DHS components couldn’t identify all of their non-major acquisitions, audit says
Until recently, the Department of Homeland Security’s component agencies weren’t giving proper scrutiny to non-major acquisition programs, according to a new Government Accountability Office report.
Many of the programs didn’t have established cost and schedule baselines — and in some cases, the agencies couldn’t identify certain programs at all, the GAO said. DHS’s non-major acquisitions include various kinds of systems and capabilities. The report cited examples such as a Customs and Border Protection mobile video surveillance system and a wearable system that can detect radiological threats.
Agencies such as the Coast Guard and Customs and Border Protection “lack the information needed to effectively oversee their non-major acquisitions because they cannot confidently identify all of them,” auditors found. “They identified over $6 billion in non-major acquisitions; however, GAO found 8 of the 11 components could not identify them all.”
And in the past, the auditors have documented problems with one of the department’s non-major acquisition programs, the DHS Performance and Learning Management System, which the GAO describes as “a key element of DHS’s Human Resources Information Technology investment.” Indeed, lawmakers fretted last year that the consolidation project presents big cybersecurity risks.
How many non-major acquisitions are there?
Based on the information the auditors got back from a data call to DHS components, they decided they could not reliably determine the number of current non-major acquisitions and their associated costs.
“However, we determined that the data were sufficiently reliable to identify the minimum number of these acquisitions, and the general magnitude of the minimum acquisition costs associated with active non-major acquisitions,” the report says. “For those acquisitions that components could identify, we found issues with the reliability of data components provided.”
As an example, when it came to identifying non-major acquisitions, a Coast Guard official said the component’s “procedures do not always successfully distinguish IT acquisitions from non-acquisition activities.”
“According to the official, many non-major IT acquisition activities may be occurring, but the USCG acquisition support staff may not be aware of them,” the report says, noting that USCG had about 400-500 IT investments to assess, to decide whether they should be considered acquisitions.
And Citizenship and Immigration Services combines its smallest acquisitions into one acquisition aligned with a specific office, such as one in the Office of Information Technology, and tracks them that way.
“Using this approach, USCIS may be underreporting the number of non-major acquisitions, as multiple acquisitions may be counted as one, and the [Component Acquisition Executive] may be missing opportunities to influence the acquisitions at key decision events,” the auditors note.
Lack of baselines
“We found that most of the active non-major acquisitions (23 of 38) did not have approved baselines, and that the value of the acquisitions without baselines constituted nearly half of the total value of the active acquisitions,” the auditors note.
When fiscal year 2017 started, some of the components did not require approved baselines, the GAO said. That changed in February 2017, in response to the auditors’ preliminary findings: “DHS required component leadership approve baselines for non-major acquisitions, which should help components oversee them more effectively.”
Why are baselines so important? The auditors note that establishing baselines helps leadership understand the scope of the acquisition, assess how well it's going and make sure they have enough funding for it.
Several components also told the GAO they were having problems with accuracy and completeness of the data that they did provide.