The Office of the Inspector General (OIG) found that the Department of Homeland Security’s Science and Technology (S&T) Directorate did not execute all projects in accordance with Federal and DHS guidelines, policies, and procedures.
S&T works with DHS and its components to identify capability gaps in DHS operations and to research and develop technologies to fill those gaps. For example, to meet the growing need for new or improved border surveillance capabilities, S&T initiated a ground-based technologies program to focus R&D projects on improving situational awareness, providing detections and automated alerts, and improving security for DHS officers and agents. Similarly, to address the need for effective air cargo screening, S&T initiated an Air Cargo Screening Program to develop new security technologies to cost-effectively screen diverse and complex cargo. In fiscal year 2020, S&T budgeted $18.4 million for these two programs alone. In total, in fiscal 2020, S&T had 369 ongoing R&D projects in the execution phase, with obligations totaling $305 million.
The OIG review found that S&T did not consistently comply with sensitive information and confidentiality requirements. For the 24 projects that the OIG reviewed for compliance with sensitive information requirements, three project checklists were not signed off by the appropriate officials. In one of the three cases, the Chief Information Officer did not sign the checklist as required. The second checklist was not signed off by officials from the DHS Cybersecurity and Infrastructure Security Agency and the Transportation Security Administration, whose sign-off was required because the contractor would have access to vulnerable and sensitive security information. A Transportation Security Administration official did not sign off on the third checklist even though the project required review by that component because the contractor would have access to sensitive security information. The OIG also found gaps in the form of properly signed checklists that were incomplete and a lack of confidentiality threshold analysis.
In addition, not all S&T project managers have obtained the Federal Acquisition Certification (FAC) required to ensure they meet training, experience and development requirements. Of the 24 projects reviewed by the OIG, the S&T project managers of nine had obtained the appropriate FAC, and an additional project manager was in the process of obtaining certification. However, the project managers of the remaining 14 projects were not FAC certified. Of the 14 projects managed without an FAC-certified project manager, four were identified as high risk for sensitive information on the project checklist. An S&T manager told the OIG that R&D project managers are exempt from certification because research projects are not considered acquisition projects. The OIG argued that the guidelines state that such certification is mandatory.
Finally, the oversight body found that S&T project managers did not prepare project plans for review and approval for most of the R&D projects reviewed. The OIG determined that S&T project managers had not prepared project plans for most (92%) of the 24 R&D projects reviewed. In fact, project managers only prepared project plans for two of the 24 projects. Although both plans included the required information, the plans were not approved by S&T management prior to the execution phase of the project, as required. For the remaining 22 projects, project managers did not prepare project plans. Instead of project plans, project managers prepared program plans for 16 projects, research plans for two projects, and no plans for four projects.
According to the OIG, these failures were the result of insufficient oversight and guidance as well as a lack of a centralized approach to manage and monitor project execution.
The watchdog made five recommendations to improve the management of S&T projects:
- Develop and implement a process to ensure that required special clauses are included in contracts for the acquisition of projects with a high risk of unauthorized access or disclosure of sensitive information.
- Develop and implement a process, with a timeline, to ensure that project managers prepare confidentiality threshold analyses for all projects and provide the analyses to the S&T confidentiality office for review.
- Clarify requirements for preparation of checklists for sensitive information, confidentiality threshold analyses, and project plans; update S&T guidelines; and formally communicate requirements to program and project managers.
- Develop and implement a policy to require and track FAC certification for research and development program and project managers that meets Office of Management and Budget and DHS requirements.
- Require program and project managers to use the Science and Technology Analytical Tracking System (STATS), or other centralized project management system, to track and manage all research and development projects.
S&T agreed with the first three recommendations and stated that the Compliance Division and the S&T Office of Contracts, Acquisitions and Program Support will collaboratively draft a formal process and associated implementation training, in consultation with the Office of Procurement Operations, to ensure proper clauses are included in procurement contracts for projects with a high risk of unauthorized access or disclosure of sensitive information. S&T is also developing a process with an associated timeline, checklists and guidance to ensure that privacy documentation, including a planned timeline with milestones, is in place. A process to clarify confidentiality documentation requirements is also being developed. S&T expects to complete work to address the first three recommendations by January 31, 2023.
S&T also agreed with the fourth recommendation and added that a tool to collect data to establish project management capabilities within the organization and identify areas where S&T needs to increase certifications and skills to appropriate levels is under development. It should also be noted that on December 1, 2021, the Director of Mission Capability Support issued a memorandum, “Federal Acquisition Certification for Certification of Office of Mission and Capability Support (MCS) Program Managers (CAF-P/PM)”, requiring certifications in project management for all program managers.
Finally, to address the fifth recommendation, the Deputy Assistant Secretary for S&T will issue an official memorandum requiring the use of STATS for all research and development projects. S&T expects this memorandum to be released by the end of March 2022.