Hearing date: Wednesday, February 11, 2015
Chairman Johnson, Ranking Member Carper, and distinguished Members of the Committee:
Thank you for the opportunity to submit this Statement for the Record regarding the 2015 Government Accountability Office (GAO) High Risk List. Secretary Johnson and I appreciate this Committee’s interest in this important issue.
We are grateful to GAO for the valuable oversight they exercise. It is my firmly-held belief that good oversight not only delivers accountability critical to good government, but that it also drives innovation. We have benefited greatly from GAO’s hard work to help us improve, and continue to do so as we work regularly with GAO to address the Department of Homeland Security’s (DHS) presence on the High Risk List.
When I became the Deputy Secretary of DHS in late December 2013, the first action I took was to schedule a meeting with Comptroller General Dodaro. I committed early on to engage with GAO frequently, with the intention of not only getting off the GAO High Risk List but also setting the standard within the Federal Government for how to engage with and learn from GAO and its dedicated team of experts. I am proud of the progress we have made, demonstrating significant improvements in several High Risk List areas, and also serving as a model for collaboration and partnership with GAO. We will continue to seek out GAO and work together to improve this Department.
Strengthening Department of Homeland Security Management Functions
Upon its creation in 2003, DHS was immediately placed on the GAO High Risk List because of the challenge of bringing together 22 disparate federal entities and the very serious consequences of another attack on our Nation. In each subsequent GAO High Risk List report, DHS has demonstrated significant and constant progress. When the last High Risk List was issued in 2013, GAO narrowed this High Risk List category significantly. Now titled “Strengthening Department of Homeland Security Management Functions,” GAO stated that DHS’s approach, “if implemented and sustained, provides a path for DHS to be removed from GAO’s High Risk List.”
Throughout our first year at DHS, Secretary Johnson and I have committed ourselves fully to making meaningful progress in addressing this High Risk area, with the ultimate goal of removal from the high risk designation. We have taken extraordinary steps in the areas of financial management, human capital management, acquisitions, and information technology with that goal in mind, including receipt of a clean audit opinion of the Department’s financial statements, a significant accomplishment. We developed monthly action plans with measurable targets to address GAO recommendations, and we share those action plans regularly with GAO. The number of open GAO recommendations to DHS has decreased steadily.
We have enhanced, strengthened, and integrated our management lines-of-business not simply because of the High Risk list, but also because it is critical to the Secretary’s vision embodied in the Department’s Unity of Effort initiative, which aims to execute our missions in such a way that best utilizes our limited resources.
In FY 2014, DHS earned a clean audit opinion on the agency’s financial statements for the second consecutive year. Sustaining a clean audit opinion is the result of strong policies, procedures, and controls that are in place throughout the financial management community at DHS. The audit findings demonstrate that DHS can accurately account for and report on its resources. DHS also significantly improved internal controls by completing substantial property accounting remediation at the U.S. Coast Guard. At ICE and USCIS, the audit found improved information technology controls and removed that issue from the report. This positions DHS for a clean internal control audit in FY 2016.
Financial systems modernization is critical to sustaining progress in maturing financial management at DHS and maintaining a clean audit opinion. Modernizing will help address areas such as systematic internal control weaknesses, audit readiness and sustainability, and improve the Department’s ability to effectively and efficiently process and report financial data. In addition, Components comply with standard operating procedures on managing financial systems modernization (e.g., schedule, monitoring and mitigating risk, capturing lessons learned for future use).
Moving forward, DHS will continue to make improvements, identify and commit resources to remediate remaining material weaknesses, and continue to fully modernize financial systems to improve data reliability, availability, and accuracy.
Human Capital Management
Our dedicated employees are the backbone of our organization and I have committed a significant amount of time and energy to engage with DHS employees. For example, I have participated in several focus groups with employees to engage in honest conversations about what is working across the Department and what areas can realistically be improved. One priority area is to ensure that our hiring, promotion and performance management processes are fair and transparent. I will continue to engage with both our employees and managers to directly address and remediate morale issues.
GAO has provided positive feedback on the latest Human Capital Strategic Plan, which unifies the Department on critical goals, outcomes and measures to continuously improve the way we hire, develop and reward our workforce. This Plan serves as the cornerstone to drive success across the Department.
Acquisition Program Management
While we have made progress in the acquisition area, we know that we have much work yet to do. We are encouraged by the maturation of the reconstituted Joint Requirements Council as it works to assess joint requirements for several investment portfolios, which include: information-based screening and vetting, aviation commonality, information sharing, chemical-biological-radiological-nuclear programs, and cybersecurity efforts. In the past year, we have improved acquisition oversight by solidifying the Component Acquisition Executive structure, ensuring that qualification and training standards are clear for program managers within the Components.
To ensure that all of our acquisition programs are adequately staffed to support the Department’s mission, we now require all Component Acquisition Executives and major programs to submit staffing plans and three-year workforce planning documentation. Additionally, we continue to cultivate talent through the Acquisition Professional Career Program as 60 students graduated in 2014 and they have been placed throughout Components in both contracting and program related positions. These interns are home-grown talent and are positioned to become the acquisition leaders of the future.
The Department’s Acquisition Review Board increased the frequency of its program reviews in FY 2014, averaging more than one major program review per month. In FY 2014, we prepared a new Systems Engineering Lifecycle Instruction and Guidebook, and our Director of Operational Test and Evaluation initiated a project to improve the timing, quality, and content of program Test and Evaluation Master Plans. Also, as a proactive measure to identify and address issues before they become critical, DHS implemented a monthly High-Visibility Briefing of the Department’s major acquisition programs for the Chief Acquisition Officer (CAO) and Acquisition Review Board members. In FY 2015, we will further strengthen acquisition oversight by implementing more effective metrics to track policy compliance, program health, cost, schedule, and performance of major programs. This additional layer of oversight will enable the Department to apply data-driven evaluations to identify weaknesses and apply targeted remediation.
Information Technology Management
The Department is committed to strengthening information technology management and has either fully or mostly addressed four of six information technology management outcomes. For example, our continued commitment to strengthening Information Technology security is reflected by a compliance rate of 95% for the provisions of the Federal Information Security Management Act. In addition, we have adopted the continuous diagnostics and mitigation approach, which will allow Components to identify, fix, and report their most critical cyber problems on a near-real time basis. Lastly, we implemented intrusion monitoring to help the Department assess the overall effectiveness of specific network defense systems.
Strong Information Technology governance structures and processes ensure more efficient and effective management of technology investments. By aligning our technology investments to capability-based portfolios and establishing five new program-level Executive Steering Committees, the Department has strengthened its governance structure. Additionally, we conducted our annual portfolio reviews, which informed budget development for FY 2016.
Further, the Management Cube, a new Department-wide business intelligence tool developed by our dedicated DHS employees, is beginning to be used to inform critical decisions. This tool incorporates business data into a common platform, enabling analysis that links dollars, people, assets, contracts, and programs. We will work unceasingly in the coming year to build upon this progress.
National Flood Insurance Program
The National Flood Insurance Program (NFIP) is a key component of the Federal Government’s efforts to limit the damage and financial impact of floods; however, it will not generate sufficient revenues to repay the billions of dollars borrowed from the U.S. Department of the Treasury to cover claims from the 2005 hurricanes or future catastrophic losses. The lack of sufficient revenues highlights structural weaknesses in how the program is funded. The Federal Emergency Management Agency (FEMA), within DHS, is responsible for managing the NFIP. FEMA has taken steps to remediate weaknesses in NFIP management and operations, including financial reporting processes and internal controls and oversight of contractors that placed the program at risk. Additionally, Hazard Mitigation Assistance grants provide funding to enhance a community’s resilience to flooding. And finally, the President’s Climate Action Plan (June 2013) required agencies to revise their flood risk standards. To further this goal, an Executive Order Establishing a Federal Flood Risk Management Standard was announced January 30, 2015. While not directly linked to the NFIP, it will result in structures in flood-prone areas being more resilient. This will help strengthen the overall solvency of the program.
FEMA continues to make progress on the National Flood Insurance Program and to address structural and operating challenges. The Biggert-Waters Flood Insurance Reform Act of 2012 (Biggert-Waters Act) and the Homeowner Flood Insurance Affordability Act of 2014 (HFIAA) introduced many changes to NFIP. In particular, the Biggert-Waters Act eliminated subsidized premium rates for several types of properties. As mandated by the Biggert-Waters Act, FEMA has begun phasing out subsidies on policies for residential properties that are not primary residences, and single-family properties with severe repetitive losses. However, in March 2014, Congress passed and the President signed into law HFIAA, which altered portions of the Biggert-Waters Act. FEMA has worked to implement sections of the Homeowner Affordability Act that repealed certain rate increases and set new requirements for rate increases and continues to examine affordability issues through the Affordability Study required by both Acts.
FEMA continues to work closely with GAO to address the operating challenges identified in GAO’s recommendations to improve management and operations. GAO undertook several engagements in 2014 that resulted in recommendations that, when implemented, will improve FEMA’s oversight of the NFIP. FEMA already implemented several recommendations and looks forward to working with GAO to close these recommendations.
Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland
The Department of Homeland Security (DHS) continues to be committed to its obligations to share information with the Intelligence Community (IC) partners for national security purposes and to ensure that the data shared is appropriately used, maintained, and protected by our IC partners. To that end, DHS finalized its bulk data sharing policy for counterterrorism purposes. DHS identified a framework of six factors (consisting of both data sensitivity and operational factors) to be considered in determining periods of retention by the IC of bulk-ingested DHS datasets. This framework was the cornerstone for the renegotiation of DHS datasets concerning the National Counterterrorism Center (NCTC) revised Attorney General Guidelines. DHS, in partnership with NCTC, was able to complete Memoranda of Agreements for the following DHS datasets:
- Advanced Passenger Information System (APIS);
- Refugees, Asylum, and Parole System (RAPS);
- Arrival and Departure Information System (ADIS); and
- Electronic System for Travel Authorization (ESTA).
DHS is also championing the DHS Data Framework, a scalable technology program; the pathway to building better data aggregation and information sharing systems, and incorporating privacy, civil rights and civil liberties protections into the data and system architecture, while enabling better controlled, more effective, and more efficient use of existing homeland security-related information across the DHS enterprise and with other U.S. Government partners, as appropriate.
DHS continues to mature its information sharing network with our State, Local, Tribal, and Territorial (SLTT) partners. In support of these information sharing efforts, DHS Office of Intelligence and Analysis (I&A) continues to leverage the Homeland Security Information Network (HSIN) as its primary platform to share unclassified information with these partners, and facilitate real-time collaboration on a host of topics ranging from joint production to the provision of real-time situational awareness. In particular, I&A shares unclassified intelligence information with SLTT partners via the HSIN-Intelligence (HSIN-Intel) community of interest. HSIN-Intel provides intelligence professionals with a secure platform for effective and efficient collaboration, access to data, analytical exchange, and timely information sharing and situational awareness. Additionally, I&A manages the joint DHS and Federal Bureau of Investigation (FBI) Countering Violent Extremism and Active Shooter (CVE-AS) Web Portal. This portal, also located within HSIN, provides users and training practitioners with accurate, appropriate, and relevant CVE and AS training development resources, subject matter expert contact information, and information on outreach and engagement initiatives.
The resources provide a great example of the tools DHS has implemented to minimize gaps in sharing relevant and timely information and intelligence concerning threats to the homeland with its customers.
Protecting the Federal Government’s Information Systems and the Nation’s Cyber Critical Infrastructures
The Department has made significant progress in improving its ability to protect against cyber threats by advancing its cyber analysis and warning capabilities, acquiring enhanced analytical and technical capabilities, developing strategies for hiring and retaining highly qualified cyber analysts, and strengthening the effectiveness of its public-private sector partnerships in securing cyber critical infrastructure.
Executive Order 13636 on Cybersecurity and Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience take a whole-of-government approach and reinforce the need for holistic thinking about security and risk management across critical infrastructure sectors. More specifically, the whole-of-government approach is a result of the Executive Order directing the Secretary of Homeland Security to establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure (Sec. 6). This approach also resulted in the interagency taskforce, led by DHS, to include representatives from Sector-Specific Agencies, other relevant agencies, independent regulatory agencies, the law enforcement community, the National Institute of Standards and Technology, and the Intelligence Community. DHS met each of its deadlines under these directives, including publication of the revised National Infrastructure Protection Plan and establishment of the Critical Infrastructure Cyber Community (C-Cubed) Voluntary Program.
Since the beginning of Fiscal Year 2014, DHS has closed 11 Government Accountability Office (GAO) and 18 Office of Inspector General (OIG) recommendations directed at DHS’s National Protection and Programs Directorate’s Office of Cybersecurity and Communications. Included in those recommendations, DHS closed out OIG-13-95, DHS Can Take Actions to Address Its Additional Cybersecurity Responsibilities, which was highlighted in the 2014 GAO High-Risk Series Discussion Draft. DHS has also implemented all recommendations issued in OIG-14-52, Implementation Status of EINSTEIN 3 Accelerated (E3A) and OIG-14-119, Implementation Status of Enhanced Cybersecurity Services (ECS). While recommendations remain open, DHS has demonstrated progress in implementing recommendations and working with GAO and OIG to ensure a mutually beneficial partnership.
The women and men of the Department of Homeland Security dedicate themselves each day to improving our Department, and making important advances on the areas enumerated in GAO’s High Risk List. The progress we have made as a Department is a direct result of these efforts. I pledge to this Committee our resolve that we will re-commit ourselves to working closely with GAO and re-doubling our efforts to make progress on these important areas, in order to make DHS eligible for removal from the GAO High Risk List.