The Office of Inspector General (OIG) has found that the Department of Homeland Security Science and Technology Directorate (S&T) did not execute all projects in line with Federal and DHS guidelines, policies, and procedures.
S&T works with DHS and its components to identify capability gaps in DHS operations and to research and develop technologies to address those gaps. For example, to address the growing need for new or improved border surveillance capabilities, S&T initiated a Ground Based Technologies Program to focus R&D projects on enhancing situational awareness, providing automated detections and alerts, and enhancing the safety of DHS officers and agents. Similarly, to address the need for effective screening of air cargo, S&T initiated an Air Cargo Screening Program to develop new security technologies to cost-efficiently screen diverse and complex cargo. In fiscal year 2020, S&T budgeted $18.4 million for these two programs alone. Altogether In FY 2020, S&T had 369 ongoing R&D projects in the execution phase, with obligations totaling $305 million.
OIG’s review found that S&T did not consistently comply with sensitive information and privacy requirements to protect sensitive information. For the 24 projects OIG reviewed for compliance with sensitive information requirements, three project checklists were not signed by the appropriate officials. In one of the three, the Chief Information Officer did not sign the checklist as required. The second checklist was not signed by officials from the DHS Cybersecurity and Infrastructure Security Agency and the Transportation Security Administration, which were required because the contractor would have access to vulnerable and sensitive security information. An official from the Transportation Security Administration did not sign the third checklist even though the project required review by that component because the contractor would have access to sensitive security information. Shortcomings were also found with correctly signed checklists which were incomplete, and a lack of privacy threshold analysis.
In addition, not all S&T project managers obtained the required Federal Acquisition Certification (FAC) to ensure they met training, experience, and development requirements. Of the 24 projects OIG reviewed, S&T project managers for nine of them had obtained the appropriate FAC, and one additional project manager was in the process of obtaining the certification. However, project managers for the remaining 14 projects were not FAC-certified. Of the 14 projects managed without a FAC-certified project manager, four were identified as high-risk for sensitive information on the project’s checklist. An S&T official told OIG that R&D project managers were exempt from the certification because research projects are not considered acquisition projects. OIG argued that guidance states such certification is mandatory.
Finally, the watchdog found that S&T project managers did not prepare project plans for review and approval for most of the R&D projects under scrutiny. OIG determined that S&T project managers did not prepare project plans for most (92 percent) of the 24 R&D projects reviewed. In fact, project managers prepared project plans for only two of the 24 projects. Although the two plans included the required information, the plans were not approved by S&T management before the project execution phase, as required. For the remaining 22 projects, project managers did not prepare project plans. Instead of project plans, project managers prepared program plans for 16 projects, research plans for two projects, and no plans for four projects.
According to OIG, these failures were a result of insufficient oversight and guidance as well as a lack of a centralized approach to manage and monitor project execution.
The watchdog set out five recommendations to improve S&T’s project management:
- Develop and implement a process to ensure required special clauses are included in contracts for project acquisitions with a high risk of unauthorized access to or disclosure of sensitive information.
- Develop and implement a process, with a timeline, to ensure that project managers prepare Privacy Threshold Analyses for all projects and provide the analyses to the S&T Privacy Office for review.
- Clarify the requirements for the preparation of Checklists for Sensitive Information, Privacy Threshold Analyses, project plans, update S&T guidance, and formally communicate the requirements to program and project managers.
- Develop and implement a policy to require and track FAC certification for research and development program and project managers that meets Office of Management and Budget and DHS requirements.
- Require that program and project managers use the Science and Technology Analytical Tracking System (STATS), or other centralized project management system, to track and manage all research and development projects.
S&T concurred with the first three recommendations and stated that the Compliance Division and the S&T Office of Contracts, Acquisition, and Program Support are collaboratively drafting a formal process, and associated implementation training, in consultation with the Office of Procurement Operations, to ensure the proper clauses are included in contracts for project acquisitions with a high risk of unauthorized access to, or disclosure of, sensitive information. S&T is also developing a process with associated timeline, checklists, and guidance to ensure that the privacy documentation, including the projected timeline with milestones is in place. A process to clarify the requirements of privacy documentation is also being developed. S&T expects to complete work to meet the first three recommendations by January 31, 2023.
S&T also agreed with the fourth recommendation and added that a tool to collect data to baseline project management capabilities within the organization and identify areas where S&T needs to increase certifications and skills to appropriate levels is under development. It is also worth noting that on December 1, 2021, the Director of Mission Capability Support issued a memorandum, “Federal Acquisition Certification for the Office of Mission and Capability Support (MCS) Program Managers (FAC-P/PM) Certification,” requiring project management certifications for all program managers.
Finally, to meet the fifth recommendation, the Deputy Under Secretary for S&T will issue a formal memorandum requiring the use of STATS for all research and development projects. S&T expects this memo to be issued by the end of March, 2022.