dhs needs to further define and implement its new governance process

7/31/2019 DHS Needs to Further Define and Implement Its New Governance Process

1/39

INFORMATIONTECHNOLOGY

DHS Needs to FurtherDefine and ImplementIts New GovernanceProcess

Report to Congressional Requesters

July 2012

GAO-12-818

United States Government Accountability Office

GAO


2/39

United States Government Accountability Office

Highlights ofGAO-12-818, a report tocongressional requesters

July 2012

INFORMATION TECHNOLOGY

DHS Needs to Further Define and Implement ItsNew Governance Process

Why GAO Did This Study

DHS has one of the largest IT budgetsin the federal government. In fiscalyear 2012, DHS plans to spend about$5.6 billion to, among other things,acquire, implement, and operateapproximately 360 IT programs,including about 83 major programs,which are intended to assist in carryingout its diverse missions. With such a

large portfolio of IT programs, it isimportant to ensure that theappropriate governance exists so thatthe programs meet their cost,schedule, and performance goals andcontinue to support the departmentsstrategies and objectives. In line withthis, DHS has been working to defineand implement a new IT governanceprocess.

GAO was asked to (1) describe DHS'snew IT governance process andassociated policies and procedures,and assess them against best

practices; and (2) determine progressmade in implementing the new processand how DHSs implementation effortscomport with relevant best practices.To do so, GAO analyzed relevantdocumentation and interviewed DHSofficials responsible for defining andimplementing the new governanceprocess.

What GAO Recommends

To implement an effective ITgovernance process, GAO

recommends that DHS finalizeassociated policies and procedures,and fully follow best practices forimplementing the process. Incomments on a draft of this report,DHS concurred with GAOsrecommendations and estimated itwould address them by September2013.

What GAO Found

The Department of Homeland Security (DHS) has defined a vision for its newinformation technology (IT) governance process, which includes a tieredoversight structure that defines distinct roles and responsibilities throughout thedepartment. The new governance framework and the associated policies andprocedures are generally consistent with recent Office of Management andBudget (OMB) guidance and with best practices for managing projects andportfolios identified in GAOs IT Investment Management framework, with twopractices partially addressed and seven others fully addressed. For example,consistent with OMB guidance calling for the Chief Information Officer (CIO) to

play a significant role in overseeing programs, DHSs draft procedures requirethat lower-level boards overseeing IT programs include the DHS CIO, acomponent CIO, or a designated executive representative from a CIO office. Inaddition, consistent with practices identified in GAOs IT Investment Managementframework, DHSs draft procedures identify key performance indicators forgauging portfolio performance. However, DHSs policies and procedures havenot yet been finalized, because, according to officials, the focus has been onpiloting the new governance process. While it is important to conduct pilots totest processes and identify lessons learned, until the department finalizes thepolicies and procedures associated with the new IT governance, it will have lessassurance that its new IT governance will be consistent with best practices andaddress previously identified weaknesses in investment management.

DHS has begun to implement aspects of its new governance process. Forexample, it has established several governance entities and conducted programhealth assessment reviews for all of its major IT programs. In implementing itsnew governance, the department has generally followed key industry bestpractices, such as establishing an implementation team; however, thedepartment has not fully followed other practices, including developing amechanism to capture lessons learned. The table below summarizes GAOsassessment of DHSs implementation efforts. Until the department fullyaddresses these practices, its implementation approach may be less effectivethan intended.

Assessment of DHSs Implementation Efforts

Best practice DHSs implementation efforts

Organizational buy-in DHS has organizational buy-in from top management, as evidenced by the

Under Secretary for Management approving key documents supporting thenew IT governance process. In addition, the Office of the CIO took steps tosecure stakeholder buy-in.

Implementation teamand plan

DHS has established a team for implementing its IT governance structure;however, the department has not yet developed an implementation plan.

Evaluation DHS has documented several performance measures, including measuresto assess the effectiveness of Executive Steering Committee meetings, buthas not documented others. In addition, DHS does not have mechanismsto capture lessons learned.

Source: GAO analysis of DHS data.

ViewGAO-12-818. For more information,contact David A. Powner at (202) 512-9286 [email protected].
http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818http://www.gao.gov/products/GAO-12-818


3/39

Page i GAO-12-818 DHS's IT Governance

Letter 1

Background 3

DHSs New IT Governance Process Is Generally Consistent with

Best Practices 11

DHS Has Implemented Aspects of Its New Structure, but Has Not

Fully Followed Best Practices 22

Conclusions 27

Recommendations for Executive Action 27

Agency Comments and Our Evaluation 28

Appendix I Objectives, Scope, and Methodology 30

Appendix II Comments from the Department of Homeland Security 32

Appendix III GAO Contacts and Staff Acknowledgments 34

Tables

Table 1: IT Governance Entities and Membership 14

Table 2: Assessment of Policies and Procedures for Program

Management 18

Table 3: Assessment of Policies and Procedures for Portfolio

Management 21

Table 4: Status of the Implementation of Governance Entities 23

Figures

Figure 1: DHS Department-level Organizations with IT Acquisition

Management Responsibilities 4Figure 2: Overview of the DHS Acquisition Phases 7

Figure 3: DHSs Integrated Enterprise Governance Structure 13

Figure 4: DHSs Recommended IT Governance Operating Model 16

Contents


4/39

Page ii GAO-12-818 DHS's IT Governance

Abbreviations

CIO chief information officer

COE Centers of ExcellenceDHS Department of Homeland SecurityEBMO Enterprise Business Management OfficeESC Executive Steering CommitteeIRB Investment Review BoardIT information technologyITIM Information Technology Investment ManagementOMB Office of Management and BudgetPARM Program Accountability and Risk Management

This is a work of the U.S. government and is not subject to copyright protection in theUnited States. The published product may be reproduced and distributed in its entiretywithout further permission from GAO. However, because this work may containcopyrighted images or other material, permission from the copyright holder may benecessary if you wish to reproduce this material separately.


5/39

Page 1 GAO-12-818 DHS's IT Governance

United States Government Accountability OfficeWashington, DC 20548

July 25, 2012

The Honorable Tom CarperChairmanSubcommittee on Federal Financial Management,Government Information, Federal Services,and International Security

Committee on Homeland Security and Governmental AffairsUnited States Senate

The Honorable Michael T. McCaulChairmanThe Honorable William R. KeatingRanking MemberSubcommittee on Oversight, Investigations,and Management

Committee on Homeland SecurityHouse of Representatives

The Department of Homeland Security (DHS) has one of the largestinformation technology (IT) budgets in the federal government. With afiscal year 2012 IT budget of about $5.6 billion, DHS plans to use thesefunds to, among other things, acquire, implement, and operateapproximately 360 IT programs, including about 83 major1 programs, to

assist in carrying out its diverse missions. Given the size of DHSs ITportfolio and its importance to the departments mission, it is important toensure that the appropriate governance exists so that the programs meettheir cost, schedule, and performance goals and continue to support thedepartments strategies and objectives. According to the IT GovernanceInstitutes Control Objectives for Information and related Technology 4.1,2

1DHS defines major IT acquisitions as those having life cycle cost estimates of $50 millionor more.

IT governance is the responsibility of executives, and consists of theleadership, organizational structures, and processes that ensure that an

2IT Governance Institute, Control Objectives for Information and related Technology 4.1(Rolling Meadows, Ill.: 2007).


6/39


enterprises IT sustains and extends the organizations strategies andobjectives.3

In 2003, we designated implementing and transforming DHS as high risk,in part due to weaknesses related to the departments management of itsIT programs.

4

To address these objectives, we analyzed documents such as the DHSUnder Secretary for Managements Program Management & ExecutionPlaybook, the Integrated Strategy for High Risk ManagementImplementation and Transformation, and Chief Information Officers (CIO)draft Concept of Operations documents for Program Governance andPortfolio Governance. We also interviewed officials from DHSs Office ofthe CIOs Enterprise Business Management Office (EBMO) who haveprimary responsibility for defining and implementing the new governance

process, and from the Office of Program Accountability and RiskManagement (PARM) who have general responsibility for acquisitionmanagement policy. We assessed the governance framework againstGAOs Information Technology Investment Management (ITIM) guide,

In 2011, the department introduced a new initiative to

improve and streamline its IT governance and address continuingweaknesses. This report responds to your request that we conduct areview of DHSs new IT governance process. Specifically, our objectiveswere to (1) describe DHSs new IT governance process and associatedpolicies and procedures, and assess them against best practices; and (2)determine progress made in implementing the new process and howDHSs implementation efforts comport with relevant best practices.

5

3According to the IT Governance Institute, IT governance is also the responsibility of theboard of directors. However, we have omitted that reference because it is not relevant toDHS.

4GAO, High-Risk Series: An Update,GAO-11-278 (Washington, D.C.: February 2011).GAO designated implementing and transforming DHS as high risk because DHS had to

transform 22 agenciesseveral with major management challengesinto onedepartment, and failure to effectively address DHSs management and mission risks couldhave serious consequences for U.S. national and economic security. The high-risk areaincludes challenges in strengthening DHSs management functions, including acquisition,IT (which included IT governance), financial, and human capital management; the impactof those challenges on DHSs mission implementation; and challenges in integratingmanagement functions within and across the department and its components.

5GAO, Information Technology Investment Management: A Framework for Assessing andImproving Process Maturity,GAO-04-394G (Washington, D.C.: March 2004).
http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-11-278


7/39


and the implementation of the framework against industry best practices.Details on our scope and methodology can be found in appendix I.

We conducted this performance audit from October 2011 to July 2012 inaccordance with generally accepted government auditing standards.Those standards require that we plan and perform the audit to obtainsufficient, appropriate evidence to provide a reasonable basis for ourfindings and conclusions based on our audit objectives. We believe thatthe evidence obtained provides a reasonable basis for our findings andconclusions based on our audit objectives.

DHSs mission is to lead the unified national effort to secure America bypreventing and deterring terrorist attacks and protecting against andresponding to threats and hazards to the nation. The department is alsoresponsible for ensuring that the nations borders are safe and secure,welcoming lawful immigrants and visitors, and promoting the free flow ofcommerce. Created in 2002, DHS assumed control of about 209,000civilian and military positions from 22 agencies and offices that specializein one or more aspects of homeland security. The intent behind themerger that created DHS was to improve coordination, communication,and information sharing among these multiple federal agencies. Each ofthese agencies is responsible for specific homeland security missions andfor coordinating related efforts with its sibling components, as well asexternal entities. Figure 1 shows the department-level organizationswhich are responsible for or share responsibility for IT acquisitionmanagement activities.

Background


8/39


Figure 1: DHS Department-level Organizations with IT Acquisition ManagementResponsibilities

Within the departments Management Directorate, headed by the UnderSecretary for Management, is the Office of the CIO. The CIOsresponsibilities include setting departmental IT policies, processes, and

standards, and ensuring that IT acquisitions comply with DHS ITmanagement processes, technical requirements, and approved enterprisearchitecture, among other things. Additionally, the CIO chairs DHSs ChiefInformation Officer Council, which is responsible for ensuring thedevelopment of IT resource management policies, processes, bestpractices, performance measures, and decision criteria for managing thedelivery of IT services and investments, while controlling costs andmitigating risks.


9/39


Within the Office of the CIO, EBMO has been given primary responsibilityfor ensuring that the departments IT investments align with its missionsand objectives. EBMO was recently reorganized to include a newEnterprise Portfolio Governance Division dedicated to executing portfolioreviews. This division is to provide support to portfolio stakeholders toadminister portfolio activities, such as aligning programs with portfolios,creating baseline portfolios, and establishing portfolio pilot efforts.

In October 2011, DHS realigned its acquisition management functionspreviously performed by divisions within the Office of the ChiefProcurement Officer to establish PARM.6 The office, which reports

directly to the Under Secretary for Management, is to ensure theeffectiveness of the overall program execution governance process insupport of the departments Investment Review Board (IRB), and has theresponsibility for developing and maintaining DHSsAcquisitionManagement Directive.7

PARM is also responsible for providing

independent assessments of major investment programs, and monitoringprograms between formal reviews to identify any emerging issues thatDHS needs to address to keep the programs on track.

DHS acquisitionswhich are expected to total about $18 billion in fiscal

year 2012support a wide range of missions and investments, includingships and aircraft, border surveillance and screening equipment, nucleardetection equipment, and systems to track the departments financial andhuman resources. In support of its diverse missions, DHS plans to spendabout $5.6 billion in fiscal year 2012 to deploy and maintain over 360 ITprograms to perform both mission-critical and support functions, whichfrequently must be coordinated among components, as well as amongexternal entities. In 2003, DHS established an investment review processto help reduce risk and increase the chances for successful acquisitionoutcomes by providing departmental oversight of major investmentsthroughout their life cycle and to help ensure that funds allocated forinvestments through the budget process are being spent wisely,

6PARM incorporates the functions and responsibilities previously performed by theAcquisition Program Management Division and the Cost Analysis Division of the Office ofthe Chief Procurement Officer.

7Department of Homeland Security,Acquisition Management Directive, Directive Number102-01 (Jan. 20, 2010). Guides supporting this directive were updated in October 2011.

DHSs Acquisition

Management Process


10/39


efficiently, and effectively. In October 2010, DHS updated the acquisitionguidance, which outlined the acquisition life cycle phases and called forsenior-level approval of each major acquisition program at key decisionevents during a programs acquisition life cycle.

DHSs Acquisition Review Board renamed the IRB in October 2011was established to review and approve major acquisition programs,8 at

key stages in their life cycles before the acquisition program could moveto the next phase.9

1. The need phaseduring which a problem is defined and the neededcapability is identified. This phase concludes with the IRB granting theacquisition program approval to proceed at Acquisition DecisionEvent 1.

DHSs guidance establishes four phases that

constitute the acquisition life cycle:

2. The analyze/select phaseduring which it is determined how toprovide the needed capability. This phase concludes with the IRBgranting the acquisition program approval to proceed at AcquisitionDecision Event 2A.

3. The obtain phaseduring which the needed capability is obtained.The IRB may review the acquisition program multiple times before

granting the acquisition program approval to proceed with particularacquisition activities.10

8According to DHSsAcquisition Management Directive, these are acquisition programswhose life cycle cost estimates exceed $300 million or services programs with annualexpenditures exceeding $100 million. Major IT acquisitions with life cycle cost estimates

between $50 million and $300 million are not reviewed by the IRB.

Between Acquisition Decision Event 2A andAcquisition Decision Event 2B, the project manager formulates theacquisition into types of acquisition (e.g., capital investment projects,services procurements). The phase concludes with the IRB grantingthe program approval to proceed at Acquisition Decision Event 3.

9DHSsAcquisition Directive 102-01 established the Acquisition Review Board as a cross-component group within the department that determines whether a proposed acquisitionhas met the requirements of key phases in the acquisition life cycle framework and is ableto proceed to the next phase and eventual full production and deployment.

10During the obtain phase, a program manager may make multiple appearances beforethe IRB to seek approval for acquisitions needed to support test and evaluation activitiesfor the proposed acquisition. The acquisition decision events are noted as 2B, 2C, etc.


11/39


4. The produce/deploy/support phaseduring which the process toproduce, deploy, and support the needed capability takes place.

Although the IRB does not have a standard, defined role in this phaseit may conduct additional reviews as necessary.

Figure 2 presents the four DHS acquisition phases defined in DHSsacquisition directive.

Figure 2: Overview of the DHS Acquisition Phases

DHS recently articulated a vision for an Integrated Investment LifecycleModel as part of a broad effort to improve its overall acquisitionmanagement process. The model is intended to help integrate thedepartments planning, programming, budgeting, and execution

processes with the goal of strengthening strategic decision making byimplementing a repeatable process at critical phases throughout theinvestment life cycle. In June 2012, DHS noted that with the early phasesof the models development, a key challenge was developingstandardized business terms, data elements, and a central portal tocollect, store, and report data. DHS also reported that it planned tocomplete a concept of operations document and an implementation planfor the Integrated Investment Lifecycle Model concept of operations bythe second quarter of fiscal year 2013.

Over the years, GAO, the department, and DHSs Office of the Inspector

General have reviewed DHSs overall acquisition process, as well as theprocesses specifically related to its IT acquisitions, identified weaknessesand provided recommendations for improvements. For example, in April2007, we reported that although DHS had established the managementstructure to effectively manage its IT investments, the department had yet

GAO and DHS HaveReported on theDepartments AcquisitionManagement Efforts


12/39


to define most of the policies specifically associated with managing its ITprojects as investment portfolios.11 We also reported that DHS had not

fully implemented the key practices needed to actually controlinvestmentseither at the project level or at the portfolio level. Werecommended that DHS fully define the project-level and portfolio-levelpolicies and procedures defined in GAOs ITIM framework12

In November 2008, we reported that DHS had not provided the oversightneeded to identify and address cost, schedule, and performanceproblems for its major acquisitions.

and

implement the practices needed to effectively control investments. DHSagreed with our findings and recommendations, and took action toaddress the majority of them, including augmenting the resources forproviding project oversight.

13

In 2010, DHSs Office of the CIO conducted a series of reviews of itsmajor IT programs. According to DHSs draft Portfolio GovernanceConcept of Operations,

Specifically, we reported that of the

48 major investments reviewed that required milestone or annual reviews,45 were not reviewed in accordance with the departments investmentreview policy, and 18 were not reviewed at all. Four of these investmentshad transitioned into a late acquisition phaseproduction anddeploymentwithout any required reviews. We recommendedand DHSconcurredthat the department identify and align sufficient managementresources to implement oversight reviews in a timely manner throughoutthe investment life cycle.

14

these reviews, plus additional insights from the

CIO, highlighted several problems with the existing IT investmentmanagement process, including the following:

11GAO, Information Technology: DHS Needs to Fully Define and Implement Policies andProcedures for Effectively Managing Investments,GAO-07-424 (Washington, D.C.: April27, 2007).

12GAO-04-394G.

13GAO, Department of Homeland Security: Billions Invested in Major Programs LackAppropriate Oversight,GAO-09-29 (Washington, D.C.: Nov. 18, 2008).

14DHS, Portfolio Governance Concept of Operations, Draft(Washington, D.C.: Dec.9,2011).
http://www.gao.gov/products/GAO-07-424http://www.gao.gov/products/GAO-07-424http://www.gao.gov/products/GAO-07-424http://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-09-29http://www.gao.gov/products/GAO-09-29http://www.gao.gov/products/GAO-09-29http://www.gao.gov/products/GAO-09-29http://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-07-424


13/39


Governance was based on a program-by-program approach that didnot reflect the reality that many programs are inter-related indelivering mission outcomes.

Programs took too long, were often over cost, and did not meetperformance objectives.

Decision makers were often far removed from program details; manydecisions were reserved for the IRB, which lacks the capacity andtime to be familiar with all mission needs and program issues.

In addition, the department again held portfolio reviews in 2011 and foundthat while some progress had been made, many of the aforementionedproblems continued.

Following the February 2011 update to our high-risk series report onimplementing and transforming DHS, in which we reported that while thedepartment had improved its policies and procedures for investmentmanagement, more work remained,15 DHS began providing us with bi-

annual updates on its progress in addressing weaknesses, including ITmanagement.16

Further, we recently reported that the portfolio reviews DHS conducted in2011 to avoid investing in systems that were duplicative or overlapping,and to identify and leverage investments across the departmentcontributed to the identification and consolidation of duplicativefunctionality within four investments.

17

15

DHS also developed plans to

further consolidate systems by 2014, which is expected to produceapproximately $41 million in cost savings. The portfolio reviews alsocontributed to the identification of 38 additional systems that areduplicative.

GAO-11-278.

16On June 15, 2012, DHS issued the third bi-annual update on its progress.

17GAO, Information Technology: Departments of Defense and Energy Need to AddressPotentially Duplicative Investments,GAO-12-241 (Washington, D.C.: Feb. 17, 2012).
http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-11-278http://www.gao.gov/products/GAO-12-241http://www.gao.gov/products/GAO-12-241http://www.gao.gov/products/GAO-12-241http://www.gao.gov/products/GAO-12-241http://www.gao.gov/products/GAO-11-278


14/39


In December 2010, the Office of Management and Budget (OMB) issuedits 25 Point Implementation Plan to Reform Federal InformationTechnology Management, a document outlining activities spanning 18months to reform IT management throughout the federal government. Akey goal of the planreferred to as the IT Reform Planis to foster moreeffective management of large-scale IT programs. One way the planrecommends this be done is through streamlining governance andimproving accountability. According to the plan, this involves reformingand strengthening IRBs to enable them to more adequately manageagency portfolios, redefining the role of agency CIOs and the federal CIOCouncil to focus on portfolio management, and rolling out TechStat

reviews at the agency and bureau levels to focus attention on ITinvestments, including those that are poorly performing.18 In April 2012,

we reported that OMB and key federal agencies had made progress onselected action items identified in the IT Reform Plan, but several areas,including strengthening the role of the CIO, were not yet completed.19

In an August 2011 memorandum,

20

in conjunction with implementing the

IT Reform Plan, OMB clarified the primary areas of responsibility for CIOsthroughout the government. It stressed moving the role of CIOs from justpolicymaking and infrastructure maintenance to encompassing trueportfolio management for all IT, which would enable CIOs to focus on

delivering solutions that support the mission and business effectivenessof their agencies and overcome bureaucratic impediments to deliverenterprisewide solutions. The memorandum highlighted the role of theCIO to drive the investment review process and to have responsibilityover the entire IT portfolio for an agency. In addition, it stated that theCIOs must work with chief financial officers and chief acquisition officersto ensure portfolio analysis is an integral part of the yearly budget processfor an agency.

18TechStat Accountability Sessions are face-to-face reviews of agency IT programs withOMB and/or agency leadership.

19GAO, Information Technology Reform: Program Made; More Needs to Be Done toComplete Actions and Measure Results,GAO-12-461 (Washington, D.C.: April 26, 2012).

20OMB, Chief Information Officer Authorities, M-11-29 (Washington, D.C.: August 8,2011).

OMB Has EstablishedInitiatives to ReformFederal IT InvestmentManagement throughPortfolio Governance and

Accountability
http://www.gao.gov/products/GAO-12-461http://www.gao.gov/products/GAO-12-461http://www.gao.gov/products/GAO-12-461http://www.gao.gov/products/GAO-12-461


15/39


DHS has defined a vision for its new IT governance process, whichincludes a three-tiered oversight structure that defines distinct roles andresponsibilities from the program through the department. The newgovernance process is generally consistent with recent OMB guidanceand with best practices for managing projects and portfolios, with twopractices partially addressed and seven others fully addressed. However,the supporting policies and procedures have yet to be finalized.

According to officials, this is because the focus has been on piloting theprocess. While it is important to conduct pilots to test processes andidentify lessons learned, until DHS finalizes its procedures associatedwith the new IT governance, it will have less assurance that the

governance will be consistent with best practices and address previouslyidentified weaknesses in investment management.

In December 2011, the Under Secretary for Managements IntegratedStrategy for High Risk Managementintroduced an initiative to improveand streamline IT program execution governance. The initiativeestablished a tiered governance structure for program execution, withspecific decision responsibilities for each tier. This structure is intended tosupplement, not replace, DHSs existing policies and procedures formanaging acquisitions. It also includes several of the governance entitiesrepresented in the Integrated Investment Lifecycle Model the departmentis currently defining to integrate the planning, programming, budgeting,and execution processes.

According to the strategy, the governance process is intended to improve

IT investment management across DHS by providing enterprise-levelgovernance and oversight based on functional IT portfolios;21

the integration of enterprisewide processes for strategic planning,program management, budget planning, acquisition, and programexecution by establishing a tiered governance structureenterprise,

portfolio, and program governance;

21Investments are to be vetted to determine the best portfolio based on the functional andtechnological scope of the investment.

DHSs New ITGovernance ProcessIs GenerallyConsistent with BestPractices

DHSs Vision for New ITGovernance Process isBased on a TieredOversight Structure


16/39


program health by continuing initiatives to enable IT programs tomanage to budget and schedule, mitigate risks, and deliver desiredfunctionality; and

IT investment performance reporting across the department byleveraging a business intelligence toolknown as the DecisionSupport Toolthat will provide standardization of data and consistentmonitoring of IT portfolios and programs.

To meet these goals, DHS has defined a scalable, tiered structure amongthe governance entities that establishes distinct roles and responsibilitiesfrom the program through the department. (This structure is illustrated infigure 3.)

Enterprise level governanceEnterprise governance will focus onsetting strategic priorities and requirements to meet the enterprisemission.

Portfolio level governancePortfolio governance will manage groupsof related programs to ensure that programs are properly aligned andfunction to meet DHS mission needs.

Program level governanceProgram governance is the primarydecision-making authority for individual programs.


17/39


Figure 3: DHSs Integrated Enterprise Governance Structure


18/39


Table 1 lists the entities involved in the tiered governance process, andprovides a description of their membership. While some of the entities arenew, others already existed.

Table 1: IT Governance Entities and Membership

Entity Membership

Department Strategy Council (New) Chaired by the Secretary or Deputy Secretary and is to include senior headquarters andcomponent leadership.

Capabilities and RequirementsCouncil (New)

Composed of operational experts from headquarters and components.

Program Review Board Chaired by the Deputy Secretary and supported by the Office of the Chief Financial OfficersDirector for Program Analysis & Evaluation.

IRB Chaired by the Acquisition Decision Authority, the Under Secretary for Management, andincludes the Assistant Secretary for Policy, Under Secretary for Science and Technology,Director of Operational Test and Evaluation, General Counsel, Chief Financial Officer, CIO,Chief Administrative Services Officer, Chief Procurement Officer, Chief Human Capital Officer,Chief Security Officer, other lines of business chiefs as appropriate, user representatives fromcomponents sponsoring the capability, and other officials within the department determined tobe appropriate to the subject matter by the Acquisition Decision Authority.

Portfolio Governance Boards (New) The chair for each Portfolio Governance Board is appointed by senior leadership and issupported by members who are senior executives from stakeholder organizations able tocontribute relevant expertise and insight to the Portfolio Governance Boards issues andproceedings.

ESC (New) Each ESC is chaired by either the DHS CIO or component CIO for critical IT programs. In

addition, the Component Acquisition Executive will co-chair ESCs for the components mostcritical programs. The board membership will be approved by the IRB and is to include seniorexecutives from program stakeholder organizations who are empowered to make decisions fortheir organization.

Program Management Offices Managed by a Program Manager, and supported by a team including a systems engineer, lifecycle logistician, Contracting Officer Technical Representative, a business/financial managerand, if applicable, an IT/systems architect.

Centers of Excellence for ProgramManagement (COE)

Headed by a COE lead, and supported by a core leadership team of full-time, dedicated staff.In addition, the membership of a COE will include subject matter experts in specific disciplinesfrom across the department. While these subject matter experts will continue to reside withinand report to their home organizations, they will be available for consultation regarding theirexpertise in a community of practice model.


In addition to the tiered structure intended to improve oversight ofprograms and portfolios, the IT governance vision also more broadlyaddresses the process for determining what investments should beselected to address mission gaps (during the planning phase) andultimately, deliver capabilities (during the execution phase). The followingdescribes these two phases:


19/39


During theplanning phase, DHS expects to consider IT investmentsfrom a departmentwide portfolio perspective, and determine whichinvestments should be funded. To do this, DHS envisions the use offunctional portfolios. The portfolios are to align to the 13 functionalsegments of the departments enterprise architecture and will begoverned by the Portfolio Governance Boards.22

The execution phase is intended to ensure the investments continueto be aligned with the departments strategic goals and fully supportmission performance, and ultimately provide the intended capabilities.DHS envisions an interaction among the entities that provideoversight, control, and assistance during program executionthe IRBthe ESCs, and COEs. The ESCs are to oversee major programs orgroups of closely related programs. However, if a major program runsinto difficultly in its schedule, budget, or scope performance, the

program manager would be required to present the status and actionplan to the IRB for assessment and approval. This requirement is inaddition to the ongoing governance provided by the ESCs. The COEswould provide expert support in core program managementdisciplines, such as requirements engineering. The department alsoplans to standardize reviews, including the TechStats and programhealth assessments. The TechStat reviews are intended to evaluateprograms, identify any issues, develop a corrective action plan, andensure that the program receives proper support to fix the issues. Theprogram health assessments look at individual programs health inexecuting and carrying out the program. In fiscal year 2011, DHSperformed reviews of 47 IT programs, primarily focusing on those

programs with poor performance ratings or deemed highly critical or

The DepartmentStrategy Council is to provide these portfolios with strategic guidance.Using input from the portfolio managers, the Capabilities andRequirements Council is to adjudicate issues across portfolios and setoverall department priorities. In addition, the Portfolio GovernanceBoards will provide guidance and investment recommendations to the

Program Review Board for future year planning, programming, andbudgeting. The Program Review Board will then formulate the budgetand communicate with OMB and the IRB.

22The 13 planned portfolios are: Benefits Administration, Continuity of Operations, DomainAwareness, Incident Management, Information Sharing and Safeguarding, Intelligence,Law Enforcement, Screening, Securing, Enterprise Financial Management, EnterpriseHuman Resource Management, Enterprise IT Services, and Enterprise BusinessServices.


20/39


visible by the CIO. Under the new governance, the Office of the CIOplans to conduct reviews of all 83 major IT investments anywherefrom monthly to semi-annually, depending on the health of the project.

According to officials, while the Under Secretary for Management has notyet approved the new IT governance model, DHS has startedimplementing it. Figure 4 shows the recommended process fordetermining what investments should go forward, providing oversight, anddelivering capabilities.

Figure 4: DHSs Recommended IT Governance Operating Model

In addition, DHS plans to use its Decision Support Tool to provideupdated program information to all governance bodies on the status ofmajor programs. The Decision Support Tool is to provide the ability to


21/39


integrate data resident within multiple existing source systems includingthe Next Generation Periodic Reporting System and the InvestmentManagement System, to generate reports, charts and graphs on programperformance.23

DHSs new IT governance framework is generally consistent with recentOMB guidance. Specifically, consistent with OMB guidance calling for theCIO to play a significant role in the oversight of the portfolio of ITprograms, DHSs draft procedures note that ESCs overseeing ITprograms must include the DHS CIO, a component CIO, or a designated

executive representative from a CIO office. In addition, for programs thatthe DHS CIO Council designates as most critical, the DHS CIO or anappropriate component CIO will co-chair the ESC. Further, consistentwith recent OMB guidance to focus on portfolio management, the newgovernance framework includes the establishment of portfolio governanceboards to oversee functional portfolios with the goals of eliminatingduplication and leveraging services and programs across the department.

In addition, DHSs new IT governance framework and the associatedpolicies and procedures are generally consistent with best practices formanaging projects and portfolios identified in GAOs ITIM framework, with

two practices partially addressed and seven others fully addressed;however, the procedures have not been finalized. Tables 2 and 3summarize our assessment of DHSs draft procedures against relevantpractices of our ITIM.

23The Next Generation Periodic Reporting System captures contract, project and programlevel data for quarterly and monthly reporting. It supports portfolio reviews at the DHS,component, program, and project levels and enables users to conduct analysis, trending,and forecasting at these levels and allows users to generate reports. The InvestmentManagement System supports DHSs capital planning process and is used, among otherthings, to capture and report on business case information, such as in Exhibit 300submissions.

DHSs New IT GovernanceFramework Is GenerallyConsistent with Guidance,Best Practices, but Policies

and Procedures Have NotYet Been Finalized


22/39


Table 2: Assessment of Policies and Procedures for Program Management

Practicecategory Specific practice Assessment Summary of evidence

InstitutingInvestmentBoardOperations

In cases where lower-level investmentboards (such as the ESCs) are charteredto carry out the responsibilities of theenterprisewide IT investment board withintheir own business units, theenterprisewide IT investment board stillmust maintain ultimate responsibility forand therefore visibility intothe lower-level boards activities.

Partially addressed According to the draft program governanceprocedures, if a program that has been assignedto an ESC experiences schedule, budget, orscope problems, the program manager mustpresent a status and action plan to the IRB forassessment and approval. In addition, the IRB isto reassume acquisition decision authority if aprogram is in breach of cost, schedule orperformance goals established in the acquisition

program baseline until the program has takencorrective actions, rebaselined the program withan IRB-approved acquisition program baseline,and the IRB authorizes the ESC to reassumeacquisition decision authority. Theserequirements, however, are not established inpolicies and procedures such as the ProgramGovernance Concept of Operations document,which would have broader applicability. Further,while in practice, the department maintainsvisibility into the ESC activities by having theCIOwho is a member of the IRBchair orattend meetings, the policies and proceduressupporting the new IT governance process do notaddress this or reference existing documents

which might address this.The enterprisewide IT investment boardshould be responsible for major systemsthat affect multiple components and users,and stay actively involved in those that arehigh cost or high risk or have significantscope and duration.

Fully addressed As previously stated, the board maintainsresponsibility for major IT investments with lifecycle cost estimates of $300 million or more.While ESCs may oversee these investments, theyare only expected to receive authority to approvecertain acquisition decision events. In addition, asstated above, depending on the status of aprogram, this decision authority could berescinded. Further, according to the draft programgovernance procedures, if a program experiencesschedule, budget, or scope problems, theprogram manager must present a status andaction plan to the IRB for assessment andapproval.

Investment management guidance shouldspecify the manner in which ITinvestment-related processes will becoordinated with other organizationalplans, processes, and documentsincluding, at a minimum, the strategicplan, budget, and enterprise architectureprocesses.

Fully addressed DHSs draft portfolio governance proceduresindicate that portfolio activities include executingsuitability analysis, adding and rankinginvestments into the rolling 5-year strategy andenterprise architecture transition plan, requestingbudget approval, and tracking continuing statusand performance of programs underway.


23/39



Subordinate boards should have the samebroad business unit and IT representationas the enterprisewide board.

Fully addressed DHSs draft governance procedures specify thatthe composition of the ESCs and PortfolioGovernance Boards should include both businessand technical representation.

Selecting anInvestment

Policies and procedures for effectivelyselecting investments for funding typicallyoutline a structured method for identifying,evaluating, prioritizing, and selecting newIT investment proposals, including criteriato support the analysis, prioritization, andselection of new investments. Similar

policies and procedures should exist forreselecting ongoing investments

Partially addressed DHSs draft portfolio governance policies andprocedures address the selection of proposedinvestments and the reselection of existinginvestments. They specify a process for thereview and selection of proposed investments,requiring a Portfolio Governance Board to rank aproposed investments relative priority with all

other approved investments in order to formallyadd it to the portfolio transition plan. This plan isto represent a point of reference to which DHSinvestments, both legacy and new investmentsapproved for execution, are identified. The draftprocedures also specify that the review of aninvestment must use existing DHS selection andprioritization criteria, such as resources neededand benefits to be derived. However, the draftprocedures do not specify these criteria orreference other documents where these criteriamay be identified.

ProvidingInvestmentOversight

Procedures for providing investmentoversight typically specify the proceduralrules for investment boards operation and

for decision making during programoversight; the criteria that the investmentboards use when analyzing projectperformance as part of their oversightfunction; that corrective actions arerequired when the project deviates orvaries significantly from the projectmanagement plan; and the procedures forescalating unresolved or significantissues.

Fully addressed As stated above, the board maintainsresponsibility for major IT investments.


24/39



CapturingInvestmentInformation

Procedures for capturing investmentinformation typically specify thatresponsibility for submitting, updating, andmaintaining relevant inventory informationfor each project or asset is explicitlyassigned; the process to be followed forthe collection of information, access to theinformation, and support for maintainingthe information; the data elementsrequired for each IT-related item, includingthe cost (e.g., history of actualdevelopment costs, annual operating andmaintenance costs, and expected lifecycle costs) of each item; and the ownerof each item.

Fully addressed In February 2012, the Under Secretary forManagement directed the implementation of theenterprise Decision Support Tool to improve thedepartments governance capabilities, as well asaid departmental strategic acquisition decisionmaking. The tool is to integrate and enhance thefunctionalities of existing systems usedthroughout DHS in order to generate integrated,high-quality data on program performance. It is toestablish standard content, format, and frequencyfor investment performance analysis andreporting, including key risks and mitigation plans.In addition, the tool is to allow the stakeholders toefficiently report program health status to thePortfolio Governance Board using a format that isconsistent across portfolios, programs, andgovernance bodies. PARM officials stated thatcomponent acquisition executives are to beresponsible for the completeness of the data inthe tool, and accuracy for their respectiveprograms. DHS is deploying the Decision SupportTool in phases as it addresses additionalrequirements.



25/39


Table 3: Assessment of Policies and Procedures for Portfolio Management

Practicecategory Specific practices Assessment Summary of evidence

Creating thePortfolio

The organizations policies and procedures foranalyzing and developing IT investment portfoliostypically provide common definitions for ITinvestment portfolio categories, apply to each ITinvestment board as it develops its comprehensiveportfolio, and stipulate conditions that should bemet for investment funding decisions whereexceptions are made.

Fullyaddressed

DHSs draft portfolio governance proceduresidentify the steps that will be taken to approveproposed investments and assign them to theappropriate functional portfolio. In addition, theprocedures state that after investmentproposals are analyzed by the enterprisearchitecture organization to assess potentialoverlap or duplication, they must then gothrough a suitability analysis to determine the

functional and technological scope of theinvestment proposals. After the investment hasbeen approved, the procedures further call foran analysis of the investments alignment withthe DHS strategic goals, which will assist inranking the new investments priority relative tothe others in that portfolio.

Evaluating thePortfolio

The organization should have documentedpolicies and procedures for reviewing, evaluating,and improving the performance of its portfolios.This includes defining and collecting performancedata that is consistent with established portfolioperformance criteria, and making adjustments tothe IT investment portfolio in response to actualperformance.

Fullyaddressed

In DHSs draft portfolio governance procedures,the department identified specific portfoliogovernance critical success factorssuch ashaving proactive executives and subject matterexpertsto ensure its investments are definedand planned in the most effective way in orderto lead to a greater probability of success. Thedocument also identified key performance

indicators, such as progress in meetingstrategic objectives and timely decision makingto gauge portfolio performance.


According to officials, the policies and procedures supporting DHSs newIT governance have not been finalized because the focus has been onpiloting the new governance process. To the departments credit,according to officials, the Portfolio Governance Concept of Operations,which focuses more on the role of the Portfolio Governance Boards, isexpected to be approved by the end of July. In addition, the ProgramGovernance Concept of Operations, which is intended to specify how

programs are to be overseen, is currently being drafted and expected tobe finalized in August 2012 (and approved by the CIO later). Further,according to officials, resources have recently been assigned to updatingDHSs current Information Technology Integration and Managementdirective to reflect the new framework, and work has also begun to updatetheAcquisition Management Directive. While the use of pilots is valuablein testing processes and identifying lessons learned, until DHS finalizesthe policies and procedures associated with the new IT governance, thedepartment will have less assurance that its new IT governance will be


26/39


consistent with best practices and address previously identifiedweaknesses in investment management.

DHS has begun to implement components of the IT governanceframework. Specifically, the department has primarily focused itsimplementation efforts on the execution phase of the IT governanceoperating model (see fig. 4) because, according to officials, it includes thedepartments more mature processes. Efforts to implement other aspectsof the model have been more limited.

Table 4 below shows the status of the implementation of the governancebodies.

DHS HasImplemented Aspectsof Its New Structure,but Has Not Fully

Followed BestPractices


27/39


Table 4: Status of the Implementation of Governance Entities

Governance entity Status

IRB This board pre-dates the new governance structure. It has been operating and holding meetings.

Capabilities and RequirementsCouncil

According to officials, this group is not yet established.

Department Strategy Council According to officials, this council is not yet established.

Portfolio Governance Boards Currently three Portfolio Governance Boards are operational, and two are expected to becomeoperational by the end of this fiscal year. DHSs three current portfolio governance boards arethe Information Technology Services Governance Board, Information Sharing & SafeguardingGovernance Board, and Human Resources Information Technology. The two planned forcompletion by the end of the fiscal year are Screening and Integrated Domain Awareness.According to the CIO, the vision is to have one Portfolio Governance Board for each of DHSs 13functional portfolios.

Program ESCs DHS has initiated pilot ESCs to test aspects of the new governance structure. Specifically, theCIO identified an initial set of 16 high-visibility programs to be overseen by ESCs

aAccording to

the CIO, DHS envisions assigning larger, more complex, higher visibility or riskier programs toan ESC.

COE DHS has established seven COEs to support program management, and, according to officials,recently established an eighth one

bIn addition, a COE Council and COE Coordinating Office

have been established. Officials stated that they are still in the process of conducting a resourceassessment for developing a Federated Governance Staffing Requirements Plan. This shouldcontribute to identifying staff with needed expertise to serve as subject matter experts for theCOEs.


aThe 16 high-visibility programs are: Automated Commercial Environment/International Trade DataSystems; Command, Control, Communications, Computers, Intelligence, Surveillance,Reconnaissance; Customs and Border Protections Traveler Enforcement Compliance SystemModernization; Homeland Security Network; Homeland Security Presidential Directive 12 Identity,Credential, and Access Management; Immigration and Customs Enforcements Traveler EnforcemenCompliance System Modernization; Infrastructure Transformation Program; National Cyber SecurityProtection System; National Flood Insurance Program; Next Generation Tactical Communications;Student and Exchange Visitor Information System II; Technical Infrastructure Modernization; UnitedStates Citizenship and Immigration Services Transformation; United States Visitor & Immigrant StatusIndicator Technology; United States Secret Service Information Integration and Transformation; andVerification Information System/Employment Eligibility Verification.

bThe seven COEs are: Program Management, Test and Evaluation, Enterprise Architecture,Accessibility, Requirements Engineering, Cost Estimating, and Privacy. According to officials, aSystems Engineering COE was recently established.

In addition to progress made with the governance entities above, DHShas also taken other steps to implement the new IT governance structure.

Portfolio reviews: According to the CIO, the department is currentlyperforming portfolio reviews in collaboration with PARM and the Officeof the Chief Financial Officer. These reviews look at the alignment of afunctional grouping of investments and the mission effectiveness, orvalue, those investments deliver. The focus of these reviews is toidentify overlaps and redundancies in existing investments, and to


28/39


identify gaps in existing capabilities. According to the Deputy CIO,these portfolio reviews represent a new way of operating for thecomponents, as they were not used to looking at functions across thedepartment, only portfolios within their respective components.

According to the CIO, as the Portfolio Governance Boards areestablished, they are expected to take over the role of reviewing theseportfolios.

Program reviews: In fiscal year 2011, the CIOs office performedprogram health assessment reviews of 47 IT programs, primarilyfocusing on those programs with poor performance ratings or

determined to be highly critical or visible by the CIO. According toofficials, all 83 major IT investments have been reviewed for this fiscalyear.

TechStat reviews: According to officials, the Office of the CIO alsoperformed two TechStat reviews in fiscal year 2011, and three of thefour TechStats planned for fiscal year 2012. In addition, officialsstated they have completed TechStat training for 12 components.

According to industry best practices, in order to effectively implement anew IT governance framework, or any large organizational change,organizations should obtain buy-in by involving all key stakeholders toensure key perspectives are considered and facilitate adoption. Thisincludes having top management support and creating forums forinvolving business representatives.

DHS has top management support, as evidenced by the Under Secretaryfor Management approving key documents supporting the newgovernance process. For example, the December 2011 IntegratedStrategy for High Risk Management, which introduces the vision for the ITgovernance structure, was approved by the Under Secretary forManagement. The Under Secretary also issued a memorandum callingfor the use of pilot ESCs and providing these ESCs authority to oversee

investment performance. In addition, to secure buy-in, EBMO also soughtcomments on a draft of its Portfolio Governance Concept of Operations,and, according to officials communicated its efforts to improve ITinvestment management to senior executives (including the ChiefFinancial Officer and Chief Procurement Officer) and to the components.

According to the EBMO Director, these stakeholders participation onESCs or portfolio review boards and involvement in conducting theportfolio reviews has also helped to secure their buy-in. Taking thesesteps increases the likelihood that the new IT governance process will be

DHS Is Taking Steps toObtain Organizational Buy-

in


29/39


adopted despite the significant cultural change it represents. The CIO andExecutive Director for EBMO both noted that the new governance isgradually gaining acceptance.

Effectively implementing a new IT governance process also requiresdeveloping an effective implementation team and plan. According to bestpractices, an effective implementation team should be put in place thatincludes key stakeholders from both business and IT components. Inaddition, we have previously reported that to effectively implement ITinvestment management processes, organizations need to be guided by

a plan that builds on existing strengths and weaknesses; specifiesmeasurable goals, objectives, and milestones; specifies neededresources; assigns clear responsibility and accountability foraccomplishing tasks; and is approved by senior-level management.24

DHS has established an integrated product team to guide theimplementation of the new IT governance structure. According to DHSofficials, the departments integrated product team is made up of officialsfrom EBMO, PARM, and the departments chief executives (e.g., CIO,

Chief Financial Officer, etc.). Further, according to the department, theEBMO senior staff directly involved with the implementation of thegovernance structure have both program-level and portfolio-levelgovernance experience. According to officials, the integrated productteam is supported by subject matter experts and the Component

Acquisition Executives.

Such a plan is instrumental in helping agencies coordinate and guideimprovement efforts.

However, the department has not yet developed an implementation plan.While DHSs June 2012 Integrated Strategy for High Risk Managementincludes components of an implementation plan, such as high-level goalsand activities to be completed by the end of fiscal year 2012, DHS doesnot have an implementation plan addressing the elements mentioned

above. While officials recognized the value of an implementation plan,they stated they had not yet developed one because they are still pilotingthe new governance process. Further, officials stated that they planned

24GAO, Information Technology: Treasury Needs to Strengthen Its Investment BoardOperations and Oversight,GAO-07-865 (Washington, D.C.: July 23, 2007).

An Implementation TeamHas Been Established, butthe Department Lacks anImplementation Plan
http://www.gao.gov/products/GAO-07-865http://www.gao.gov/products/GAO-07-865http://www.gao.gov/products/GAO-07-865http://www.gao.gov/products/GAO-07-865


30/39


on developing a 2-year implementation plan that would incorporate bestpractices identified in the ITIM framework for effectively managingprojects and portfolios. They stated that this plan would draw from thedepartments revised IT strategic plan due to be completed by the end ofthe summer of 2012. To mitigate for the limited resources available, DHSstates it will adopt a federated model for resourcesdrawing resourcesfrom componentsand use contractor support, as needed. Until a plan isdeveloped, the department may not be able to effectively implement thenew IT governance process to ensure that it addresses previouslyidentified weaknesses, and effectively uses the departments limitedresources.

According to best practices, when implementing an IT governanceframework, it is important to evaluate the implementation efforts by,among other things, developing measures to assess progress in meetingobjectives. In addition, according to best practices, when implementing anew governance framework, there should be mechanisms in place todocument lessons learned for subsequent governance improvementinitiatives. According to our ITIM framework, among other things, lessonslearned and recommendations for improving the investment processshould be developed and documented, and then distributed to allstakeholders.

DHS has defined measures in the June 2012 update to the IntegratedStrategy for High Risk Management. For example, DHS plans to measurethe (1) percentage of DHS IT program reviews completed in fiscal year2012; (2) percentage of DHS IT programs rated as low risk; (3)percentage of IT investment portfolio governance boards and ESCsestablished and chartered; and (4) percentage of components trained andconducting component-led TechStats. In addition, the department hasidentified measures to assess the effectiveness of the ESC programreviews. Further, according to officials, draft measures for the COEfunctions have also been developed; however, they have not yet been

documented and officials did not have any time frames for doing so.Without fully defining and documenting measures of success, it is unlikelythat the department will be able to determine if it has successfully andefficiently established its new IT governance framework.

DHS officials stated that they are using lessons learned from their pilotingactivities to improve their governance process; however, they have notestablished a mechanism for capturing lessons learned. Without thismechanism, the department risks not being able to continue to build on

DHS Has Yet to FullyDefine Processes forEvaluating ItsImplementation Efforts


31/39


the experiences and lessons learned from prior initiatives, which couldhelp to identify, introduce, and sustain additional efficiency gains on amore systematic basis.

DHSs new approach to IT governance shows promise in establishingmechanisms for greater oversight, involving key staff in programdecisions, and focusing on functional portfolios in order to avoidunnecessary duplication. To the departments credit, the vision isgenerally consistent with guidance and with best practices for managingprojects and portfolios. However, we identified two practices which were

only partially addressed in policies and proceduresensuring that theIRB maintains visibility into the activities of the ESCs, and defining projectselection and prioritization criteriawhich could limit the extent to whichthese practices are institutionalized. In addition, the policies andprocedures have not yet been finalized. To its credit, DHS has effortsunderway to address this. However, until DHS finalizes these policies andprocedures and ensures that they fully address practices for managingprograms and portfolios of investments, the department will have lessassurance that its new approach will address identified weaknesses andfacilitate effective governance.

DHS has implemented aspects of its new approach, such as establishinggovernance entities associated with the execution phase of its approachand conducting portfolio and program reviews. However, because theagency has not developed an implementation plan, fully documentedperformance measures, or established a mechanism for capturinglessons learned, there is a risk that the approach may be less effectivethan intended.

To implement an effective IT governance strategy, we recommend thatthe Secretary of Homeland Security direct the appropriate officials tofinish defining the new IT governance process by

finalizing the IT governance policies and procedures and ensuringthey fully address or reference existing documents that address thefollowing:

how the IRB is to maintain responsibility for lower-level boardactivities; and

Conclusions

Recommendations forExecutive Action


32/39


investment selection and prioritization criteria.

In addition, to assist in implementing the new IT governance strategy, werecommend that the Secretary of Homeland Security direct theappropriate officials to

develop an implementation plan that draws together ongoing andadditional efforts needed to implement the new IT governanceprocess. The plan should:

1. build on existing strengths and weaknesses;

2. specify measurable goals, objectives, and milestones;

3. specify needed resources;

4. assign clear responsibility and accountability for accomplishingtasks; and

5. be approved by senior-level management.

fully define and document key measures to monitor the

implementation process; and

establish mechanisms for capturing lessons learned.

DHSs Director for the Departmental GAO-OIG Liaison Office providedwritten comments on a draft of this report (reprinted in appendix II). Hestated that the department was pleased to note GAOs positiveacknowledgement that DHSs IT governance framework was consistentwith OMB guidance and GAOs ITIM framework. He also stated that thedepartment concurred with the recommendations and estimated it wouldaddress them by September 30, 2013. The department also providedtechnical comments, which we have incorporated where appropriate.

We are sending copies of this report to interested congressionalcommittees and the Secretary of Homeland Security. In addition, thereport is available at no charge on the GAO website athttp://www.gao.gov.

Agency Commentsand Our Evaluation


33/39


If you or your staffs have any questions on the matters discussed in thisreport, please contact me at (202) 512-9286 [email protected] points for our Offices of Congressional Relations and Public

Affairs may be found on the last page of this report. GAO staff who mademajor contributions to this report are listed in appendix III.

David A. PownerDirector, Information Technology

Management Issues


34/39

Appendix I: Objectives, Scope, andMethodology


The objectives of our review were to (1) describe the Department ofHomeland Securitys (DHS) new information technology (IT) governanceprocess and associated policies and procedures, and assess themagainst best practices; and (2) determine progress made in implementingthe new approach and how DHSs implementation efforts comport withrelevant best practices.

To address our first objective, we reviewed and analyzed documentationon DHSs newly initiated IT governance process. This documentationincluded the Under Secretary for Managements Program Management &Execution Playbook, the December 2011 biannual update to the

Implementation and Transformation section of DHSs Integrated Strategyfor High Risk Management, the Office of the Chief Information OfficersConcept of Operations documents for Program and Portfolio Governance,and Chief Information Officer quarterly update briefings presented toGAO. We also reviewed various memorandums from the Under Secretaryfor Management, which covered such issues as the chartering ofExecutive Steering Committees and the implementation of thedepartments Decision Support Tool. We also interviewed officials fromDHSs Office of the Chief Information Officers Enterprise BusinessManagement Office (EBMO), and from the Office of Program

Accountability and Risk Management (PARM). To assess DHSs vision ofits planned governance process against GAOs Information TechnologyInvestment Management (ITIM) guide,1

To address our second objective, we obtained and evaluateddocumentation showing the departments efforts in implementing thegovernance process. This included documentation defining the roles ofvarious governance entities, such as the Executive Steering Committeesand Portfolio Governance Boards, to be involved in the process. Wereviewed available charters and meeting minutes for several of these

entities to determine if they were functioning. We also revieweddocumentation on the Centers of Excellence established by DHS toprovide subject matter expertise to support program management. In

we identified the ITIM stage 2 and

stage 3 critical process areas that were most relevant to DHSs efforts,and compared the evidence collected from our document reviews andinterviews to the practices associated with these areas.

1GAO, Information Technology Investment Management: A Framework for Assessing andImproving Process Maturity,GAO-04-394G (Washington, D.C.: March 2004).

http://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394Ghttp://www.gao.gov/products/GAO-04-394G


35/39



addition, we interviewed officials from EBMO and PARM to determine thestatus of the departments efforts in implementing the governanceprocess. We also requested information from the five programs for whichExecutive Steering Committees were first established on the variousreviews they had undergone since January 2010including type ofreview, time frames for each review, and information requestedtodetermine the extent of duplication or overlap among the reviews. In orderto assess DHSs implementation of the IT governance approach againstaccepted best practices, we first used content-analysis software toidentify best practices shared by industry and the federal government. Weidentified these practices from prior our reports, Office of Management

and Budget guidance, and guidance from recognized experts in ITgovernance.2

We conducted this performance audit from October 2011 to July 2012 inaccordance with generally accepted government auditing standards.Those standards require that we plan and perform the audit to obtainsufficient, appropriate evidence to provide a reasonable basis for our

findings and conclusions based on our audit objectives. We believe thatthe evidence obtained provides a reasonable basis for our findings andconclusions based on our audit objectives.

We grouped the practices into three categories(1)

organizational buy-in, (2) development of an implementation team andimplementation plan, and (3) evaluation and determined from theevidence collected from our document reviews and interviews the extentto which DHS was following these best practices.

2These include, among others, IT Governance Institute, Gartner, IBM, and Oracle.


36/39

Appendix II: Comments from the Departmentof Homeland Security




37/39




38/39

Appendix III: GAO Contacts and StaffAcknowledgments


David A. Powner at (202) 512-9286 [email protected]

In addition to the contact named above, the following staff also made keycontributions to this report: Sabine R. Paul, Assistant Director; William G.Barrick; Sairah R. Ijaz; Lee A. McCracken; and Tomas Ramirez.

Appendix III: GAO Contacts and StaffAcknowledgments

GAO Contact

StaffAcknowledgments

(311260)
mailto:[email protected]:[email protected]:[email protected]:[email protected]


39/39

The Government Accountability Office, the audit, evaluation, andinvestigative arm of Congress, exists to support Congress in meeting itsconstitutional responsibilities and to help improve the performance andaccountability of the federal government for the American people. GAOexamines the use of public funds; evaluates federal programs andpolicies; and provides analyses, recommendations, and other assistanceto help Congress make informed oversight, policy, and funding decisions.GAOs commitment to good government is reflected in its core values ofaccountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no

cost is through GAOs website (www.gao.gov). Each weekday afternoon,GAO posts on its website newly released reports, testimony, andcorrespondence. To have GAO e-mail you a list of newly posted productsgo towww.gao.govand select E-mail Updates.

The price of each GAO publication reflects GAOs actual cost ofproduction and distribution and depends on the number of pages in thepublication and whether the publication is printed in color or black andwhite. Pricing and ordering information is posted on GAOs website,http://www.gao.gov/ordering.htm.

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or

TDD (202) 512-2537.Orders may be paid for using American Express, Discover Card,MasterCard, Visa, check, or money order. Call for additional information.

Connect with GAO onFacebook, Flickr,Twitter, and YouTube.Subscribe to ourRSS FeedsorE-mail Updates.Listen to ourPodcasts.Visit GAO on the web atwww.gao.gov.

Contact:

Website:www.gao.gov/fraudnet/fraudnet.htmE-mail:[email protected]

Automated answering system: (800) 424-5454 or (202) 512-7470

Katherine Siggerud, Managing Director,[email protected], (202) 512-4400, U.S. Government Accountability Office, 441 G Street NW, Room7125, Washington, DC 20548

Chuck Young, Managing Director,[email protected], (202) 512-4800U.S. Government Accountability Office, 441 G Street NW, Room 7149Washington DC 20548

GAOs Mission

Obtaining Copies ofGAO Reports andTestimony

Order by Phone

Connect with GAO

To Report Fraud,Waste, and Abuse inFederal Programs

CongressionalRelations

Public Affairs
http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/ordering.htmhttp://www.gao.gov/ordering.htmhttp://facebook.com/usgaohttp://facebook.com/usgaohttp://facebook.com/usgaohttp://flickr.com/usgaohttp://twitter.com/usgaohttp://twitter.com/usgaohttp://twitter.com/usgaohttp://youtube.com/usgaohttp://www.gao.gov/feeds.htmlhttp://www.gao.gov/feeds.htmlhttp://www.gao.gov/feeds.htmlhttp://www.gao.gov/subscribe/index.phphttp://www.gao.gov/subscribe/index.phphttp://www.gao.gov/podcast/watchdog.htmlhttp://www.gao.gov/http://www.gao.gov/http://www.gao.gov/http://www.gao.gov/fraudnet/fraudnet.htmhttp://www.gao.gov/fraudnet/fraudnet.htmmailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]://www.gao.gov/fraudnet/fraudnet.htmhttp://www.gao.gov/http://www.gao.gov/podcast/watchdog.htmlhttp://www.gao.gov/subscribe/index.phphttp://www.gao.gov/feeds.htmlhttp://youtube.com/usgaohttp://twitter.com/usgaohttp://flickr.com/usgaohttp://facebook.com/usgaohttp://www.gao.gov/ordering.htmhttp://www.gao.gov/http://www.gao.gov/

dhs needs to further define and implement its new governance process

Documents