Information Technology
Improvements for Acquisition of Customs Trade Processing System Continue, but Further Efforts Needed to Avoid More Cost and Schedule Shortfalls
GAO-08-46, Oct 25, 2007
The Department of Homeland Security (DHS) established the Automated Commercial Environment (ACE) program to replace and supplement existing cargo processing technology. According to the fiscal year 2007 DHS appropriations act, DHS is to develop and submit an expenditure plan for ACE that satisfies certain conditions, including being reviewed by GAO. GAO reviewed the plan to (1) determine whether the expenditure plan satisfies the legislative conditions, (2) determine the status of 15 open GAO recommendations, and (3) provide observations about the expenditure plan and DHS's management of the program. To address the mandate, GAO assessed plans and related documentation against federal guidelines and industry standards and interviewed the appropriate DHS officials.
The ACE expenditure plan satisfies many--but not all--of the legislative conditions specified in the fiscal year 2007 DHS appropriations act. Specifically, the plan (with related program documentation and officials' statements) complies with acquisition rules, requirements, guidelines, and management practices of the federal government; includes a DHS certification that an independent verification and validation agent is under contract; was reviewed and approved by DHS and the Office of Management and Budget (OMB); and was reviewed by GAO. In addition, it partially satisfies conditions for meeting the capital planning and investment control review requirements established by OMB in Circular A-11 (part 7), including information security, and for complying with the DHS enterprise architecture.
DHS has implemented eight open GAO recommendations made during the past 4 years, including those related to performance measures and targets, independent verification and validation, cost estimation, and program reporting. Seven other recommendations made during this time are in the process of being implemented. With respect to these seven, DHS has taken steps to satisfy each, such as establishing an accountability framework, reducing overlap and concurrence among ACE releases, and completing a privacy impact assessment, and actions are under way or planned to more fully address them.
GAO is making three new observations about the expenditure plan and the management of ACE. First, the program is taking needed steps to redefine requirements for several ACE releases because of limitations in the completeness of original requirements, but this redefinition is likely to introduce significant program schedule delays and cost increases. Second, the changes to ACE requirements have led to replacement of a key commercial product, but the new product carries the risk of negatively impacting user productivity. Third, the automated database used for managing ACE risks is incomplete and does not contain information needed to adequately inform program decisions.
All told, DHS has continued to make progress on ACE, and the program is better positioned today for delivering promised capabilities and benefits than it has been in the past. Nevertheless, key program management practices relating to, for example, human capital management, requirements management, and risk management remain a challenge, and other management areas, such as information security and architecture alignment, continue to require attention. As a result, GAO sees major program schedule delays and cost overruns on the horizon. To improve ACE management and minimize exposure to risk, it is important for DHS to remain vigilant in its efforts to satisfy ACE legislative requirements, fully implement prior GAO recommendations, and keep Congress fully informed about the program's status, plans, and risk.
Recommendations for Executive Action
Recommendation: To further strengthen ACE management and promote accountability for ACE performance and results, the Secretary of Homeland Security should direct the Customs and Border Protection (CBP) Commissioner to ensure that future quarterly reports to the House and Senate Appropriations Committees disclose the risks and associated mitigation strategies of not having fully satisfied the expenditure plan legislative conditions and not having completed implementation of all our prior recommendations.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: CBP's quarterly reports to Congress addressed risk management for the Automated Commercial Environment (ACE). Specifically, two fiscal year 2009 reports to Congress summarized risks, mitigations, and status for the program, and stated that CBP was improving its risk management for ACE by listing risks with draft strategies, discussing risk status at weekly meetings, and updating the risk database based on these discussions. The fourth quarter fiscal year 2009 report also described risk response planning comprised of generic risk mitigation for schedule, cost, requirements management and other IT risks. In addition, in 2010, DHS demonstrated continued implementation of CBP's risk management improvements through its risk tracking spreadsheet with mitigation worksheet, samples from a risk tracking database, and risk meeting minutes. By taking these actions, CBP has demonstrated implementation of the recommendation.
Recommendation: To further strengthen ACE management and promote accountability for ACE performance and results, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that future quarterly reports to the House and Senate Appropriations Committees disclose the status and impacts on the program's estimated cost and schedule and lessons learned from ongoing efforts to redefine requirements and to implement a different commercial off-the-shelf product than originally selected.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: U.S. Customs and Border Protection (CBP) demonstrated implementation of this recommendation in its report to Congress for the third quarter of fiscal year 2009. Specifically, this report related results from its analysis of redefined requirements and commercial products, and its conclusion that no long-term cost or schedule impacts were anticipated because the new solution would be better integrated with CBP architecture; meet ACE requirements with equivalent development efforts; address performance concerns with hardware additions; and not affect the ACE architecture. The report described the status and other impacts of changing its commercial off-the-shelf solution from SAP Enterprise Portal to SAP Transaction Server. The report also documented a lesson learned by stating that CBP realized the necessity of early identification and resolution of issues such as this, and had reorganized its architecture team to provide more oversight across release teams.
Recommendation: To further strengthen ACE management and promote accountability for ACE performance and results, the Secretary of Homeland Security should direct the CBP Commissioner to ensure that future quarterly reports to the House and Senate Appropriations Committees disclose the program's plans and actions for improving ACE risk management and its current inventory of program risks, including their associated mitigation strategies and the status of the strategies' implementation.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: U.S. Customs and Border Protection (CBP) demonstrated implementation of this recommendation in two reports to Congress. In October 2009 and March 2010 reports, CBP identified the ways it was improving ACE risk management, such as listing risks with draft strategies; discussing risk status at weekly meetings; and updating the risk database based on these discussions. The March report also described a risk response plan and listed generic risk mitigation for schedule, cost, requirements management, and other IT risks. During 2010, the Department of Homeland Security also provided evidence of CBP's improvements in its risk tracking and mitigation status spreadsheets, views from its risk tracking database, and risk meeting minutes.








