The DHS Chief Information Officer (CIO), and most component CIOs, are required to conduct strategic planning activities to help prioritize legacy IT systems or infrastructure for modernization to better accomplish mission goals. The DHS 2019–2023 IT strategic plan includes two distinct department-wide IT modernization initiatives: to adopt cloudbased computing and to consolidate data centers.
However, an Office of Inspector General (OIG) review found that not all components have complied with or fully embraced these efforts due to a lack of standard guidance and funding. Without consistent implementation of these efforts, OIG says DHS components remain hindered in their ability to provide personnel with more enhanced, up-to-date technology.
Over the last nine years, OIG has issued at least 10 reports on DHS’ ongoing challenges with information technology systems. It has repeatedly stressed that all seven of DHS’ operational components rely heavily on outdated technology for increasingly complex mission operations. Examples include:
1. In 2010 and 2017, OIG reported ICE had not finalized its information technology strategic plan to ensure IT capabilities were aligned with mission requirements. Further, OIG noted that ICE’s legacy IT systems were not integrated to effectively support visa-tracking operations.
2. In 2011, OIG reported Coast Guard’s aging systems and infrastructure were insufficient to support mission requirements and needed improvement.
3. In 2011, 2015, and 2018 OIG reported FEMA’s IT infrastructure did not effectively support emergency disaster-response mission operations.
4. In 2011, OIG reported that Secret Service had made progress in implementing a modernization program, but encountered challenges in reaching its objectives.
5. In 2013, OIG reported that the TSA CIO faced challenges in ensuring TSA’s IT environment fully supported TSA’s mission needs.
6. In 2014 and 2016, OIG reported USCIS struggled to modernize its stovepiped, paper-based immigration benefits processing to a more centralized and automated environment.
7. In 2017, OIG reported CBP’s IT systems and infrastructure did not fully support its border security objectives. The watchdog found that the slow performance of a critical pre-screening system reduced the ability to identify passengers who may have posed security concerns. Frequent system outages required CBP officers to rely on backup systems that weakened the screening process.
In addition, the Government Accountability Office (GAO) reported in 2019 the need to develop IT modernization plans to address critical legacy systems across the Federal Government. Specifically, GAO found many legacy IT systems had unsupported hardware and software and were operating with known security vulnerabilities. GAO reported that without complete modernization plans, agencies will be at an increased risk of cost overruns, schedule delays, and project failures.
To support its mission operations, DHS’ FY 2019 IT budget represents approximately 14 percent, or $7 billion, of DHS’ overall budget of approximately $49 billion. Each operational component maintains a significant investment in IT, ranging from $118 million to $1.7 billion. Despite this, OIG found that DHS still maintains and operates many legacy IT systems that are too outdated or deficient to perform critical functions effectively.
In its latest review, OIG said DHS has not reduced its dependency on legacy technology and identified three legacy IT systems with significant operational challenges that negatively affected critical DHS functions.
These systems are:
DHS-wide Human Resources IT (HRIT), which facilitates the hiring, training, servicing, evaluation, and improvement of DHS’ workforce.
DHS Legacy Major IT Financial System, which serves as Coast Guard and TSA’s financial system of record.
FEMA Grants Management Mission Domain and Operational Environment, which facilitates the awarding of federal assistance and grants for disaster related events.
HRIT is 17 years old and the others are over 20 years old. OIG says DHS has not made sufficient progress in replacing or augmenting these IT systems due to ineffective planning and inexperience in executing complex IT modernization efforts. Additionally, the DHS CIO has not performed mandated oversight of legacy IT to mitigate and reduce risks associated with outdated systems.
OIG also noted in its report that DHS has not yet leveraged the Modernizing Government Technology Act to accelerate its IT modernization efforts. DHS and its components questioned whether the benefits of the Act outweighed the additional effort needed to use the resources the Act provided.
As of April 2019, each of DHS’ six operational components (excluding Secret Service) were in various stages of investing and migrating their systems to the cloud. Specifically, six components had met the cloud migration goals, while Secret Service performed its own internal evaluation and determined that it would not commit to migrating any of its systems to the cloud.
Although migration goals were met, DHS has struggled to ensure systems remain operational at the same level of performance in the cloud. DHS officials reported approximately 41 percent of the seven operational components’ systems were migrated to the cloud; but, only about 24 percent of these systems were actually operational in the cloud. For example, at the time of OIG’s review, TSA had 38 systems using or adopting cloud, but only six of these were operational in the cloud.
Overall, OIG found DHS still needs to overcome its longstanding IT deficiencies to ensure its technology systems and infrastructure support 24 x 7 mission-critical operations and timely response to evolving threats. The watchdog therefore recommends DHS develop department-wide guidance for implementing cloud technology and migrating legacy IT systems to the cloud; coordinate with components to develop and finalize a data center migration approach to accomplish strategic goals for reducing the footprint of DHS IT infrastructure; and establish a process to assign risk ratings for major legacy IT investments, as required by the Federal Information Technology Acquisition Reform Act. DHS concurred and stated it has commenced submitting updated risk ratings for IT programs, including legacy programs, to the Federal IT Dashboard.