For the second time in a year, Customs and Border Protection (CBP) is revising its schedule baseline for the TECS border enforcement system modernization program, and hasn’t yet “developed its master schedule sufficiently to reliably manage work activities or monitor program progress,” Congress learned during a hearing last week. And it’s raised questions about the certainty of CBP’s remaining schedule commitments, said David A. Powner, director of Information Technology Management Issues at the Government Accountability Office (GAO).
A legacy system that’s been in operation since 1987, TECS “has become increasingly difficult and expensive to maintain due to the system’s antiquated technology and its inability to support the requirements needed by CBP and Immigration and Customs Enforcement (ICE) personnel in the field,” said House Committee on Homeland Security Subcommittee on Oversight and Management Efficiency Chairman Rep. Jeff Duncan (R-SC) as he opened the subcommittee’s hearing Thursday on DHS’s need to strengthen its efforts to modernize key enforcement systems.
Today, TECS is the Department of Homeland Security’s (DHS) primary border security and enforcement system that’s managed by CBP. It supports the sharing of information about people who are inadmissible or may pose a threat to the security of the United States through the creation and query of “lookout records.” It helps CBP officers determine the admissibility of more than 900,000 visitors annually and approximately 465,000 vehicles daily. It’s used by more than 70,000 users, including users from more than 20 federal agencies.
But “TECS not only collects and creates border security information,” it “also shares that data with other systems and agencies,” explained Charles Armstrong, CBP Assistant Commissioner, Office of Information and Technology. “TECS also provides access to National Criminal Information Center (NCIC) and the International Justice and Public Safety Network (Nlets), as appropriate. TECS provides security and privacy controls to ensure users can only run transactions and access data to which they are authorized. TECS also includes extensive auditing of user actions for internal control purposes.”
“The schedule and cost for … TECS Mod … continue to change; while the part managed in parallel by ICE is undergoing major revisions to its scope, schedule and cost after discovering that its initial solution is not technically viable,” Powner testified.
CBP’s $724 million TECS Mod program is supposed to modernize the functionality, data and aging infrastructure of the aged TECS system and move it to DHS’s data centers by 2016.
“To date, CBP has deployed functionality to improve its secondary inspection processes to air and sea ports of entry and, more recently, to land ports of entry in 2013,” Powner told lawmakers.
With regard to ICE’s $818 million TECS Mod program, Powner said “it is redesigning and replanning its program, having determined in June 2013 that its initial solution was not viable and could not support ICE’s needs. As a result, ICE largely halted development and is now assessing design alternatives and is revising its schedule and cost estimates.”
Powner said program officials had told GAO that the revisions will be complete in spring 2014. But “until ICE completes the replanning effort,” he said, “it is unclear what functionality it will deliver, when it will deliver it or what it will cost to do so, thus putting it in jeopardy of not completing the modernization by its 2015 deadline.”
Powner told the subcommittee GAO isn’t making any new recommendations, but noted that in December 2013 it had recommended that DHS improve its efforts to manage requirements and risk, as well as its governance of the TECS Mod programs.
DHS agreed with all but one of GAO’s eight recommendations; the exception was the recommendation that CBP’s master schedule needed to be improved.
“GAO continues to believe improvements are necessary to validate schedule commitments and monitor progress,” Powner said.
Powner explained that “CBP and ICE have managed many risks in accordance with some leading practices, but they have had mixed results in managing requirements for their programs. In particular, neither program identified all known risks, nor escalated them for timely management review.”
“Further,” he said, “CBP’s guidance reflects most leading practices for effectively managing requirements, but important requirements development activities were underway before such guidance was established. ICE, meanwhile, operated without requirements management guidance for years, and its requirements activities were mismanaged, resulting in testing failures and delays. ICE issued requirements guidance in March 2013 that is consistent with leading practices, but it has not yet been implemented.”
DHS’s governing bodies have taken actions to oversee the two TECS Mod programs and, specifically, have monitored TECS Mod performance and progress and ensured that corrective actions have been identified and tracked.
“However,” Powner told the subcommittee, “a lack of complete, timely, and accurate data have affected the ability of these governance bodies to make informed and timely decisions, thus limiting their effectiveness. Until these governance bodies base their performance reviews on timely, complete, and accurate data, they will be constrained in their ability to effectively provide oversight.”
“GAO … found that CBP did not develop a master schedule that links work activities to the overall project schedule, despite the fact that numerous projects are being developed concurrently. And while CBP contends the remainder of its concurrent program upgrades will be operational by the beginning of 2016, I am concerned that minus a sound master schedule, the project could be further delayed and over budget which could snowball into CBP officers not having the tools they need to do their job,” Duncan said.
“Despite TECS’s critical importance to our security, CBP and ICE have failed to manage the modernization program effectively,” Duncan said. “As the Government Accountability Office recently reported, the result has been wasted taxpayer dollars, missed deadlines and delays in fielding enhancements to CBP officers and ICE agents.”
“For instance,” Duncan noted, “despite some success deploying functional capabilities to secondary inspection locations, GAO reported that CBP has revised its schedule and cost estimates because they were unachievable.”
“Of even more concern are ICE’s failures,” Duncan said. “Due to unmet requirements, ICE is starting over on redeveloping its requirements after spending some $60 million and failing to produce any deliverables. After about four years and $60 million, ICE has little to show for, doesn’t yet know the revised total cost or what the program will achieve. The stakes are high because of a looming 2015 deadline that if not met will force DHS to spend more taxpayer dollars to maintain the system currently in use.”
“In addition,” Duncan said, “I am concerned that despite numerous management layers, DHS headquarters still let the program proceed. The DHS Chief Information Officer has increased oversight and governance of information technology by reviewing DHS component programs and acquisitions over the years. Yet the Office of Program Accountability and Risk Management; two Executive Steering Committees; and the Office of the Chief Information Officer’s Enterprise Business Management Office all failed to adequately address escalating problems associated with the TECS modernization effort.”
“Further, the lack of complete, timely and accurate data from the components to the DHS Chief Information Officer as reported by the GAO negatively affected the department’s ability to make informed and timely decisions on the program,” Duncan continued, adding that “even the best governance framework won’t improve outcomes if senior DHS leaders don’t have the discipline to enforce it. DHS must hold programs accountable. If they fail, then we will hold DHS accountable.”
Duncan said, “With the speed with which technology advances today, it shouldn’t take DHS eight years to complete an IT project. Private sector CEOs likely wouldn’t tolerate such poor performance and management. Neither should DHS. It’s an affront to the American taxpayer and it’s time DHS do better.”
Defending the TECS modernization program, Armstrong told the subcommittee Thursday that “A specific challenge to CBP’s modernization effort is that modifications cannot interrupt existing TECS functionality or availability. CBP’s TECS system must be available to support border crossing operations 24 hours a day, 7 days a week. The need for high availability requires redundant hardware and failover processes to allow system maintenance with little or no interruption to end users of the system.”
Armstrong said “CBP’s TECS Mod program is transitioning functionality incrementally with five projects, focusing on major functional areas to decrease risk and to continue providing existing capabilities to the end user until modernization is complete. In addition to the five functional area projects, CBP TECS Mod also includes two overarching efforts to address infrastructure and security. The program includes migration of data from the legacy source system to the target databases, developing services for interfaces and deploying a modernized web-based user interface (portal) to support TECS online users, ensuring compliance with security and privacy policies.”
Defending TECS Mod program governance and oversight, Armstrong said “The CBP TECS Modernization Executive Steering Committee (ESC) provides oversight of the TECS modernization effort. As CBP’s Chief Information Officer and Office of Information and Technology (OIT) Assistant Commissioner, I chair the ESC, which includes members from CBP offices; DHS’s Under Secretary for Science and Technology, Chief Information Officer and Chief Financial Officer; representatives from stakeholder groups; and ICE’s TECS Mod Program Manager. The ESC, which meets every two months, monitors the program’s cost, schedule and performance, reviews risk management mitigation activities and ensures corrective actions are identified.”
“Additional oversight and governance of CBP’s TECS Mod program is provided by existing policies and guidance from DHS’s Office of the Chief Information Officer (OCIO), Office of the Undersecretary for Management, and the Director of Operational Test and Evaluation,” Armstrong explained. “All three offices play key roles in overseeing DHS’s major acquisition programs and are very involved with CBP TECS Mod.”
“Further,” Armstrong told lawmakers, “DHS’s Office of Program Accountability and Risk Management (PARM) works to ensure the effectiveness of the overall program execution governance process by providing independent assessments of major investment programs, and by identifying emerging risks and issues that DHS and its components need to address. I hold a monthly Program Management Review (PMR), attended by OCIO and PARM representatives, which covers schedule, cost, risks/issues and other topics. In addition to these formal meetings, Thomas Michelli, ICE’s Chief Information Officer, and I hold regular meetings to coordinate TECS Mod activities, and our program staffs meet frequently for detailed collaboration.”