Homeland Security: Progress Made to Implement IT Reform, but Additional Chief Information Officer Involvement Needed
Highlights
What GAO Found
The Department of Homeland Security (DHS) has fully implemented 28 of the 31 selected Federal Information Technology (IT) Acquisition Reform Act (FITARA) action plans; however, as of December 2016, DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not finalized its policy for this process. Until DHS ensures that these 3 plans are implemented, it will lack assurance that it is fulfilling FITARA's goals.
DHS faces challenges in implementing certain FITARA provisions:
Chief Information Officer (CIO) approval of contracts and agreements. FITARA requires, among other things, the agency CIO to review and approve IT contracts and agreements associated with major investments (e.g., high cost) prior to award. However, the CIO did not participate in the approval of any of the 48 contracts in GAO's sample associated with major investments. While DHS has made improvements to its review process, until the Office of the CIO determines how to increase its review of contracts and agreements, the CIO will continue to have limited visibility into planned IT expenditures.
CIO evaluation of risk. DHS's Office of the CIO was conducting risk evaluations of major IT investments and updating the ratings on the Office of Management and Budget's (OMB) public website known as the IT Dashboard, as required by FITARA. However, in October 2016, DHS changed its process for evaluating 30 of DHS's 93 major IT investments and, as a result, the CIO is no longer primarily responsible for the evaluations or associated risk ratings that are publicly reported for these investments. Instead, multiple DHS organizations and officials are to evaluate these investments and the CIO's assessment only accounts for about 18 percent of the total score. Further, while under the old process, DHS's CIO was responsible for assessing these 30 investments against criteria that OMB guidance stated CIOs may use, under the new process, the CIO is only to assess these investments against one of OMB's criteria (see table below). This process change challenges the CIO's ability to publicly report risk ratings.
Change in Responsibility for Conducting Chief Information Officer (CIO) Risk Evaluations that Are Reported to the Information Technology (IT) Dashboard for 30 Major IT Investments
|
Office of Management and Budget evaluation criteria |
Primary office responsible under old process |
Primary organization or official responsible under new process |
|
Risk management |
CIO |
Program Accountability and Risk Management, CIO, Chief Financial Officer, and Director of Test and Evaluation |
|
Requirements management |
CIO |
Joint Requirements Council; Office of Systems Engineering; Director of Test and Evaluation |
|
Contractor oversight |
CIO |
Chief Procurement Officer |
|
Historical performance |
CIO |
Not assessed by DHS under new process |
|
Human capital |
CIO |
Program Accountability and Risk Management |
|
Other factors |
CIO |
CIO and any organization or official responsible for assessing any other factor in the evaluation |
Source: GAO analysis of DHS documentation. | GAO-17-284.
Until DHS addresses these challenges, the goal of FITARA to elevate the role of the department CIO in acquisition management will not be fully realized.
Why GAO Did This Study
In 2014, Congress enacted IT reform legislation, referred to as FITARA, which includes provisions related to seven areas of IT acquisition management. In 2015, OMB released FITARA implementation guidance that outlined agency CIO responsibilities and required agencies to develop action plans for implementing the guidance.
This report examines, among other things, the extent to which DHS has implemented selected action plans and the key challenges that DHS has faced in implementing selected FITARA provisions.
To do so, GAO analyzed DHS's efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps. To determine challenges, GAO analyzed and compared DHS documentation, including a random sample of IT-related contracts and agreements, to selected FITARA provisions to identify gaps between what was required by FITARA and what DHS had implemented. These provisions required, among other things, significant coordination between DHS headquarters and five components.
Recommendations
GAO is making 7 recommendations to DHS to ensure that it fully and effectively implements FITARA. Among other things, GAO recommends that DHS fully implement the action plans and address challenges related to CIO contract approval and evaluation of risk. DHS concurred with all 7 recommendations and provided estimated completion dates for implementing each of them.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | 1. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to finalize the department's TechStat policy. |
In May 2017, the Acting Under Secretary for Management signed and finalized the department's policy on TechStat sessions, which are face-to-face, evidence-based reviews that are intended to provide support to failing or troubled information technology (IT) programs. As a result, the department is better positioned to consistently provide needed support to troubled IT programs.
|
| Department of Homeland Security | 2. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates. |
DHS updated its Homeland Security Acquisition Manual, as well as its guidance for its IT acquisition review process, to require that IT acquisitions that (1) have total estimated procurement values of $500,000 or more and (2) are associated with a major investment, be submitted to the DHS CIO for review. These updates have increased the number of IT contracts and agreements that are to be reviewed by the CIO. As a result, the DHS CIO should have increased visibility into the department's planned IT expenditures and should have critical data necessary to make investment decisions.
|
| Department of Homeland Security | 3. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre. |
In February 2019, the department completed an assessment that included identifying the specific staff currently within the department's IT acquisition cadre, and determined whether these staff have all of the specialized skills and knowledge needed for their positions. In addition, the department identified certain skills gaps that exist. For example, the department determined that it has gaps related to technical competencies, such as project management and cost-benefit analyses. By completing this assessment and identifying its skills gaps, DHS is better positioned to address these gaps and ensure that its staff have the specialized skills and knowledge needed.
|
| Department of Homeland Security | 4. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified. |
The DHS Office of the CIO (OCIO) took action to address all three parts of this recommendation. To address the first two parts of this recommendation, DHS identified future IT skillset needs and conducted a skills gap analysis as part of the OCIO's Strategic Workforce Planning initiative. In particular, between 2017 and 2019, the OCIO Strategic Workforce Plan team worked with leadership and subject matter experts to identify the skills needed for its workforce. During this same period, the OCIO also used a four phased approach to assess the skill gaps for all OCIO IT and key support positions. With regard to the third part of the recommendation, DHS officials took actions to resolve the skills gaps that were identified as part of DHS's Strategic Workforce Planning Initiative. For example, members of the DHS headquarters Cloud Center of Excellence hosted training sessions to provide the OCIO workforce with professional training related to cloud computing implementation and management. The OCIO's efforts to identify and address the department's future IT skillset needs should improve the likelihood that the IT workforce will have the necessary skills to perform the new responsibilities associated with the department's shift to acting as a service broker.
|
| Department of Homeland Security | 5. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities. |
In response to our recommendation, DHS updated its acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities. For example, in April 2018, DHS updated its agile development policy to specify that the DHS CIO is responsible for certifying that investments are appropriately implementing incremental development activities. This update is consistent with the Department's Acquisition Management Instruction. In addition, in February 2021, DHS updated its Systems Engineering Life Cycle Instruction to also specify that this certification is the responsibility of the DHS CIO. By taking action to update its policies with consistent guidance, DHS has reduced the risk of excluding the CIO from important investment oversight activities.
|
| Department of Homeland Security | 6. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable). |
DHS headquarters, Customs and Border Protection, and the U.S. Coast Guard implemented processes to track the IT investment associated with each contract and agreement. Specifically, in March 2018, Customs and Border Protection established a new policy that required acquisition programs to use an internal ordering system to identify the investment associated with each of their expenditures. In October 2018, the U.S. Coast Guard implemented an updated tracking mechanism to identify the investment associated with its contracts and agreements. In October 2019, DHS headquarters updated its IT Acquisition Review process to require that the IT investment be identified for all contracts and agreements that are reviewed through their governance process. These actions have improved the department's ability to ensure that contracts and agreements that are associated with an IT investment receive the appropriate level of oversight.
|
| Department of Homeland Security | 7. To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment. |
In May 2020, the Office of the CIO (OCIO) had begun working on establishing and implementing a new quarterly program health assessment process for assessing the risks of major IT investments. According to OCIO officials, they have reassessed each major IT investment using this new process. For example, in June 2020 the OCIO completed its first review of the Homeland Advanced Recognition Technology program using this new process. In November 2020, the department reported updated CIO risk ratings to the Dashboard for each major IT investment, based on this new process. This new heath assessment process should provide Congress and the public with more insight into the assessment of each major investment's risk and performance.
|