DHS is failing in risk management for new biometric ID system — report
It is hard to imagine an information system — a biometric identity management system, no less — that has been asked to work without a major upgrade for 30 years. But it is not hard to find.
That would be Ident, the automated biometric ID system managed by the U.S. government’s Office of Biometric Identity Management. It is the focus of a new report by the Government Accountability office, which wants to know why Ident has not been retired yet.
The Department of Homeland Security was due to replace Ident with the Homeland Advanced Recognition Technology, or HART, system this year, but it is delayed.
By federal government standards, HART is not too late. The $4.3 billion project, begun in 2016, is now expected to be fully operational by 2024. But still, it is not a good look for a department viewed by many as the final barrier between American lives and those who wish to take them.
The GAO was tasked with accounting for the delay; national security, law enforcement and immigration officials need the data for critical decision-making.
Among the problems identified with development of the biometrics project, GAO analysts found that the DHS CIO was using outdated program-review policy, which likely has resulted in critical departmental IT programs would not know about newer specific process requirements.
And the department has fully implemented four of seven risk-management best practices. Three are partially implemented, and, according to the GAO, there are plans to complete only two of the remaining practices.
That could hamper the Homeland Security Department in its ability to “effectively monitor the status of risks and mitigation plans.”
Analysts recommended that project staff keep records of risk-mitigation discussions, including those about the resources that required to handle risk.
Similarly, they write that risk owners must maintain accurate and status updates for each mitigation plan.
Perhaps more alarming is the office’s finding that the way IT purchases are handled has “contributed to an increased level of risk for the program,” and could cause more cost overruns and delays.
The government is not, for example, “fully reviewing the contractor’s work products,” monitoring costs or maintaining traceability of requirements.
It is up to the DHS to accept and implement the GAO recommendations.