GAO criticizes HSIN Next Gen management
Government auditors say the $62 million upgrade of the Homeland Security Department’s platform for sharing sensitive but unclassified information with state and local authorities faces risks due to insufficient project management controls.
The Homeland Security Information Network Next Gen, the platform with which DHS plans to replace the existing HSIN, could face “increased project costs, delayed schedules and performance shortfalls” if weaknesses in its planning, requirements development and management, and risk management are not addressed, the Government Accountability Office said.
In a report released Oct. 8, GAO recommended that controls be implemented before DHS starts to migrate users to HSIN Next Gen’s initial operating capability and concluded that “investing money given the current state of management controls puts the project at risk.”
According to GAO, DHS halted further improvements on the original HSIN in September 2007 and has since focused on HSIN Next Gen. In May, DHS awarded a contract worth as much as $62 million to General Dynamics to work on HSIN Next Gen.
DHS plans to begin migrating users to the new version beginning in May 2009. The original network has been criticized for not meeting certain user requirements.
In a written response to GAO’s report, Roger Rufe, director of DHS’ Office of Operations Coordination, said the decision to upgrade to HSIN Next Gen meets the growing needs of HSIN users. He added that the current platform “does not provide the necessary capabilities required to provide the necessary trust and interoperability.”
According to GAO’s report, HSIN does not support role-based access controls and two-factor authentication. The new system is a key part of a portal-consolidation effort aimed at reducing the number of Web-based systems used to share sensitive but unclassified information.
DHS spokesman Russ Knocke acknowledged the challenges associated with the original HSIN, but said the platform has served an important role in sharing information during the Hurricane Katrina emergency, during the current hurricane season and in ongoing efforts to combat gang activities.
He also said GAO’s suggestion that further investment under the current management structure puts the project at risk is illogical. By that logic, he said, every project would have to be perfect before it could go forward. He also said the project already had core management elements in place.
GAO auditors criticized HSIN Next Gen’s acquisition strategy, saying the practice of “engaging a contractor and commencing work before implementing mature controls is not a recipe for success.”
Rufe said in his response that the project would phase in different users at different points based on industry best practices. DHS officials say they are continuing to work with user groups to develop requirements.
The report states that DHS has gathered and analyzed requirements from critical infrastructure users but had not done so for all other HSIN users or developed a process for managing changes to requirements.
GAO said DHS “has initiated some important steps in establishing sound and capable acquisition controls, but much remains to be accomplished before DHS management efforts can be considered effective and thereby minimize the risks associated with HSIN Next Gen delivering promised capabilities and benefits on time and within budget.”
Ben Bain is a reporter for Federal Computer Week.