department. In the IT area we are pleased they have had an enterprise architecture in place, which is a good first step. But they need to finalize their policy governance structure for IT investments, and to expand that policy to cover all 13 portfolios. Right now they have it only covering five of 13. They need to fix their information security weaknesses, which are a major control problem for the Department. Now with regard to other areas we have on the high-risk list--cybersecurity and critical infrastructure protection that DHS is part of, National Flood Insurance Program, and information sharing in the terrorist information sharing--I would be happy to answer any questions on those areas at the appropriate time. I would just say with regard to cybersecurity there has been a lot of attention to this area, but more needs to be done. I am very supportive of the H.R. 3696 legislation that you have initiated. I think the Department has been given responsibility for cybersecurity across the Federal Government without the authority. That authority should be codified and put into law. Also giving them additional guidance in the critical infrastructure protection area and additional codification is a really good step forward. So I commend this committee both for the acquisition legislation and the cybersecurity and critical infrastructure legislation. So, I would be happy to answer questions at the appropriate point in time. I again very much appreciate the opportunity to be here today to discuss our efforts to help the Department reach its full potential. [The prepared statement of Mr. Dodaro follows:] Prepared Statement of Gene L. Dodaro May 7, 2014 Chairman McCaul, Ranking Member Thompson, and Members of the committee: I am pleased to be here today to discuss our work on the Department of Homeland Security's (DHS) on-going efforts to improve the efficiency of its operations and unity of the Department, with a particular focus on DHS's progress and remaining challenges addressing GAO's high-risk designations. In the 11 years since the Department's creation, DHS has implemented key homeland security operations, achieved important goals and milestones, and grown to more than 240,000 employees and approximately $60 billion in budget authority. During that time, our work has identified several areas where DHS needs to address gaps and weaknesses in its current operational and implementation efforts, as well as strengthen the efficiency and effectiveness of those efforts. Since 2003, we have made approximately 2,100 recommendations to DHS to strengthen program management, performance measurement efforts, and management processes, among other things. DHS has implemented more than 65 percent of these recommendations and has actions under way to address others. We also report regularly to the Congress on Government operations that we identified as high-risk because of their greater vulnerability to fraud, waste, abuse, and mismanagement, or the need for transformation to address economy, efficiency, or effectiveness challenges. DHS has sole or critical responsibility for four GAO high- risk areas--(1) Strengthening DHS Management Functions, (2) National Flood Insurance Program (NFIP), (3) Protecting the Federal Government's Information Systems and the Nation's Cyber Critical Infrastructures, and (4) Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland. DHS has made progress addressing areas we have identified as high-risk, but needs to continue to strengthen its efforts in order to more efficiently and effectively achieve its homeland security missions. In particular: In 2003, we designated implementing and transforming DHS as high-risk because DHS had to transform 22 agencies--several with major management challenges--into one department, and failure to address associated risks could have serious consequences for U.S. National and economic security.\1\ While challenges remain across its missions, DHS has made considerable progress in transforming its original component agencies into a single department. As a result, in our 2013 high-risk update, we narrowed the scope of the high-risk area to focus on strengthening DHS management functions (human capital, acquisition, financial management, and information technology [IT]).\2\ --------------------------------------------------------------------------- \1\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: January 2003). \2\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC: February 2013). For additional information, see our high-risk list key issues page at http://www.gao.gov/highrisk/overview. --------------------------------------------------------------------------- In 2006, we added the NFIP--a key component of the Federal Government's efforts to limit the damage and financial impact of floods--to the GAO high-risk list because the program faced significant on-going financial and management challenges.\3\ In particular, the NFIP, which is managed by DHS's Federal Emergency Management Agency (FEMA), is unlikely to generate sufficient revenue to cover future catastrophic losses or repay billions of dollars borrowed from the Department of the Treasury to cover insurance claims from previous disasters. --------------------------------------------------------------------------- \3\ GAO, GAO's High-Risk Program, GAO-06-497T (Washington, DC: Mar. 15, 2006). --------------------------------------------------------------------------- In 1997, we designated Federal information security as a Government-wide high-risk area, and we expanded the area in 2003 to include systems supporting critical infrastructure such as power distribution, communications, banking and finance, water supply, National defense, and emergency services.\4\ The effective security of these systems and the data they contain is essential to National security, economic well-being, and public health and safety. DHS is responsible for securing its own information systems and data and also plays a pivotal role in Government-wide cybersecurity efforts. --------------------------------------------------------------------------- \4\ GAO-03-119. --------------------------------------------------------------------------- In 2005, we designated the sharing of terrorism-related information as high-risk because of the significant challenges the Federal Government faces in sharing this information in a timely, accurate, and useful manner.\5\ The sharing of terrorism-related information is a Government-wide effort that involves numerous Federal departments and agencies. DHS plays a critical role in this sharing given its homeland security missions and responsibilities. --------------------------------------------------------------------------- \5\ GAO, High-Risk Series: An Update, GAO-05-207 (Washington, DC: Jan. 1, 2005). --------------------------------------------------------------------------- In November 2000, we published our criteria for removing areas from the high-risk list.\6\ Specifically, agencies must have (1) a demonstrated strong commitment and top leadership support to address the risks; (2) a corrective action plan that identifies the root causes, identifies effective solutions, and provides for substantially completing corrective measures in the near term, including but not limited to steps necessary to implement solutions we recommended; (3) the capacity (that is, the people and other resources) to resolve the risks; (4) a program instituted to monitor and independently validate the effectiveness and sustainability of corrective measures; and (5) the ability to demonstrate progress in implementing corrective measures. When legislative, administration, and agency actions, including those in response to our recommendations, result in significant progress toward resolving a high-risk problem, we remove the high-risk area. --------------------------------------------------------------------------- \6\ GAO, Determining Performance and Accountability Challenges and High Risks, GAO-01-159SP (Washington, DC: Nov. 1, 2000). --------------------------------------------------------------------------- My testimony today discusses our observations on DHS's progress and work remaining in addressing: (1) High-risk areas for which DHS has sole responsibility, and (2) high-risk areas for which DHS has critical, but shared, responsibility. This statement is based on GAO's 2013 high-risk update as well as reports and testimonies we issued from March 2013 through April 2014.\7\ For the past products, among other things, we analyzed DHS strategies and other documents related to the Department's efforts to address its high-risk areas; reviewed our past reports issued since DHS began its operations in March 2003; and interviewed DHS officials. More detailed information on the scope and methodology of our prior work can be found within each specific report. This statement is also based on analyses from our on-going assessment of DHS's efforts to address its high-risk areas since February 2013. We expect to report final results from this work in our 2015 high-risk update. For our analyses, among other things, we analyzed DHS documentation, such as Departmental guidance, and met with DHS officials, including the deputy secretary and under secretary for management, to discuss DHS's efforts to address its high-risk areas. With respect to the Strengthening DHS Management Functions high-risk area, on May 1, 2014, DHS provided us with an updated version of its Integrated Strategy for High-Risk Management. We plan to analyze this update as part of our on-going assessment of DHS's progress in addressing this high-risk area. --------------------------------------------------------------------------- \7\ GAO-13-283. --------------------------------------------------------------------------- We conducted the work on which this statement is based in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. high-risk areas for which dhs has sole responsibility DHS has made progress in addressing high-risk areas for which it has sole responsibility, but significant work remains. Strengthening DHS Management Functions DHS has made important progress in implementing, transforming, strengthening, and integrating its management functions in human capital, acquisition, financial management, and IT. This has included taking numerous actions specifically designed to address our criteria for removing areas from the high-risk list. However, as we reported in our February 2013 high-risk update, this area remains high-risk because the Department has significant work ahead.\8\ As shown in Table 1, DHS has met two of our criteria for removal from the high-risk list (leadership commitment and a corrective action plan), and has partially met the remaining three criteria (a framework to monitor progress; capacity; and demonstrated, sustained progress). --------------------------------------------------------------------------- \8\ GAO-13-283. TABLE 1.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY (DHS) PROGRESS IN ADDRESSING THE STRENGTHENING DHS MANAGEMENT FUNCTIONS HIGH-RISK AREA, AS OF MAY 2014 ------------------------------------------------------------------------ Criterion for Removal From the Partially Met Not Met High-Risk List Met \1\ \2\ \3\ ------------------------------------------------------------------------ Leadership commitment........... X ............. .......... Corrective action plan.......... X ............. .......... Capacity........................ ........... X .......... Framework to monitor progress... ........... X .......... Demonstrated, sustained progress ........... X .......... --------------------------------------- Total..................... 2 3 0 ------------------------------------------------------------------------ Source: GAO analysis of DHS documents, interviews, and prior GAO reports. \1\ ``Met'': There are no significant actions that need to be taken to further address this criterion. \2\ ``Partially met'': Some but not all actions necessary to generally meet the criterion have been taken. \3\ ``Not met'': Few, if any, actions toward meeting the criterion have been taken. Leadership commitment (met).--The Secretary and deputy secretary of Homeland Security, the under secretary for management at DHS, and other senior officials have continued to demonstrate commitment and top leadership support for addressing the Department's management challenges. They have also taken actions to institutionalize this commitment to help ensure the long-term success of the Department's efforts. For example, in May 2012, the Secretary of Homeland Security modified the delegations of authority between the Management Directorate and its counterparts at the component level to clarify and strengthen the authorities of the under secretary for management across the Department. In addition, in April 2014, the Secretary of Homeland Security issued a memorandum committing to improving DHS's planning, programming, budgeting, and execution processes through strengthened Departmental structures and increased capability. This memorandum identified several initial areas of focus intended to build organizational capacity.\9\ Senior DHS officials have also routinely met with us over the past 5 years to discuss the Department's plans and progress in addressing this high-risk area, during which we provided specific feedback on the Department's efforts. According to these officials, and as demonstrated through their progress, the Department is committed to demonstrating measurable, sustained progress in addressing this high-risk area. It will be important for DHS to maintain its current level of top leadership support and sustained commitment to ensure continued progress in successfully executing its corrective actions through completion. --------------------------------------------------------------------------- \9\ DHS, Secretary of Homeland Security, Strengthening Departmental Unity of Effort, Memorandum for DHS Leadership (Washington, DC: April 22, 2014). --------------------------------------------------------------------------- Corrective action plan (met).--DHS established a plan for addressing this high-risk area. In a September 2010 letter to DHS, we identified and DHS agreed to achieve 31 actions and outcomes that are critical to addressing the challenges within the Department's management areas and in integrating those functions across the Department. In January 2011, DHS issued its initial Integrated Strategy for High-Risk Management, which included key management initiatives and related corrective action plans for addressing its management challenges and the outcomes we identified. DHS provided updates of its progress in implementing these initiatives and corrective actions in its later versions of the strategy. In March 2014, we made updates to the actions and outcomes in collaboration with DHS to reduce overlap and ensure their continued relevance and appropriateness. These updates resulted in a reduction from 31 to 30 total actions and outcomes. DHS's strategy and approach to continuously refining actionable steps to implementing the outcomes, if implemented effectively and sustained, provide a path for DHS to be removed from GAO's high-risk list. Capacity (partially met).--In May 2014, DHS identified that it had resources needed to implement 7 of the 11 initiatives the Department had under way to address the actions and outcomes, but did not identify sufficient resource needs for the 4 remaining initiatives. In our analysis of DHS's June 2013 update, which similarly did not identify sufficient resource needs for all initiatives, we found that this absence of complete resource information made it difficult to fully assess the extent to which DHS has the capacity to implement its initiatives. In addition, our prior work has identified specific capacity gaps that could undermine achievement of management outcomes. For example, in September 2012, we reported that 51 of 62 acquisition programs faced workforce shortfalls in program management, cost estimating, engineering, and other areas, increasing the likelihood that the programs will perform poorly in the future.\10\ Since that time, DHS has appointed component acquisition executives at the components and made progress in filling staff positions. In April 2014, however, we reported that DHS needed to increase its cost-estimating capacity, and that the Department had not approved baselines for 21 of 46 major acquisition programs.\11\ These baselines--which establish cost, schedule, and capability parameters--are necessary to accurately assess program performance. --------------------------------------------------------------------------- \10\ GAO, Homeland Security: DHS Requires More Disciplined Investment Management to Help Meet Mission Needs, GAO-12-833 (Washington, DC: Sept. 18, 2012). \11\ GAO, Homeland Security Acquisitions: DHS Could Better Manage Its Portfolio to Address Funding Gaps and Improve Communications with Congress, GAO-14-332 (Washington, DC: Apr. 17, 2014). --------------------------------------------------------------------------- DHS needs to continue to identify resources for the remaining initiatives; determine that sufficient resources and staff are committed to initiatives; work to mitigate shortfalls and prioritize initiatives, as needed; and communicate to senior leadership critical resource gaps. Framework to monitor progress (partially met).--DHS established a framework for monitoring its progress in implementing the corrective actions it identified for addressing the 30 actions and outcomes. In the June 2012 update to the Integrated Strategy for High-Risk Management, DHS included, for the first time, performance measures to track its progress in implementing all of its key management initiatives. DHS continued to include performance measures in its May 2014 update. Additionally, in March 2014, the deputy secretary began meeting monthly with the DHS management team to discuss DHS's progress in strengthening its management functions. According to senior DHS officials, as part of these meetings, attendees discuss a report that senior DHS officials update each month, which identifies corrective actions for each outcome, as well as projected and actual completion dates. However, there are opportunities for DHS to strengthen this framework. For example, as we reported in September 2013, DHS components need to develop performance and functionality targets for assessing their proposed financial systems.\12\ This would include having an independent validation and verification program in place to ensure the modernized financial systems meet expected targets. Moving forward, DHS will need to closely track and independently validate the effectiveness and sustainability of its corrective actions and make mid-course adjustments, as needed. --------------------------------------------------------------------------- \12\ GAO, DHS Financial Management: Additional Efforts Needed to Resolve Deficiencies in Internal Controls and Financial Management Systems, GAO-13-561 (Washington, DC: Sept. 30, 2013). --------------------------------------------------------------------------- Demonstrated, sustained progress (partially met).--Key to addressing the Department's management challenges is DHS demonstrating the ability to achieve sustained progress across the 30 actions and outcomes we identified and DHS agreed were needed to address the high- risk area. These actions and outcomes include, among others, validating required acquisition documents in accordance with a Department- approved, knowledge-based acquisition process, and sustaining clean audit opinions for at least 2 consecutive years on Department-wide financial statements and internal controls. As illustrated by the examples below, DHS has made important progress in implementing corrective actions across its management functions, but it has not demonstrated sustainable, measurable progress in addressing key challenges that remain within these functions and in the integration of those functions.\13\ --------------------------------------------------------------------------- \13\ For our assessments of DHS's progress in addressing the 30 outcomes, ``fully addressed'' means the outcome is fully addressed; ``mostly addressed'' means progress is significant and a small amount of work remains; ``partially addressed'' means progress is measurable, but significant work remains; and ``initiated'' means activities have been initiated to address outcomes, but it is too early to report progress. --------------------------------------------------------------------------- Human capital management.--DHS has mostly addressed 1 of the 7 human capital management outcomes and partially addressed the remaining 6. For example, as we reported in December 2012, DHS has developed and demonstrated progress in implementing a strategic human capital plan.\14\ This plan, among other things, is integrated with broader organizational strategic planning, and mostly addresses this outcome. However, DHS needs to improve other aspects of its human capital management. --------------------------------------------------------------------------- \14\ GAO, DHS Strategic Workforce Planning: Oversight of Department-wide Efforts Should Be Strengthened, GAO-13-65 (Washington, DC: Dec. 3, 2012). For example: --------------------------------------------------------------------------- As we reported in December 2013, the Office of Personnel Management's 2013 Federal Employee Viewpoint Survey data showed that DHS employee satisfaction was 36th of 37 Federal agencies and had decreased 7 percentage points since 2011, which is more than the Government-wide decrease of 4 percentage points over the same time period.\15\ As a result, the gap between average DHS employee satisfaction and the Government-wide average widened to 7 percentage points.\16\ Accordingly, DHS has considerable work ahead to improve its employee morale. --------------------------------------------------------------------------- \15\ The Federal Employee Viewpoint Survey measures employees' perceptions of whether and to what extent conditions characterizing successful organizations are present in their agencies. \16\ GAO, Department of Homeland Security: DHS's Efforts to Improve Employee Morale and Fill Senior Leadership Vacancies, GAO-14-228T (Washington, DC: Dec. 12, 2013). --------------------------------------------------------------------------- Further, according to senior DHS officials, the Department has efforts under way intended to link workforce planning efforts to strategic and program-specific planning efforts to identify current and future human capital needs, including the knowledge, skills, and abilities needed for the Department to meet its goals and objectives. According to these officials, the Department is in the process of finalizing competency gap assessments to identify potential skills gaps within its components that collectively encompass almost half of the Department's workforce. These assessments focus on occupations DHS identifies as critical to its mission, including emergency management specialists and cyber-focused IT management personnel. DHS plans to analyze the results of these assessments and develop plans to address any gaps the assessments identify by the end of fiscal year 2014. This is a positive step, as identifying skills gaps could help the Department to better identify current and future human capital needs and ensure the Department possesses the knowledge, skills, and abilities needed to meet its goals and objectives. Given that DHS is finalizing these assessments, it is too early to assess their effectiveness. Acquisition management.--DHS has mostly addressed one of the five acquisition management outcomes, partially addressed one, and initiated activities to address the remaining three. DHS has made the most progress in increasing component-level acquisition capability by, for example, establishing a component acquisition executive in each DHS component to provide oversight and support programs within its portfolio. DHS has also taken steps to enhance its acquisition workforce by establishing centers of excellence for cost estimating, systems engineering, and other disciplines to promote best practices and provide technical guidance. However, DHS needs to improve its acquisition management. For example: DHS initiated a governance body in 2013 to review and validate acquisition programs' requirements and identify and eliminate any unintended redundancies, but it considered trade- offs only across acquisition programs within the Department's cybersecurity portfolio. DHS acknowledged that the Department has no formal structure in place to consider trade-offs DHS- wide, but DHS anticipates chartering such a body by the end of May 2014. DHS also has initiated efforts to validate required acquisition documents in accordance with a knowledge-based acquisition process, but this remains a major challenge for the Department. A knowledge-based approach provides developers with information needed to make sound investment decisions, and it would help DHS address significant challenges we have identified across its acquisition programs.\17\ DHS's acquisition policy largely reflects key acquisition management practices, but the Department has not implemented it consistently. In March 2014, we reported that the Transportation Security Administration does not collect or analyze available information that could be used to enhance the effectiveness of its advanced imaging technology.\18\ In March 2014, we also found that U.S. Customs and Border Protection (CBP) did not fully follow DHS policy regarding testing for the integrated fixed towers being deployed on the Arizona border.\19\ As a result, DHS does not have complete information on how the towers will operate once they are fully deployed. --------------------------------------------------------------------------- \17\ In our past work examining weapon acquisition issues and best practices for product development, we have found that leading commercial firms pursue an acquisition approach that is anchored in knowledge, whereby high levels of product knowledge are demonstrated by critical points in the acquisition process. \18\ GAO, Advanced Imaging Technology: TSA Needs Additional Information Before Procuring Next-Generation Systems, GAO-14-357 (Washington, DC: March 31, 2014). \19\ GAO, Arizona Border Surveillance Technology Plan: Additional Actions Needed to Strengthen Management and Assess Effectiveness, GAO- 14-368 (Washington, DC: Mar. 3, 2014). --------------------------------------------------------------------------- Finally, DHS does not have the acquisition management tools in place to consistently demonstrate whether its major acquisition programs are on track to achieve their cost, schedule, and capability goals. About half of major programs lack an approved baseline, and 77 percent lack approved life- cycle cost estimates. DHS stated in its 2014 update that it will take time to demonstrate substantive progress in this area. We have recently initiated two reviews to examine DHS's progress in these high-risk areas. In addition, the House Homeland Security committee recently introduced a DHS acquisition reform bill that reinforces the importance of key acquisition management practices, such as establishing cost, schedule, and capability parameters, and includes requirements to better identify and address poor-performing acquisition programs, which could aid the Department in addressing its acquisition management challenges. Financial management.--DHS has made progress toward improving its financial management and has fully addressed 1 of 8 high-risk financial management outcomes--ensuring its financial statements are accurate and reliable.\20\ However, a significant amount of work remains to be completed on the other 7 outcomes related to DHS's financial statements, internal control over financial reporting, and modernizing financial management systems. --------------------------------------------------------------------------- \20\ The financial management outcomes have twice been revised since September 2010 when they were initially established. The most recent revision occurred in March 2014 when GAO and DHS agreed to revise the outcomes to clarify certain requirements and eliminate overlap among the outcomes and between the outcomes and GAO's high-risk removal criteria. --------------------------------------------------------------------------- DHS produced accurate and reliable financial statements for the first time in fiscal year 2013, in part through management's commitment to improving its financial management process. As of May 2014, DHS is working toward sustaining this key achievement. DHS has also made some progress toward implementing effective internal control over financial reporting, in part by implementing a corrective action planning process aimed at addressing internal control weaknesses. For example, the Department took corrective actions to reduce the material weakness in environmental and other liabilities to a significant deficiency.\21\ However, DHS needs to eliminate all material weaknesses at the Department level before its financial auditor can assert that the controls are effective. For example, one of the material weaknesses involves deficiencies in property, plant, and equipment. DHS plans to achieve this outcome for fiscal year 2016. To meet another outcome, DHS needs to sustain these efforts for 2 years. --------------------------------------------------------------------------- \21\ Environmental liabilities consist of environmental remediation, clean-up, and decommissioning. A significant deficiency is a deficiency, or combination of deficiencies, in internal control important enough to merit attention by those charged with governance. A material weakness is a significant deficiency, or a combination of significant deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis. --------------------------------------------------------------------------- DHS also needs to effectively manage the modernization of financial management systems at the U.S. Coast Guard (USCG), U.S. Immigration and Customs Enforcement (ICE), and the Federal Emergency Management Agency (FEMA). Both USCG and ICE have made some progress toward modernizing their systems and foresee moving to a Federal shared service provider and completing their efforts in the latter part of 2016 and 2017.\22\ Because of critical stability issues with its legacy financial system that were resolved in May 2013, FEMA postponed its modernization efforts and has not restarted them. --------------------------------------------------------------------------- \22\ A shared service provider is a third-party entity that manages and distributes software-based services and solutions to customers across a wide area network from a central data center. --------------------------------------------------------------------------- IT Management.--DHS has fully addressed 1 of the 6 IT management outcomes and partially addressed the remaining 5. In particular, the Department has strengthened its enterprise architecture program (or blueprint) to guide IT acquisitions by, among other things, largely addressing our prior recommendations aimed at adding needed architectural depth and breadth, thus fully addressing this outcome. However, the Department needs to continue to demonstrate progress in strengthening other core IT management areas. For example, While the Department is taking the necessary steps to enhance its IT security program, such as finalizing its annual Information Security Performance Plan, further work will be needed for DHS to eliminate the Department's current material weakness in its information security. It will be important for the Department to fully implement its plan, since DHS's financial statement auditor reported in December 2013 that flaws in the security controls such as access controls, contingency planning, and segregation of duties were a material weakness for financial reporting purposes. While important steps have been taken to define IT investment management processes generally consistent with best practices, work is needed to demonstrate progress in implementing these processes across DHS's 13 IT investment portfolios.\23\ In July 2012, we recommended that DHS finalize the policies and procedures associated with its new tiered IT governance structure and continue to implement key processes supporting this structure.\24\ DHS agreed with these recommendations; however, as of April 2014, the Department had not finalized the key IT governance directive, and the draft structure has been implemented across only 5 of the 13 investment portfolios. \25\ --------------------------------------------------------------------------- \23\ The 13 portfolios are intelligence, domain awareness, securing, screening, law enforcement, information sharing and safeguarding, continuity-of-operations planning, benefits administration, incident management, enterprise business services, enterprise financial management, enterprise IT services, and enterprise human capital. \24\ GAO, Information Technology: DHS Needs to Further Define and Implement Its New Governance Process,GAO-12-818 (Washington, DC: July 25, 2012). \25\ The draft structure has been implemented across the following five portfolios: Intelligence, screening, information sharing and safeguarding, enterprise IT services, and enterprise human capital. --------------------------------------------------------------------------- Fully addressing these actions would also help DHS to address key IT operations efficiency initiatives, as well as to more systematically identify other opportunities for savings. For example, as part of the Office of Management and Budget's data center consolidation initiative, we reported that DHS planned to consolidate from 101 data centers to 37 data centers by December 2015.\26\ Further, DHS officials told us that the Department had achieved actual cost savings totaling about $140 million in fiscal years 2011 through 2013, and that it estimates total consolidation cost savings of approximately $650 million through fiscal year 2019. --------------------------------------------------------------------------- \26\ GAO, Data Center Consolidation: Agencies Making Progress on Efforts, but Inventories and Plans Need to Be Completed, GAO-12-742 (Washington, DC: July 19, 2012). --------------------------------------------------------------------------- DHS has also made progress in establishing and implementing sound IT system acquisition processes, but continued efforts are needed to ensure that the Department's major IT acquisition programs are applying these processes and obtaining more predictable outcomes. In 2013, DHS's Office of the Chief Information Officer led an assessment of its major IT programs (against industry best practices in key IT system acquisition process areas) to determine its capability strengths and weaknesses, and has work under way to track programs' progress in addressing identified capability gaps, such as requirements management and risk analysis. While this gap analysis and approach for tracking implementation of corrective actions are important steps, DHS will need to show that these actions are resulting in better, more predictable outcomes for its major IT system acquisitions. Demonstrated progress in closing these gaps is especially important in light of our recent reports on major DHS IT programs experiencing significant challenges largely because of system acquisition process shortfalls, including DHS's major border security system modernization, known as TECS-Mod.\27\ --------------------------------------------------------------------------- \27\ GAO, Border Security: DHS's Efforts to Modernize Key Enforcement Systems Could be Strengthened, GAO-14-62 (Washington, DC: Dec. 5, 2013). --------------------------------------------------------------------------- Management integration.--DHS has made substantial progress integrating its management functions, fully addressing 3 of the 4 outcomes we identified as key to the Department's management integration efforts. For example, DHS issued a comprehensive plan to guide its management integration efforts--the Integrated Strategy for High-Risk Management--in January 2011, and has generally improved upon this plan with each update. In addition, in April 2014, the Secretary of Homeland Security issued a memorandum committing to improving DHS's planning, programming, budgeting, and execution processes through strengthened Departmental structures and increased capability.\28\ To achieve the last and most significant outcome--implement actions and outcomes in each management area to develop consistent or consolidated processes and systems within and across its management functional areas--DHS needs to continue to demonstrate sustainable progress integrating its management functions within and across the Department and its components and take additional actions to further and more effectively integrate the Department. --------------------------------------------------------------------------- \28\ DHS, Secretary of Homeland Security, Strengthening Departmental Unity of Effort, Memorandum for DHS Leadership (Washington, DC: April 22, 2014). --------------------------------------------------------------------------- For example, recognizing the need to better integrate its lines of business, in February 2013, the Secretary of Homeland Security signed a policy directive establishing the principles of the Integrated Investment Life-Cycle Management to guide planning, executing, and managing critical investments Department-wide. DHS's June 2013 Integrated Strategy for High-Risk Management identified that Integrated Investment Life-Cycle Management will require significant changes to DHS planning, executing, and managing critical investments. At that time, DHS was piloting elements of the framework to inform a portion of the fiscal year 2015 budget. DHS's May 2014 strategy update states that the Department plans to receive an independent analysis of the pilots in May 2014. Given that these efforts are under way, it is too early to assess their impact. As we reported in March 2013, to more fully address the Strengthening DHS Management Functions high-risk area, DHS needs to continue implementing its Integrated Strategy for High-Risk Management and show measurable, sustainable progress in implementing its key management initiatives and corrective actions and achieving outcomes.\29\ In doing so, it will be important for DHS to: --------------------------------------------------------------------------- \29\ GAO, High-Risk Series, Government-wide 2013 Update and Progress Made by the Department of Homeland Security, GAO-13-444T (Washington, DC: March 21, 2013). --------------------------------------------------------------------------- maintain its current level of top leadership support and sustained commitment to ensure continued progress in executing its corrective actions through completion; continue to implement its plan for addressing this high-risk area and periodically report its progress to Congress and GAO; monitor the effectiveness of its efforts to establish reliable resource estimates at the Department and component levels, address and work to mitigate any resource gaps, and prioritize initiatives as needed to ensure it has the capacity to implement and sustain its corrective actions; closely track and independently validate the effectiveness and sustainability of its corrective actions and make midcourse adjustments, as needed; and make continued progress in addressing the 30 actions and outcomes--for the majority of which significant work remains-- and demonstrate that systems, personnel, and policies are in place to ensure that progress can be sustained over time.\30\ --------------------------------------------------------------------------- \30\ GAO-13-444T. --------------------------------------------------------------------------- We will continue to monitor DHS's efforts in this high-risk area to determine if the actions and outcomes are achieved and sustained. National Flood Insurance Program FEMA has made progress in all of the areas required for removal of the NFIP from the high-risk list, but needs to initiate or complete additional actions; also, recent legislation has created challenges for FEMA in addressing the financial exposure created by the program. FEMA leadership has displayed a commitment to addressing these challenges and has made progress in a number of areas, such as financial reporting and continuity planning. While FEMA has plans for addressing and tracking progress on our specific recommendations, it has yet to address many of them. For example, FEMA has not completed actions in certain areas, such as modernizing its claims and policy management system and overseeing compensation of insurers that sell NFIP policies. Completing such actions will likely help improve the financial stability and operations of the program. Table 2 summarizes DHS's progress in addressing the NFIP high-risk area. TABLE 2.--ASSESSMENT OF DEPARTMENT OF HOMELAND SECURITY PROGRESS IN ADDRESSING THE NATIONAL FLOOD INSURANCE PROGRAM HIGH-RISK AREA, AS OF MAY 2014 ------------------------------------------------------------------------ Criterion for Removal From the Partially Met Not Met High-Risk List Met \1\ \2\ \3\ ------------------------------------------------------------------------ Leadership commitment........... ........... X .......... Corrective action plan.......... ........... X .......... Capacity........................ ........... X .......... Framework to monitor progress... ........... X .......... Demonstrated, sustained progress ........... X .......... --------------------------------------- Total..................... 0 5 0 ------------------------------------------------------------------------ Source: GAO analysis of Federal Emergency Management Agency documents, interviews, and prior GAO reports. \1\ ``Met'': There are no significant actions that need to be taken to further address this criterion. \2\ ``Partially met'': Some but not all actions necessary to generally meet the criterion have been taken. \3\ ``Not met'': Few, if any, actions toward meeting the criterion have been taken. Leadership commitment (partially met). FEMA officials responsible for the NFIP have shown a commitment to taking a number of actions to implement our recommendations, which are designed to improve both the financial stability and operations of the program. For example, they have indicated a commitment to implementing our recommendations and have been proactive in clarifying and taking the actions needed to do so. In addition, FEMA officials have met with us to discuss outstanding recommendations, the actions they have taken to address them, and additional actions they could take. Further, a DHS official said that FEMA holds regular meetings to discuss the status of open recommendations. Recent legislative changes, however, have presented challenges for FEMA in addressing the financial exposure created by the NFIP. For example, in July 2012, the Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) was enacted, containing provisions to help strengthen the future financial solvency and administrative efficiency of NFIP, including phasing out almost all discounted insurance premiums (commonly referred to as subsidized premiums).\31\ In July 2013, we reported that FEMA was starting to implement some of the required changes.\32\ However, on March 21, 2014, the Homeowner Flood Insurance Affordability Act of 2014 (2014 Act) was enacted, reinstating certain premium subsidies and restoring grandfathered rates removed by the Biggert-Waters Act.\33\ The 2014 Act addresses affordability concerns for certain property owners, but may also increase NFIP's long-term financial burden on taxpayers.\34\ --------------------------------------------------------------------------- \31\ Pub. L. No. 112-141, Div. F, Title II, Subtit. A, 126 Stat. 405, 916 (July 6, 2012). \32\ GAO, Flood Insurance: More Information Needed on Subsidized Properties, GAO-13-607 (Washington, DC: July 3, 2013). \33\ Pub. L. No. 113-89, 128 Stat. 1020 (Mar. 21, 2014). \34\ GAO, Flood Insurance: Strategies for Increasing Private Sector Involvement, GAO-14-127 (Washington, DC: Jan. 22, 2014). --------------------------------------------------------------------------- Corrective action plan (partially met).--While FEMA developed corrective action plans for implementing the recommendations in individual GAO reports, it has not developed a comprehensive plan to address the issues that have placed the NFIP on GAO's high-risk list. While addressing our recommendations is part of such a plan, a comprehensive plan also defines the root causes, identifies effective solutions, and provides for substantially completing corrective measures near term. According to a DHS official, the individual action plans collectively represent their plan for addressing these issues, as the recommendations cover steps needed to improve the program's financial stability as well as its administration. The official added that DHS has developed more comprehensive plans for other high-risk areas, which have been helpful, and could consider doing so for the NFIP, but such plans require a lot of work. Such a plan could help FEMA ensure that all important issues, and all aspects of those issues, are addressed. For example, while our recommendations regarding the NFIP's financial stability have focused on the extent of subsidized rates and the rate-setting process, financial stability could include other important areas, such as debt management. As of December 2013, FEMA owed the Treasury $24 billion--primarily to pay claims associated with Superstorm Sandy (2012) and Hurricane Katrina (2005)--and had not made a principal payment since 2010. Capacity (partially met).--FEMA faces several challenges in improving the program's financial stability and operations. First, recent legislative changes permit certain premium subsidies and restore grandfathered rates removed by the Biggert-Waters Act. These provisions, along with others, may weaken the potential for improved financial soundness of the NFIP program. Second, while FEMA is establishing a reserve fund as required by the Biggert-Waters Act, it is unlikely to initially meet the act's annual targets for building up the reserve, partly because of statutory limitations on annual premium increases. Third, while FEMA has begun taking some actions to improve its administration of the NFIP, it is unclear how the resources required to implement both the Biggert-Waters Act and the 2014 Act will affect its ability to continue and complete these efforts. For example, the Acts require FEMA to complete multiple studies and take a number of actions within the next several years, which will require resources FEMA would normally have committed to other efforts. Monitoring Progress (partially met).--FEMA has a process in place to monitor progress in taking actions to implement our recommendations related to the NFIP. For example, the status of efforts to address the recommendations is regularly discussed both within the Flood Insurance and Mitigation Administration, which administers the NFIP, and at the DHS level, according to a DHS official. However, it does not have a specific process for independently validating the effectiveness or sustainability of those actions. Instead, according to a DHS official, once a recommendation related to the NFIP is implemented, the effects of the actions taken to do so are not tracked separately, but are evaluated as part of regular reviews of the effectiveness of the entire program. Broader monitoring of the effectiveness and sustainability of its actions would help ensure that appropriate corrective actions are being taken. Demonstrated, sustained progress (partially met).--FEMA has begun to take actions to improve the program's financial stability, such as initiating actions to improve the accuracy of full-risk rates.\35\ However, these efforts are not complete, and FEMA does not have some information, such as the number and location of existing grandfathered properties and information necessary to appropriately revise premium rates for previously subsidized properties.\36\ Similarly, FEMA has taken a number of actions to improve areas of the program's operations, such as financial reporting and continuity planning.\37\ However, some important actions, such as modernizing its policy and claims management system and ensuring the reasonableness of compensation to insurance companies that sell and service most NFIP policies, remain to be completed.\38\ Sustained progress will be needed for FEMA to address the financial and operational issues facing NFIP. --------------------------------------------------------------------------- \35\ GAO, Flood Insurance: FEMA's Rate-Setting Process Warrants Attention, GAO-09-12 (Washington, DC: Oct. 31, 2008). \36\ GAO-13-607. \37\ GAO, FEMA: Action Needed to Improve Administration of the National Flood Insurance Program, GAO-11-297 (Washington, DC: June 9, 2011). \38\ GAO, Flood Insurance: Opportunities Exist to Improve Oversight of the WYO Program, GAO-09-455 (Washington, DC: Aug. 21, 2009) and GAO- 11-297. --------------------------------------------------------------------------- government-wide high-risk areas in which dhs plays a critical role Progress has been made in the Government-wide high-risk areas in which DHS plays a critical role, but significant work remains. Information Security and Cyber Critical Infrastructure Protection As we reported in our February 2013 high-risk update, the White House and Federal agencies, including DHS, have taken a variety of actions that were intended to enhance Federal and critical infrastructure cybersecurity. For example, the Government issued numerous strategy-related documents over the past decade and established agency performance goals and a mechanism to monitor performance in three cross-agency priority areas of strong authentication, Trusted Internet Connections, and continuous monitoring.\39\ --------------------------------------------------------------------------- \39\ Strong authentication involves increasing the use of Federal smartcard credentials such as Personal Identity Verification and Common Access Cards that provide multi-factor authentication and digital signature and encryption capabilities, authorizing users to access Federal information systems with a higher level of assurance. Trusted Internet Connections is an initiative to consolidate external telecommunication connections and ensure a set of baseline security capabilities for situational awareness and enhanced monitoring. Continuous monitoring of Federal information systems includes transforming the otherwise static security control assessment and authorization process into a dynamic risk mitigation program that provides essential, near-real-time security status and remediation, increasing visibility into system operations and helping security personnel make risk management decisions based on increased situational awareness. --------------------------------------------------------------------------- In addition, since the February 2013 high-risk update, the administration has continued its cyber-related efforts. In February 2013, the President issued Presidential Policy Directive 21 on critical infrastructure security and resilience \40\ and Executive Order 13636 on improving critical infrastructure cybersecurity.\41\ These documents assign specific actions to particular individuals and agencies with specific time frames for completion. --------------------------------------------------------------------------- \40\ The White House, Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience (Feb. 12, 2013). \41\ Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013). --------------------------------------------------------------------------- However, more efforts are needed by Federal organizations, including the White House, DHS, and other agencies, to address a number of areas. To illustrate the scope and persistence of this challenge, in fiscal year 2013, inspectors general at 21 of the 24 agencies cited information security as a major management challenge for their agencies,\42\ and 18 agencies reported that information security control deficiencies were either a material weakness or a significant deficiency in internal controls over financial reporting in fiscal year 2013.\43\ --------------------------------------------------------------------------- \42\ The 24 major departments and agencies are the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency, General Services Administration, National Aeronautics and Space Administration, National Science Foundation, Nuclear Regulatory Commission, Office of Personnel Management, Small Business Administration, Social Security Administration, and U.S. Agency for International Development. \43\ A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect and correct misstatements on a timely basis. --------------------------------------------------------------------------- DHS's Role in Federal Information Security and Cyber Critical Infrastructure Protection In addition to having responsibilities for securing its own information systems and data, DHS plays a pivotal role in Government- wide cybersecurity efforts. In particular, in July 2010, the Director of the Office of Management and Budget (OMB) and the White House Cybersecurity Coordinator issued a joint memorandum that transferred several key OMB responsibilities under the Federal Information Security Management Act of 2002 (FISMA) to DHS.\44\ Specifically, DHS is to exercise primary responsibility within the Executive branch for overseeing and assisting with the operational aspects of cybersecurity for Federal systems that fall within the scope of FISMA. --------------------------------------------------------------------------- \44\ See Pub. L. No. 107-347, Dec. 17, 2002; 44 U.S.C. 3541, et seq. --------------------------------------------------------------------------- We agree that DHS should play a role in the operational aspects of Federal cybersecurity. We suggested in February 2013 that Congress consider legislation that would clarify roles and responsibilities for implementing and overseeing Federal information security programs and for protecting the Nation's critical cyber assets.\45\ --------------------------------------------------------------------------- \45\ GAO, Cybersecurity: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, GAO-13-187 (Washington, DC: Feb. 14, 2013). --------------------------------------------------------------------------- Regarding cyber critical infrastructure protection, a fundamental component of DHS's efforts is its partnership approach, whereby it engages in partnerships among Government and industry stakeholders. Such an approach is essential because the majority of critical infrastructure in the United States is owned and operated by the private sector. In 2006, DHS issued the National Infrastructure Protection Plan. The plan, subsequently updated several times, provides the overarching approach for integrating the Nation's critical infrastructure protection and resilience activities into a single National effort.\46\ Congress is considering several bills that would address cyber information sharing and the cybersecurity posture of the Federal Government and the Nation. For example, H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2014, would address DHS's role and responsibilities in protecting Federal civilian information systems and critical infrastructure from cyber threats.\47\ --------------------------------------------------------------------------- \46\ See, most recently, Department of Homeland Security, NIPP 2013: Partnering for Critical Infrastructure Security and Resilience. \47\ H.R. 3696, 113th Cong. (2013). --------------------------------------------------------------------------- Specific laws, Executive Orders, and directives have further guided DHS's role in cyber critical infrastructure protection. For example, Executive Order 13636 directs DHS to, among other things, establish a voluntary program to support the adoption of a cybersecurity framework by private-sector partners;\48\ coordinate the establishment of a set of incentives designed to promote participation in the voluntary program; and incorporate privacy and civil liberties protections into every initiative called for by the Executive Order. --------------------------------------------------------------------------- \48\ As required by Executive Order 13636, the National Institute of Standards and Technology (NIST) issued the first version of the cybersecurity framework in February 2014. See NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0 (Feb. 12, 2014). --------------------------------------------------------------------------- Securing Federal Systems In carrying out its role in overseeing and assisting Federal agencies in implementing information security requirements, DHS has begun performing several activities. These include: conducting ``CyberStat'' reviews, which are intended to hold agencies accountable and offer assistance in improving their information security posture; holding interviews with agency chief information officers and chief information security officers on security status and issues; establishing a program to enable Federal agencies to expand their continuous diagnostics and mitigation capabilities; and, refining performance metrics that agencies use for FISMA reporting purposes. In February 2014, as part of our continued dialogue with DHS regarding progress and what remains to be accomplished in this high- risk area, we identified and communicated to DHS actions critical to addressing its efforts to oversee and assist agencies in improving information security practices.\49\ This included the following: --------------------------------------------------------------------------- \49\ We provided DHS detail on the actions that need to be taken and outcomes that need to be achieved to address the Federal information security and cyber critical infrastructure protection high- risk area. The information we provided DHS was based on our full body of work in this area. --------------------------------------------------------------------------- Expand CyberStat reviews to all major Federal agencies.--DHS has conducted CyberStat sessions with several of the 24 major Federal agencies. According to DHS officials, the current approach focuses on providing CyberStat reviews for the lowest- performing agencies. However, expanding the reviews to include all 24 agencies could lead to an improved security posture. Enhance FISMA reporting metrics.--In September 2013, we reported that the metrics issued by DHS for gauging the implementation of priority security goals and other important controls did not address key security activities and did not always include performance targets.\50\ We recommended that OMB and DHS collaborate to develop improved metrics, and the agencies stated that they plan to implement the recommendation by September 2014. --------------------------------------------------------------------------- \50\ GAO, Federal Information Security: Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness, GAO-13-776 (Washington, DC: Sept. 26, 2013). --------------------------------------------------------------------------- Develop a strategic implementation plan.--DHS's Office of Inspector General reported in June 2013 that the Department had not developed a strategic implementation plan describing its cybersecurity responsibilities and a clear plan of action for fulfilling them. According to DHS officials, it has developed this plan and is awaiting closure of the inspector general recommendation. We will review the status of this plan as part of our on-going review of this high-risk area. Continue to develop continuous diagnostics and mitigation capabilities and assist agencies in developing and acquiring them.--This effort is intended to protect networks and enhance an agency's ability to see and counteract day-to-day cyber threats. The successful implementation of these actions should result in outcomes such as enhanced DHS oversight and assistance through CyberStat, improved metrics and other outcomes, improved situational awareness, and enhanced capabilities for assisting agencies in responding to cyber incidents. In conjunction with needed actions by Federal agencies, this could contribute to improved information security Government-wide. Protecting Cyber Critical Infrastructure DHS, in conjunction with other Executive branch entities, has taken steps to enhance the protection of cyber critical infrastructure. For example, according to DHS, it has: expanded the capacity of its National Cybersecurity and Communications Integration Center to facilitate coordination and information sharing among Federal and private-sector stakeholders; established the Information Sharing Working Group and a mechanism for creating cyber threat reports that can be shared with private-sector partners; and, set up a voluntary program to encourage critical infrastructure owners and operators to use the cybersecurity framework developed by the National Institute of Standards and Technology, as required by Executive Order 13636. In February 2014, we identified and communicated to DHS actions critical to addressing cyber critical infrastructure protection, including the following: expand the Enhanced Cybersecurity Services program, which is intended to provide Classified cyber threat and technical information to eligible critical infrastructure entities, to all critical infrastructure sectors as required by Executive Order 13636; enhance coordination efforts with private-sector entities to facilitate improvements to the cybersecurity of critical infrastructure; and, identify a set of incentives designed to promote implementation of the NIST cybersecurity framework. Completing these efforts could assist in achieving a flow of timely and actionable cybersecurity threat and incident information among Federal stakeholders and critical infrastructure entities, adoption of the cybersecurity framework by infrastructure owners and operators, and effective implementation of security controls over a significant portion of critical cyber assets. As we reported in March 2014, more needs to be done to accelerate the progress made in bolstering the cybersecurity posture of the Nation and Federal Government. The administration and Executive branch agencies need to implement the hundreds of recommendations made by GAO and agency inspectors general to address cyber challenges, resolve known deficiencies, and fully implement effective information security programs. Until then, a broad array of Federal assets and operations will remain at risk of fraud, misuse, and disruption, and the Nation's most critical Federal and private-sector infrastructure systems will remain at increased risk of attack from our adversaries.\51\ --------------------------------------------------------------------------- \51\ GAO, Government Efficiency and Effectiveness: Views on the Progress and Plans for Addressing Government-wide Management Challenges, GAO-14-436T (Washington, DC: March 12, 2014). --------------------------------------------------------------------------- Enhancing the Sharing of Terrorism-Related Information DHS has made significant progress in enhancing the sharing of information on terrorist threats and in supporting Government-wide efforts to improve such sharing.\52\ Our work on assessing the high- risk area on sharing terrorism-related information has primarily focused on Federal efforts to implement the Information Sharing Environment, as called for in the Intelligence Reform and Terrorism Prevention Act of 2004.\53\ The Information Sharing Environment is a Government-wide effort to improve the sharing of terrorism-related information across Federal agencies and with State, local, territorial, Tribal, private-sector, and foreign partners. When assessing progress, we review the activities of both the program manager for the Information Sharing Environment--a position established under the 2004 Act with responsibility for information sharing across the Government-- as well as efforts of DHS and other key entities, including the Departments of Justice, State, and Defense, and the Office of the Director of National Intelligence.\54\ Accordingly, DHS itself is not on the high-risk list nor can DHS's efforts fully resolve the high-risk issue. Nevertheless, DHS plays a critical role in Government-wide sharing given its homeland security missions and responsibilities. --------------------------------------------------------------------------- \52\ Terrorism-related information includes homeland security, terrorism, and weapons of mass destruction information. See 6 U.S.C. 482(f)(1), 485(a)(1), (5)-(6). \53\ See Pub. L. No. 108-458, 1016, 118 Stat. 3638, 3664-70 (2004) (codified as amended at 6 U.S.C. 485). \54\ The Office of the Director of National Intelligence was established in 2004 to manage the efforts of the intelligence community. See 50 U.S.C. 3023. Its mission is to lead intelligence integration and forge an intelligence community that delivers the most insightful intelligence possible. --------------------------------------------------------------------------- Overall, the Federal Government has made progress in addressing the terrorism-related information-sharing high-risk area. As we reported in our February 2013 update, the Federal Government is committed to establishing effective mechanisms for managing and sharing terrorism- related information, and has developed a National strategy, implementation plans, and methods to assess progress and results. While progress has been made, the Government needs to take additional action to mitigate the potential risks from gaps in sharing information, such as ensuring that it is leveraging individual agency initiatives to benefit all partners and continuing work to develop metrics that measure the homeland security results achieved from improved sharing. We are currently conducting work with the program manager and key entities to determine their progress in meeting the criteria since the 2013 high-risk report. DHS's Role in the Sharing of Terrorism-Related Information Separately, in response to requests from this committee and other Congressional committees, we have assessed or are currently assessing DHS's specific efforts to enhance the sharing of terrorism-related information. As discussed below, this work includes DHS efforts to: (1) Support State and major urban area fusion centers,\55\ (2) coordinate with other Federal agencies that support task forces and other centers in the field that share information on threats as part of their activities, (3) achieve its own information-sharing mission, and (4) share information related to the Department's intelligence analysis efforts. --------------------------------------------------------------------------- \55\ In general, fusion centers are collaborative efforts of two or more agencies that provide resources, expertise, and information to the center with the goal of maximizing their ability to detect, prevent, investigate, and respond to criminal and terrorist activity. See 6 U.S.C. 124h(j)(1). There are 78 fusion centers in the United States. --------------------------------------------------------------------------- Fusion centers.--A major focus of the high-risk area and Information Sharing Environment has been to improve the sharing of terrorism-related information among the Federal Government and State and local security partners, which is done in part through State and major urban area fusion centers. DHS is the Federal lead for supporting these centers and has made significant strides. For example, DHS has deployed personnel to centers to serve as liaisons to the Department and help centers develop capabilities (such as the ability to analyze and disseminate information), provided grant funding to support center activities, provided access to networks disseminating Classified and Unclassified information, and helped centers identify and share reports on terrorism-related suspicious activities. DHS has been very responsive to a recommendation in our 2010 report that calls for establishing metrics to determine what return the Federal Government is getting for its investments in centers.\56\ We have an on-going review of DHS's efforts to assess center capabilities, manage Federal grant funding, and determine the contributions centers make to enhance homeland security, and expect to issue a report later this year. --------------------------------------------------------------------------- \56\ GAO, Information Sharing: Federal Agencies Are Helping Fusion Centers Build and Sustain Capabilities and Protect Privacy, but Could Better Measure Results, GAO-10-972 (Washington, DC: Sept. 29, 2010). --------------------------------------------------------------------------- Field-based entities that share information.--DHS is also taking steps to measure the extent to which fusion centers are coordinating and sharing information with other field-based task forces and centers--such as Federal Bureau of Investigation Joint Terrorism Task Forces--and assess opportunities to improve coordination.\57\ In April 2013, we reported that fusion centers and other field-based entities had overlapping activities, but the agencies that support them had not held the entities accountable for coordinating and collaborating or assessed opportunities to enhance coordination, and recommended that the agencies develop mechanisms to do so.\58\ In response, DHS began tracking collaboration mechanisms, such as which fusion centers have representatives from the other entities on their executive boards, are colocated with other entities, and issue products jointly developed with other entities. --------------------------------------------------------------------------- \57\ The five types of entities we reviewed are State and major urban area fusion centers, Joint Terrorism Task Forces, Field Intelligence Groups, Regional Information Sharing Systems Centers, and High-Intensity Drug Trafficking Area Investigative Support Centers. DHS, the Department of Justice, and the Office of National Drug Control Policy oversee or otherwise support these entities. \58\ GAO, Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities, GAO-13-471 (Washington, DC: Apr. 12, 2013). --------------------------------------------------------------------------- DHS's efforts can help avoid unnecessary overlap in activities, which in turn can help entities leverage scarce resources. To fully address our recommendation, however, the other Federal agencies must take steps to better hold their respective field entities accountable for such collaboration. In addition, these agencies must work with DHS to collectively assess Nation-wide any opportunities for field entities to further implement collaboration mechanisms. DHS information-sharing mission.--In September 2012, we reported that DHS had made progress in achieving its own information-sharing mission, but could take additional steps to improve its efforts.\59\ Specifically, DHS had demonstrated leadership commitment by establishing a governance board to serve as the decision-making body for DHS information-sharing issues. The board has enhanced collaboration among DHS components and identified a list of key information-sharing initiatives to pursue, among other things. We found, however, that 5 of DHS's top 8 priority initiatives faced funding shortfalls. We also reported that DHS had taken steps to track its information-sharing efforts, but had not fully assessed how such efforts had improved sharing. We recommended that DHS: (1) Revise its policies and guidance to include processes for identifying information- sharing gaps; analyzing root causes of those gaps, and identifying, assessing, and mitigating risks of removing incomplete initiatives from its list, and (2) better track and assess the progress of key initiatives and the Department's overall progress in achieving its information-sharing vision. DHS has since taken actions--such as issuing revised guidance and developing new performance measures--to address all of these recommendations. --------------------------------------------------------------------------- \59\ GAO, Information Sharing: DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts, GAO-12-809 (Washington, DC: Sept. 18, 2012). --------------------------------------------------------------------------- Sharing intelligence analysis. We are finalizing a report on DHS's intelligence analysis capabilities, which are a key part of the Department's efforts in securing the Nation. Within DHS, the Office of Intelligence and Analysis has a lead role for intelligence analysis, but other operational components--such as CBP and ICE--also perform their own analysis activities and are part of the DHS Intelligence Enterprise. Our report, expected to be issued later this month, will address: (1) The extent to which the intelligence analysis activities of the enterprise are integrated to support Departmental strategic intelligence priorities, and are unnecessarily overlapping or duplicative; (2) the extent to which Office of Intelligence and Analysis customers report that they find products and other analytic services to be useful, and what steps, if any, the office has taken to address any concerns customers report; and (3) challenges the Office of Intelligence and Analysis has faced in maintaining a skilled analytic workforce and steps it has taken to address these challenges. We are planning to make recommendations to help DHS enhance its intelligence analysis capabilities and related sharing of this information.\60\ --------------------------------------------------------------------------- \60\ The Office of Intelligence and Analysis' five customer groups are: (1) DHS leadership; (2) DHS operational components; (3) intelligence community members; (4) State, local, Tribal, and territorial partners; and (5) private critical infrastructure sectors. --------------------------------------------------------------------------- Overall, DHS's continued progress in enhancing the sharing of terrorism-related information and responding to our findings and recommendations will be critical to supporting Government-wide sharing and related efforts to secure the homeland. Chairman McCaul, Ranking Member Thompson, and Members of the committee, this completes my prepared statement. I would be happy to respond to any questions you may have at this time. Chairman McCaul. Well, thank you, sir. We thank you for your comments as well. Chairman now recognizes Mr. Roth. STATEMENT OF JOHN ROTH, INSPECTOR GENERAL, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Roth. Good morning, Chairman McCaul, Ranking Member Thompson, and Members of the committee. Thank you for inviting me here today to discuss some of the high-risk areas that DHS faces. My testimony here today will focus on acquisition management. In particular, as our work has shown, DHS is not as effective and efficient as it could be in this area. We find that it stems from three main areas. First, DHS's unique mission requires complicated acquisitions. Whether it is acquiring a fleet of helicopters, building a border fence over hundreds of miles of varied terrain, integrating and managing systems from diverse legacy agencies, or purchasing technologically-complex airport screening machines are, under the best of circumstances, high- risk acquisitions. Second, DHS, as has been noted this morning, is working towards a transparent acquisition governance process, which if it is fully followed would lead to better and smarter acquisitions. Unfortunately, the DHS components engaged in the acquisitions often do not follow the DHS procurement policies, and DHS lacks a means to enforce compliance. Third, components acquisition decisions often work against the Department's stated goal of One DHS. DHS components, in a word, operate in a vacuum. They fail to take into account other components' needs or they fail to leverage other assets or other acquisitions that are already underway. We have done a number of audits that give examples of this. Those are in my written testimony. But I would like just to talk about one single audit that we did with regard to using acquisitions to have One DHS. DHS's stated goal is to ensure interoperability of communications. We want to make sure that the first responders and other law enforcement agencies--agents, particularly within DHS, can talk to each other through a common channel in the event of a terrorist event or a crisis of some sort. DHS has about 123,000 radio field users within eight different components, and DHS has invested about $430 million in equipment, infrastructure, and other resources to ensure interoperability. We conducted an audit in late 2012 and asked 479 DHS field radio users to access and use the specified channel to communicate. Out of those 479 people we asked to do so, only a single user could use the common channel. In other words, DHS had a failure rate of 99.8 percent. Seventy-two percent of the users didn't even realize that there was--didn't even know the existence of a common channel. The remainder just couldn't find it. Of the radios we examined only 20 percent of them were properly set up to use the common channel. This test happened 11 years after 9/11. Without an effective governing structure DHS cannot achieve its goal of a Department-wide radio interoperability. As we sit here today the Department's plans to do so are still a work in progress. In closing I would like to note that DHS has taken steps to implement our recommendations and to progress towards a unity of effort. However, the Department is persistently challenged in acting in an integrated single entity. This concludes my prepared statement. I am happy to take questions from the committee. Thank you. [The prepared statement of Mr. Roth follows:] Prepared Statement of John Roth May 7, 2014 Good morning Chairman McCaul, Ranking Member Thompson, and Members of the committee. Thank you for inviting me here today to discuss high- risk areas at DHS identified by GAO. In its report, High-risk Series: An Update (GAO-13-283, February 2013), GAO identified high-risk areas in the Federal Government, including areas of particular concern at DHS. My testimony today will focus on some high-risk areas that we also identified in our December 2013 report, Major Management and Performance Challenges Facing the Department of Homeland Security (OIG-14-17), particularly in managing acquisitions. Our work has shown that DHS' management of its acquisitions is not as effective and efficient as it could be. This problem stems from three main issues: First, DHS' unique mission requires multi-faceted and sophisticated acquisitions. Whether acquiring a fleet of helicopters, building a border fence over hundreds of miles of varied terrain, or integrating and managing systems from diverse legacy agencies, DHS' requirements increase the complexity and risk of its acquisitions. Second, DHS is working toward a transparent, authoritative governing process--the Acquisition Life-cycle Framework (ALF)-- which, if fully implemented, would lead to better oversight and guidance of acquisitions. Unfortunately, DHS components often do not follow this governing process (or any other) in carrying out their acquisitions, and DHS has had difficulty enforcing compliance. Third, the components' acquisition decisions often work counter to the Department's stated goal of ``One DHS.'' In planning and managing acquisitions, components often operate in a vacuum; they fail to take into account the needs of other components or they fail to leverage other assets or acquisitions already underway. We have made recommendations to improve the efficiency and effectiveness of DHS' programs and operations, and DHS has taken some steps to implement our recommendations. However, the Department continues to struggle with acting as an integrated, single entity to accomplish its mission. nature of the risk Acquisition management at DHS is inherently complex and high-risk. It is further challenged by the magnitude and diversity of the Department's procurements. In fiscal year 2013, DHS' Major Acquisition Oversight List included 123 programs; 88 (72 percent) of the programs were Level 1 or Level 2. Level 1 and Level 2 programs have life-cycle costs of $300 million or more or have special Departmental interest. Some examples of Level 1 and Level 2 acquisitions include: The United States Coast Guard's HC-144A Maritime Patrol Aircraft, a twin engine turboprop airplane designed for superior situational awareness, a reduced workload, and increased crew safety. Life-cycle cost estimate--$24.9 billion; U.S. Customs and Border Protection's (CBP) Automated Commercial Environment, a system to enable CBP to interact, manage, and oversee import and export data, and manage custodial revenue and enforcement systems. Life-cycle cost estimate--$4.5 billion; TSA's Screening Partnership Program, procures screening services from private companies at TSA airports. Life-cycle cost estimate--$2.4 billion; CBP's Mission Support Facilities to develop, plan, execute, and sustain facilities and infrastructure inventory to support CBP's Mission Support Offices Nation-wide. Facilities include administrative offices, training centers, laboratories, and warehouses. Life-cycle cost estimate--$2 billion; CBP's Integrated Fixed Towers, a system for automated, persistent wide area surveillance to detect, track, identify, and classify illegal entries. Life-cycle cost estimate--$842 million. combating the risk: acquisition management framework Effective acquisition management requires careful planning and oversight of processes, solid internal controls, and compliance with laws and regulations. Acquisitions must be planned and managed through their entire life cycle to ensure that they are procured, deployed, and used efficiently and effectively. DHS has developed a comprehensive acquisition framework of policies, procedures, and entities to streamline its acquisition practices and ensure that procured goods and services meet mission needs cost-efficiently. This system should lead to informed investment decisions on goods and services that fulfill DHS' mission. Acquisition Phases DHS has adopted the Acquisition Life-Cycle Framework (ALF), composed of the following four phases, to determine whether to proceed with an acquisition: 1. Need--identify the need that the acquisition will address; 2. Analyze/Select--analyze the alternatives to satisfy the need and select the best option; 3. Obtain--develop, test, and evaluate the selected option and determine whether to approve production; and 4. Produce/Deploy/Support--produce and deploy the selected option and support it throughout the operational life cycle. Each phase of the ALF leads to an ``Acquisition Decision Event'' (ADE), a predetermined point at which the acquisition is reviewed before it can move to the next phase. The reviews are intended to ensure alignment of needs with DHS' strategic direction and adequate planning for upcoming phases. The figure below shows the four phases of the ALF and each ADE. [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] ADE-0 Identify the need ADE-1 Validate the need ADE-2A Approve the program ADE-2B Approve projects within the program ADE-2C Approve low rate initial production ADE-3 Approve full rate production and deployment ADE 4* Project transition--a milestone unique to the Coast Guard, authorizes the project to move to sustainment The ALF is a rigorous, disciplined process designed to result in cost-efficient acquisitions that can meet the Department's needs and help accomplish its mission. Acquisition Entities, Policies, and Procedures DHS' Office of Program Accountability and Risk Management (PARM) administers the ALF and oversees all major DHS acquisitions. PARM reports directly to the under secretary for management and manages and implements the Department's Acquisition Management Directive. PARM is also responsible for independently assessing major investment programs and monitoring programs between formal reviews to identify issues. DHS has established the following mechanisms to govern acquisitions: The Acquisition Review Board (ARB).--A cross-component board composed of senior-level decisionmakers. The ARB determines whether a proposed acquisition meets requirements and can proceed to the next phase and eventual production and deployment. Before every ADE, components must submit acquisition documents to the ARB for review, including a mission needs statement, capability development plan, and an acquisition plan. Quarterly Program Accountability Report.--Provides a comprehensive, high-level analysis of a program's vital signs provided to DHS leadership, component acquisition executives, and program managers. A Joint Requirements Council.--Reviews high-dollar acquisitions and recommends savings opportunities to the ARB. Centers of Excellence.--Two have been set up under PARM: Program Management Center of Excellence and Cost Estimating & Analysis Center of Excellence. Leadership staff and subject- matter experts at the centers provide proven practices, guidance, and counsel on program management and cost estimating and analysis. The Decision Support Tool.--A web-based central dashboard to assess and track the health of major acquisition projects, programs, and portfolios. The Department's goal is to improve program accountability and make sound strategic decisions throughout the life-cycle of major acquisitions. Comprehensive Acquisition Status Report.--Provides information on the status of major acquisitions. Reports include information such as the current acquisition phase, the date of last review, life-cycle cost estimate, and key events and milestones. failing to follow the framework results in problematic acquisitions However, as our work has shown, this process is not always followed. Several of our audits have highlighted DHS' challenge in establishing an overarching structure that fully integrates the components into overall governance, unified decision making, and collective analysis. CBP's Acquisition of H-60 Helicopters In May 2013, we issued DHS' H-60 Helicopter Programs (Revised) (OIG-13-89), which illustrates the risks of deviating from the ALF. Although the Department had some processes and procedures to govern its aviation assets and provide oversight, the acquisition was not fully coordinated and acquisition costs, schedules, and performance were not controlled. CBP did not take into account guidance from the DHS Office of the Chief Procurement Officer (OCPO) in its H-60 acquisition planning. In 2007, CBP's Office of Air and Marine submitted its Congressionally- mandated acquisition plan, which outlined how its aviation assets and acquisitions would support its mission. CBP leadership approved the plan to acquire 38 new and converted medium-lift helicopters and submitted it to the DHS OCPO. On March 3, 2008, OCPO expressed its concerns about the program in a memo to CBP. According to OCPO, CBP needed to address substantive issues in the acquisition plan. CBP should have had two separate H-60 plans, and both should move independently through the acquisition review process, including ARB review. OCPO was also concerned that CBP-- Had not clearly defined the acquisition's period of performance; Did not have a complete life-cycle cost estimate; Had not completed a cost-benefit analysis to compare upgrading its existing fleet to purchasing new helicopters; and Had not used various contracting best practices. Just 3 days after receiving the memo from OCPO, CBP nevertheless continued with the H-60 acquisition by signing an agreement with the U.S. Army. In March 2010, the ARB concluded that both CBP and the Coast Guard were pursuing H-60 conversions and directed the Coast Guard to collaborate with CBP, report on possible helicopter program synergies, and present a joint review within 75 days. The Coast Guard was not able to complete the review because CBP did not provide the needed information. Subsequent attempts to push the acquisition into the ALF failed. We recommended that DHS direct CBP to apply all ALF requirements to all its aviation-related acquisitions. DHS concurred with this recommendation, and CBP was directed to submit its plans to acquire aviation assets to PARM. According to DHS, the ARB would review and decide on CBP's aviation programs and projects as they progressed through the ALF. Information Technology Investments In August 2012, we issued CBP Acquisition of Aviation Management Tracking System (Revised) (OIG-12-104). We reported that although CBP had a joint strategy to unify its aviation logistics and maintenance system with those of the Coast Guard, it planned to purchase a new, separate system. This system would not be coordinated with the Coast Guard's already operational system. We concluded that the acquisition did not comply with the Secretary's efforts to improve coordination and efficiencies among DHS components. Acquiring the new system would also be a continuation of components' past practices of obtaining disparate systems that cannot share information. If CBP instead transitioned to the Coast Guard's system, it would improve tracking of aviation management and cost less than purchasing a new system. DHS Governance of Aviation Assets DHS historically has had little formal structure to govern the Department's aviation assets and no specific senior official to provide expert independent guidance on aviation issues to DHS senior management. The Department has intermittently issued policies and established various entities to oversee its aviation assets and operations, but it has not sustained these efforts. For example, DHS set up an Aviation Management Council in 2005, but oversight was inconsistent, and the council stopped meeting in 2007. In 2009, Department-level oversight of DHS' aviation assets resumed. An Aviation Issue Team led by the Office of Program Analysis and Evaluation reviewed potentially co-locating component aviation facilities, finding commonality in component aviation assets, and combining component aviation-related information technology systems. In 2011, the deputy secretary established an Aviation Working Group, but the group did not have a charter, defined roles and responsibilities, or an independent aviation expert. It collected data on CBP and USCG missions, aircraft inventories, flight hours, and aviation resources; reviewed components' funding plans and opportunities for joint acquisitions; and considered an organizational structure for a Department-wide aviation office. However, according to senior officials, without an authoritative expert, DHS was relying on unverified information from components to make aviation-related decisions. In addition to challenges in establishing a structure to govern aviation assets, DHS has had difficulty bringing aviation-related acquisitions into the ALF. For example, CBP's Strategic Air and Marine Plan (STAMP) has an estimated life-cycle cost of about $1.5 billion. STAMP encompasses all of CBP's aviation-related acquisitions used to detect, interdict, and prevent acts of terrorism near and across or across U.S. borders. CBP does not believe that STAMP should be subject to the ALF because the program existed before DHS established the framework. We contend (and have recommended) that individual programs and projects under STAMP should go through the ALF separately. Unmanned Aircraft In CBP's Use of Unmanned Aircraft Systems in the Nation's Border Security (OIG-12-85, May 2012), we reported that CBP had not adequately planned the resources needed to support its unmanned aircraft. CBP's plans to use the unmanned aircraft did not include processes to ensure that: (1) Each launch and recovery site had the required operational equipment; (2) stakeholders submitted mission requests; (3) mission requests were prioritized; and (4) it obtained reimbursement for missions flown on stakeholders' behalf. Because these were not included, CBP risked having invested substantial resources in a program that underutilized resources and limited its ability to achieve its mission goals. Specifically, our audit showed that CBP had not achieved its scheduled or desired levels of flight hours for the unmanned aircraft. We estimated that 7 unmanned aircraft should support 10,662 flight hours per year to meet the minimum capability and 13,328 flight hours to meet desired capability. However, staffing and equipment shortages, coupled with FAA and other restrictions, limited actual flight hours to 3,909--37 percent of the unmanned aircraft's mission availability threshold and 29 percent of its mission availability objective. CBP's Advanced Training Center Acquisition In February 2014, we issued U.S. Customs and Border Protection's Advanced Training Center Acquisition (OIG-14-47). We reported that CBP did not effectively oversee and manage the fourth phase of the acquisition of its Advanced Training Center. Although not subject to the ALF, CBP did not comply with Federal and Departmental regulations governing acquisitions. CBP did not develop and execute the $55.7 million agreement with its service provider, the U.S. Army Corps of Engineers, according to Federal, Departmental, and component requirements. In particular, CBP did not develop, review, or approve a required independent Government cost estimate and acquisition plan prior to entering into the agreement. Key documentation supporting the agreement with the Corps of Engineers was either missing or incomplete. CBP also approved millions of dollars worth of contract modifications to the agreement without first ensuring the need and reasonableness of the modifications. In addition, CBP improperly used reimbursable work authorizations to transfer money for this project, as well as other construction projects. During our audit, CBP began taking action to ensure future compliance with all statutory requirements; CBP concurred with all our recommendations. TSA's Advanced Imaging Technology We issued Transportation Security Administration's Deployment and Use of Advanced Imaging Technology (Revised) (OIG-13-120) in March 2014. We reported that the Transportation Security Administration (TSA) did not develop a comprehensive deployment strategy for using advanced imaging technology (AIT) units--procured at a cost of nearly $150 million--at airports. Because TSA did not have reliable data to determine whether the units were effectively deployed, TSA decision makers could not implement efficiency improvements. This occurred because TSA did not have a policy or process requiring program offices to prepare strategic acquisition or deployment plans for new technology that aligned with the overall goals of the Passenger Screening Program. The AIT units did not undergo a stand-alone acquisition review, but were instead reviewed as part of the Passenger Screening Program. Because the AIT units met the Level 1 acquisition threshold, they should have gone through all the steps required for that level. TSA should also have developed a deployment strategy for the AIT units, but it only developed a deployment schedule. Without documented, approved, and comprehensive plans, as well as accurate data on the use of AIT, TSA continued to screen the majority of passengers with walkthrough metal detectors. This potentially reduced AIT's security benefits, and TSA may have used resources inefficiently to purchase and deploy AIT units that were underused. failing to use acquisitions to forge ``one dhs'' In addition to failing to manage high-risk acquisitions through a governing process, DHS acquisitions often miss opportunities to ensure DHS acts in a concerted and efficient manner. DHS has struggled to become fully integrated. With 22 components and a range of missions, cooperation, and coordination continue to be a challenge. The Department's structure sometimes leads to ``stovepiping''--components operating independently and management often not cooperating and sharing information to benefit ``One DHS.'' In an April 2014 memorandum for DHS leadership, the Secretary reiterated the need to strengthen the Department's ``unity of effort.'' During our recent audits, we identified several programs in which there was little or no cross-component coordination and communication and weak Department-level authority. These led to cost inefficiencies and ineffective program management. Therefore, we made recommendations to enhance collaboration to improve both efficiency and effectiveness and prevent waste and abuse. DHS Radio Equipment Program DHS manages about 197,000 pieces of radio equipment and 3,500 infrastructure sites, with a reported value of more than $1 billion. We issued a pair of reports that highlighted the problematic nature of some of the acquisition processes for communications equipment. In one of our audits, DHS' Oversight of Interoperable Communications (OIG-13-06, November 2012), we tested DHS radios to determine whether DHS components could talk to each other in the event of a terrorist event or other emergency. They could not. Only 1 of 479 radio users we tested--or less than one-quarter of 1 percent--could access and use the specified common channel to communicate. Further, of the 382 radios tested, only 20 percent (78) contained all the correct program settings for the common channel. In other words, DHS components could not talk to each other using $430 million worth of radios purchased nearly a decade after the 9/11 Commission highlighted the problem. They could not do so because DHS did not establish an effective governing structure with the authority and responsibility to ensure it achieved Department-wide, interoperable radio communications. We also reported that without an effective governing structure and a concerted effort to attain interoperability, the Department's progress would remain limited. DHS' plans to achieve interoperability are still in progress. The Department has drafted, but not finalized, a DHS Communications Interoperability Plan; it has extended the date of signature from April to September of this year. In August 2013, we issued DHS Needs to Manage Its Radio Communication Program Better (OIG-13-113). We reported that without sound investment decisions on radio equipment and supporting infrastructure, DHS could not effectively manage its radio communication program. DHS had not implemented a governance structure with authority to establish policy, budget and allocate resources, and hold components accountable for managing radio programs and related inventory. Components were still independently managing their current radio programs with no formal coordination with the Department. They used different systems to record and manage personal property inventory data, including radio equipment. The components' inventory data also indicated they did not record radio equipment consistently in personal property systems. As a result, DHS was making management and investment decisions for the radio communication program using inconsistent, incomplete, and inaccurate real and personal property data. We concluded that a Department-wide inventory would help DHS prioritize its needs, plan its investments, and help plan future acquisitions and manage communication networks. DHS also needs a strong governance structure over its radio communication program. Thus, we recommended that the Department develop a single portfolio for radio equipment and infrastructure and establish a Department-level point of accountability. In response to our recommendations, DHS said that because of budget constraints, it would include a time line and resources for portfolio management in its fiscal year 2016 Resource Allocation Plan. The Department was collecting data to develop a single profile of assets, infrastructure, and services; reviewing existing policies and procedures; and planning to revise its personal property manual by June 30, 2014. Cross-Border Tunnel Program In our audit of CBP's and U.S. Immigration and Customs Enforcement's (ICE) efforts to monitor and detect illegal cross-border tunnels (CBP's Strategy to Address Illicit Cross-Border Tunnels, OIG- 12-132, September 2012), we reported that although CBP is creating a program to address capability gaps in countering the cross-border tunnel threat, it had not demonstrated how its detection strategy would consider ICE's needs. CBP and ICE need coordination and oversight in developing these technologies because the Border Patrol's mission objective is to prevent illegal traffic from crossing the border while ICE's objective is to investigate and dismantle criminal organizations. Without taking into account both components' needs, the Department risks not being able to disrupt criminal organizations that engage in cross-border smuggling. We made recommendations to improve consideration of CBP's and ICE's needs and to improve DHS' coordination and oversight of counter-tunnel efforts. CBP took action on our recommendations, including formation of an Integrated Product Team, which includes relevant stakeholders. It also planned to draft required acquisition planning documents and submit the program to the ARB. Aviation Our audit of CBP's H-60 helicopter program showed that CBP did not properly oversee and manage the conversion and modification of its H-60 helicopters, which affected the cost-effectiveness and timely delivery of the converted and modified H-60s. We noted that increased cooperation between CBP and the Coast Guard in managing the conversion and modification of its H-60 helicopters would reduce redundancies and potentially save millions of dollars. Specifically, if CBP were to complete the conversions and modifications at a Coast Guard facility, it would save about $126 million and H-60s would fly 7 years sooner. The Department's own independent study confirmed that CBP would realize substantial savings by using the Coast Guard facility. Specifically, DHS estimated CBP could save at least $36 million and as much as $132 million in the cost of conversion alone. According to DHS, it could not be more precise because CBP did not provide sufficient data. Mr. Chairman, this concludes my prepared statement. I welcome any questions you or other Members of the committee may have. Appendix Major Management and Performance Challenges Facing the Department of Homeland Security, OIG-14-17, December 2013 Independent Auditors' Report on DHS' FY 2013 Financial Statements and Internal Control over Financial Reporting, OIG-14-18, December 2013 DHS' H-60 Helicopter Programs (Revised), OIG-13-89, May 2013 U.S. Customs and Border Protection's Management of the Purchase and Storage of Steel in Support of the Secure Border Initiative, OIG-12-05, November 2011 Transportation Security Administration's Deployment and Use of Advanced Imaging Technology, OIG-13-120, March 2014 DHS Needs to Manage Its Radio Communication Program Better, OIG-13-113, August 2013 United States Customs and Border Protection's Radiation Portal Monitors at Seaports, OIG-13-26, January 2013 DHS' Oversight of Interoperable Communications, OIG-13-06, November 2012 CBP's Strategy to Address Illicit Cross-Border Tunnels, OIG-12-132, September 2012 CBP's Use of Unmanned Aircraft Systems in the Nation's Border Security, OIG-12-85, May 2012 Unclassified Summary of Information Handling and Sharing Prior to the April 15, 2013 Boston Marathon Bombings, April 10, 2014 DHS Uses Social Media to Enhance Information Sharing and Mission Operations, But Additional Oversight and Guidance Is Needed, OIG-13- 115, September 2013 DHS Can Make Improvements to Secure Industrial Control Systems, OIG-13- 39, February 2013 CBP's and USCG's Controls Over Exports Related to Foreign Military Sales, OIG-13-118, September 2013 U.S. Customs and Border Protection Has Taken Steps to Address Insider Threat but Challenges Remain, OIG-13-118, Redacted, September 2013 DHS Needs to Strengthen Information Technology Continuity and Contingency Planning Capabilities, OIG-13-110, Redacted, August 2013 DHS Can Take Actions to Address its Additional Cybersecurity Responsibilities, OIG-13-95, June 2013 DHS' Efforts to Coordinate the Activities of Federal Cyber Operations Centers, OIG-14-02, October 2013 Homeland Security Information Network Improvements and Challenges, OIG- 13-98, June 2013 Chairman McCaul. Thank you, Mr. Roth. The Chair now recognizes himself for 5 minutes. Mr. Mayorkas, let me first commend you for the clean audit, for getting more items off the high-risk list, for your efforts in DHS acquisition. The memo that came out recently by you and the Secretary actually mirrors our legislation that we passed unanimously out of committee. So I do commend you for that. But I do have to raise an issue that happened last Thursday when the Secretary of Homeland Security placed the former acting inspector general, Mr. Edwards, under leave after a Senate report came out alleging among other things that Mr. Edwards intentionally changed and withheld information in some IG reports to accommodate the administration's political appointees, and that he sought outside legal advice, compromising the IG's independence. Now, I don't know if these allegations are accurate. But if they are, this is the internal watchdog. This is sort-of like the old adage the fox guarding the henhouse. I know you are concerned about this, as I am. But can you tell me, has the Department launched an investigation into these allegations? Mr. Mayorkas. Thank you very much, Mr. Chairman. I would like to make two points in response to your very important question, one specific to the announcement to which you refer last Thursday. That is that the Secretary took swift and strong action in placing the former inspector general on administrative leave, and made the very important point that as additional facts are learned, appropriate action will be taken. So this is a matter that is under process. I don't think it would be appropriate for me to speak in more depth about a personnel matter. The overarching point that I would like to make is the following, and it is a very simple but a very important message. That is that the highest degree of ethics and integrity are conditions of employment in the Department of Homeland Security. Chairman McCaul. So after this came out the Secretary placed him on administrative leave and the inspector general has been tasked to investigate the current inspector general, who is with us today. Is that correct or not? Mr. Mayorkas. I am actually not certain as to who is conducting that investigation, Mr. Chairman. Perhaps my colleagues here know. Chairman McCaul. Leads me to my next question. Mr. Roth, are you investigating these allegations? Mr. Roth. We are not. What we have is within the Inspector General Act a process by which allegations against either the inspector general or people within reporting to the inspector general, allegations with regard to misconduct get investigated. There is the entity called the Committee of IGs for Integrity and Efficiency that has a special investigative committee. They have received a complaint--a series of complaints really, with regard to the former acting inspector general. That has now been farmed out to a different inspector general to ensure objectivity and you know to ensure that it is an independent and objective review of that. My understanding is that that investigation is being conducted by the inspector general from the Department of Transportation. Chairman McCaul. Because these allegations are so serious the decision was made not to go with the IG within DHS, but rather farm it out to the IG at the Department of Transportation. Mr. Roth. That is correct. Again, we followed the Inspector General Act, which basically dictates how these things should work. Chairman McCaul. I mean does it concern you about these allegations involving allegations out of Cartagena with the Secret Service, or a report for $650,000 that was never disclosed on accountability and risk management? Mr. Roth. It deeply concerns me. Essentially the morning after I read the report I ordered that those reports be taken down from our public website. I have tasked a senior lawyer from our Office of General Counsel, that is our Office of General Counsel, not the Department's Office of General Counsel, to conduct an internal investigation to talk to the career auditors who actually researched and wrote those reports to find out exactly what was changed, why it was changed, to restore those reports to its original condition and then repost it and report the results of it, not only to the committee but to the public. Chairman McCaul. Well, we look forward to hearing the results of that investigation. I also appreciate your testimony about the lack of interoperability at a 99.8 percent failure rate, which is astounding to me. The final question to Mr. Dodaro, and that is you mentioned information sharing with respect to terrorism threats and cybersecurity, two issues very important to me and to this committee. After the Boston report have you done an analysis of the failure of information sharing? Mr. Dodaro. No, we have not been asked to take a look at that particular situation. Chairman McCaul. But you still mention that is high-risk in the DHS list. Mr. Dodaro. Oh yes, definitely. It looks at not only DHS but the five other--or four other agencies that are involved. It is a Government-wide high-risk designation in terms of information sharing. DHS is an important part of it. But we do look at the program manager at the DNI, the Director for National Intelligence, as well as the coordination with the Treasury and Justice and DHS. Chairman McCaul. Of course we know the inspector generals for the ICE and Department of Justice and DHS all came out with their report, which was, I think, a very candid assessment about what happened that day and what failed that day. With that, the Chairman now recognizes the Ranking Member. Mr. Thompson. Thank you, Mr. Chairman. Following that line of questions from the Chairman, Mr. Dodaro, do you foresee any time in the near future that DHS will get off the high-risk list? Mr. Dodaro. I think there is ample opportunity for continued progress. They need to meet the criteria for coming off the list, particularly getting another year of a clean opinion on the financial statements, but also on internal controls. There is a statutory requirement that they have an opinion on internal controls, which is rather unique in the Federal Government, but nonetheless it is there and their current time frame for doing that and modernizing their financial systems is 2016 and beyond. They need to also demonstrate that they need to--that they can bring some of these acquisitions in within budget, scheduled on time and deliver a functionality that was originally intended by those acquisitions. So you know those are only two areas. I mean there are milestones within the other ones as well. So I think it is achievable in a relatively short-term, but it is going to take a while to actually produce these results. I am committed to working with the Department constructively. But I am not going to take anything off the high-risk list until the problems have been resolved. Mr. Thompson. Well, you referenced some material weaknesses within Coast Guard, FEMA, ICE, and CBP. What has been the response from those agencies when you shared those weaknesses with them? Mr. Dodaro. They have listened to what we have had to say. But there needs to be agreement not only in the Department-- within the components, excuse me, but also at the Department- wide level. I mean part of the time that has been lost there in the financial management systems, which is what I was specifically talking about, is the Department pursued two efforts at least to have a Department-wide financial management system. Both of those efforts failed. Now they have tried to have a component- oriented approach to doing this, which can work, but it needs to have Department leadership. So we are going to be looking more carefully at this financial management modernization effort that they have under way. But it is still in its early stages. FEMA is the one that is furthest behind. Mr. Thompson. To the extent, Mr. Roth, you kind-of highlighted some of this in terms of the acquisitions and other things we have experienced within DHS. Explain what--you said that somehow DHS is in charge but that the components don't follow the regulations. I think you were saying we have DHS up here and we have got these other people under here and the people down here kind-of do what they want to do. The people up top just kind-of observe them. So, who is really in charge? Mr. Roth. That is exactly the issue that we see. I mean right now the Department has something called the Acquisition Life-Cycle Framework, which is a, sort-of a framework that is there to ensure that acquisitions are well thought-out, that there are trigger points for review by high-level Department officials to ensure that we are spending money in the right way. It is a good program. It is run by the under secretary for management in a group called the Program Accountability and Risk Management Section within the under secretary's office. It works when it is used because it is deliberate. It is objective. It allows money to be spent in the right way. The difficulty is it was only set up in 2011. So you have some of these very high-dollar acquisitions. For example, the Customs' Air and Marine program, basically the ships and the helicopters and the airplanes that Customs purchases, all high-risk acquisitions, all big-dollar acquisitions, something like $1.5 billion life-cycle costs for these things, are not part of that system because they pre- existed. What we believe ought to happen is that the leadership, the Secretary and the deputy secretary need to, candidly, be firmer with the components to ensure that these kinds of acquisitions get forced into the framework that DHS has set up. Mr. Thompson. I yield back. Chairman McCaul. Chairman recognizes Dr. Broun from Georgia. Mr. Broun. Thank you, Mr. Chairman. Let me wish Mr. Dodaro a happy birthday myself too. So I hope you have a great day, sir. It is a great way to spend it is with us. Mr. Dodaro. Well, I am ending it on the Senate. Mr. Broun. Well, I wish you well over there too. I think we are nicer than they are over there. But my first question to you guys is that we have, as Members of this committee, struggled with the jurisdiction issues. It seems to me that when any entity has multiple bosses then they have absolutely nobody in charge and no true boss. I am concerned about where we are going. We look at the high-risk issues and what is happening with acquisition and with cybersecurity and with all the other areas that you all have brought forward as being problem areas. I will start with Mr. Dodaro. Would you comment as to the issue of jurisdiction? Is this--is jurisdictional problems part of why the DHS is struggling so much and has all these high- risk areas? If so, what would you recommend? How would you recommend to rectify that? Mr. Dodaro. I don't believe jurisdictional issues are a factor in these high-risk designations, particularly with management functions within the Department. I think it is just a matter of the Department having to get the processes in place and execute properly. I mean in many cases they have the right policies in place. They are just not executing them appropriately. It is just a matter of the Department having to work more to provide guidance to the components and use the power of the purse, if you will, to not let them spend money unless they have approved baselines for acquisitions and they have done proper testing. I mean they shouldn't be able to move forward without that. I mean the prescription for success in this area is very clear in following best practices. But they are just not following it. You could--you know, the jurisdictional issues I don't believe are at play here. It is just a manner of good management and follow-through and discipline. Mr. Broun. So this is a management problem then within the Department itself? Mr. Dodaro. Yes, for the management areas on the high-risk list definitely. Mr. Broun. How far up the chain does that go as far as management problems? Mr. Dodaro. Well, I think it goes to the highest levels in the---- Mr. Broun. As far as the Secretary? Mr. Dodaro. Yes. I think everybody has to be engaged. I think the Secretary's memo that he just announced in April to have more integrated planning and budgeting and requirements management and putting structures in place in the environment that work effectively would be a great step forward if they can get that done. Now, in the other areas in the cybersecurity and the information-sharing area, those are Government-wide high-risk areas. So the Department itself can't address those issues. Theirs were I don't think jurisdictional issues at play, but it requires broader oversight by the Congress because it is a Government-wide area. Those areas I think some joint hearings and some other efforts with other committees that have responsibility, and the House and Senate working together would be helpful, particularly in passing legislation, which we have called for to clarify DHS's role and responsibilities as it relates to Federal oversight of computer security and critical infrastructure protection. There I think you need more parts of the Congress working together to help DHS get the proper authorities in place. Mr. Broun. Well, you say it is a Government-wide problem and overall in some of those areas. But that is not an excuse though that one department, DHS, which we have jurisdiction over shouldn't be solving that problem. Is that correct? Mr. Dodaro. Oh, that is absolutely correct. We have been looking at whether DHS even within the Department is sharing information. We have a report that will be coming out soon on the Office of Intelligence Analysis as to whether or not DHS, within its own organization, is sharing information properly. That is exactly right, Congressman Broun. Mr. Broun. Mr. Roth, do you have any comment on acquisition just very quickly? I have got 30 seconds left to my time. So if you would be expeditious in your answer. Mr. Roth. I think Mr. Dodaro summed it up. We know what to do. We know the process that can be used to make smarter, better acquisitions. The question is forcing the components to follow that process. Mr. Broun. This is a long-standing problem. This is not just with this current Secretary or the past Secretary. It has been really ever since it has been stood up is my understanding. Is that correct? Mr. Roth. That is correct. Again, this process was only stood up in 2011 to try to integrate everything under the under secretary. Mr. Broun. Very good. Thank you, Mr. Chairman. My time is expired. Chairman McCaul. Thank you. Just to follow up my colleague's comments, when we are talking about jurisdiction though in the Congress, not within the Department but within the Congress, when the Secretary has to report to over 100 committees and subcommittees, doesn't that detract from the core mission of protecting the American people, Mr. Dodaro? Mr. Dodaro. Well, we have not looked at that issue. But it is not uncommon in many departments and agencies for the Department of Defense, for example, to have multiple committees to report to. I think early on, and I am going back to the creation of the Department, there wasn't enough transparency in working with the Congress and having open communication. That I think fostered a set of relationships that have to be overcome, and are being overcome over a period of time. So I think if there was more transparency and the Department was actually producing the plans, the jurisdictional issues wouldn't be as acute as they have been because of that I would say getting off on the wrong foot in its relationship with the Congress. Chairman McCaul. Well, again, this is not an issue I fault the Department on. I actually fault the Congress on this one because we can't pass any legislation without multiple referrals to multiple committees. It becomes dysfunctional within the Congress. Then it takes time and attention away from senior leadership that need to be doing their job to report to over 100 committees and subcommittees. The Aspen Institute came out with a report talking about it. We need to--it was one of the top recommendations of the 9/ 11 Commission was to have the DHS report to a single oversight committee. That recommendation has never been followed by Congress. I think we need to change that. I am a little disappointed in the answer. I think Mr. Mayorkas may disagree with you on that. Do you? Mr. Mayorkas. Mr. Chairman, I think the Secretary has addressed you and other Members of the Congress expressing his deep concern with respect to the jurisdictional issue and the position it places the Department in. Chairman McCaul. It detracts from the core mission. With that, the Chairman now recognizes Mr. Richmond from Louisiana. Mr. Richmond. Thank you, Mr. Chairman. Mr. Dodaro, now I want to talk about the National Flood Insurance Program. I see that you have made several comments or recommendations regarding it. Do you have any concerns that their current capacity or these notations that you made will affect their implementation of the new Homeowner Flood Insurance Affordability Act? Mr. Dodaro. I think there are a number of recommendations that we have made, for example in modernizing their claims management system that need to be put in place. The implementation of the Act will be a new challenge for them that could detract from some of the implementation of these recommendations. But I think it is very important for them to continue their efforts to modernize the claims system and oversee the contractors that write the policies for the Flood Insurance Program. Mr. Richmond. Well, that is exactly where I wanted to go because you used the term the reasonableness of compensation to the insurance companies that sell and service most of the NFIP policies. Do we think their compensation is on the unreasonable side in terms of high or low? Or is it something that we need to look into? Mr. Dodaro. You definitely need to look into that issue. I mean I think that that is an important question and that is something that we think requires more oversight and whether or not the compensation is appropriate. Mr. Richmond. Our numbers, and I don't know if your numbers would say the same things, in that through the life of the Flood Insurance Program that the amount of money in premiums that have gone in almost equals the amount of money that is going out, except that you have all the administrative expenses that any insurance company would have. But everywhere we can reduce those administrative costs or the costs that the insurance companies are charging for either servicing or the commissions that they receive, we make the program more stable. We can directly save the taxpayers money on those. Have you looked at---- Mr. Dodaro. Yes. I think the administrative costs need to be under constant review to make sure that they are at the minimum necessary to operate the program. However, the premiums in our opinion have not been sufficient to cover the costs of the programs. I mean currently the National Flood Insurance Program owes the Treasury $24 billion and hasn't made a principal payment since 2010 on that issue. So it is not really actuarially sound going into the future. So that is one of the reasons it is on the high-risk list. Mr. Richmond. Right. I don't think that we will ever get to actuarially sound and maintain a sense of affordability for the 5 million homeowners who participate in the program. But I think the goal should be that where we can save money we should save money. Where we can be more efficient we should be more efficient. So that is my concern when we talk about the efficiency of the management of the program and making sure that the people who service the program are being as efficient, and we are very diligent in terms of what we are paying them. So the other thing you mentioned was the debt management and how that could offer us some cost savings. Mr. Dodaro. Well, I think it is important that they figure out how to both build a reserve for the future potential cost, but also how to figure out how to repay the Treasury Department for the amount of money that they owe. That is going to be a tall order for them given the current statutory framework on which they have to operate under. So I think additional action will be needed by the Congress to help them in order to put the program on a firmer financial footing. Mr. Richmond. Then I guess we can have the whole philosophical debate. But we have to get it on firm financial footing. But actuarial rates is probably not the way to do it considering that many of these homes were built before there was a requirement for flood insurance. To go back and change it in our area we saw rates increasing from $500 and $600 to $10,000 a year, which will cause another mortgage collapse and all of those things. Mr. Dodaro. So I agree with you. I think--I mean there has to be a balance between affordability and fiscal responsibility and accountability and in this case transparency because if the homeowners aren't paying for the insurance that means the general taxpayers are. It is not really clear what the subsidies are. I am particularly concerned about the future. We have put also on the high-risk list limiting the Federal Government's exposure by better managing climate change risks. With the potential for climate change and other additional issues in the offing, I mean this program is one that requires I think constant scrutiny and more transparency about who is paying for what in the program. But I agree with you, affordability has to be a policy priority. Mr. Richmond. Mr. Chairman, I see my time is expired. I was just going to ask Mr. Mayorkas if he had a response. I am not requiring one. Mr. Mayorkas. I do not. I do not, Mr. Congressman. Mr. Richmond. Thank you, Mr. Chairman. Yield back. Mr. Mayorkas. Mr. Chairman, may I make a point if I may, even though there is no question pending to me I feel compelled to share something with the committee because my colleagues have expressed concern that components do not necessarily follow the direction that a best practice would require to address a management challenge. I think it is very important to communicate to this committee very clearly to ensure that there is no misimpression that the components are willfully disobeying guidance. It is not an issue of that. But it is rather an issue of putting the structures and the mechanisms in place to drive everyone in the same direction and to ensure a disciplined and rigorous adherence to best practices. It is really a matter of accountability. I know there was a reference made that we don't have appropriate accountability mechanisms in place, and I would respectfully disagree with that. Quite frankly, if there is a failure of a component to adhere to a best practice in the service of addressing a management challenge, I am ultimately accountable for that. Of course the Secretary is. But I am overseeing the management of the Department on behalf of the Secretary, and that accountability regime rests with me. Chairman McCaul. Well, I appreciate you taking responsibility for that. I hope to see some good results. Chairman recognizes Mr. Duncan. Mr. Duncan. Thank you, Chairman, for this valuable hearing today. I want to thank the panelists for the comments that they made about H.R. 4228 and the acquisition reform bill. You know the goal is to improve discipline accountability and transparency and acquisition program management and a lot of things that I am hearing on all the topics today come down to just those basic disciplines of doing best practices and all of the acquisition reform. So I heard Secretary--I mean Comptroller Dodaro say this. But deputy secretary, have you had a chance to review H.R. 4228? Mr. Mayorkas. I have, sir. Mr. Duncan. Okay. Do you believe it will aid DHS in addressing acquisition management challenges? Mr. Mayorkas. I do, sir. I should inform you and this committee that in reviewing the proposed legislation that this committee passed I have drawn some practices that we should adopt and not await the passage of the legislation. Mr. Duncan. Thank you. I agree. Whether we have to have Congressional legislation passed or not it is the right thing for the Department to do. I think the Secretary agrees with us as well. So thanks for saying that. With the most recent GAO high-risk report citing the Department's continued management challenges, and with our country being $17.5 trillion in debt, do you think it is wise for DHS to continue to spend scarce spending on unnecessary green initiatives and costly renovations on a project such as St. Elizabeth's that won't be complete until 2026, and will cost the American taxpayer about $4.5 billion or more, deputy secretary? Mr. Mayorkas. Mr. Congressman, as a general principle of course no expenditure of funds should be permitted that does not yield an effective and efficient delivery of service on behalf of the American people. The Secretary is reviewing the St. Elizabeths project, and we are as a Department with all components involved taking a look at what our resource investment should be in light of the cost and our current budget environment. It was as recently as yesterday that all the components met with the Secretary and me on that very subject. Mr. Duncan. Well, I think that is great. I appreciate the Secretary reviewing that. I just don't believe that--you know in a utopian society rainwater flush toilets are awesome. But when you are $17.5 trillion in debt and you are accountable to every taxpayer dollar, I think you need to start questioning that and maybe the use of the hardest wood from Brazil for the decking when you could use a composite material that will last just as long and save the taxpayer dollars. So I appreciate your efforts and I look forward to that. I ask the comptroller general about St. Elizabeths and the cost overruns. I know GAO has looked at that. Do you care to comment on saving taxpayer dollars and that? Mr. Dodaro. Well, certainly we support the effort to do any program activity at the least cost possible. We are currently looking at the St. Elizabeths situation and we will be happy to share our report with this committee as soon as it is complete. Mr. Duncan. We look forward to that as well. So deputy secretary, given the large number of programs still lacking Department-approved documents and experiencing cost overruns and schedule delays, what do you believe is the biggest challenge with regard to the high-risk list, the biggest challenge in doing effective oversight of DHS major acquisition programs? Throw out some challenges that you have got. There might be another nugget in there that we can pursue from the Congressional side. Mr. Mayorkas. Thank you, Mr. Congressman. I think that my colleagues Mr. Dodaro and Mr. Roth have identified issues with respect to our acquisition program. The Secretary, through the Unity of Effort memorandum that he issued, to which the Chairman referenced, puts in place a structure to drive better acquisition oversight and management. I lead under the Unity of Effort, a paradigm, I lead the deputy's Management Action Group where we are all--components and headquarters--together in ensuring that capabilities are identified, the needs are properly identified. The gaps are therefore disclosed. We don't close those gaps without establishing effective requirements, understanding our budget constraints, being effective and efficient in the use of our money, and ensuring that the delivery of service takes all of those factors into account. Mr. Duncan. I am about out of time. I will say that hearings like this are refreshing. What I am hearing from all the gentlemen is that it seems that the Department is moving in the right direction. I would attribute the Chairman's leadership and this committee for helping nudge the Department in the right direction with regard to acquisition management and addressing a lot of the concerns that were brought about by the gentleman from Louisiana and the gentleman from Georgia. So I want to applaud the Department for continuing to move in that direction. I can tell you we are going to be right behind you to make sure that the trend continues. With that, Chairman, I yield back. Chairman McCaul. We also commend your leadership as Chairman of the Oversight Subcommittee. You have done a fantastic job. Chairman recognizes Mr. O'Rourke from Texas. Mr. O'Rourke. Thank you, Mr. Chairman. I would like to present the panel with two current acquisition projects and then get your comments. The first is one that we had a hearing on within the last month, the Arizona Border Surveillance Technology Plan, which essentially would spend between $500 million to $700 million to put a series of fixed towers along the Arizona-Mexico border with a high-tech surveillance system there, obviously to try to apprehend people who might cross into the country illegally. This is on the heels of the failed SBInet program that spent a billion dollars and achieved almost nothing at great taxpayer cost and Government waste. In that hearing we learned from someone on your team at the GAO that there were several significant findings that the GAO had made, including no clear metrics and no clear life-cycle costs for that program. So that is one that comes to mind. The second in El Paso, Texas is a half-mile stretch of currently unfenced border between El Paso and Juarez, an area where in the last 4 years without there being a fence total crossings have dropped year after year and they are at a fraction of what they were even 4 or 5 years ago. It is also a very historical crossing point. DonJuan De Onate in the 16th Century crossed there. The sensitivity is so great that not only have I but the other Congressman representing the area, one of our U.S. Senators, the city council, the State senators, the State delegation have all pleaded with CBP not to construct that wall there at a cost of $5.5 million. But we were told by the acting commissioner at the time that the wheel is already in motion and it is too hard to stop this. So with those two examples my question is: When is it an appropriate time to put on the brakes? I would think that those major findings that the GAO made after the failure of SBInet we should stop before proceeding with this Arizona Border Surveillance Technology Initiative. The $5.5 million in El Paso may not sound like a lot, but $5.5 million here, $5.5 million there soon it adds up and becomes real money. So I would like to get your thoughts on how we get greater control on spending when there are findings, when there are concerns raised by this committee or the GAO, when it might be appropriate to pause and rethink some of those projects. Mr. Mayorkas, we will start with you. Mr. Mayorkas. Thank you very much, Congressman. I have, in the short time that I have been in office I have visited the Texas-Mexico border as well as the Arizona-Mexico border. I will tell you that visiting--there is no substitute for visiting the border because one understands first-hand the challenges that it presents. The lesson that I learned there is certainly it is not a one-size-fits-all model. There have to be different technological and operational solutions to address the very different and very diverse challenges that the Southwest Border presents. You ask a very fact-specific question, which is: When is it right to pull out of a project when the project isn't going well? I think that---- Mr. O'Rourke. Not just pausing the project. We could use Arizona--the border surveillance plan there. Would it not make sense for DHS to stop spending until those GAO concerns are resolved? Mr. Mayorkas. Congressman, as a general matter I find it untenable to continue to pour money into a project when one doesn't have a level of confidence in the effectiveness and efficiency of the undertaking. So that is a general principle. In fact we have executed on that general principle over the last few months. We have paused. We have suspended discrete projects because we have not had confidence in the stability of the undertaking. So there is no shyness. There is no hesitation to do that in order to make sure that we do not develop something that is ineffective by the time it is deployed---- Mr. O'Rourke. Right. Mr. Mayorkas [continuing]. And we create more work for our oversight---- Mr. O'Rourke. Sorry to interrupt, but I have little time left. You have paused in other projects. Will you pause in this project? Mr. Mayorkas. I--as I sit here today, Mr. Congressman, I am not aware of a reason why the Integrated Fixed Towers Project should be paused. I will tell you that is---- Mr. O'Rourke. I gave you two. Mr. Mayorkas. I will have to look into the second one, which is the wall that---- Mr. O'Rourke. I gave you two reasons on that Arizona Border Surveillance. No life-cycle costs and no clear metrics for what that is supposed to achieve after spending up to $700 million. Could I hear from Mr. Dodaro on this and Mr. Roth if there is time? Mr. Dodaro. Yes. Our report focused on the fact their cost estimates and the schedule estimates weren't complete or reliable. There was limited testing planned on there as well as the fact that there weren't metrics tying it to the particular problem. The Department agreed with most of the recommendations. Except I was disappointed they didn't agree to do more testing on this. I think this is important given the past history and some of those other activities. So I think it is important that these issues be addressed before they proceed into full-scale production. Mr. O'Rourke. If the Chairman will allow, I would love to hear from Mr. Roth on this, if you have any comments. Mr. Roth. Yes. The entire life-cycle--acquisition life- cycle framework requires in fact certain stopping points where an examination is done by independent senior leadership to ensure that it should go forward in a timely way or in a rational way. So there are stop points all the way along, and it is perfectly appropriate during an acquisition to hold off and address concerns. Mr. O'Rourke. Okay. Thank you. Thank you, Mr. Chairman. Chairman McCaul. Chairman recognizes Mr. Sanford from South Carolina. Mr. Sanford. I thank the Chairman. I apologize for getting here late. So I did not get to hear the entirety of your testimony. I was caught up in another meeting. But I jotted in a note in looking at preliminary brief. There was a GAO report that said, DHS could better manage its portfolio, address funding gaps and improve communication with Congress. One of the findings was basically that there was a gap between acquisition of programs and the overall Homeland Security strategy. That at several different junctures this gap was seen between acquisition and strategy. I have got a quote here. I am beginning to lose my eyesight. But it says ``GAO goes on to say in its report that none of the reports that DHS put out consistently identified how individual acquisition programs would help DHS to achieve its goals.'' Then there is some more verbiage from there. So I guess I would turn to the GAO, to you, Mr. Dodaro. Thoughts on that? What else did you see with regard to this gap between a time strategy and individual acquisition programs? Mr. Dodaro. There really are two types of gaps. One is the one that you mentioned. But the second is a funding gap issue in terms of whether or not you have enough money there. I mentioned earlier in my opening statement that of the major acquisitions, 46% don't have approved baseline costs and 77% don't have life-cycle costs. Now, even with that limitation the Department undertook an effort a year or 2 ago to identify what the gap would be if all these acquisitions would cost certain amount of money and the Department had certain amount of resources. They have figured that there was 30% gap between what these acquisitions will cost and what they were likely going to have money for, which means they need to set priorities. Of course in setting priorities you have to go with what your overall strategies are and what kind of priorities are in your strategy. So they need a governance structure at the Department to set these priorities across the Department because they are not going to have, you know, enough money to be able to deal with these issues. This is a similar issue we brought to the Department of Defense's attention. It will particularly be true if sequestration resumes in 2016 through 2022. So it is very important that they deal with this. I know they have some plans to do it. But they are in the very early stages. Mr. Sanford. Couldn't it be said of pretty much any Government agency that there is always a gap between what they would like to have and what they would get? I mean so isn't that---- Mr. Dodaro. Well---- Mr. Sanford. I mean it may---- Mr. Dodaro. Well, but---- Mr. Sanford [continuing]. The issue within Homeland Security or DOD, but---- Mr. Dodaro. Right. Mr. Sanford [continuing]. That seems to be a consistent refrain. Mr. Dodaro. Well, there is a difference between what you-- how much money you are going to have and what you would like to have a lot of money, as opposed to how many projects you have already started down the road that you are not going to be able to complete. That is a different situation. I am saying in that case they are spending money to get these projects up and running, and they are not going to have enough to finish, the money, so that those projects that aren't finished will be not optimal use of the taxpayers' money. As opposed to, we are not going to have this amount of money, here is the priority we want to do. We need to stop this acquisition or we need to redirect our funds to other areas. So it is very important to do that, particularly given the rather poor track record that they have in delivering their acquisitions with functionality, within cost and on time. Mr. Sanford. If you were just waving a magic wand and as you look at this agency in particular, are there other things that perhaps didn't make your report but things that entered your mind? Or that you all evaluated but found too controversial and maybe left off, where you would say this is an area of opportunity that Homeland Security ought to look at in terms of better optimizing taxpayer dollar in maybe a way that they aren't? Mr. Dodaro. No. I think our report is pretty complete. I mean we put everything out there that we have identified. Since the Department has been created we have made over 2,000 recommendations to the Department. About 65% of them they have implemented. They have efforts underway in other areas to implement. So we--I think we have been pretty thorough in pointing out all the major areas that need attention. Mr. Sanford. I suspect you might have a counterpoint to some of this and I therefore would offer the floor to you in the few seconds that I have got left. Mr. Mayorkas. Congressman, I think I actually will not have a counterpoint. I think, quite frankly, that the work of Mr. Dodaro and his team has helped make us better, and identified gaps that we need to fill. I think I can say the same for the work of Mr. Roth and his team. You used the word opportunity. Fortunately I am an optimist and so I look at the challenges we have as opportunities, opportunities to be better. Mr. Dodaro referred to the fact that a governance structure presents some hope, some cause for optimism, but it is at the nascent stage. That is true. Both the Secretary and I are new. The Secretary has put in place a governance structure and we will drive to achieve its aspiration. Mr. Sanford. I burned through my time. Thank you, Mr. Chairman. Yield back. Chairman McCaul. Chairman recognizes Mr. Payne. Mr. Payne. Thank you, Mr. Chairman. Mr. Roth, you know the findings in the November 2012 IG report on interoperable communications at DHS are very concerning. I have introduced legislation to DHS Interoperable Communications Act that aims to address the problems, you know, related to the Government structure and strategy identified in the report. In your testimony you mentioned that the Department has developed but not finalized DHS Communications and Interoperability Plan. Have you seen drafts of this plan? Mr. Roth. I have. Mr. Payne. Okay. What do you think to this point? Mr. Roth. We made our primary recommendation after doing the audit that had the 99.8% failure rate, was that there ought to be an interagency structure that had an individual or group with true power to be able to require the components to get interoperable systems. The Department, inexplicably in my mind, non-concurred with that, and instead went forward with what we consider to be a lesser proposal requiring essentially cooperation among the components. We think that is the wrong way to go. We think showing strong leadership is the way to go, and essentially forcing compliance by the components. Mr. Payne. Yes. Well, you know it is clear based on information I have that this legislation, you know, is crucial to finally get Department-wide interoperability. I was shocked to hear that in your testimony, you know in your test case, only 1 out of 479 first responders were able to get on a common channel. You know 1 out of 479. What is it going to take to achieve interoperability? As you say, the Department is obviously not following recommendations that have been made. That you say have decided to go with a lesser plan. What is it going to take to get to interoperability? Mr. Roth. Well, certainly hearings like this I think highlight the problem. Accountability by this committee and other committees and the American people to ensure that the purposes behind DHS, which was to have all these disparate agencies under one roof so they could in fact talk to each other is a good thing. But again, it is a promise that has not yet been kept. Mr. Payne. Okay. You said many didn't even know that the common channel existed. Is it going to take more training or as you said more hearings like this and a concerted effort on us to push them in that direction? Mr. Roth. To be fair, this test took place in 2012 before the current administration within DHS was appointed. We are hearing good things from the Secretary and the deputy secretary with regard to unity of effort. I am optimistic that we can get there. But I am frankly concerned that as we speak today a Secret Service agent in New York can't get on his radio and talk to a Federal Protective Service officer in New York or a CBP officer in El Paso can't talk to a Homeland Security Investigations Agent in the same city. Mr. Payne. Okay. Thank you, Mr. Chairman. I yield back. Chairman McCaul. Let me just state for the record, Mr. Payne, your bill on interoperability will be part of our mark- up in May coming up soon. So we thank you for that. Chairman now recognizes the gentlelady from New York, Ms. Clarke. Ms. Clarke. Thank you, Mr. Chairman. Thank you, Ranking Member. My first question is to you, Mr. Mayorkas. I want to talk about the Department's transition to a large portion of its information technology to the cloud, and a couple of questions with regard to that. Does the CIO work with the Department cybersecurity and privacy experts to ensure that proper protections are in place for cloud-based technologies? How does this improve efficiency? Do you anticipate this move to the cloud resulting in cost savings? What steps are being taken to ensure that the private cloud utilized by the Department is secure? Mr. Mayorkas. Thank you very much, Congresswoman, for the question. The answer is yes. The head of information technology, Luke McCormack, does work very closely with our NPPD, our directorate, and Susanne Spaulding. It is made to ensure that the use of the cloud passes cyber-hygiene, if you will. What the cloud provides is the ability for the Department to essentially pull on an as-needed basis certain technological capabilities. So with that nimbleness and surgical use of IT not only do we gain effectiveness, but we also gain cost savings. Ms. Clarke. Well, there has been a lot of talk here on the Hill. We have turned our attention to immigration reform and proposals such as the DREAM Act may create a pathway for many millions of youngsters becoming American citizens. This could create a major influx of applications coming to the USCIS system. Would the limitations of current paper-based system that I am sure you know all too well, how will USCIS handle this increased caseload? Are there any activities underway at the headquarters level to address this impending issue? Mr. Mayorkas. Thank you very much for that question, Congresswoman. We of course remain committed to comprehensive immigration reform. I think there are two streams of activity that are responsive to your question. One is to develop the technological capabilities to accept a large influx of new applicants in an electronic or on-line environment. That effort is under way. It is a very significant and challenging effort, but we are making progress in it. It is called transformation to move from a paper-based agency to an on-line environment on the one hand. On the other hand, U.S. Citizenship and Immigration Services, which I was very proud to be a part of for 4 years, is extraordinarily adept at handling surges in the number of individuals coming before it. It has exhibited that nimbleness and that adeptness in the last 2 years in taking on a huge surge in previously unanticipated applicants. Ms. Clarke. So you believe that the transformative nature of the new technologies that you are currently sort-of testing would be able to manage potentially, you know, tens of thousands if not millions of individuals seeking to apply for-- through for immigration reform and the personnel commensurate with that is sort-of trained and gearing up as well? Mr. Mayorkas. Congresswoman, the goal of transformation is to be able to do that. We are working towards that. It is a challenging undertaking, but we are working towards that on the one hand. On the other hand, to be able to address an increase in applications of, for example, 11.5 million people, there is an infrastructure that needs to be built. We have communicated very clearly to the bipartisan committee that passed the Senate bill last year. They understood and legislated accordingly that there needs to be some ramp-up time so that the agency could in fact build the infrastructure to take on that significant new workload. But not just personnel, but facilities, IT infrastructure and the like, but we are prepared with time and funding to meet that challenge. Ms. Clarke. Very well. Then I just wanted to quickly--my time is winding down--talk about disciplinary practices. There are a lot of folks who believe that there are some--it is inequitable and oftentimes arbitrary. For example, there is no Department-wide standard for penalties. The same offense can engender different results without any sound reason for this discrepancy. Would you agree that the Department could benefit from standardized disciplinary processes? How not having these processes in place can have an impact on low morale, for instance? Is a Department-wide standard for penalties under consideration? If not, why? Mr. Mayorkas. That is a very interesting question, Congresswoman. When I was the director of U.S. Citizenship and Immigration Services, we actually had that infirmity within the agency that we did not have really a cohesive and consistent discipline regime, and we implemented one during the course of my tenure. Whether there should be a Department-wide standard is a question that I would actually like to give thought to because I will tell you that there are different dynamics at play within each component of the Department. There are different unions, union leadership, union relationships. I think at a general level my immediate reaction is that we should have standardized processes and we should have consistency in the response--in the disciplinary response to similar behaviors. I would like to actually give further study, and quite frankly speak with my colleagues here to my left with respect to your question. Ms. Clarke. My time is run out, but if the Chairman gives another round, we will---- Chairman McCaul. Well, if you would like to hear other witnesses---- Ms. Clarke. Oh, certainly. Chairman McCaul. This is our final round. Ms. Clarke. Okay. Thank you, Mr. Chairman. Well then, gentlemen, would you please give me your opinion on these disciplinary actions? Mr. Roth. Thank you. We have not done an audit with regard to this except with the Secret Service, which did not have a table of penalties. We found that that was a problematic issue with regard to some of the issues that occurred in the Secret Service. I think I would join Mr. Mayorkas in indicating that that is a broader issue that we would probably need to study in a more thoughtful way. Mr. Dodaro. Yes. We have looked recently at TSA employee misconduct issues and how that is handled. I would be happy to provide that for the record and any other thoughts that we have on this matter. Ms. Clarke. Very well. I appreciate that, gentlemen. Thank you all for your testimony here today. Thank you, Mr. Chairman. I yield back. Chairman McCaul. Thank you. I want to thank the witnesses. Chairman recognizes the Ranking Member. Mr. Thompson. I just want to thank the Chairman for this hearing and the witnesses for their candid comments in response to the questions. The thing that continues to bother me, though, is we put the Department of Homeland Security under one roof. But it just appears that there are some outliers within the Department that continue to do as they please. We have reports after reports that continue to highlight those do-as-you-please efforts that cost money. What I have taken away is that you continue to highlight it, but somehow it doesn't get implemented. I guess I am struggling for--can you, each one of you witnesses provide us in writing what you think it would take for the Department to run seamlessly, all the components within DHS using one standard for procurement and other things? Right now procurement, personnel, a lot of issues continue to be different. I think if we have One DHS, if we have this now Unity of Effort approach, how can we actually accomplish that if we still have Coast Guard, FEMA, CBP, ICE kind-of doing what they want to do? I am just kind-of concerned about that, that we should just have a standard system. Now, obviously there are some exceptions. But I think those exceptions can be noted. But I would like to see something from our witnesses since they have been so good that could help give this committee some direction on how we can come up with one system, whether it is IT system or whatever, in those categories that have been outlined. I yield back. Chairman McCaul. I concur with the Ranking Member. We would like to see that, if you could respond maybe in writing after the hearing. I know Ms. Clarke and I have worked on the iCloud concept in terms of bringing the One DHS together. I think that is an interesting concept as well. I did have one last question for Mr. Roth. The Secret Service has mentioned, know you are reviewing your predecessor's report, the allegations involving drunkenness during Presidential protection. Very serious concern on the part of this committee that that conduct is still on-going within Secret Service. I know you are reviewing those currently. When do you anticipate that your report will come out? Mr. Roth. We are looking at the current reports. We are not engaged in a further audit or inspection of that. But what we are doing is in light of the Senate subcommittee's report we are looking to ensure that any of the conclusions within the report were untainted by any sort-of political or other improper considerations. We are doing that as expeditiously as possible, but we want to get it right. I am hopeful in the next few weeks we will be able to get it out. But right now I can't give you---- Chairman McCaul. Will you be providing any guidance to the director of the Secret Service in terms of--you mentioned there are no real sort of disciplinary procedures in place. Mr. Roth. At the time of our audit there were no disciplinary procedures. There were no tables of penalties. That has been fixed. In the series of audits we did, we did a look-back to see what the internal investigation looked like. We also did what was known as the so-called culture report. In the culture report we had a series of recommendations that we asked the Secret Service to do. They are in the process of complying with each of those. I am happy to give a interim report as to, sort-of, how they are doing with regard to responding to our recommendations. Chairman McCaul. I would appreciate that. Protecting the President is one of the highest duties---- Mr. Roth. Yes. Chairman McCaul [continuing]. Within the Department. So we thank the witnesses for testifying here today. The record will be open for 10 days. You may have additional questions. With that, without objection, committee stands adjourned. [Whereupon, at 11:31 a.m., the committee was adjourned.] A P P E N D I X ---------- Questions From Chairman Michael T. McCaul for Alejandro N. Mayorkas Question 1. According to a December 2013 GAO report, CBP and ICE continue to struggle with large portions of their TECS modernization which could result in cost overruns and delay its 2015 deployment deadline. TECS is critical to the Department's border security and law enforcement missions. Describe the management direction you are providing this project and please give the committee an update on the TECS modernization efforts and whether or not ICE and CBP will deliver its planned functionality by 2015 as originally scheduled. Answer. DHS has a tiered governance structure that includes oversight at the senior leadership level, the component level, and the program level. At the highest level, the Department is actively monitoring both programs by way of Executive Steering Committee (ESC) meetings made up of senior-level executives, including Headquarters and Component Chief Information Officers, Chief Acquisition Executives, and Chief Financial Officers. Executive Steering Committees are decision- making bodies that provide governance and oversight for all of the Department's IT Major investments. Currently, due to the program's high risk, the U.S. Immigration and Customs Enforcement (ICE) TECS Modernization has a monthly ESC meeting and bi-weekly deep-dive meetings with the Department's Chief Information Officer and management acquisition team. The U.S. Customs and Border Protection (CBP) TECS Modernization has bi-monthly ESC meetings. The CBP TECS Modernization has been deploying modernized functionality incrementally since 2009 and is on track to deliver the majority of modernized capability by September 2015, as originally planned. This program has multiple releases of which 80% have been delivered. The remaining 20% will be delivered on schedule by September 2015. The ICE TECS Modernization is in the technical evaluation phase of procuring an application vendor, with an anticipated award in September 2014. The program is currently a high-risk program due to its schedule and cost risks. Mitigation plans are in place to address the program risks. The program meets regularly with Headquarters leadership to review status and progress toward milestone events. The program is engaged with the CBP parallel effort to execute the coordinated strategy for both agencies to obtain mainframe independence from the shared legacy TECS system. Question 2a. Does DHS believe that they are full partners in the FirstNet effort? Answer. Yes, DHS is a full partner and one of three permanent board members in the FirstNet effort. The Department appreciates the importance of the FirstNet network to the overall security and resilience of our Nation's public safety communications infrastructure. Question 2b. What is DHS doing to support FirstNet? Answer. DHS is taking an active role in supporting FirstNet by providing the following products and services: FirstNet Consultation Preparation Workshops.--DHS has delivered on-site workshops in 54 of 56 States/Territories to help prepare for the FirstNet consultation process. The remaining two States/Territories will be completed this year. Broadband Tools.--DHS has developed a mobile data survey tool to help States determine the current use of commercial and private data systems within their jurisdiction that is being leveraged by FirstNet. FirstNet Coordination.--In early 2013, FirstNet asked DHS to participate with the National Telecommunications and Information Administration and FirstNet staff to coordinate outreach and data collection with public safety efforts. Since that time, DHS has participated in weekly calls, as well as periodic strategic planning meetings with FirstNet Board members and staff. Federal Broadband Coordination.--The Emergency Communications Preparedness Center, which is a DHS-led Federal coordination committee to improve emergency communications interoperability, has been leveraged by FirstNet for Federal outreach and planning. Tribal Coordination.--DHS provided Tribal subject matter expertise to assist FirstNet in establishing its Tribal Working Group, as well as facilitating meetings with key Tribal representatives. Cyber and Physical Risk Assessment.--DHS identified possible threats to and vulnerabilities of cyber infrastructure in the Nation-wide Public Safety Broadband Network that could threaten the network's reliability and security. Public Safety Broadband Requirements.--DHS helped develop first responders requirements for the Nation-wide public safety broadband network. 700 MHz Demonstration Network.--DHS helped create a 700 MHz Demonstration Network at the National Institute for Standards and Technology Boulder Labs to assist with performance, conformance, and interoperability testing of infrastructure, devices, and applications. This public safety demonstration network and environment for testing allows public safety to better understand the new capabilities and challenges created by broadband technologies. Modeling and Analysis for Public Safety Broadband.--DHS is conducting modeling and simulation research on the deployment of a Nation-wide public safety broadband network. This research will provide FirstNet with insight needed to make more informed procurement-related decisions. Question 3. The Office of Program Accountability and Risk Management (PARM) is responsible for DHS' overall acquisition management across the Department, and has work under way to implement an Acquisition Life-Cycle framework for major acquisitions. Among other things, this framework outlines key decision events over the life of a program. This ``waterfall'' approach may be fine for most types of acquisitions; but for IT acquisitions, it promotes longer time frames for delivering capabilities (often 5-7 years) and increased risk of cost, schedule, and performance issues. The Office of the Chief Information Officer (OCIO) is responsible for IT investment governance, including IT systems development. OCIO has work under way to modify, finalize, and implement systems acquisition policies and processes in line with an incremental development approach, which calls for breaking programs into smaller increments and delivering capabilities in 6-12 month releases. It will be important for PARM and OCIO to collaborate on a way forward to define roles and responsibilities, and modify the Acquisition Framework as needed to accommodate an incremental development approach to IT. How efficiently and effectively do DHS's acquisition and IT governance processes work in concert with one another to ensure that major IT investments are delivered within cost and schedule, and meet mission needs? Answer. DHS's integrated acquisition and IT governance processes work together in an efficient and effective manner. Management Directive 102-01 establishes the Department's acquisition governance framework for both IT and non-IT programs. The Management Directorate's Office of Program Accountability and Risk Management coordinates effective integration and collaboration across the Department's lines of business, including the Office of the Chief Information Officer, to implement acquisition oversight. Further, the Secretary's ``Strengthening Unity of Effort'' initiative is enhancing the coordination of Departmental planning, programming, budgeting, and execution processes through strengthened requirements processes and decision-making. Question 4a. Component agencies of DHS are increasingly using the Government Printing Office (GPO) for the production of secure credentials. Some have expressed concern that component agencies are inappropriately using Title 44 of the United States Code as a means to enter into sole-source agreements with GPO to circumvent the normal fair and open competitive procurement process. Is there any formal or informal guidance from DHS to component agencies on the use of the GPO versus open competition? Answer. DHS follows the requirements of Federal Acquisition Regulation 8.802, which requires printing to be done by or through GPO unless an exception applies. DHS utilizes a form (DHS 500-7) for its components to use to obtain printing services through the designated central printing authority or to seek a waiver. There is no additional acquisition guidance regarding printing. Question 4b. What is the opinion of DHS Office of General Counsel on Title 44 of the United States Code and FAR 48 Subpart 8.8 as it relates to public printing services and use of GPO for secure credentials? Answer. The Department recognizes the statutory and regulatory requirements related to the Government Printing Office. Question 4c. What risk/security analysis has been done to make sure that secure credentials being used by DHS are durable, secure, and virtually counterfeit-proof? Answer. A risk/security analysis of the secure credentials used by DHS was conducted by the General Services Administration (GSA), as the executive agent for acquisition of Homeland Security Presidential Directive--12 products and services. GSA ensures that secure credentials meet the standards of the National Institute of Standards and Technology (NIST). To further deter counterfeiting of the secure credentials being used by DHS, the Department has gone beyond the NIST requirements by requiring visual security features with micro-text bands, the use of transparent and gradient effects, optically variable ink, and holographic images in the security laminate. Question 4d. What alternatives analysis or analysis of alternatives (including cost and security analysis) has been done to support secure credential programs? Answer. During an analysis of alternatives conducted by the DHS Office of the Chief Security Officer, it was determined that GPO met standards for secure credentials. GPO delivered added value with strict adherence to a secure Government supply chain requirement and smart card product manufacturing. GPO also demonstrated oversight of security in the transportation of raw materials and finished goods, and the physical security of the card manufacturer's plant and information technology systems. Question 4e. How much has DHS obligated and expended in fiscal year 2010-fiscal year 2013 for secure credentials printed by GPO? How much does DHS plan to spend on secure credentials in fiscal year 2014? Answer. DHS has obligated and expended a total of $7,494,875 between fiscal year 2010-fiscal year 2013. The breakdown per fiscal year is as follows: Fiscal year 2010: $1,769,962.00 Fiscal year 2011: $1,891,963.00 Fiscal year 2012: $2,432,350.00 Fiscal year 2013: $1,400,600.00 Fiscal year 2014 Plan: $2,491,125.00. Question 5a. According to news reports from early April, top hiring officials at CBP broke Federal civil service laws when they tried to hire three politically connected but unqualified candidates who were favored by the agency's then-commissioner Alan Bersin. Shortly before arriving at CBP, Mr. Bersin allegedly gave the human resources staff three names and told them he wanted to hire the individuals as political appointees. However, the slots for those jobs, known as Schedule C positions, were filled. The staff then attempted to hire them into open civil service positions at the GS-13 level, as management and policy analysts. Who were the people seeking career positions in these reported cases? Are they employed by CBP currently? If so, under what hiring authorities? Answer. The Office of Special Counsel (OSC) has released a press statement regarding its complaint for disciplinary action before the Merit Systems Protection Board (MSPB), filed against Katherine Coffman. The OSC has not yet made the complaint a public document and DHS is not a party to the litigation. Further, in accordance with DHS practice, and per OSC preference, DHS does not comment on pending litigation. DHS does not wish to impede the current adjudication of this case by releasing specific information relevant to the MSPB proceeding, or by providing opinions regarding any specific allegations or evidence that may be contained within the complaint as described in the public press statement. Therefore, in this and subsequent responses, DHS will only answer as to matters not at issue in the litigation. Question 5b. Who within the DHS Office of the Chief Human Capital Officer rejected most of the career conversion requests and approved the one OPM later rejected? Please provide necessary documents asking for and rejecting these personnel actions. Answer. Please see above. Question 5c. Since Ms. Katherine Coffman is in the position to hire individuals across CBP, does she assert inappropriate influence over the career civil service hiring process? Did she or does she seek to hire others who fit ``political criteria'' favored by her or Mr. Bersin? Answer. Please see above. Question 5d. What was the role of the Office of the White House Liaison at DHS in these career conversions? Is the Office of the White House Liaison involved in interviewing or vetting other career candidates for Federal employment? Answer. DHS has inquired of the relevant individuals and reviewed the relevant files and has no reason to believe the Office of the White House Liaison was involved in the attempted conversion from political appointments to career appointments for the three individuals whom it is alleged Mr. Bersin wanted to hire at CBP. I am informed it is not. Question 5e. Since January 21, 2009, how many political appointees have been converted to career employees? If any, please identify them along with their titles and the office in which they are working. Answer. Prior to January 2010, Federal agencies had to seek OPM's approval of conversions to competitive service positions only during Presidential election years. As a result, DHS did not maintain DHS-wide records specific to such conversions and cannot readily access this information for the time period between January 21, 2009 and December 31, 2009. Beginning on January 1, 2010, OPM required agencies to seek prior approval from OPM before appointing a current or recent political appointee to a competitive or non-political excepted service position at any level under the provisions of title 5, United States Code. OPM provided DHS with information based on OPM's records which establish that since January 2009, six political appointees have been converted to career positions. In 2009, an individual was appointed to a GS-14 policy analyst position in the Office of Civil Rights & Civil Liberties. In 2011, an individual was appointed to a Senior Executive Service position in the Office of Science and Technology. In 2012, an individual was appointed to a Senior Executive Service position in the Federal Emergency Management Agency and another individual was appointed to a GS-13 external affairs specialist position, also in FEMA. In 2013, two individuals were appointed to two different Senior Executive Services positions; one in the United States Coast Guard and another in the Office of the General Counsel. Question 5f. Given the allegations in this matter, do you have confidence in Mr. Bersin as a senior leader of DHS? Have you considered putting Mr. Bersin or Ms. Coffman on administrative leave while these allegations are fully investigated by the Office of Special Counsel and the Merit Systems Protections Board? Answer. Yes, the leadership of the Department has full confidence in Mr. Bersin. Neither the Office of the Special Counsel (OSC) nor the Merit Systems Protection Board (MSPB) has suggested such an action, and DHS has determined not to take such action at this time. The current posture of the proceedings is that the OSC has completed its investigation and filed complaints seeking disciplinary action against three CBP career officials. The MSPB has jurisdiction over the complaints. DHS is not aware that OSC or the MSPB will conduct any further investigation. Question From Honorable Patrick Meehan for Alejandro N. Mayorkas Question. I submitted a question for the record following Secretary Johnson's first appearance before the committee that remains unanswered regarding EAGLE II, an information technology multiple-award contract vehicle potentially worth $22 billion over 5 to 7 years. It is my understanding that companies were notified of additional awards being made in early May on highly protested functional category one of the vehicle. The announcement appears to cut both ways--more vendors means more competition, but also more proposals to evaluate thus slowing down the acquisition selection process. What information have you received about this procurement and what is your impression of how this acquisition was conducted? How is DHS going to make sure that programs actually use this vehicle and that proposals received per task order will be evaluated in a timely manner? Answer. As Deputy Secretary, I was not personally involved in this procurement and therefore have only had access to publicly-available information in accordance with Federal regulation. I have been made aware of the award information and am informed that the procurement was conducted in an open and transparent manner, employing Federal procurement best practices and in accordance with the Federal Acquisition Regulation. Like its predecessor, EAGLE II attracted significant interest from industry. I am further informed that, since the EAGLE II competition received a robust industry response, completing a fair and detailed evaluation of each of the proposals required a significant amount of time and resources. Protests are part of the procurement process for these large competitions. The DHS personnel responsible for the EAGLE II procurement participated transparently and professionally in the protest process to ensure all companies had an opportunity to have their concerns addressed in an impartial forum. To date, several protests have been dismissed and contract awards have been made to large, small, service-disabled veteran-owned, HUBZone, and 8(a) American companies. Task orders have already been placed by several DHS components. Task Order awards to date include 18 awards made to various small business totaling $16.5 million with a total value of $63.8 million if all option periods are exercised. The Office of the Chief Procurement Officer is monitoring EAGLE II spending. DHS continues to increase its use of strategic sourcing vehicles such as EAGLE II because they provide a streamlined and efficient process for obtaining services and result in cost savings for the programs. It is the Department's policy that the EAGLE II contracts be used unless there is an alternative that will yield a lower price or better support the DHS small business program. To streamline task order competitions and evaluations, DHS offers training on the use of EAGLE II for all components and has generated an ordering guide that includes guidance, templates, and points of contact for users. This guidance ensures that task order proposals are evaluated promptly and accurately. DHS has a task order ombudsman available to assist any EAGLE II contractor that becomes concerned that a task order proposal evaluation has been delayed. Questions From Honorable Tom Marino for Alejandro N. Mayorkas Question 1a. What percentage of NFIP claims from Superstorm Sandy contained fraudulent losses? Can you quantify that with a dollar amount? Answer. FEMA takes seriously its responsibility to be a good steward of Federal funds, which include not only tax dollars but also flood insurance premiums. Reducing, investigating, and ultimately eliminating waste, fraud, and abuse is an important part of that responsibility. When FEMA becomes aware of evidence of potential fraud on the part of NFIP policyholders, building repair contractors, or others, the FEMA Office of Chief Counsel and the Office of the Chief Security Officer's FEMA Fraud Unit work with the Office of the Inspector General to investigate. While the FEMA Fraud Unit and the Office of the Inspector General work closely in developing cases, FEMA is typically not informed of results as a matter of practice, since the issue at hand may be a criminal matter. While legally distinct from fraud, FEMA also tracks improper payments pursuant to the Improper Payments Act. The tracking does not differentiate underpayments, overpayments, or fraud. The results are as follows: ------------------------------------------------------------------------ Improper Fiscal Year Payment Rate ------------------------------------------------------------------------ 2008.................................................... 6.38% 2009.................................................... 2.22% 2010.................................................... 1.21% 2011.................................................... 0.75% 2012.................................................... 0.02% ------------------------------------------------------------------------ No, for the same reason explained in the answer above: FEMA is typically not informed of investigative results as a matter of practice, since the issue at hand may be a criminal matter. Question 1b. What is the policy for ensuring that claims are legitimate before releasing funds for rebuilding? Answer. There are a number of checks involved in the claims handling process. After a claim is filed, the NFIP insurer assigns an independent adjuster, who is certified as an NFIP adjuster and has knowledge of the coverage and exclusions under the Standard Flood Insurance Policy. The independent adjuster will inspect the insured property, preferably together with the insured to validate that the adjuster reviews all of the components of the property that the insured believes had been damaged by flood. The adjuster describes the claim process to the policyholder and provides a copy of the NFIP Flood Insurance Claims Handbook, which is a tool developed by FEMA to explain the claims process to policyholders after a loss. During this inspection, the adjuster measures, photographs, and notes elements of flood damage. The adjuster then prepares a detailed room-by-room, line- by-line estimate of the damage caused by flood. A report documenting the observed damage is then provided for review by the insurer, which is responsible for identifying covered losses and making payment. Unless there is an express written waiver, within 60 days after the loss the insured is required to provide a proof of loss, which is the insured's sworn statement of the amount being claimed. Question 1c. Additionally, what tools does the agency have to ``claw-back'' funds released to homeowners who submitted fraudulent claims? Answer. All forms of the Standard Flood Insurance Policy (``SFIP'') have provisions governing improper activities by the insured and void the policy in the event of fraud or misrepresentation. If the policy is void, the NFIP is authorized to recoup payments and can do so through a Debt Collection action or affirmative litigation. In addition, the United States has available civil and criminal remedies, including the False Claims Act, to recoup fraudulently-claimed funds and to seek civil and criminal penalties. The DHS Office of Inspector General and other Federal law enforcement, including a FEMA Fraud unit, are available to investigate allegations of fraud, and FEMA also will work with State and local law enforcement in appropriate circumstances to investigate and prosecute fraud. Question 2. DHS is over 10 years old and it seems that we are only now getting to understand what a ``high-risk'' program is. This is unacceptably long. What took so long and what assurances can you give that we won't have more oversight failures going forward? Answer. DHS has a clear understanding of its ``high-risk'' programs, as defined on a biennial basis by the Government Accountability Office (GAO) through publication of its GAO High-Risk List. We work closely with GAO to address the areas where DHS remains on the High-Risk List. When I became deputy secretary of DHS in late December 2013, the first action I took was to schedule a meeting with GAO Comptroller General Dodaro. DHS and GAO meet regularly to discuss progress on our High-Risk designation, and I have been able to participate in several of those productive meetings. In 2011, DHS published the Integrated Strategy for High-Risk Management (Strategy), to address our High-Risk designation. DHS continues to make progress towards High-Risk List removal and publishes an updated Strategy on a semiannual basis. Of note is the fact that GAO has stated in its most recent High-Risk List update that our Department's Strategy, ``if implemented and sustained, provides a path for DHS to be removed from GAO's High-Risk List.'' Further, earlier this year we developed specific action plans to address the 30 key outcomes GAO identified as part of the management High-Risk area. Our action plans provide month-to-month goals that offer a road map to success. Our development of these action plans provided us with the opportunity to freshly review our previous efforts and, in certain critical areas, to accelerate our time tables materially. Question 3. Many of the DHS operating agencies like CBP, TSA, and the Coast Guard came with internal inspection capabilities when DHS was created. Yet it appears the senior levels have been slow to organize Department-wide oversight. It appears that these agencies are not a ``part of the whole'' from the management perspective. When will DHS- wide management controls be in place? Answer. To further Department-wide management integration, Secretary Johnson directed the ``Strengthening Departmental Unity of Effort'' initiative in April 2014. In this initiative, the Secretary directs specific activities across four main lines of effort: Inclusive senior leader discussion and decision-making forums that provide an environment of trust and transparency; strengthened management processes for investment, including requirements, budget, and acquisition processes, that look at cross-cutting issues across the Department; focused, collaborative Departmental strategy, planning, and analytic capability that supports more effective DHS-wide decision- making and operations; and enhanced coordinated operations to harness the significant resources of the Department more effectively. The goal is better understanding of the broad and complex DHS mission space and empowering DHS components to effectively execute their operations. To that end, the Secretary, in a June 26, 2014 memorandum to DHS leadership, established the DHS Joint Requirements Council to ``look at cross-component requirements and develop recommendations for investment, as well as changes to training organization, laws, and operational processes and procedures.'' This component-led, component- driven body will be organized around the five DHS primary mission areas and begin to tackle issues involving information-based screening and vetting; chemical, biological, radiological, and nuclear surveillance and detection; aviation commonality; cybersecurity; and information sharing with potential impacts beginning as early as the DHS budget submission to OMB this September. Other unity-of-effort initiative pieces, including strengthened budget and acquisition process, will also lead to greater management control. Question 4. Referring to your technology programs across DHS, there is strong criticism from the private-sector suppliers that DHS fails to provide multi-year plans that would guide private R&D investment. Why can't DHS seem to get forward planning for major programs right? Answer. A primary challenge in developing and executing optimal multi-year plans to guide private R&D investment is the reality of fiscal uncertainty: The Department is not assured of sustained funding streams for long-term efforts. DHS has worked hard to create a sustainable process to validate Department-wide requirements across the DHS primary mission areas to inform investment decisions and drive acquisitions. The Secretary's June 26, 2014 memorandum to DHS leadership establishing a DHS Joint Requirements Council to ``look at cross-component requirements and develop recommendations for investment, as well as changes to training organization, laws, and operational processes and procedures'' will help us to achieve that goal. By studying requirements across components and developing ``joint'' solutions from a range of potential alternative capabilities, the Department should be able to more predictably interface with the private sector earlier in order to better partner to meet the challenges faced by the Nation in securing the homeland. Further, the Department's increased focus on looking at full life- cycle program costs across the entire 5-year Homeland Security budget should increase awareness and reduce uncertainty for our private industry partners. To this end, newly-confirmed Under Secretary for Science and Technology Dr. Reginald Brothers has also prioritized development of an updated Science and Technology Directorate (S&T) Strategic Plan complemented by technology roadmaps in S&T's major investment areas. These types of products are fundamental for communicating S&T's direction and vision to industry in order to better align and incentivize private R&D investment in DHS and Homeland Security Enterprise needs and priorities. Moving forward, S&T's Strategic Plan and roadmaps, along with a revamped approach to creating and sharing project requirements, will help strengthen and energize the Department's and S&T's partnership with the Homeland Security Industrial Base. Question From Chairman Michael T. McCaul and Ranking Member Bennie G. Thompson for Gene L. Dodaro Question. Please provide us in writing what you think it would take for the Department of Homeland Security (DHS) to run seamlessly, all the components within the Department using one standard for procurement and other things. Answer. DHS could enhance its overall efficiency and effectiveness by continuing to implement and strengthen key management initiatives, including fully achieving key management outcomes that we and DHS have agreed are necessary for addressing our designation of DHS management functions as high-risk. Achieving some of these outcomes will entail implementing Department-wide standards, such as standards pertaining to information technology (IT) and acquisition management. Specifically, DHS needs to demonstrate continued progress in implementing and strengthening key management initiatives and addressing corrective actions and outcomes in human capital management, acquisition management, financial management, and IT. This includes taking steps to implement certain common standards Department-wide. For example, As we reported in May 2014, DHS's acquisition policy largely reflects key acquisition management practices, but the Department has not implemented the policy consistently.\1\ For example, in March 2014, we found that the Transportation Security Administration (TSA) does not collect or analyze available information that could be used to enhance the effectiveness of its advanced imaging technology.\2\ In March 2014, we also found that U.S. Customs and Border Protection (CBP) had not fully followed DHS policy regarding testing for the integrated fixed towers being deployed on the Arizona border.\3\ We recommended that CBP revise its testing plan in accordance with DHS acquisition guidance, among other things. DHS did not concur with our recommendation and stated that the existing test plan will provide much, if not all, of the insight contemplated by the intent of the recommendation. We continue to believe that revising the test plan to include more robust testing to determine operational effectiveness and suitability could better position CBP to evaluate integrated fixed-tower capabilities before moving to full production for the system, help provide CBP with information on the extent to which the towers satisfy the Border Patrol's user requirements, and help reduce potential program risks. --------------------------------------------------------------------------- \1\ GAO, Department of Homeland Security: Progress Made; Significant Work Remains in Addressing High-Risk Areas, GAO-14-532T (Washington, DC: May 7, 2014). \2\ GAO, Advanced Imaging Technology: TSA Needs Additional Information Before Procuring Next-Generation Systems, GAO-14-357 (Washington, DC: Mar. 31, 2014). \3\ GAO, Arizona Border Surveillance Technology Plan: Additional Actions Needed to Strengthen Management and Assess Effectiveness, GAO- 14-368 (Washington, DC: Mar. 3, 2014). Integrated fixed towers are to consist of surveillance equipment (for example, ground surveillance radars and surveillance cameras) mounted on fixed, that is, stationary towers, and power generation and communication equipment to support the towers. --------------------------------------------------------------------------- In May 2014, we also reported that work is needed to demonstrate progress in implementing IT investment management processes across DHS's 13 IT investment portfolios.\4\ In July 2012, we recommended that DHS finalize the policies and procedures associated with its new tiered IT governance structure and continue to implement key processes supporting this structure.\5\ DHS agreed with these recommendations; however, as of April 2014, the Department had not finalized the key IT governance directive, and the draft structure had been implemented across only 5 of the 13 investment portfolios.\6\ --------------------------------------------------------------------------- \4\ GAO-14-532T. \5\ GAO, Information Technology: DHS Needs to Further Define and Implement Its New Governance Process, GAO-12-818 (Washington, DC: July 25, 2012). \6\ The draft structure had been implemented across the following five portfolios: Intelligence, screening, information sharing and safeguarding, enterprise IT services, and enterprise human capital. --------------------------------------------------------------------------- More uniformly implementing these common standards across the Department and showing measurable, sustainable progress in implementing other key management initiatives can help DHS more fully address GAO's high-risk designation. We are continuing to review DHS's progress in these areas and will update our assessment of DHS's efforts to address our high-risk designation early next year. Question From Honorable Yvette D. Clarke for Gene L. Dodaro Question. Some individuals believe that DHS disciplinary practices are inequitable and oftentimes arbitrary. For example, there is no Department-wide standard for penalties, and the same offense can engender different results without any sound reason for this discrepancy. Would you agree that the Department could benefit from standardized disciplinary processes? Does not having these processes in place have an impact on low morale, for instance? If not, why? Answer. We have not specifically assessed the standardization of disciplinary practices at DHS, but our work has found that TSA could strengthen its monitoring of allegations of employee misconduct. In July 2013, we found that TSA could strengthen its monitoring of allegations of employee misconduct.\7\ Specifically, we found that: --------------------------------------------------------------------------- \7\ GAO, Transportation Security: TSA Could Strengthen Monitoring of Allegations of Employee Misconduct, GAO-13-624 (Washington, DC: July 30, 2013). --------------------------------------------------------------------------- According to TSA employee misconduct data that we analyzed, TSA investigated and adjudicated approximately 9,600 cases of employee misconduct from fiscal years 2010 through 2012. While TSA had taken steps to help manage the investigations and adjudication process, such as providing training to TSA staff at airports, we found that additional procedures could help TSA better monitor the investigations and adjudications process. For example, TSA did not have a process for conducting reviews of misconduct cases to verify that TSA staff at airports were complying with policies and procedures for adjudicating employee misconduct. We concluded that without a review process, it is difficult to determine the extent to which deficiencies, if any, exist in the adjudications process. Further, we found that TSA did not record all misconduct case outcomes, including outcomes in cases that resulted in corrective action or no penalty, in its centralized case management system because the agency had not issued guidance requiring the recording of all outcomes. We concluded that issuing guidance to TSA staff at airports about recording all case outcomes in the database would emphasize management's view of the importance of staff including such information to provide a more complete record of adjudication decisions. We recommended, among other things, that TSA establish a process to conduct reviews of misconduct cases to verify that TSA staff at airports are complying with policies and procedures for adjudicating employee misconduct, and develop and issue guidance to the field clarifying the need for TSA officials at airports to record all misconduct case outcomes in the centralized case management system. DHS concurred with the recommendations, and TSA is taking actions in response, such as increased auditing of disciplinary records to help ensure that airport staff are complying with policies and procedures for adjudicating employee misconduct. Question From Chairman Michael T. McCaul for Gene L. Dodaro Question. Please elaborate on your comments regarding Congressional committees with a jurisdiction on homeland security issues. Specifically, to what extent have repetitive or redundant hearings and briefings (i.e., those involving substantially the same subject matter but provided separately to more than one committee) led to inefficiencies and inhibited progress by the Department to address items on the High-Risk List? Have these particular hearings and briefings increased over time, in comparison to previous Congresses? Does the fact that multiple components at the Department lacking authorizations (which have not been enacted due to jurisdictional battles) have any effect on the ability of these components and DHS Headquarters to enact necessary reforms, since potential necessary authorities are not codified? Answer. GAO has not analyzed the impact of hearings and briefings on DHS's ability to address items on GAO's high-risk list, trends in the number of DHS-related hearings and briefings, or the potential effects of the lack of authorizing legislation on DHS's ability to carry out necessary reforms. In December 2002, we did report that the creation of DHS had raised questions regarding how the Congress could best meet its oversight responsibilities, and that DHS would be overseen by numerous Congressional committees.\8\ At the time we observed that the Congress may wish to explore ways to facilitate conducting its responsibilities in a more consolidated and integrated manner, and noted that whether the Congress did so could have an impact on the effective implementation and oversight of DHS. --------------------------------------------------------------------------- \8\ GAO, Homeland Security: Management Challenges Facing Federal Leadership, GAO-03-260 (Washington, DC: Dec. 20, 2002). --------------------------------------------------------------------------- In 2003 we designated implementing and transforming the Department of Homeland Security as high-risk because DHS had to transform 22 agencies--several with major management challenges--into one department, and failure to address associated risks could have serious consequences for U.S. National and economic security.\9\ It is noteworthy to recognize, however, that since 2003, DHS has made considerable progress in transforming its original component agencies into a single department. As a result, in our 2013 high-risk update, we narrowed the scope of the high-risk area to focus on strengthening DHS management functions.\10\ --------------------------------------------------------------------------- \9\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: Jan. 1, 2003). \10\ GAO, High-Risk Series: An Update, GAO-13-283 (Washington, DC: Feb. 14, 2013). --------------------------------------------------------------------------- DHS remains on the high-risk list because the Department has not made sufficient progress addressing GAO's high-risk removal criteria, such as having a framework to monitor progress, capacity (having sufficient resources), and demonstrating clear, sustained progress. Specifically, our work at DHS has found that the Department has made progress strengthening its management functions, including developing policies that provide a framework for addressing management challenges. However, we have found in our past work that DHS does not always adhere to its own policies. For example, DHS's acquisition policy largely reflects key acquisition management practices, but in September 2012, we found that the Department has not implemented the practices consistently. Further, we found that DHS has made progress in initiating efforts to validate required acquisition documents.\11\ However, the Department does not have the acquisition management tools in place to consistently demonstrate whether its major acquisition programs are on track to achieve their cost, schedule, and capability goals. Accordingly, about half of DHS's major programs lack an approved baseline, and 77 percent lack approved life-cycle cost estimates. --------------------------------------------------------------------------- \11\ GAO, Homeland Security: DHS Requires More Disciplined Investment Management to Help Meet Mission Needs, GAO-12-833 (Washington, DC: Sept. 18, 2012). --------------------------------------------------------------------------- Question From Honorable Jeff Duncan for Gene L. Dodaro Question. The Office of Program Accountability and Risk Management (PARM) is responsible for DHS's overall acquisition management across the Department, and has work underway to implement an Acquisition Life Cycle framework for major acquisitions. Among other things, this framework outlines key decision events over the life of a program. This ``waterfall'' approach may be fine for most types of acquisitions; but for IT acquisitions, it promotes longer time frames for delivering capabilities (often 5-7 years) and increased risk of cost, schedule, and performance issues. The Office of the Chief Information Officer (OCIO) is responsible for IT investment governance, including IT systems development. OCIO has work underway to modify, finalize, and implement systems acquisition policies and processes in line with an incremental development approach, which calls for breaking programs into smaller increments and delivering capabilities in 6-12 month releases. It will be important for PARM and OCIO to collaborate on a way forward to define roles and responsibilities, and modify the Acquisition Framework as needed to accommodate an incremental development approach to IT. How efficiently and effectively do DHS's acquisition and IT governance processes work in concert with one another to ensure that major IT investments are delivered within cost and schedule, and meet mission needs? Answer. We have found in our prior work that DHS has not yet fully established or finalized its acquisition and IT governance processes; however, we found that these processes, as defined and implemented thus far, may be leading to slowed IT development work, as well as ineffective or redundant executive oversight reviews. For example: Slowed IT development work.--In our May 2014 report on agencies' IT incremental development policies and approaches, we found that DHS OCIO officials had cited inefficient governance and oversight processes as one common factor, among others, inhibiting incremental development during a 6-month period.\12\ To illustrate, those officials said that it can take up to 2 months to schedule a meeting with DHS review boards prior to releasing functionality. However, we also reported that a Program Accountability and Risk Management (PARM) official disagreed with that statement, maintaining that DHS's acquisition review boards perform reviews very quickly, and that any delays in completing these reviews are attributable to investments being unprepared. Further, DHS OCIO officials suggested that oversight of programs using an Agile development methodology should be performed at the lowest practicable level of the organization.\13\ Regardless of the cause, these inefficiencies are hampering DHS's ability to deploy IT capabilities in 6-month increments. Accordingly, we recommended that DHS consider factors that either enable or inhibit incremental development when updating the Department's policies governing incremental IT development. DHS concurred with our recommendation and stated that it plans to include strategies in its guidance to minimize factors identified as inhibiting incremental development. It will be important for DHS's OCIO and PARM offices to work collaboratively to effectively address this recommendation. --------------------------------------------------------------------------- \12\ GAO, Information Technology: Agencies Need to Establish and Implement Incremental Development Policies, GAO-14-361 (Washington, DC: May 1, 2014). \13\ Agile development calls for the delivery of software in small, short increments rather than in the typically long, sequential phases of a traditional waterfall approach. More a philosophy than a methodology, Agile emphasizes early and continuous software delivery, as well as using collaborative teams and measuring progress with working software. The Agile approach was first articulated in a 2001 document called the Agile Manifesto, which is still used today. The manifesto has four values: (1) Individuals and interactions over processes and tools, (2) working software over comprehensive documentation, (3) customer collaboration over contract negotiation, and (4) responding to change over following a plan. --------------------------------------------------------------------------- Ineffective or redundant executive oversight reviews.--In December 2013, we reported on the effectiveness of the executive governance and oversight of the Department's two TECS modernization (TECS Mod) border security programs.\14\ While we found that OCIO and PARM had taken actions to oversee the two programs, the lack of complete, timely, and accurate data had affected their ability to make informed and timely decisions, thus limiting their effectiveness in several cases. For example, we found that OCIO had rated one of the programs as moderately low-risk in its most recent program health assessment, based partially on U.S. Customs and Border Protection's use of earned value management. However, the program manager told us that the other program was not using this management technique. In addition, PARM had rated the other program as low-risk in its most recent Quarterly Program Accountability Report based in part on outdated cost and schedule estimates. Accordingly, we made a recommendation to improve the data used by these governing bodies for major IT acquisition programs. DHS concurred and stated that it has taken steps to ensure that the data used by the IT program acquisition programs are accurate and complete, such as implementing a decision support tool. However, we identified instances where DHS governance and oversight bodies were acting on information that was not complete, timely, or accurate, despite the presence of such a tool. --------------------------------------------------------------------------- \14\ GAO, Border Security: DHS's Efforts to Modernize Key Enforcement Systems Could Be Strengthened, GAO-14-62 (Washington, DC: Dec. 5, 2013). --------------------------------------------------------------------------- In addition, while both PARM and OCIO have responsibility for ensuring that IT system acquisition programs are on track, it is not always clear whether these roles are distinct. Our December 2013 review also showed overlap in the program assessments conducted by PARM and OCIO--in particular, with regard to risk and requirements management, and cost and schedule performance. We recently initiated a review to, among other things, assess PARM's coordination efforts with DHS components (including OCIO) to conduct oversight of major acquisitions. Additionally, as we testified in May 2014, the Department has yet to finalize its key IT governance directive, and the draft structure has been implemented across only 5 of the 13 IT investment portfolios.\15\ It will be critical for DHS to complete these actions in order to ensure that all IT investments are appropriately aligned with the Department's enterprise architecture (i.e., to avoid acquiring duplicative or overlapping systems), adequately overseen to ensure that key IT management controls (e.g., requirements management) are being properly implemented and monitored, and delivered as planned. Because both PARM and OCIO play important roles in ensuring that IT investments are effectively acquired and implemented, these two organizations will need to work closely together to ensure that IT projects are delivered incrementally and often and that DHS finalizes the IT governance directive. --------------------------------------------------------------------------- \15\ GAO, Department of Homeland Security: Progress Made; Significant Work Remains in Addressing High-Risk Areas, GAO-14-532T (Washington, DC: May 7, 2014). --------------------------------------------------------------------------- Question From Honorable Tom Marino for Gene L. Dodaro Question. In your testimony you mention that the National Flood Insurance Program (NFIP) has not made a single payment on the principal borrowed from the Department of the Treasury since 2010. Under current law, could you estimate when the NFIP would, or could, fully repay the amount owed to the Treasury? Answer. We have not made our own estimates of how long the Federal Emergency Management Agency (FEMA) would need to repay the $24 billion it has borrowed from Treasury for the NFIP. Nevertheless, information from a report we issued in April 2014 provides some insight into FEMA's prospects for repayment.\16\ In that report, we noted that the Biggert- Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) requires FEMA to issue a report to Congress setting forth options to repay FEMA's total debt to Treasury within 10 years.\17\ Although the report was due in January 2013, FEMA has not yet issued such a report. FEMA officials told us that before the enactment of the Homeowner Flood Insurance Affordability Act of 2014 (2014 Act), they had conducted preliminary analysis assessing FEMA's repayment ability under scenarios that use different assumptions about future NFIP losses.\18\ The officials said the assessment showed that, under FEMA's planned implementation of the Biggert-Waters Act, the agency would not reach the 10-year repayment goal under any of the scenarios. Implementation of the 2014 Act may further reduce the likelihood of repayment within 10 years because the Act reduces future program premium revenue by reinstating subsidized and grandfathered rates the Biggert-Waters Act had eliminated. --------------------------------------------------------------------------- \16\ GAO, Economic Development: Overview of GAO's Past Work on the National Flood Insurance Program, GAO-14-297R (Washington, DC: Apr. 9, 2014). \17\ Pub. L. No. 112-141, 100213(b), 126 Stat. 405, 924. \18\ See Pub. L. No. 113-89, 128 Stat. 1020. --------------------------------------------------------------------------- Our April 2014 report also noted that, according to FEMA officials, in some years the agency has not had sufficient funds to make principal payments and, in other years, could have made principal payments but chose to preserve its cash balances to help avoid the need for future borrowing. A key factor affecting FEMA's future borrowing needs and ability to repay its debt is future losses. However, the frequency and severity of future flood losses are difficult to predict. Questions From Chairman Michael T. McCaul for John Roth Question 1. In your testimony, you highlighted a November 2012 audit where the Department of Homeland Security (DHS) Office of Inspector General (OIG) tested DHS radios to determine whether DHS components could talk to each other in the event of a terrorist event or other emergency. Only 1 of 479 radio users tested--or less than one- quarter of 1 percent--could access and use the specified common channel to communicate. Further, of the 382 radios tested, only 20 percent (78) contained all the correct program settings for the common channel. You testified that the reason the response rate was so low was that DHS did not establish an effective governing structure with the authority and responsibility to ensure it achieved Department-wide, interoperable radio communications. What is needed for DHS to establish an effective governing structure to solve this problem? What progress has DHS made since the report in ensuring operators know how to properly use their radio? Answer. According to the Office of Management and Budget, an effective governing structure includes clearly-defined areas of responsibility, appropriately delegated authority, and a suitable hierarchy for reporting. DHS created working groups, committees, and offices to explore Department-wide communication issues, including interoperability. However, none had the authority to implement and enforce their recommendations. DHS must establish a structure that has actual authority to enforce recommendations. DHS prepared a draft DHS Communications Interoperability Plan (DCIP). As of today, the DCIP is still in draft. According to the DCIP, as we pointed out in our report, governance is the critical foundation of all efforts to address communication interoperability. Also according to the DCIP, existing agreements governing interoperability do not sufficiently support DHS' current needs. The Joint Wireless Program Management Office (JWPMO) and the One DHS Emergency Communications Committee are coordinating to determine appropriate roles and responsibilities. According to DHS, on March 17, 2013, the DCIP was briefed to the One DHS Emergency Communications Committee. It was approved and signed by the Assistant Secretary for the National Protection and Programs Directorate; however, the DCIP is on hold, pending a review of the Tactical Communications Executive Steering Committee (TacCom ESC) and the outcome of H.R. 4289, the Department of Homeland Security Interoperable Communications Act. Wording in H.R. 4289 may lead to a redefinition of interoperability and reassignment of interoperable responsibilities. The estimated date of DCIP signature has been extended from April 14, 2014, to the end of fiscal year 2014 (September 30, 2014). This will allow time for the TacCom ESC meeting to be scheduled and completed, as well as allow time for any requested, additional follow-up briefings. Historically, the JWPMO and its predecessor organizations have not had success in achieving interoperability. Question 2. It appears that the technology is available to achieve interoperable communications. Does DHS have the proper infrastructure to use their IT network as a way to connect radios and other devices, such as smartphones, in both a command center and an operational environment? Answer. DHS does not currently have the IT infrastructure to support a broadband network in the operational environment. We have not done any work specifically looking at this capability, but the available body of knowledge provides the following insights. A broadband network could improve incident response, by providing video and data not currently available on Land Mobile Radio (LMR) systems; Nation-wide access; and interoperability. The Government Accountability Office (GAO) and public safety organizations and officials indicate that mission- critical voice communication will not likely be available on broadband networks for many years. There is disagreement among industry experts about how soon mission-critical voice capability could be available-- some industry experts predict voice capabilities will be available within a few years, while others project it will not be available for at least a decade. Long-term Evolution (LTE), the Federal Communications Commission standard for public safety broadband communication, is not currently designed to support mission-critical voice communication, such as push-to-talk. GAO has reported other communication limitations associated with broadband networks, such as limited network access inside large buildings or underground. GAO has reported that any new broadband network could require up to 10 times the number of towers as current LMR systems because, as a cellular network, broadband would use a series of lower power towers to transmit signals and reduce interference. Additional towers for the broadband network would also need to be hardened to withstand disasters, such as hurricanes. GAO has reported that a broadband network would supplement, rather than replace, LMR systems for the foreseeable future. Also, until there is mission-critical voice communication, a public safety broadband network will not resolve interoperability issues exacerbated by past emergency responses. DHS approved its TacNet program in March 2011 and directed establishment of the JWPMO to coordinate the program. TacNet, a new DHS acquisition program, seeks to leverage public safety broadband and commercial networks to develop a single network capable of supporting voice, video, and data capabilities through DHS subscriptions to LTE public safety and commercial broadband networks. In collaboration with the JWPMO, the DHS Science & Technology Directorate plans to award $7.5 million in contracts this fiscal year for a technology demonstrator program that will offer mission-critical voice capabilities and accommodate DHS video and data needs on a broadband, LTE network. DHS plans to limit upgrading and modernizing its current LMR systems, based on DHS priorities and mission-critical needs, to address equipment obsolescence, Federal narrowband and security requirements, and interoperability standards. DHS has estimated that full modernization of its legacy radio systems to meet these requirements would cost about $3.2 billion. In March 2012, DHS awarded a $3 billion Department-wide contract to acquire equipment and services needed to maintain, upgrade, and modernize its legacy LMR system. Question From Honorable Jeff Duncan for John Roth Question. According to an AP news report in 2012, Suzanne Barr, a senior Obama administration political appointee at Immigration and Customs Enforcement (ICE), resigned amid allegations of inappropriate sexual behavior and cultivating a ``frat house'' atmosphere at ICE. Prior to her resignation, Suzanne Barr was serving as chief of staff to former ICE Director John Morton. It appears that an OIG investigation was started, but did not continue after Barr resigned. As the newly- confirmed DHS inspector general, please explain to the committee what became of this investigation and why it appears that the investigation did not continue. Answer. The Office of Investigations, Office of Inspector General, did not open an investigation into allegations of misconduct by Suzanne Barr in 2012. We conducted a preliminary inquiry as we were made aware of the allegations. We established there was an on-going Title VII civil suit filed by an Immigration and Customs Enforcement special agent in charge in New York City claiming harassment and retaliation. This litigation overlapped with the allegations we were aware of. Additionally, Suzanne Barr resigned in September 2012. Any Office of Inspector General administrative investigation would have been rendered moot as she was no longer a DHS employee. With regards to an allegation we received in November 2011, in December 2011 the Office of Inspector General issued a Report of Investigation to then-Immigration and Customs Enforcement Director John Morton. The investigation was initiated based on a referral from Immigration and Customs Enforcement, Office of Professional Responsibility alleging that Suzanne Barr and Tracey Bardoff, assistant director, Immigration and Customs Enforcement misused Government funds to pay for their July 20, 2011 official travel to Mexico City, Mexico and a subsequent personal trip to Cancun, Mexico on July 22, 2011. The allegation further stated neither attended the official meetings in Mexico City, Mexico. The investigation developed no evidence that either Barr or Bardoff misused Government funds. [all]