The Department of Homeland Security set out in 2016 to replace its facial and fingerprint recognition system. But little has gone right for the Homeland Advanced Recognition Technology (HART) program. It’s three years late, no components are yet up and running. The Government Accountability Office said DHS officials need to get on with a lot of procurement best practices. Federal Drive with Tom Temin got more details from the GAO’s director of information technology and cybersecurity issues, Kevin Walsh.
Insight by Micro Focus Government Solutions: Learn from agency and industry executives as they explore why protecting data requires a comprehensive approach involving every part of the IT chain – people, policy, infrastructure and applications in this exclusive executive briefing.
Tom Temin: Kevin, good to have you back.
Kevin Walsh: Thank you, Tom, good to be on.
Tom Temin: And tell us how this program is structured, they need to acquire these new technologies. Is this a single acquisition or is it a series of sub components?
Kevin Walsh: So this is a series of contracts. And as you noted, the first contract has had a series of issues, they’ve reached their schedule twice, they’ve reached their cost once. And it just seems like this cavalcade of ongoing things going wrong. So since this is a 27 year old program, we really want to get them on the right page back developing correctly and working well with their contractor so that we can fix this critical functionality and make sure that we get the next level of functionality which we want to use to support decisions made by national security, law enforcement and immigration folks over there at DHS.
Tom Temin: And where does this all fit in there? Because, for example, TSA and Customs and Border Protection have both deployed facial recognition systems at ports of entry and airports and so on. But you’re talking about something different, and where does it fit in vis-à-vis those systems and also via the IAFIS system of the FBI.
Kevin Walsh: So this is at the DHS level, and it’s at the highest level. And as you noted, TSA, CBP, even FBI, they are partner agencies that work with DHS to coordinate on biometric identity management. So you noted in the intro that this one does fingerprints and facial recognition, biometrics, though in the future could also include things like DNA, iris recognition, even the way you walk or talk. So there’s a lot more functionality that DHS wants to get that this 27 year old system can’t quite do.
Tom Temin: And what specifically are they buying? Because a system could refer to a series of sensors and fingerprint readers and iris readers, but it sounds like they’re buying something comprehensive. Is it going to be contractor operated? What are they driving at?
Kevin Walsh: So this program is, geez, it is mammoth in scope. So it’s going to be a nine year long development effort or will be by the time it’s completed according to the current tentative schedule. And it’s going to cost $4 billion. So yeah, this is going to be fairly comprehensive. They want to use it to determine visa issuance, immigration eligibility, whether folks should get access to sensitive facilities or sensitive systems, law enforcement actions related to Homeland Security. So they really need to get this right. This is critical to the functioning of our government and those who deal with it.
Tom Temin: Yeah. And it’s so it’s three years late on initial deployment. And also what your report states that the DHS’ own IT dashboard says things have been okay with it.
Kevin Walsh: Yeah, this was really an interesting oversight. So the first schedule breach that happened with this program was in June of 2017. They said it was due to contracting delays and bid protests, they revised their schedule came out with a new one in May 2019. Yay. And then eight months later breached it again in January 2020. And that’s when things get interesting for what’s on the dashboard, because then the cost breach was four months after that in May 2020. But from November 2019, all the way through November 2020, if you looked on the dashboard, it said everything’s green, everything’s fine. All these big breaches were going on. So it was really a head scratcher when we saw that. Now, to DHS’ credit after November 2020, they flipped it down to red again. But what was going on in the background there was they were working through a new process, they had some big leadership changes. So they acknowledge that the ratings on the dashboard were inaccurate and outdated because of that new process. And it seems like they’ve got things straightened out so that it won’t happen again.
Tom Temin: Yes, I smell a re-baselining coming here. We’re speaking with Kevin Walsh, director of information technology and cybersecurity issues at the GAO. And basically, you’re saying that they have not fulfilled a number of best practices that should go with these large and complex procurements. Just review those for us.
Kevin Walsh: Yeah, so in addition to looking at how they were doing historically, and how they were reporting on it transparently through the dashboard, we looked at a series of best practices related to risk management, agreement management, project monitoring control and requirements management. Now, for risk management, we identified seven key best practices, and to their credit, they were doing pretty good. They had fully implemented four of them and partially implemented three. The ones they didn’t included documenting their risk meetings, which is something we’d like to see, it’s not going to run it off the rails. But they also didn’t document when a risk transfers from a potential risk into the what’s the trigger to now this is happening and we need to mediate and address it. On the acquisition best practices side of things, we had 14 best practices in amongst the grievant management and the others, they had fully addressed seven and partially addressed seven. So it’s a little bit more mixed there. But still, this isn’t quite program management off the rails, this is, hey these are some things we really think you guys should do to make sure you’re doing this correctly. So it’s hopeful, given how much of this was done. But given the history of the program, Tom, this is really still concerning. This is $4 billion. It’s three years past when we expected it to be delivered. So we’re not saying everything’s alright right now.
Tom Temin: Sure. Who are their prime contractors here?
Kevin Walsh: So we did not name that in the report – and I’m not prepared to get into that today.
Tom Temin: Alright. Well, we’ll find out one way or another, but understood that it’s not in the report. But I guess my question is, in looking at this, how have the requirements management been, because biometrics is a moving target and the technology changes almost monthly with some new algorithm or some new way of seeing the crinkle in the corner of the eyes and so on? And has that been an issue creeping and changing requirements?
Want to stay up to date with the latest federal news and information from all your devices? Download the revamped Federal News Network app
Kevin Walsh: Absolutely. So if you recall, I mentioned that there were two scheduled breaches and one cost breach. The first schedule breach, DHS said it was due to contracting delays and bid protests, and the eventual contract that they put in place has been modified 12 subsequent times, and the costs have increased to $143 million. So those 12 contract mods tell us that they really didn’t do great setting the requirements upfront. The second schedule breach was also due to a technical challenge and disagreements with the contractor on the requirements. And the final cost breach was also due to changing requirements – and that increased the cost of the program by $400 million. So spot on, Tom, this is a lot due to understanding the requirements of the program and how they continue to change and evolve as the program takes longer and longer.
Tom Temin: Yeah, basically, these are all, well, the basics, you might say. And what does Homeland Security say in response to your latest report here?
Kevin Walsh: So we made a total of seven recommendations to DHS that they update their policy to reflect the issues that we identified in here – and to their credit, they concurred with everything. And they also provided estimate dates for implementing them. So they’re owning this and they’re working to address it. So that’s the hopeful note to end on.
Tom Temin: Kevin Walsh is director of information technology and cybersecurity issues at the Government Accountability Office. Thanks so much.
Kevin Walsh: Appreciate the time, Tom, thank you.