DHS

We rated DHS’ information security program for FY 2024 as “effective,” according to this year’s reporting instructions.  We based this rating on our evaluation of DHS’ compliance with requirements of the Federal Information Security Modernization Act of 2014 for unclassified and national security systems.  DHS received a maturity rating of “Level 5 – Optimized” in two functions and “Level 4 – Managed and Measurable” in three functions.  We recommended the DHS Chief Information Officer strengthen oversight to ensure components adhere to DHS’ policies to remediate all known information security weaknesses in a timely manner.  DHS concurred with our recommendation.

DHS could not provide any performance measures and provided only limited data to demonstrate the full extent or effectiveness of its efforts to enforce wildlife trafficking laws.  In addition, CBP personnel inconsistently recorded data on wildlife encounters, and ICE Homeland Security Investigations (HSI) special agents did not always completely or accurately record actions and data related to wildlife trafficking.  CBP personnel also did not always demonstrate that they involved ICE HSI special agents when suspecting wildlife trafficking crimes.  Finally, DHS did not establish performance goals to measure the results of its efforts to combat wildlife trafficking.  We attributed these issues to DHS, CBP, and ICE not providing adequate oversight, including clear and comprehensive policies and procedures, of wildlife trafficking efforts.  As a result, DHS may be missing opportunities to curtail the spread of zoonotic viruses and disrupt transnational criminal organizations that use the same networks for other illicit trafficking, such as narcotics, humans, and weapons.  We made one recommendation to improve the Department’s efforts to combat wildlife trafficking.  The Department concurred with the recommendation and provided a plan to improve its efforts.

In May 2020, the Deputy Under Secretary for Management formally documented the Department’s risk acceptance to allow the Coast Guard to meet FISMA requirements according to Department of Defense, rather than DHS’ reporting requirements.  The Deputy Under Secretary for Management’s decision adversely affected our ability to evaluate the Department’s enterprise-wide information program under this year’s OIG reporting metrics.  Nonetheless, when evaluating the overall effectiveness of DHS’ information security program for FY 2020 FISMA, our rating does not include the Coast Guard.  DHS’ information security program earned a maturity rating of “Managed and Measurable” (Level 4) in three of five functions.  DHS can further improve the effectiveness of its information security program by ensuring components execute all its policies and procedures.  We made four recommendations in our report, with one to the DHS Chief Information Officer, one to the S&T Chief Information Officer, one to the Secret Service Chief Information Officer, and one to the FEMA Chief Information Officer.  The Department concurred with all four recommendations.

TSA acquired CT systems that did not address all needed capabilities.  These issues occurred because the Department of Homeland Security did not provide adequate oversight of TSA’s acquisition of CT systems.  DHS is responsible for overseeing all major acquisitions to ensure they are properly planned and executed and meet documented key performance thresholds.  However, DHS allowed TSA to use an acquisition approach not recognized by DHS’ acquisition guidance.  In addition, DHS allowed TSA to deploy the CT system even though it did not meet all TSA key performance parameters.  DHS also did not validate TSA’s detection upgrade before TSA incorporated it into the CT system.  As a result, TSA risks spending over $700 million in future appropriated funding to purchase CT systems that may never fully meet operational mission needs.  We made three recommendations to improve DHS’ oversight of TSA’s CT systems acquisition.  DHS concurred with all three recommendations.  

DHS did not fully comply with the public law.  TSA and the Coast Guard prepared, and DHS submitted, a CAP to Congress in June 2020.  Although the CAP identified corrective actions for one area, it did not address four issues we consider significant.  We recommended that DHS, in consultation with TSA and Coast Guard, re-evaluate the assessment to determine if further corrective actions are needed or justify excluding significant issues from the CAP.  DHS did not concur with the recommendation, but we consider DHS’ actions partially responsive to the recommendation. We consider the recommendation open and unresolved.

U.S. Customs and Border Protection (CBP) does not conduct COVID-19 testing for migrants who enter CBP custody and is not required to do so.  Instead, CBP relies on local public health systems to test symptomatic individuals.  According to CBP officials, as a frontline law enforcement agency, it does not have the necessary resources to conduct such testing.  For migrants that are transferred or released from CBP custody into the United States, CBP coordinates with DHS, U.S. Immigration and Customs Enforcement, U.S. Department of Health and Human Services, and other Federal, state, and local partners for COVID-19 testing of migrants.  In addition, although DHS generally follows guidance from the Centers for Disease Control and Prevention for COVID-19 preventative measures, the DHS’ multi-layered COVID-19 testing framework does not require CBP to conduct COVID-19 testing at CBP facilities.  Further, DHS’ Chief Medical Officer does not have the authority to direct or enforce COVID-19 testing procedures.  We recommended DHS reassess its COVID-19 response framework to identify areas for improvement to mitigate the spread of COVID-19 while balancing its primary mission of securing the border.  Additionally, we recommended DHS ensure the components continue to coordinate with the DHS Chief Medical Officer and provide available resources needed to operate safely and effectively during the COVID-19 pandemic and any future public health crisis.  We made two recommendations to improve DHS’ response to COVID-19 at the southwest border.  DHS concurred with both recommendations.

We determined DHS did not comply with Payment Integrity Information Act of 2019 (PIIA)  in fiscal year 2020 because it did not achieve and report an improper payment rate of less than 10 percent for 2 of 12 programs reported in its FY 2020 Agency Financial Report.  DHS complied with Executive Order 13520 by properly compiling and making available to the public its FY 2020 Quarterly High-Dollar Overpayment reports.  We made two recommendations to DHS to follow Office of Management and Budget requirements and ensure the Federal Emergency Management Agency continues its remediation process to reduce improper payments.  DHS concurred with both recommendations. 

DHS generally met deadlines for responding to simple Freedom of Information Act (FOIA) requests, it did not do so for most complex requests.  A significant increase in requests received, coupled with resource constraints, limited DHS’ ability to meet production timelines under FOIA, creating a litigation risk for the Department.  Additionally, DHS has not always fully documented its search efforts, making it difficult for the Department to defend the reasonableness of the searches undertaken.  With respect to responding to congressional requests, we determined DHS has established a timeliness goal of 15 business days or less; however, on average, it took DHS nearly twice as long to provide substantive responses to Congress, with some requests going unanswered for up to 450 business days.  Further, DHS redacted personal information in its responses to congressional committee chairs even when disclosure of the information was statutorily permissible.  This was a descriptive report and contained no recommendations.  In its response, DHS acknowledged FOIA backlogs remain a problem, despite increasing requests processed.  DHS stated its process responding to congressional requests varies greatly and that its redactions are appropriate.

DHS’ capability to counter illicit Unmanned Aircraft Systems (UAS) activity remains limited.  The Office of Strategy, Policy, and Plans did not execute a uniform department-wide approach, which prevented components authorized to conduct counter-UAS operations from expanding their capabilities.  This occurred because the Office of Policy did not obtain funding as directed by the Secretary to expand DHS’ counter-UAS capability.  We made four recommendations to improve the Department’s management and implementation of counter-UAS activities.  The Office of Strategy, Policy, and Plans concurred with all four of our recommendations.      

DHS complied with the Improper Payments Elimination and Recovery Act (IPERA) in fiscal year 2019 by meeting all six of the IPERA requirements.  DHS also complied with Executive Order 13520, Reducing Improper Payments.  Additionally, we reviewed DHS’ processes and procedures for estimating its annual improper payment rates.  Based on our review, we determined DHS did not provide adequate oversight of the components’ improper payment testing and reporting.  We made one recommendation to DHS’ Risk Management and Assurance Division to properly follow the requirements in the DHS Improper Payment Reduction Guidebook. 

DHS does not have a unified approach for procuring and using handheld chemical identification devices despite the widespread use of these devices across multiple components.  We recommended DHS establish a process to coordinate joint needs across components and maximize savings from strategic sourcing opportunities.  We made two recommendations that should help improve unity of effort in procuring and using handheld chemical identification devices.  DHS concurred with recommendation 1 but did not concur with recommendation 2.

Based on our recent and prior audits, inspections, special reviews, and investigations, we consider the most serious management and performance challenges currently facing DHS to be: (1) Managing Programs and Operations Effectively and Efficiently during times of Changes in Leadership, Vacancies, Hiring Difficulties; (2) Coordinating Efforts to Address the Sharp Increase in Migrants Seeking to Enter the United States through our Southern Border; (3) Ensuring Cybersecurity in an Age When Confidentiality, Integrity, and the Availability of Information Technology Are Essential to Mission Operations; (4) Ensuring Proper Financial Planning, Payments, and Internal Controls; and (5) Improving FEMA’s Disaster Response and Recovery Efforts.  Addressing and overcoming these challenges requires firm leadership; targeted resources; and a commitment to mastering management fundamentals, data collection and dissemination, cost-benefit/risk analysis, and performance measurement. 

The Department of Homeland Security did not comply with the Improper Payments Elimination and Recovery Act of 2010 (IPERA) because the Department did not meet two of the six requirements. Specifically, the Department omitted the percent of recaptured amounts from the Other Information section in its Agency Financial Report and did not meet its annual reduction target established for one of eight programs deemed susceptible to significant improper payments.The Department also did not comply with Executive Order 13520, Reducing Improper Payments, because DHS did not make available to the public its Quarterly High-Dollar Overpayment report for the second quarter of fiscal year 2018.

Annual report, Major Management and Performance Challenges Facing the Department of Homeland Security. Pursuant to the Reports Consolidation Act of 2000, the Office of Inspector General is required to issue a statement that summarizes what the Inspector General considers to be the most serious management and performance challenges facing the agency and briefly assess the agency’s progress in addressing those challenges. We acknowledge past and ongoing efforts by Department’s senior leadership to address the challenges identified in this report. At the same time, our aim in this report is two-fold ― to identify areas that need continuing focus and improvement and to point out instances in which senior leadership’s goals and objectives are not executed throughout the Department. We highlight persistent management and performance challenges that hamper the Department’s efforts to accomplish the homeland security mission efficiently and effectively.

Since FY 2014, DHS improved conference spending reporting and implemented policies and procedures to ensure proper oversight and accurate and timely reporting. However, we found instances where DHS did not comply with annual conference reporting requirements. The Department failed to report two conferences costing more than $100,000 each. The Department also did not always report all hosted conferences costing more than $20,000 to OIG within 15 days of the conclusion of each conference. In addition, the Department did not always properly record actual costs accurately and within 45 days of the conclusion of each conference. Although DHS did not always comply with reporting requirements, in most cases, its FY 2016 conference expenses appeared appropriate, reasonable, and necessary.

Between January 2016 and April 2017, DHS OIG received dozens of allegations regarding a variety of issues at the FLETC facility in Glynco, Georgia. Following extensive investigation, DHS OIG determined that many of the allegations could not be substantiated. However, with respect to certain other allegations, DHS OIG’s findings indicate that some of FLETC’s senior managers, including former Director Connie Patrick, failed to exercise the judgment, stewardship, and leadership expected of DHS senior officials. This report focuses on two specific allegations that exemplify the broader issues uncovered by DHS OIG’s investigation. Many of the allegations DHS OIG received regarding FLETC related to the official travel of the former FLETC Director, Connie Patrick. Patrick served as the Director of FLETC from 2002 until her retirement in June 2017. During this time, she frequently traveled domestically and internationally on FLETC-related business. DHS OIG conducted an extensive review of Patrick’s travel for the period January 15, 2014 through June 23, 2016 to identify any instances of impropriety. In addition to multiple complaints about Patrick’s alleged noncompliance with federal, DHS, and FLETC travel rules and regulations, DHS OIG received complaints alleging that Patrick pressured FLETC managers to hire her husband, John Patrick (JP), for a term position within the FLETC Law Enforcement Leadership Institute (LELI). DHS OIG’s investigation determined that JP was hired to a term position with LELI on January 3, 2010 and completed the term on September 11, 2011 — all during Patrick’s tenure as Director of FLETC

Pursuant to the Federal Information Security Modernization Act of 2014, we reviewed the Department’s security program, including its policies, procedures, and system security controls for the enterprise-wide intelligence system. Since our FY 2016 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. In addition, the United States Coast Guard is in the process of migrating its intelligence users to a system that is jointly managed by the Defense Intelligence Agency and the National Geospatial Agency.

We reviewed DHS’ information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). Our objective was to determine whether DHS’ information security program and practices were adequate and effective in protecting the information and information systems that supported DHS’ operations and assets in fiscal year 2017.

Department of Homeland Security (DHS) Under Secretary for Intelligence and Analysis (USIA) David J. Glawe used a personal email account to send an invitation to his ceremonial swearing-in event to staff members of the United States Senate Committee on Homeland Security and Governmental Affairs. Because the invitation came from a non-DHS email account and resembled a phishing email, Senator Claire McCaskill asked the DHS Office of Inspector General to review the circumstances surrounding the invitation

Following news reports that U.S. Customs and Border Protection (CBP) personnel implementing Executive Order#13769 (EO) “Protecting the Nation from Foreign Terrorist Entry into the United States”(January 27, 2017) potentially violated the civil rights of individual travelers, we received a congressional request to investigate DHS’s implementation of the EO. In response, we investigated how DHS and CBP, the DHS entity primarily responsible for implementation of the EO, responded to challenges presented by the EO, including the consequence of court orders and CBP’s compliance with them. In our investigation, we found that CBP was caught by surprise when the President issued the EO on January 27, 2017. DHS had little opportunity to prepare for and respond to basic questions about which categories of travelers were affected by the EO. We found that the bulk of travelers affected by the EO who arrived in the United States, particularly LPRs, received national interest waivers. In addition, we observed that the lack of a public or congressional relations strategy significantly hampered CBP and harmed its public image.

The DATA Act required the OIG to review a statistically valid sample of DHS’ fiscal year 2017, 2nd quarter spending data posted on USASpending.gov and to submit to Congress a report assessing the data’s completeness, timeliness, quality, and accuracy; and DHS’ implementation and use of Government-wide financial data standards. The Digital Accountability and Transparency Act of 2014 (DATA Act) required DHS to submit, by May 2017, complete, accurate, and timely spending data to the Department of the Treasury (Treasury) for publication on USASpending.gov beginning with the 2nd quarter of FY 2017. DHS successfully certified and submitted its FY 2017/Q2 spending data for posting on USASpending.gov in April 2017. Although DHS met the DATA Act’s mandated submission deadline, we identified issues concerning the completeness and accuracy of its first data submission that hinders the quality and usefulness of the information.

 

Department leadership must commit itself to ensuring DHS operates more as a single entity. rather than a collection of components. The lack of progress in reinforcing a unity of effort translates to a missed opportunity for greater effectiveness. Second, Department leadership must establish and enforce a strong internal control environment typical of a more mature organization. The current environment of relatively weak internal controls affects all aspects of the Department’s mission, from border protection to immigration enforcement and from protection against terrorist attacks and natural disasters to cybersecurity. We have seen little evidence of proactive effort by leadership to view the organization holistically, to forcefully communicate the need for cooperation among components, and to establish programs or policies that ensure unity, even though such effort is a necessary precondition to unified action.

 

We determined that due to changes DHS made to the process, political appointees do not influence Freedom of Information Act (FOIA) processors to delay or withhold the release of FOIA information.  Unlike the former process, the new process does not provide opportunities for political appointees in headquarters to inappropriately interfere with releases of significant FOIA information, and we did not identify any instances in which headquarters officials used the process to engage in those activities.  However, because DHS has not issued final guidance for the process, it is vulnerable to misuse in the future.  We recommended that the Chief FOIA Officer/Chief Privacy Officer issue final guidance on the 1-Day Awareness Notification Process.  The guidance should state 1) the purpose of the process is to inform senior officials of the imminent release of information that may raise public interest and 2) FOIA staff determine whether information should be released or withheld under FOIA’s exceptions and exemptions.