To help execute its many critical missions, the Department of Homeland Security (DHS) plans to spend more than $4 billion on its portfolio of major acquisition programs—those with life-cycle costs over $300 million—in fiscal year 2023.
In its eighth annual assessment of DHS’ major acquisition programs, the Government Accountability Office (GAO) found that 18 of the 25 programs it reviewed were meeting their cost and schedule goals by the end of FY 2022. Most of the other programs were not yet required by policy to have an approved program baseline.
DHS’ major acquisition programs acquire systems for operations like securing the border, screening travelers, and improving disaster response. Of the 18 programs meeting their goals, three started the fiscal year either behind their approved schedule or over their approved budget, putting them in breach status. However, all three completed the process needed to get back on track, including revising their baseline estimates. By the end of fiscal year 2022, those programs met their revised cost and schedule goals. Four other programs also revised or were revising their baselines in fiscal year 2022 due to changes in the projects’ scope, such as a change in the quantity being acquired.
In addition, eight of the 25 DHS acquisition programs completed the operational test and evaluation phase of the acquisition process during fiscal year 2022, according to a DHS official. After completing operational test and evaluation, those programs are on track to begin production and deliver new capabilities.
GAO found that COVID-19 affected some of the 25 major acquisition programs it reviewed in a variety of ways, including supply chain issues and inflation. As of September 2022:
- Five programs were seeking approval to adjust their schedule or cost baselines due to COVID-19 effects. These programs have requested flexibilities offered in a July 2022 DHS memorandum to address the effects of COVID-19.
- Five other programs reported COVID-19 cost or schedule effects in fiscal year 2022, but were able to manage them within their baselines.
- The remaining 15 programs did not report schedule or cost effects related to COVID-19.
GAO also found that since the department’s acquisition cybersecurity instruction was issued, none of the seven programs that had subsequent acquisition decision events completed a cybersecurity risk recommendation memorandum (CRRM). The instruction requires that major acquisition programs consider cybersecurity throughout the acquisition life cycle. Specifically, major acquisition programs are required to present a CRRM at acquisition decision events to identify the programs’ cybersecurity status and their risk recommendation (high, medium, low).
DHS officials told GAO that a CRRM was not applicable to them for various reasons. In one instance, a program provided documentation that this requirement was waived by DHS. The other six programs reported that other documentation was used instead, that the memorandum was not applicable to their program, or that they simply did not develop one. GAO said the instruction does not clarify when the CRRM requirement might be waived, is not applicable, or when or what other documentation may be used in its place. Consequently, GAO is concerned that DHS, in its oversight role, may not have information to effectively assess cybersecurity risk and ensure that risk mitigations are adequate. GAO is therefore recommending that, as DHS updates its instruction, it clarifies which major acquisition programs are required to have completed cybersecurity risk recommendation memorandums prior to acquisition decision events, and when exemptions apply. DHS agreed with the recommendation and indicated that the department planned to implement it by March 30, 2024.
