GAO nudges DHS on high-risk areas

The Department of Homeland Security must keep up the pace in tackling solutions to some of the high-risk management areas, such as IT acquisition and management, that have long concerned the Government Accountability Office.

In a report introduced during a May 7 House Homeland Security Committee hearing, GAO said that although DHS has made progress in management areas that are squarely its responsibility, "work remains to be done."

"DHS has met two and partially met three of GAO's five criteria for removing areas from the high-risk list," the report states.

Every two years, GAO identifies areas that are at risk of fraud, waste, abuse and mismanagement or that are in need of broad reform at DHS and other agencies.

"Unfortunately, some of the programs identified include some of [DHS'] core functions such as acquisition management, financial management, information technology, human capital, and management integration, as well as multi-agency challenges such as information sharing and cybersecurity," Committee Chairman Michael McCaul (R-Texas) said in his opening statement at the hearing.

GAO's report both commended and criticized DHS for its work on the high-risk areas, including its progress on IT acquisition and management. GAO said DHS has taken important steps to define IT investment management processes but needs to speed up implementing those processes across its 13 IT spending portfolios.

The report cites DHS' progress in strengthening its enterprise architecture program, which has guided IT acquisitions toward the added architectural depth and breadth GAO had previously recommended.

Even with that progress, however, DHS must continue making strides in other core IT management areas. That includes taking the necessary steps to enhance its IT security program, the report states. DHS must finalize its annual Information Security Performance Plan and further improve current material weaknesses in information security. Completion of the plan is particularly important in light of a DHS financial auditor's review in December that highlighted flaws in security, such as access controls, contingency planning and segregation.

DHS should also continue identifying IT operational efficiencies, such as the strategy to consolidate 101 data centers into 37 by 2015, the report states. DHS officials have cited cost savings of about $140 million in fiscal 2011 through 2013 and estimated total consolidation savings of about $650 million through fiscal 2019.

In another GAO report released May 8, DHS came up empty in an assessment of how well five agencies have done in establishing policies that address incremental IT development.

All the departments GAO evaluated -- Defense, Health and Human Services, Homeland Security, Transportation and Veterans Affairs -- have set up policies to deal with the issue, GAO said, but those policies usually did not fully address key components for implementing the Office of Management and Budget's guidance.

"Almost three-quarters of the selected investments did not plan to deliver functionality every 6 months, and less than half planned to deliver functionality in 12-month cycles," GAO said.

The result, according to the report, is that "IT expenditures are more likely to continue producing disappointing results."