The Department of Homeland Security (DHS) needs to address ‘significant shortcomings’ in its new biometric program, the Government Accountability Office (GAO) says, a sentiment echoed by the Office of Inspector General in two recently issued reports.
Since 2016, DHS has been working to replace its outdated biometric identity management system that matches fingerprints and facial features. DHS expects the new centralized department-wide system, known as the Homeland Advanced Recognition Technology (HART) program, to store hundreds of millions of identities.
But a GAO review has found that the system is way behind schedule and costs more than estimated, even after readjusting the schedule and cost estimates twice. The government watchdog also said DHS needs to do much more to protect the privacy of individuals whose information is in this new system.
As a department-wide system, HART is intended to have many uses across DHS and as such, the relevant DHS components play a key role in shaping the program and its eventual rollout. For example, among other things, the Department of State is expected to use HART to support biometric identification and verification of international travelers seeking U.S. visas to help determine if visas should be issued. The Transportation Security Administration (TSA) is expected to rely on the system to retrieve identity information for trusted travelers scheduled to fly within the next 24 hours for use in identity verification at airport security checkpoints. In addition, U.S. Customs and Border Protection (CBP) is expected to use HART to support biometric identification and verification of in-scope travelers entering and exiting the U.S. through air, sea, and land ports of entry.
In its Biometrics Roadmap, TSA said it and CBP would work with DHS’ Office of Biometric Identity Management (OBIM) to create an integration roadmap to HART. According to the Roadmap, TSA will integrate existing biometric holdings and newly-collected biometric data with HART and will explore opportunities to more effectively use existing information within HART for domestic travel purposes.
DHS currently provides biometric identity management services through the Automated Biometric Identification System (IDENT), which became operational over 29 years ago. In 2011, DHS reported that IDENT had significant shortcomings such as system capacity constraints, a lack of ability to handle multiple types of biometric information, and limitations on accuracy and assurance. The Department therefore initiated HART in 2016, but the program has been hit by schedule and cost breaches.
After rebaselining in 2019, the HART program declared a second schedule breach and its first cost breach in 2020. Accordingly, DHS rebaselined the program again. This extended the schedule for delivering the initial capabilities to replace the legacy system by an additional 33 months beyond the 2019 plan. The 2022 rebaseline did not include an estimate for completing the program.
Regarding costs, GAO found that the program’s 2022 rebaseline increased its estimated costs by $354 million. In April 2023, program officials stated that they needed to rebaseline HART’s schedule a third time due to, among other things, higher than expected software defects and performance issues. GAO believes that until established best practices are followed in program management, the HART cost and schedule estimates will continue to be unreliable. In turn, this could impair the ability of senior leadership to make informed decisions regarding the program’s future.
In December 2022, Congress rejected a funding increase for HART and directed DHS to initiate an independent evaluation of the program by an entity outside of DHS that follows the National Institute of Standards and Technology requirements for independent verification and validation.
As well as cost and schedule breaches, Congress, GAO and civil liberties groups, have voiced concern over the protection of biometric data. In 2022, GAO reported that the potential for breaches of biometric information, such as facial images and iris scans, at federal agencies could result in this sensitive information being revealed to unauthorized entities.
During the course of its latest HART review, GAO found that DHS fully implemented five of 12 selected Office of Management and Budget privacy requirements. For example, the program addressed the requirement to appropriately encrypt information by demonstrating encryption settings for information at rest and in transit. However, DHS was found to have gaps in the remaining seven requirements. For example, the program’s privacy impact assessment, which is intended to analyze how personal information is collected, shared, and managed, was missing key information. Specifically, the assessment was missing information on individuals whose data will be stored in the system and the partners with whom the system will share information. In addition, GAO found that the program did not have assurances that partners that provide information to the system will appropriately retain and dispose of personally identifiable information. Ultimately, GAO says DHS lacks assurance that the hundreds of millions of individuals’ personally identifiable information that will be stored and shared by HART will be appropriately protected.
DHS is in a critical situation with regards to biometrics, given that the existing IDENT program is not designed for today’s needs and technologies, and the replacement HART program continues to suffer delays. To help move the program forward, GAO is making nine recommendations to DHS. The department concurred with the recommendations and said it expects to complete work to meet some of these by the end of September 2023. Other actions, such as the appropriate disposal of personally identifiable information, are expected to be completed by September 2024.
In addition to GAO’s findings, the Office of Inspector General (OIG) has carried out its own audit that found DHS’ existing biometric strategic framework did not accurately reflect the current state of biometrics across the Department, such as the use of facial recognition verification and identification. This audit, the results of which were published on September 22, also found DHS had not implemented department-wide policy for the consistent collection and use of biometric information. And echoing another of GAO’s concerns, OIG also noted that DHS does not have a transition plan to integrate U.S. Customs and Border Protection’s Biometric Entry-Exit system with HART.
In response, DHS said it is updating its biometric strategic framework, which it expects to do by the beginning of March 2024. In addition, the Biometric Capabilities Executive Steering Committee will consolidate component plans into a DHS Biometric Roadmap. The committee will also coordinate efforts to develop a plan to transition CBP’s Biometric Entry-Exit system to HART. The timeline and roadmap to integrate the Entry-Exit system with HART will depend on HART meeting CBP requirements.
Previously, OIG issued a report on September 19, which contains further recommendations to ensure that HART’s privacy risks are mitigated. OIG said OBIM should mitigate all privacy risks associated with how information is characterized, collected, corrected, retained, and shared in HART. However, the audit found that DHS’ Privacy Office did not ensure that DHS systems that supply biometric and biographic data to HART had current Privacy Impact Assessments as required by DHS policy. OIG determined that two of 22 systems did not have current privacy compliance documentation.
As a result of those findings, OIG is recommending that the DHS Chief Privacy Officer ensure DHS component systems that use and provide data to HART have current and up-to-date Privacy Impact Assessments. DHS concurred and stated that the Privacy Office is working with OBIM’s Privacy and Policy Branch to better define the landscape of systems providing data and receiving data from HART and will continue to coordinate and collaborate with DHS components and offices to complete the applicable updates for the covered systems. DHS estimates this work will be completed by July 31, 2024.
OIG also reported that DHS does not plan to update existing sharing agreements once HART is deployed. Instead, the department plans to use the existing agreements created for IDENT. As part of OIG’s review, inspectors sampled 10 agreements with four federal agencies and found all 10 were either issued under the no-longer-existing United States Visitor and Immigrant Status Indicator Technology (US-VISIT) program or for IDENT. Additionally, three of the agreements OIG reviewed were more than 15 years old.
Consequently, OIG is recommending that the DHS Chief Privacy Officer in consultation with the DHS Office of Strategy, Policy, and Plans, issue guidance for when to review, update, or issue new information sharing and access agreements when upgrading or deploying new technologies that collect personally identifiable information. However, DHS said administrative changes do not pass the threshold to warrant an update to the sharing and access agreements when no functionality changes to data, users, or uses have occurred.