The Department of Homeland Security (DHS) started working on replacing its outdated biometric identity management system (fingerprint matching and facial recognition) in 2016. IDENT has been in operation since 1994 and is growing at a rate of approximately 200 million fingerprint records every month. DHS reported in 2011 that IDENT had significant shortcomings and began to plan for its replacement.
The new multi-billion dollar program, known as Homeland Advanced Recognition Technology or HART, is now three years behind schedule due to technical and other challenges.
Similar to IDENT, partner agencies will be expected to use HART for different purposes. Partner agencies may query the new system before making national security, law enforcement, immigration, and intelligence decisions. These agencies may also use the system to upload and store new biometric data that they have collected from individuals. For example, among other things, the Department of State is expected to use HART to support biometric identification and verification of international travelers seeking U.S. visas, to help determine if visas should be issued. The Transportation Security Administration is expected to rely on the system to retrieve identity data for trusted travelers scheduled to fly within the next 24 hours for use in identity verification at an airport’s security checkpoint. Meanwhile, the U.S. Customs and Border Protection is expected to use HART to support biometric identification and verification of in-scope travelers entering the U.S. through air, sea, and land ports of entry to determine if further action is needed.
The Government Accountability Office (GAO) has recently evaluated the HART program in order to determine its current status and any ongoing challenges.
DHS initially expected to implement the entire HART program by 2021; however, no segments of the program have been deployed to date. Currently estimated to cost $4.3 billion in total, DHS plans to deploy increment 1 of the program in December 2021 and expects to implement later increments in 2022 and 2024. Increment 1 is expected to replace the functionality of the existing system.
HART’s schedule problems first emerged in June 2017. At that time, the program declared that it had breached its schedule from its 2016 approved baseline, which established that the program would implement increment 1 in 2018 and fully implement the remaining increments by 2021. According to DHS officials, the breach was due to delays in awarding a contract for increments 1 and 2 and a bid protest. DHS subsequently awarded a $95 million contract to Northrop Grumman to develop increments 1 and 2 in September 2017. However, since 2017, DHS has modified the development contract 12 times, which has seen the budget exceed its initial limits.
GAO’s review found that although the multi-billion dollar HART program had suffered continuing delays, until the end of last year, the DHS Chief Information Officer (CIO) had reported the program as low risk on the IT Dashboard, a website showing, among other things, the performance and risks of agency information technology (IT) investments. In May 2020, the Office of the CIO began developing a new assessment process which led to the CIO accurately elevating HART’s rating from low to high risk and reporting this rating to the IT Dashboard in November 2020. In addition, consistent with OMB guidance, the CIO fulfilled applicable oversight requirements for high-risk IT programs by, among other things, conducting a review of the program known as a TechStat review. While the CIO complied with applicable oversight requirements in conducting the TechStat review, GAO noted that DHS’s associated policy was outdated. Specifically, the 2017 policy does not reflect the revised process DHS started using in 2020. As such, until the guidance is updated, other departmental IT programs deemed high risk would likely not be readily aware of the specific process requirements.
Concurrent with the CIO’s actions to conduct oversight, HART program management has also acted to implement important risk management practices. Specifically, GAO found that HART had fully implemented four of seven risk management best practices and partially implemented the remaining three. As of February 2021, the program had identified 49 active risks, including 15 related to cost and schedule and 17 related to technical issues. While DHS has plans under way to fully implement two of the partially implemented practices, until it fully implements the remaining practice GAO says its efforts to effectively monitor the status of risks and mitigation plans may be hampered.
GAO is making seven recommendations, including that DHS update its policy to reflect the current IT program assessment process, and fully implement the risk management best practice related to monitoring the status of risks and mitigation plans.
Specifically, the watchdog recommends that DHS:
- updates existing policy to reflect the processes that should be used to address each of the TechStat requirements;
- ensures that the HART program keeps records of its discussions related to risk mitigation, including the resources needed for risk handling activities;
- ensures that the HART program’s risk owners maintain accurate and current status updates for each risk mitigation plan in the risk register;
- ensures that the HART program office fully reviews and approves or rejects contractor deliverables prior to working on the next system release;
- ensure that, moving forward, the HART program tracks and monitors all of its costs, including government labor costs;
- ensures that the HART program defines the extent to which it should be interacting with each of its stakeholders throughout the acquisition process, and, once established, monitors stakeholder involvement against that defined level of involvement; and
- ensures that the HART program establishes and maintains a process to ensure bidirectional traceability of its requirements in future development.
DHS concurred with each recommendation and has set out planned action to address them. For example, it will update and further refine related policy to address each of the five TechStat requirements. The department said it plans to complete this activity by November 2021. In addition, the department stated that it intends to complete a review of backlogged deliverables for increment 1. Further, with regard to increment 2 development activities, the department stated that the HART program office will fully review and approve, or reject, contractor deliverables prior to working on the next system release. The department stated that it plans to implement these actions by August 2021.
Reliance on an overextended 27 year old biometric identity management system to support national security, law enforcement, and immigration decisions, emphasizes the critical need to ensure that further delays, cost overruns, and performance issues with the HART program are avoided.