News Column

House Homeland Security Subcommittee on Oversight and Management Efficiency Hearing

February 6, 2014



Chairman Duncan, Ranking Member Barber, and Members of the Subcommittee:

I am pleased to be here today to discuss the Department of Homeland Security's (DHS) border enforcement system, known as TECS. n1 TECS has been used since the 1980's for preventing terrorism, providing border security and law enforcement, and sharing information about people who are inadmissible or may pose a threat to the security of the United States, and today still provides traveler processing and screening, investigations, case management, and intelligence functions for multiple federal, state, and local agencies. Over time, however; it has become increasingly difficult and expensive to maintain because of technology obsolescence and its inability to support new mission requirements. DHS estimates that TECS's licensing and maintenance costs are expected to be $40 million to $60 million per year in 2015.

In 2008 the department initiated TECS Modernization (TECS Mod) to modernize existing system functionality, address known capability gaps, and move the program's infrastructure to DHS's new data centers. TECS Mod is managed as two separate programs working in parallel: U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE) are each modernizing existing functionality specific to their respective roles and missions within the department. Both programs had planned to be fully operational by September 2015.

In December 2013, we reported that DHS needed to strengthen its efforts to modernize these key border enforcement systems. n2 In that report, we issued multiple recommendations aimed at improving DHS's efforts to develop and implement its TECS Mod programs. My testimony today will summarize the results of that report. Specifically, I will cover (1) the scope and status of the two TECS Mod programs, (2) selected CBP and ICE program management practices for TECS Mod, (3) the extent to which DHS is executing effective executive oversight and governance of the two TECS Mod programs, and (4) the importance of addressing our recommendations for improving DHS's development efforts.

The work on which my testimony is based was conducted from December 2012 to December 2013. Further details on the scope and methodology for the previously-issued report are available within that published product. In addition, we analyzed recently-received documentation from DHS on the status of the two TECS Mod programs. All work on which this testimony is based was performed in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

TECS is an information technology (IT) and data management system that supports DHS's core border enforcement mission. According to CBP, it is one of the largest, most important law enforcement systems currently in use, and is the primary system available to CBP officers and agents from other departments for use in determining the admissibility of persons wishing to enter the country. In addition, it provides an investigative case management function for activities carried out by ICE agents, including money-laundering tracking and reporting; telephone data analysis; and intelligence reporting and dissemination.

Over time, TECS has evolved into a multifaceted computing platform that CBP describes as a system of systems. This mainframe-based system dates back to the 1980s and interfaces with over 80 other systems from within DHS, other federal departments and their component agencies, as well as state, local, and foreign governments. It contains over 350 database tables, queries and reports (e.g., querying law enforcement records to determine if a traveler appears on a terrorist watch list), and multiple applications (e.g., ICE's existing investigative case management system). CBP agents and other users access TECS via dedicated terminals. The system is managed by CBP's Office of Passenger Systems Program Office and is currently hosted at CBP's datacenter.

On a daily basis, the system is used by over 70,000 users and handles more than 2 million transactions--including the screening of over 900,000 visitors and approximately 465,000 vehicles every day. In addition, federal, state, local, and international law enforcement entities use TECS to create and disseminate alerts and other law enforcement information about "persons of interest." Ten federal departments and their numerous component agencies access the system to perform a part of their missions.

The current TECS system uses obsolete technology, which combined with expanding mission requirements, have posed operational challenges for CBP and others. For example, users may need to access and navigate among several different systems to investigate, resolve, and document an encounter with a passenger. In addition, CBP identified that TECS's search algorithms do not adequately match names from foreign alphabets. TECS's obsolescence also makes it difficult and expensive to maintain and support. Specifically, DHS estimates that TECS's licensing and maintenance costs are expected to be $40 million to $60 million per year in 2015.

In 2008, DHS initiated efforts to modernize TECS by replacing the mainframe technology, developing new applications and enhancing existing applications to address expanding traveler screening mission needs, improving data integration to provide enhanced search and case management capabilities, and improving user interface and data access. DHS's plan was to migrate away from the existing TECS mainframe by September 2015 to avoid significantly escalating support costs. The modernization effort is managed by two program offices--one at CBP and the other at ICE--working in parallel, with each having assumed responsibility for modernizing the parts of the system aligned with their respective missions.

CBP expects that its modernization efforts will yield certain improvements over the existing system, including the following.

. Enhancements to TECS's search algorithms to better match names from foreign alphabets; address gaps in current processes that could result in missing a person of interest. This includes an improved ability for inspectors to update information on travelers at air and sea borders at the time of encounter.

. Improvements in the flow and integration of data between CBP and its partner agencies and organizations. This is intended to aid the agency's inspectors by providing timely, complete, and accurate information about a traveler during the secondary inspection process.

CBP planned to develop, deploy, and implement these capabilities incrementally across five projects from 2008 to 2015.

. Secondary Inspection: This project is to support processing of travelers referred from primary inspection for either enforcement or administrative reasons. According to CBP, this project's functionality was fully deployed to all air and sea ports of entry in 2011, and was fully deployed to all land ports of entry in 2013.

. High Performance Primary Query and Manifest Processing: This project is intended to improve TECS data search results in order to expedite the processing of manifests from individuals traveling to the United States on commercial or private aircraft, and commercial vessels. It is to be fully operational by March 2015.

. Travel Document and Encounter Data: This project is intended to improve CBP's ability to query and validate travel documentation for both passengers and their means of conveyance. It is to be fully operational by March 2015.

. Lookout Record Data and Services: This project is intended to improve the efficiency of existing data screening and analyses capabilities. It is to be fully operational by March 2015.

. Primary Inspection Processes: This project is intended to modernize the overall inspection process and provide support for additional or random screening and communication functions. It is to be fully operational by March 2015.

As part of each of these projects, CBP is also developing an online access portal, called TECS Portal, for authorized users to access information remotely using a modern web browser, along with security and infrastructure improvements, and the migration of data from the current system to databases in the new environment at the DHS datacenter. Ultimately, TECS Mod functionality is to be deployed to over 340 ports of entry across the United States.

ICE's TECS Mod effort is to focus on specific law enforcement and criminal justice functions; tools to support ICE officers' collection of information, data analysis, and management operations; enhanced capabilities to access and create data linkages with information resources from elsewhere in DHS and other law enforcement agencies; and capabilities to better enable investigative and intelligence operations, corresponding management activities, and information sharing. Similar to CBP, ICE intended to deliver functionality in multiple phases:

. Phase 1: Core Case Management: This phase was to encompass all case management functions currently residing in the existing TECS system. ICE planned to develop and deploy these functions in three releases beginning in 2009, and was scheduled to deploy Release 1 by December 2013, with additional releases following about every 12 months, in order to achieve independence from the existing TECS platform by September 2015. Specific capabilities that were to be provided include:

. basic electronic case management functions, including opening cases, performing supervisory review of cases, and closing cases within the system;

. development of reports for use as evidentiary material in court proceedings arising from ICE agents' investigations;

. maintenance of records relating to the subjects of ICE investigations; and

. audit capabilities to monitor system usage.

. Phase 2: Comprehensive Case Management: This phase was to expand on the features delivered as part of phase one and to be delivered in four increments starting in 2016, with an estimated completion date in fiscal year 2017.

DHS Oversight of Major IT Programs

DHS's Office of the Chief Information Officer (CIO) and the Office of the Under Secretary for Management are to play key roles in overseeing major acquisition programs like TECS Mod. For example, the CIO's responsibilities include setting departmental IT policies, processes, and standards; and ensuring that IT acquisitions comply with DHS IT management processes, technical requirements, and approved enterprise architecture, among other things. Within the Office of the CIO, the Enterprise Business Management Office has been given primary responsibility for ensuring that the department's IT investments align with its missions and objectives. As part of its responsibilities, this office periodically assesses IT investments like TECS Mod to gauge how well they are performing through a review of program risk, human capital, cost and schedule, and requirements.

In October 2011, DHS's Under Secretary for Management established the Office of Program Accountability and Risk Management. This office is to ensure the effectiveness of the overall program execution governance process and has the responsibility for developing and maintaining DHS's Acquisition Management Directive. n3 It is also responsible for periodically providing independent assessments of major investment programs-- called Quarterly Program Accountability Reports--as well as identifying emerging risks and issues that DHS needs to address.

In December 2011, DHS introduced a new initiative to improve and streamline the department's IT program governance. This initiative established a tiered governance structure for program execution. Among other things, this new structure includes a series of governance bodies, each chartered with specific decision-making responsibilities for each major investment. Among these are executive steering committees, which serve as the primary decision-making authorities for DHS's major acquisition programs. ICE chartered its steering committee in September 2011 and it has been meeting since December of that year. CBP established its steering committee in early 2013 and it held its first meeting in February.

Schedule and Cost of Both TECS Modernization Programs Are Unclear

CBP has begun delivering functionality to its users; however, its schedule and cost commitments continue to change and are still being revised. Specifically, CBP intends to modernize the functionality, data, and aging infrastructure of legacy TECS and move it to DHS's data centers. CBP plans call for developing, deploying, and implementing these capabilities in five distinct projects that are to be delivered by 2015. To date, CBP has completed one of these five projects, having completed its deployment of functionality to improve its secondary inspection processes to air, sea, and land ports of entry in 2013. CBP is in the process of revising its schedule baseline for the second time in under a year, making it unclear when the program ultimately intends to deliver needed functionality.

Exacerbating this situation is the fact that CBP has not developed its master schedule sufficiently to effectively manage work activities or monitor the program's progress. n4 Specifically, the program has not linked all the work activities in the individual project schedules, nor has it defined dependencies that exist between projects in the master schedule: approximately 65 percent of CBP's remaining work activities were not linked with other associated work activities. Thus, any delays early in the schedule do not "ripple" (i.e., transmit delays) to activities later in the schedule, meaning that management will be challenged to determine how a slip in the completion date of a particular task may affect the overall schedule. In our report, we also noted that CBP had not yet developed a detailed schedule for significant portions of the program. CBP reported in January 2014 that it has now completed that work.

Program officials stated these deficiencies existed because the program has only two staff members with skills needed to properly develop and maintain the schedules, and that fully documenting all the dependencies would be time consuming, and in their view, not sufficiently important to warrant the additional resources necessary to complete them. However, without a complete and integrated master schedule that includes all program work activities and associated dependencies, CBP is not in a position to accurately determine the amount of time required to complete its TECS modernization effort and develop realistic milestones.

The program's cost estimates have also changed as a result of rebaselining and are also being revised. The program's baselined life-cycle cost estimate as of September 2013 n5 was approximately $724 million, including $31 million for planning management, $212 million for development, and $481 million for operations and maintenance. As of August 2013, the program reported that it had expended about $226 million. However, as previously stated, the program is in the process of revising its estimate, and thus, it is unclear how much it will cost to complete the program. In January 2014, CBP reported that its revised estimates should be approved internally and submitted to DHS for its approval by the end of January 2014.

Meanwhile, ICE is replanning its $818 million TECS Mod program, having determined in June 2013 that the system under development was not technically viable and could not support ICE's needs--this coming after having already reduced the scope of its initial program installment by about 70 percent due to protracted technical difficulties and schedule delays. Specifically, ICE determined that, after spending approximately $19 million, the system under development could not be fielded as part of ICE's eventual solution due to ongoing technical difficulties with the user interface, access controls, and case-related data management. Instead of continuing with the existing technical solution, the program manager explained that ICE would scrap a significant portion of the work done to date and start over. As a result, ICE halted most development work in June 2013 and has since been assessing different design and technical alternatives. In January 2014, ICE reported that it had rebaselined its program requirements and that it anticipates having its revised cost and schedule estimates finalized this coming spring. Nevertheless, given the time lost in developing the current technical solution, as well as the already reduced program scope, ICE cannot say what specific features it will release to users, when this functionality will be delivered, or how much such efforts will cost. As such, ICE is at significant risk of not achieving independence from the existing system by 2015.

TECS Modernization's Risk Management Is Generally Consistent with Leading Practices, but Requirements Management Has Had Mixed Results

Both CBP and ICE implemented risk management practices that are generally--though not fully--consistent with leading practices, and both had mixed results in managing program requirements. Of four leading practices associated with effective risk management, CBP and ICE each fully implemented two (establishing documented risk management processes and assigning roles and responsibilities for managing risks) and partially implemented the other two (capturing all known risks and managing risk mitigation efforts through to completion). Specifically, neither program identified all known risks, nor escalated them for timely review by senior management.

Further, of four leading practices for managing program requirements, CBP fully implemented three (establishing a requirements management process, assigning roles and responsibilities for requirements development and management activities, and defining a change control process) while partially implementing the one other (eliciting user needs). However, CBP began executing key requirements activities before such practices were established, and as a result, CBP officials reported that some TECS Mod requirements were not as consistently well-formed or detailed because their process during that time lacked rigor. In ICE's case, management weaknesses and the lack of appropriate guidance for the program's requirements management process led to technical issues, testing failures, and ultimately, the deferral and/or deletion of about 70 percent of the program's original requirements. ICE issued new requirements guidance for the program in March 2013 that is consistent with leading practices, but has yet to demonstrate that these have been fully implemented.

DHS's Governance Bodies Have Taken Actions Aligned with Leading Practices, but Incomplete and Inaccurate Data Have Limited Their Effectiveness

DHS's governance bodies have taken actions to oversee the two TECS Mod programs that are generally aligned with leading practices. Specifically, they have monitored TECS Mod performance and progress and have ensured that corrective actions have been identified and tracked. However, a lack of complete, timely, and accurate data have affected the ability of these governance bodies to make informed and timely decisions, thus limiting their effectiveness. For example:

. Steering committees. In an April 2013 meeting, the CBP program manager briefed the steering committee on its target milestone dates; even though the agency told us a month later that it had not fully defined its schedule, raising questions about the completeness and accuracy of the proposed milestone dates upon which the committee based its oversight decisions.

. The Office of the CIO. In its most recent program health assessments, the Enterprise Business Management Office partially based its rating of moderately low risk on CBP's use of earned value management; however, the program manager stated to us that the CBP program is not utilizing earned value management because neither it nor its development contractor had the capability to do so. Similarly, even though ICE had not reported recent cost or schedule data for its program--an issue that may signal a significant problem-- the Office of the CIO rated ICE's program as medium risk. The reliance on incomplete and inaccurate data raises questions about the validity of the risk ratings.

. Office of Program Accountability and Risk Management. In the July 2013 Quarterly Program Accountability Report, DHS's Office of Program Accountability and Risk Management rated both TECS Mod programs as high value with low risk. However, CBP's low-risk rating was based in part on the quality of the program's master schedule and acquisition program baseline; however, as we stated earlier, problems with the agency's schedule raise questions about the validity and quality of those milestones. Further, the low-risk rating it issued for ICE was based, in part, on its assessment of ICE's performance between April and September 2012, which rated the program's cost performance with the lowest possible risk score. Yet, during that same time period, program documents show that ICE TECS Mod's cost and schedule performance was declining and varied significantly from its baseline. For example, program documents show that, as of June 2012, ICE TECS Mod had variances of 20 percent from its cost baseline and 13 percent from its schedule baseline.

Moreover, the Quarterly Program Accountability Report is not issued in a timely basis, and as such, is not an effective tool for decision-makers. For example, the most recent report was published on July 7, 2013, over 9 months after the reporting period ended and therefore did not reflect that, since then, ICE has experienced the issues with its technical solution described earlier in this report. As discussed, these issues have caused the program to halt development and replan its entire acquisition. Consequently, the newly-issued issued report is not reflective of ICE's current status, and thus is not an effective tool for management's use in providing oversight.

Until these governance bodies base their reviews of performance on timely, complete, and accurate data, they will be limited in their ability to effectively provide oversight and to make timely decisions.

Implementation of Recommendations Could Improve DHS's Efforts to Develop and Implement Its TECS Mod Programs

In our report, we made several recommendations to improve DHS's efforts to develop and implement its TECS Mod programs. Specifically, we recommended that the Secretary of Homeland Security direct the CBP Commissioner to: (1) develop an integrated master schedule that accurately reflects all of the program's work activities, as well as the timing, sequencing, and dependencies between them; (2) ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory--including acquisition risks mentioned in our report--and are briefed to senior management, as appropriate; (3) revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate; and (4) revise and implement the TECS Mod program's requirements management guidance to include the validation of requirements to ensure that each is unique, unambiguous, and testable. In January 2014, CBP provided documentation that it had taken steps to begin addressing the second, third, and fourth recommendations.

We further recommended that the Secretary of Homeland Security direct the Acting Director of ICE to: (1) ensure that all significant risks associated with the TECS Mod acquisition are documented in the program's risk and issue inventory--including the acquisition risks mentioned in our report--and briefed to senior management, as appropriate; (2) revise and implement the TECS Mod program's risk management strategy and guidance to include clear thresholds for when to escalate risks to senior management, and implement as appropriate; and (3) ensure that the newly developed requirements management guidance and recently revised guidance for controlling changes to requirements are fully implemented.

We also recommended that the Secretary of Homeland Security direct the Under Secretary for Management and acting Chief Information Officer to ensure that data used by the department's governance and oversight bodies to assess the progress and performance of major IT acquisition programs are complete, timely, and accurate.

DHS concurred with all but one of our recommendations, disagreeing with the recommendation regarding the weaknesses in CBP's schedule. In response, DHS stated that CBP's scheduling efforts for TECS Mod were sound. However, given the weaknesses in CBP's master schedule, we continue to believe that management will be unable to determine how a slip in the completion date of a particular task may affect the overall project or program schedule, and thus, absent any changes, continuing to use it as a tool to track progress will remain ineffective.

In conclusion, after spending nearly a quarter billion dollars and over 4 years on its two TECS Mod programs, it remains unclear when DHS will deliver them and at what cost. While CBP's program has delivered one of the five major projects that comprise the program, its commitments are being revised again and the master schedule used by the program to manage its work and monitor progress has not been fully developed. Moreover, ICE's program has made little progress in deploying its system, and is now completely overhauling its original design and program commitments, placing the program in serious jeopardy of not meeting the 2015 deadline and delaying system's deployment. The importance of having updated cost and schedule estimates for both the CBP and ICE programs cannot be understated, as this important management information will provide Congress and DHS with visibility into the performance of these vital border security investments. Further, while both agencies have defined key practices for managing risks and requirements, it is important that the programs fully implement these critical practices to help ensure that they deliver the functionally needed to meet mission requirements and minimize the potential for additional costly rework. Finally, until DHS's governance bodies are regularly provided complete and accurate data for use in their performance monitoring and oversight duties, their decisions may be flawed or of limited effectiveness.

Chairman Duncan, Ranking Member Barber, and Members of the Subcommittee, this concludes my statement. I would be happy to answer any questions at this time.

n1 TECS was created as a system of the Customs Service, which was then a component within the Department of the Treasury. The term TECS initially was the abbreviation for the Treasury Enforcement Communications System. When the Customs Service became part of DHS under the Homeland Security Act, TECS became a DHS system, and thereafter has simply been known as TECS.

n2 GAO, Border Security: DHS's Efforts to Modernize Key Enforcement Systems Could be Strengthened, GAO-14-62 (Washington, D.C.: Dec. 5, 2013).

n3 The Acquisition Management Directive provides the overall policy and structure for acquisition management within the department and is used in planning and executing acquisitions.

n4 Our research has identified, among other things, that a key element associated with a complete and useful schedule or roadmap for executing a program such as TECS Mod is to logically sequence all work activities so that start and finish dates of future activities, as well as key events based on the status of completed and in-progress activities, can be reliably forecasted. See GAO, GAO Schedule Assessment Guide: Best Practices for Project Schedules, Exposure Draft, GAO-12-120G (Washington, D.C.: May 2012).

n5 This estimate is in the program's November 2012 acquisition program baseline.

Read this original document at: http://docs.house.gov/meetings/HM/HM09/20140206/101720/HHRG-113-HM09-Wstate-PownerD-20140206.pdf


For more stories covering the world of technology, please see HispanicBusiness' Tech Channel



Source: Congressional Documents & Publications


Story Tools