IT

We determined that, in response to Executive Order 13767, U.S. Customs and Border Protection (CBP) implemented new tools and technologies that have enhanced Border Patrol’s surveillance capabilities and efficiency along the southwest border.  We made three recommendations to improve CBP’s border technology, enhance situational awareness of the southwest border, and address potential IT security vulnerabilities.  CBP concurred with all three recommendations.

The DHS Chief Information Officer (CIO) and most component CIOs had conducted strategic planning efforts to help prioritize legacy Information Technology (IT) systems and infrastructure to better accomplish mission goals.  However, due to a lack of standard guidance and funding, not all components have complied with or fully embraced Department-wide IT modernization initiatives to adopt cloud-based computing, and to consolidate data centers.  Meanwhile, DHS continues to rely on deficient and outdated IT systems to perform mission-critical operations.  Additionally, DHS has not yet leveraged the Modernizing Government Technology Act mandate to accelerate ongoing IT modernization efforts, as DHS and its components questioned whether the benefits of the Act outweighed the additional effort needed to use the resources provided under the Act.  Until DHS addresses these issues, it will continue to face significant challenges to accomplish mission operations efficiently and effectively.  We made three recommendations for the DHS OCIO to develop guidance for implementing cloud technology and migrating legacy IT systems to the cloud, coordinate with components to develop and finalize a data center migration approach, and establish a process to assign risk ratings for major legacy IT investments.  The Department concurred with all three recommendations.

Based on our recent and prior audits, inspections, special reviews, and investigations, we consider the most serious management and performance challenges currently facing DHS to be: (1) Managing Programs and Operations Effectively and Efficiently during times of Changes in Leadership, Vacancies, Hiring Difficulties; (2) Coordinating Efforts to Address the Sharp Increase in Migrants Seeking to Enter the United States through our Southern Border; (3) Ensuring Cybersecurity in an Age When Confidentiality, Integrity, and the Availability of Information Technology Are Essential to Mission Operations; (4) Ensuring Proper Financial Planning, Payments, and Internal Controls; and (5) Improving FEMA’s Disaster Response and Recovery Efforts.  Addressing and overcoming these challenges requires firm leadership; targeted resources; and a commitment to mastering management fundamentals, data collection and dissemination, cost-benefit/risk analysis, and performance measurement. 

DHS’ information security program was effective for fiscal year 2018 because the Department earned the targeted maturity rating, “Managed and Measurable” (Level 4) in four of five functions, as compared to last year’s lower overall rating, “Consistently Implemented” (Level 3). We attributed DHS’ progress to improvements in information security risk, configuration management practices, continuous monitoring, and more effective security training. By addressing the remaining deficiencies, DHS can further improve its security program ensuring its systems adequately protect the critical and sensitive data they store and process.

The Chief Financial Officers Act of 1990 (Public Law 101-576) and the Department Of Homeland Security Financial Accountability Act (Public Law 108-330) require us to conduct an annual audit of the Department of Homeland Security’s (DHS) consolidated financial statements and internal control over financial reporting. KPMG noted that the financial statements present fairly, in all material respects, DHS’ financial position as of September 30, 2018.

KPMG issued an adverse opinion on DHS’ internal control over financial reporting of its financial statements as of September 30, 2018. The report identifies the following six significant deficiencies in internal control, the first two of which are considered material weaknesses, and four instances where DHS did not comply with laws and regulations.

We conducted a verification review to determine the adequacy, effectiveness, and timeliness of USCIS' corrective actions to address the seven report recommendations in Better Safeguards Are Needed in USCIS Green Card Issuance, OIG-17-11, November 16, 2016. At the time of our audit fieldwork in spring 2016, USCIS’ efforts to address the errors were inadequate. USCIS conducted a number of efforts to recover the inappropriately issued cards; however, these efforts also were not fully successful. At the time of our audit fieldwork in spring 2016, USCIS’ efforts to address the errors were inadequate. USCIS conducted a number of efforts to recover the inappropriately issued cards; however, these efforts also were not fully successful.

Pursuant to the Federal Information Security Modernization Act of 2014, we reviewed the Department’s security program, including its policies, procedures, and system security controls for the enterprise-wide intelligence system. Since our FY 2016 evaluation, the Office of Intelligence and Analysis (I&A) has continued to provide effective oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. In addition, the United States Coast Guard is in the process of migrating its intelligence users to a system that is jointly managed by the Defense Intelligence Agency and the National Geospatial Agency.

"U.S. Citizenship and Immigration Services (USCIS) adjudicates applications for immigration benefits, including applications for permanent resident cards, also known as green cards. In response to congressional concerns, we examined green card application processing times, as well as why processing times vary among USCIS field offices. USCIS regularly posts information on its website about the time it takes field offices to adjudicate green card applications (processing time). Yet, the information is unclear and not helpful to USCIS’ customers because it does not reflect the actual amount of time it takes field offices, on average, to complete green card applications.

We reviewed DHS’ information security program in accordance with the Federal Information Security Modernization Act of 2014 (FISMA). Our objective was to determine whether DHS’ information security program and practices were adequate and effective in protecting the information and information systems that supported DHS’ operations and assets in fiscal year 2017.

In November 2015, we reported that the Federal Emergency Management Agency’s (FEMA) information technology (IT) management approach did not adequately address technology planning, governance, and system support challenges to effectively support its mission. We issued five recommendations to the FEMA Chief Information Officer (CIO) aimed at improving the agency’s management of IT.1 Specifically, we recommended the CIO finalize key planning documents related to IT modernization; execute against those planning documents; fully implement an IT governance board; improve integration and functionality of existing systems; and implement agency-wide acquisition, development, and operation and maintenance standards.