Homeland Security:

Progress Made to Implement IT Reform, but Additional Chief Information Officer Involvement Needed

GAO-17-284: Published: May 18, 2017. Publicly Released: May 18, 2017.

Contact:

Carol C. Harris
(202) 512-4456
HarrisCC@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security (DHS) has fully implemented 28 of the 31 selected Federal Information Technology (IT) Acquisition Reform Act (FITARA) action plans; however, as of December 2016, DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not finalized its policy for this process. Until DHS ensures that these 3 plans are implemented, it will lack assurance that it is fulfilling FITARA's goals.

DHS faces challenges in implementing certain FITARA provisions:

Chief Information Officer (CIO) approval of contracts and agreements. FITARA requires, among other things, the agency CIO to review and approve IT contracts and agreements associated with major investments (e.g., high cost) prior to award. However, the CIO did not participate in the approval of any of the 48 contracts in GAO's sample associated with major investments. While DHS has made improvements to its review process, until the Office of the CIO determines how to increase its review of contracts and agreements, the CIO will continue to have limited visibility into planned IT expenditures.

CIO evaluation of risk. DHS's Office of the CIO was conducting risk evaluations of major IT investments and updating the ratings on the Office of Management and Budget's (OMB) public website known as the IT Dashboard, as required by FITARA. However, in October 2016, DHS changed its process for evaluating 30 of DHS's 93 major IT investments and, as a result, the CIO is no longer primarily responsible for the evaluations or associated risk ratings that are publicly reported for these investments. Instead, multiple DHS organizations and officials are to evaluate these investments and the CIO's assessment only accounts for about 18 percent of the total score. Further, while under the old process, DHS's CIO was responsible for assessing these 30 investments against criteria that OMB guidance stated CIOs may use, under the new process, the CIO is only to assess these investments against one of OMB's criteria (see table below). This process change challenges the CIO's ability to publicly report risk ratings.

Change in Responsibility for Conducting Chief Information Officer (CIO) Risk Evaluations that Are Reported to the Information Technology (IT) Dashboard for 30 Major IT Investments

| Office of Management and Budget evaluation criteria | Primary office responsible under old process | Primary organization or official responsible under new process |
|---|---|---|
| Risk management | CIO | Program Accountability and Risk Management, CIO, Chief Financial Officer, and Director of Test and Evaluation |
| Requirements management | CIO | Joint Requirements Council; Office of Systems Engineering; Director of Test and Evaluation |
| Contractor oversight | CIO | Chief Procurement Officer |
| Historical performance | CIO | Not assessed by DHS under new process |
| Human capital | CIO | Program Accountability and Risk Management |
| Other factors | CIO | CIO and any organization or official responsible for assessing any other factor in the evaluation |

Source: GAO analysis of DHS documentation. | GAO-17-284.

Until DHS addresses these challenges, the goal of FITARA to elevate the role of the department CIO in acquisition management will not be fully realized.

Why GAO Did This Study

In 2014, Congress enacted IT reform legislation, referred to as FITARA, which includes provisions related to seven areas of IT acquisition management. In 2015, OMB released FITARA implementation guidance that outlined agency CIO responsibilities and required agencies to develop action plans for implementing the guidance.

This report examines, among other things, the extent to which DHS has implemented selected action plans and the key challenges that DHS has faced in implementing selected FITARA provisions.

To do so, GAO analyzed DHS's efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps. To determine challenges, GAO analyzed and compared DHS documentation, including a random sample of IT-related contracts and agreements, to selected FITARA provisions to identify gaps between what was required by FITARA and what DHS had implemented. These provisions required, among other things, significant coordination between DHS headquarters and five components.

What GAO Recommends

GAO is making 7 recommendations to DHS to ensure that it fully and effectively implements FITARA. Among other things, GAO recommends that DHS fully implement the action plans and address challenges related to CIO contract approval and evaluation of risk. DHS concurred with all 7 recommendations and provided estimated completion dates for implementing each of them.

For more information, contact Carol C. Harris at (202) 512-4456 or HarrisCC@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to finalize the department's TechStat policy.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to update the department's IT Acquisition Review governance process to increase the number of contracts and agreements (associated with both major and non-major investments) that are reviewed by the CIO and appropriate delegates.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the specific staff or positions currently within the department's IT acquisition cadre; and (2) assessing whether these staff and positions address all of the specialized skills and knowledge needed, as outlined in OMB's Office of Federal Procurement Policy's guidance for developing an IT acquisition cadre.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to direct the Chief Information Officer to establish time frames and implement a plan for (1) identifying the department's future IT skillset needs as a result of DHS's new delivery model, (2) conducting a skills gap analysis, and (3) resolving any skills gaps identified.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update the department's acquisition policies and guidance to be consistent in identifying that the DHS CIO is to certify investments' incremental development activities.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update DHS headquarters', Customs and Border Protection's, and U.S. Coast Guard's processes to track, for all contracts and agreements, the IT investment with which each is associated (as applicable).

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To ensure that DHS effectively implements FITARA, the Secretary of Homeland Security should direct the Under Secretary for Management to update and implement the process DHS uses for assessing the risks of major IT investments to ensure that the CIO rating reported to the Dashboard fully reflects the CIO's assessment of each major IT investment.

    Agency Affected: Department of Homeland Security

 
