Another GAO report is out, this time discussing the CBP's and ICE's failed attempts at modernizing their computer systems. As I've noted before, the word "scathing" often precedes the words "GAO report," most of which detail the sort of ineptitude that only large-scale bureaucracies can achieve. As I've also noted, the operative phrase following "scathing GAO report" is more often than not, "business as usual." Most GAO reports mention previous findings that were ignored, haphazardly implemented or back-burnered indefinitely.
The latest GAO report deals with two of our favorite government entities/targets, the CBP (Border Patrol) and ICE (IP industry go-fers). Both are under the purview of the DHS and both have computer systems sorely in need of an upgrade. The good news is… well, there's really no good news in here. The explanatory note helps set the stage.
DHS’s border enforcement system, known as TECS, is the primary system for determining admissibility of persons to the United States. It is used to prevent terrorism, and provide border security and law enforcement, case management, and intelligence functions for multiple federal, state, and local agencies. It has become increasingly difficult and expensive to maintain and is unable to support new mission requirements. In 2008, DHS began an effort to modernize the system. It is being managed as two separate programs by CBP and ICE.
TECS keeps our borders safe, fights terrorism, provides support for multiple levels of law enforcement… and has been undergoing modernization for more than a half-decade. This should be disheartening enough -- an outdated system is being used to secure a nation, a system that can't even keep up with current demands. But it gets so much worse as the report goes on.
The schedule and cost for the Department of Homeland Security’s (DHS) border enforcement system modernization program known as TECS Mod that is managed by Customs and Border Protection’s (CBP) continue to change; while the part managed in parallel by Immigration and Customs Enforcement (ICE) is undergoing major revisions to its scope, schedule, and cost after discovering that its initial solution is not technically viable.
CBP’s $724 million program intends to modernize the functionality, data, and aging infrastructure of legacy TECS and move it to DHS’s data centers by 2016. To date, CBP has deployed functionality to improve its secondary inspection processes to air and sea ports of entry and, more recently, to land ports of entry in 2013. However, CBP is in the process of revising its schedule baseline for the second time in under a year. Further, CBP has not developed its master schedule sufficiently to reliably manage work activities or monitor program progress. These factors raise questions about the certainty of CBP’s remaining schedule commitments.
If everything works out according to, well, normally I'd say "plan" right here but it certainly appears that nothing resembling a "plan" is actually in place, it will be eight years from start-to-finish on the TECS modernization. And that's the CBP only. And that's only if the CBP can keep it on schedule, which at this point, appears to be something it can't actually do.
Then there's ICE, running its own parallel update to TECS, and failing just about as spectacularly as the CBP.
Regarding ICE’s $818 million TECS Mod program, it is redesigning and replanning its program, having determined in June 2013 that its initial solution was not viable and could not support ICE’s needs. As a result, ICE largely halted development and is now assessing design alternatives and is revising its schedule and cost estimates. Program officials stated the revisions will be complete in spring 2014. Until ICE completes the replanning effort, it is unclear what functionality it will deliver, when it will deliver it, or what it will cost to do so, thus putting it in jeopardy of not completing the modernization by its 2015 deadline.
Five years after TECS Mod is put in motion, ICE decides the modernization won't work. Six years later, it's promising a new estimate by spring of 2014. The previous best guess was completion in seven years, but the GAO notes that this end date is highly improbable considering work has been completely halted to "assess design alternatives." A realistic scenario most likely puts modernization completion a decade out from the start date, at which point one has to wonder if the new system will be outdated before it even goes completely live.
A few pages later the GAO points out that the system being upgraded dates back to the 1980s and several government entities rely on it for mission-critical data. However, "archaic" doesn't mean "cheap." The CBP estimates licensing and maintenance on its TECS system runs $40-60 million per year. Sadly, this expensive, outdated system can't even keep up with written languages that have been around for hundreds and thousands of years.
The current TECS system uses obsolete technology, which combined with expanding mission requirements, have posed operational challenges for CBP and others. For example, users may need to access and navigate among several different systems to investigate, resolve, and document an encounter with a passenger. In addition, CBP identified that TECS’s search algorithms do not adequately match names from foreign alphabets.
Seems like a Border Control agency might need a system that can parse foreign alphabets accurately. Foreigners are its main concern. You would think an issue like this, which could lead to misidentification of innocent people as threats or vice versa, would be a chief concern. (I'm sure the DHS/CBP are more concerned with the latter than the former, but it's still a big hole in their ability to "secure" the nation's borders.)
What's even sadder about this "foreign alphabet" issue is the fact that the GAO had to list it as a recommendation. This means the CBP had no current plans in place to patch this critical hole in its TECS system.
The CBP keeps promising a 2015 date for delivery of the updated system, but the more the GAO digs, the less it believes it has any chance of meeting this deadline. The agency apparently can't be bothered to follow simple best practices to help guide the modernization project to completion.
CBP is in the process of revising its schedule baseline for the second time in under a year, making it unclear when the program ultimately intends to deliver needed functionality. Exacerbating this situation is the fact that CBP has not developed its master schedule sufficiently to effectively manage work activities or monitor the program’s progress.
Not only that, but nothing's linked together in the shambolic project management the CBP has slapped together. A delay elsewhere in the project won't be reflected by current budget and date estimates, which will pretty much dump the project into the "it'll be done when it's done" category. All the while, tax dollars are being pumped in to maintain a system that can't keep up with what was asked of it a half-decade ago.
How does a project like this slip into a mismanaged mess without any cohesive guiding force? Well, if the agency behind the project feels like it isn't a job worth doing, it has plenty of ways to ensure the job will never get done.
Program officials stated these deficiencies existed because the program has only two staff members with skills needed to properly develop and maintain the schedules, and that fully documenting all the dependencies would be time consuming, and in their view, not sufficiently important to warrant the additional resources necessary to complete them.
An agency, one tasked with The Most Important Job (national security), can't even be bothered to entrust modernization of a computer system dating back to the 1980s to more than two people. And when pressed, it can't even be bothered to care that these limits will result in excess expenditures and endless delays.
Things aren't much better on the ICE side.
Instead of continuing with the existing technical solution, the program manager explained that ICE would scrap a significant portion of the work done to date and start over. As a result, ICE halted most development work in June 2013 and has since been assessing different design and technical alternatives. In January 2014, ICE reported that it had rebaselined its program requirements and that it anticipates having its revised cost and schedule estimates finalized this coming spring. Nevertheless, given the time lost in developing the current technical solution, as well as the already reduced program scope, ICE cannot say what specific features it will release to users, when this functionality will be delivered, or how much such efforts will cost. As such, ICE is at significant risk of not achieving independence from the existing system by 2015.
So, ICE has basically informed the GAO that it has no idea whether the upgraded system, if and when it arrives, will be capable of meeting the demands of the agency. It has already made one false start and scrapped that entirely, rather than using whatever gains it achieved as a new starting point. The report delves a little deeper and details just how much ICE scrapped before starting over, and why.
In ICE’s case, management weaknesses and the lack of appropriate guidance for the program’s requirements management process led to technical issues, testing failures, and ultimately, the deferral and/or deletion of about 70 percent of the program’s original requirements. ICE issued new requirements guidance for the program in March 2013 that is consistent with leading practices, but has yet to demonstrate that these have been fully implemented.
ICE will now move forward on a new modernization plan, one that looks to be handled no better than the one it scrapped in 2013. Both agencies seemingly have no idea how to run a project of this scope (and have shown little interest in doing so). If either of these agencies were private businesses, they'd already be dead and long-forgotten. Even those tasked with evaluating ICE/CBP's modernization plans seem to be unqualified to do the job.
In its most recent program health assessments, the Enterprise Business Management Office partially based its rating of moderately low risk on CBP’s use of earned value management; however, the program manager stated to us that the CBP program is not utilizing earned value management because neither it nor its development contractor had the capability to do so. Similarly, even though ICE had not reported recent cost or schedule data for its program—an issue that may signal a significant problem—the Office of the CIO rated ICE’s program as medium risk. The reliance on incomplete and inaccurate data raises questions about the validity of the risk ratings.
The GAO took its findings up the bureaucratic ladder to the DHS, which didn't seem to be very troubled by the bumbling incompetence of the agencies under its purview.
DHS concurred with all but one of our recommendations, disagreeing with the recommendation regarding the weaknesses in CBP’s schedule. In response, DHS stated that CBP’s scheduling efforts for TECS Mod were sound. However, given the weaknesses in CBP’s master schedule, we continue to believe that management will be unable to determine how a slip in the completion date of a particular task may affect the overall project or program schedule, and thus, absent any changes, continuing to use it as a tool to track progress will remain ineffective.
In conclusion, the GAO found plenty of money wasted and nothing to show for it.
[A]fter spending nearly a quarter billion dollars and over 4 years on its two TECS Mod programs, it remains unclear when DHS will deliver them and at what cost. While CBP’s program has delivered one of the five major projects that comprise the program, its commitments are being revised again and the master schedule used by the program to manage its work and monitor progress has not been fully developed.
The $250 million is more than one-quarter of the CBP's total estimated budget for its TECS overhaul. At this point, it's still basically at square one and is doing absolutely nothing to ensure the project stays on track or within budget. ICE's expenditures aren't broken out separately, but judging from its decision to scrap one attempt entirely and start over, there's little doubt that its modernization program is doomed to the same fate as the CBP's.