The Department of Homeland Security (DHS) still faces challenges in implementing certain Federal Information Technology (IT) Acquisition Reform Act (FITARA) provisions, according to a new Government Accountability Office (GAO) audit report.
GAO said while DHS “has fully implemented 28 of the 31 selected FITARA action plans … as of December 2016 DHS did not fulfill all aspects of 3 action plans. For example, one action plan is to use an updated process for reviewing troubled programs to provide support to such programs; however, DHS has not finalized its policy for this process. Until DHS ensures that these 3 plans are implemented, it will lack assurance that it is fulfilling FITARA’s goals.”
In 2015, the Office of Management and Budget (OMB) released FITARA implementation guidance outlining agency Chief Information Officer (CIO) responsibilities, and required agencies to develop action plans for implementing the guidance.
GAO’s audit examined, among other things, the extent to which DHS implemented selected action plans and the key challenges DHS has faced in implementing selected FITARA provisions.
“To do so,” GAO said it “analyzed DHS’s efforts to implement a sample of 31 of 109 action plans that DHS had reported as complete and that described later-stage implementation steps.”
The deficiencies GAO reported included CIO approval of contracts and agreements.
“FITARA requires, among other things, the agency CIO to review and approve IT contracts and agreements associated with major investments (e.g., high cost) prior to award. However,” GAO found, “the CIO did not participate in the approval of any of the 48 contracts in GAO’s sample associated with major investments. While DHS has made improvements to its review process, until the Office of the CIO determines how to increase its review of contracts and agreements, the CIO will continue to have limited visibility into planned IT expenditures.”
CIO evaluation of risk. GAO found, “DHS’s Office of the CIO was conducting risk evaluations of major IT investments and updating the ratings on the OMB’s public website known as the IT Dashboard, as required by FITARA. However, in October 2016, DHS changed its process for evaluating 30 of DHS’s 93 major IT investments and, as a result, the CIO is no longer primarily responsible for the evaluations or associated risk ratings that are publicly reported for these investments.”
“Instead,” GAO reported, “multiple DHS organizations and officials are to evaluate these investments and the CIO’s assessment only accounts for about 18 percent of the total score. Further, while under the old process, DHS’s CIO was responsible for assessing these 30 investments against criteria that OMB guidance stated CIOs may use, under the new process, the CIO is only to assess these investments against one of OMB’s criteria. This process change challenges the CIO’s ability to publicly report risk ratings.”
GAO concluded that, “Until DHS addresses these challenges, the goal of FITARA to elevate the role of the department CIO in acquisition management will not be fully realized.”
GAO made 7 recommendations to DHS “to ensure that it fully and effectively implements FITARA. Among other things, GAO recommends[ed] that DHS fully implement the action plans and address challenges related to CIO contract approval and evaluation of risk.”
GAO said DHS concurred with all 7 recommendations and provided estimated completion dates for implementing each one.