While the Department of Homeland Security (DHS) has made “significant progress … over the last 3 years, [it] continues to face long-standing, persistent challenges overseeing and managing its homeland security mission,” DHS’s Inspector General outlined in its annual report, Major Management and Performance Challenges Facing the Department of Homeland Security.
“These challenges,” the IG stated, “affect every aspect of the mission, from preventing terrorism and protecting our borders and transportation systems to enforcing our immigration laws, ensuring disaster resiliency and securing cyberspace.”
The IG said DHS “is continually tested to work as one entity to achieve its complex mission.”
Consequently, this IG’s unusually scathing annual report disturbingly emphasized that, “Absent structural changes to ensure streamlined oversight, communication, responsibility and accountability — changes that must be enshrined in law — the risk of DHS backsliding on the progress made to date is very real.”
Thisyear, the IG said, “To better inform and assist the department … we are presenting a broader picture of management challenges by highlighting those we have repeatedly identified over several years,” noting it remains “concerned about the systemic nature of these challenges, some of which span multiple administrations and changes in department leadership.”
“Overcoming these challenges demands unified action; a motivated and engaged workforce; rigorous, sustained management of acquisitions and grants; and secure information technology (IT) systems that protect sensitive information, all of which must be based on the management fundamentals of data collection, cost-benefit analysis, and performance measurement.”
In response, DHS Secretary Jeh Johnson said in a statement in response to the IG’s report that, “day-to-day and every day, the men and women across the Department of Homeland Security do an outstanding job protecting our homeland — on land, at the borders, at sea, in the air and in cyberspace. Continued focus by leadership on (in addition to our vital missions) improving the manner in which the department conducts business is essential to support these men and women on the front lines, and the public we are all committed to protecting.”
The IG said that as it has from its creation, “DHS’s primary challenge moving forward is transitioning from an organization of 22 semi-independent components, each conducting its affairs without regard to, and often without knowledge of, other DHS components’ programs and operations, to a more cohesive entity focused on the central mission of protecting the homeland.”
The IG said “A lack of coordination and unity … in all aspects of DHS’s programs — planning, programing, budgeting and execution [that] leads to waste and inefficiency.”
As Homeland Security Today has repeatedly reported, the IG stated its “previous audit and inspection reports are replete with examples of the consequences of failing to act as a single entity. Whether it is decisions on maintaining similar helicopters used by different components, harmonizing aviation maintenance management software, managing a vast vehicle fleet, coordinating protection of the maritime border, aligning immigration policies and data collection, sharing information, communicating on a common radio channel or combating tunnels on the Southwest border, DHS’s challenges in this area are well documented. We are not alone in pointing out that the promise of a unified department — the purpose of its creation — has not yet been realized. Congress, the Government Accountability Office (GAO) and interested third-party observers have all noted the challenge.”
While progress has indeed been made “both in tone and substance,” the IG reported, it noted, “In the last 3 years, DHS leadership has taken steps to forge multiple components into a single organization. New policies and directives have been created to ensure cohesive budgeting planning and execution, including ensuring a joint requirements process. The department also has a process to identify and analyze its mission responsibilities and capabilities, with an eye toward understanding how components fit together and how each adds value to the enterprise. A new method for coordinating operations, the Southern Border and Approaches Campaign, was created to try to reduce the silos and redundancy.”
“This progress,” the IG noted, “has been the result of the force of will of a small team within the department’s leadership. Future leaders may not have the focus, capability or desire to engage in the often coercive task of culture change. Unity of effort needs to be more than a slogan and an initiative. Ensuring continued progress requires the constant attention of senior leaders.”
Since its inception, the IG reiterated what it, GAO and internal government surveys have found: “DHS has suffered poor employee morale and a dysfunctional work environment. These issues are likelyconnected to challenges we repeatedly identify — the department’s failure to develop, implement and widely disseminate clear and consistent guidance; a lack of communication between staff and management; and insufficient training. DHS has also had problems determining how to assign staff appropriately and hiring and retaining enough people to handle a reasonable workload while maintaining a work-life balance. At times, DHS employees’ jobs are made more difficult by the lack of needed support, such as useful IT systems and up-to-date technology.”
While the DHS secretary “has made improving employee morale one of his top priorities and some progress has been made … the department continues to rank last among large agencies, which means leadership must sustain its focus on addressing this challenge.”
Acquisition management is also a major problem addressed by the IG, noting it’s “critical to fulfilling all DHS missions, is inherently complex, high risk and challenging. Since its inception in 2003, the department has spent tens of billions of dollars annually on a broad range of assets and services — from ships, aircraft, surveillance towers and nuclear detection equipment to IT systems for financial management and human resources. DHS’s yearly spending on contractual services and supplies, along with acquisition of assets, exceeds $25 billion. There continue to be DHS major acquisition programs that cost more than expected, take longer to deploy than planned or deliver less capability than promised. Although DHS has made much progress, it has not yet coalesced into one entity working toward a common goal. The department still lacks uniform policies and procedures, a dedicated core of acquisition professionals, as well as component commitment to adhere to departmental acquisition guidance, adequately define requirements, develop performance measures and dedicate sufficient resources to contract oversight.”
DHS has instituted major reforms to its acquisition process and has put forth significant leadership to “gain control of an unruly and wasteful process,” the IG said, “However, we worry that these reforms, if not continuously supported and enforced, could be undone. As DHS continues to build its acquisition management capabilities, it will need stronger departmental oversight and authority, increased commitment by the department and components, as well as skilled personnel to effect real and lasting change.”
In October, GAO reported “DHS’s Joint Requirements Council’s (JRC) structure and management approach—informed by assessments of requirements processes, guidance and lessons learned from DHS components and the Department of Defense—are generally consistent with key practices for mergers and organizational transformations. However, although 24 of DHS’s 36 major acquisitions are information technology programs, the department’s Office of the Chief Information Officer (OCIO) serves as a non-voting advisor to the JRC. Because GAO previously identified poor requirements definition as a factor in failed information technology programs, a more formal and consistent role for the OCIO could help minimize the risk that programs will begin with poorly developed requirements. In addition, some components lack the capacity to develop sound capability and requirements documents to present to the JRC. DHS officials are aware of this issue and are planning to take steps to address it, but it will likely take some time to do so.”
Nick Nayak, DHS’s former chief procurement officer, told Homeland Security Today that, “developing a cross-agency decision making process such as the JRC is a much bigger endeavor than just getting the process right. A parallel focus on workforce development and succession planning must exist, so that the process is survived and continually refined by successive generations of DHS leaders. The newly-revived JRC will undoubtedly experience growing pains, which may be frustrating for the current participants, but it may also be one of the most impactful legacies to leave behind in a federal executive’s career. I agree that the CIO should be on the JRC as well as the department’s” Office of Chief Procurement Officer and Directorate for Management’s Office of the Chief Human Capital Officer.
[Editor’s note: Read Nayak’s Homeland Security Today reports, Service Acquisition Outcome Enhancement, and, Partnering with Industry is Key to Improving Acquisition Outcomes]
The IG’s annual audit goes on to point out that “the entire layer of oversight intended to monitor the billions of dollars awarded by Federal Emergency Management Agency (FEMA) in disaster assistance grants is ineffective, inefficient and vulnerable to fraud, waste and abuse,” as IG audits have repeatedly documented. “Of the $1.55 billion in disaster grant funds we audited last year, we found $457 million in questioned costs, such as duplicate payments, unsupported costs, improper procurement practices and unauthorized expenditures. This equates to a 29 percent questioned-cost rate, which far exceeds industry norms and illustrates FEMA’s continued failure to adequately manage grants.”
The IG also disclosed “examples of inadequate grant management in preparedness grants. In an overarching audit of OIG recommendations related to preparedness grants, we reported that FEMA had not adequately analyzed recurring recommendations to implement changes to improve its oversight of these grants. This occurred because FEMA did not clearly communicate internal roles and responsibilities and did not have policies and procedures to conduct substantive trend analyses of audit recommendations.”
While FEMA has been responsive to the IG’s recommendations for administrative actions and for putting unspent funds to better use, the IG said, “FEMA has not sufficiently held grant recipients financially accountable for improperly spending disaster relief funds. As of September 27, 2016, FEMA had taken sufficient action to close 130 of our 154 FY 2015 disaster grant audit report recommendations. However, the 24 recommendations that remained open contained 90 percent ($413 million) of the $457 million we recommended FEMA disallow that grant recipients spent improperly or could not support. Further, in FYs 2009 through 2014, FEMA allowed grant recipients to keep 91 percent of the contract costs we recommended for disallowance for noncompliance with federal procurement regulations, such as those that require opportunities for disadvantaged firms (e.g., small, minority and women) to bid on federally funded work.”
“It is critically important that FEMA officials examine regulations, policies and procedures and assess the need for more robust changes throughout all grant programs,” the IG reported, noting, “FEMA should refocus its efforts to identify systemic issues and develop solutions to address the cause and not just the symptoms. FEMA needs to improve its oversight of state grantees and proactively engage with states to improve management and guidance of subgrantees. Nurturing positive relationships that emphasize accountability for results and resource stewardship will set a clear tone for all stakeholders of FEMA grants.”
When it comes to cybersecurity, the IG said its annual Federal Information Security Modernization Act of 2014 (FISMA) reviews revealed “incremental DHS progress in establishing an enterprise-wide information security program. However, the department is challenged to provide central oversight to make sure all components secure their networks.”
The IG found “significant vulnerabilities,” including:
- Ensuring personal identity verification card implementation data, pursuant to Homeland Security Presidential Directive 12, is implemented and reported;
- Performing required weakness remediation reviews;
- Ensuring each system has a documented authority to operate;
- Taking adequate action to address security deficiencies;
- Implementing all DHS baseline configuration settings;
- Continuously maintaining information security programs;
- Continuously monitoring Secret and Top Secret systems; and
- Discontinuing use of unsupported operating systems (e.g., Windows XP and Windows Server 2003).
Under FISMA, DHS is responsible for administering implementation of Office of Management and Budget information security policies and practices government-wide. “In line with this responsibility, DHS implemented EINSTEIN 1 and 2 to provide an automated process for collecting security information and detecting the presence of malicious activity on federal networks, [but] DHS has yet to deploy EINSTEIN 3 Accelerated across all federal government networks to expand intrusion prevention capabilities to counteract emerging threats.”
GAO reported in January 2016 that only 5 of 23 agencies were receiving intrusion prevention services, but DHS was working to overcome policy and implementation challenges.
“Further,” the IG stated, “agencies had not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is routed through EINSTEIN sensors. Within DHS, the National Protection and Programs Directorate has the overwhelming task of fulfillingthe department’s national, non-law enforcement cyber security missions as well as providing crisis management, incident response and defense against cyber-attacks for Federal.gov networks.”
Secretary responds
DHS Secretary Johnson put his best spin on the IG’s report, pointing out the IG noted ‘significant progress’ [has been] made since I’ve been secretary to address DHS’s many management challenges.”
“The report goes on to note, correctly, that ‘[t]his progress has been the result of the force of will of a small team within the department’s leadership,” and that there is a risk that “[f]uture leaders may not have the focus, capability or desire to engage in the coercive task of cultural change.”
Johnson said, “It is my profound hope that the incoming administration will continue to focus on the management reform of DHS, conceding at 13 years after its creation, “DHS, as a collective entity, is still a work in progress. We are the third largest and newest cabinet-level department of the US government, and likely the most decentralized and diverse in its mission set.”
“Through our Unity of Effort initiative launched in 2014, we have in fact improved decision-making around budgets and acquisitions, stood up joint task forces for border security, improved the hiring and promotion process, financed a new headquarters and raised employee morale,” Johnson continued. “For the first time, we now have a unifying mission statement for our 22-component, 232,000-person workforce, with honor and integrity, we will safeguard the American people, our homeland and our values.”
