July 25, 2012 - The Department of Homeland Security (DHS) has defined a vision for its new information technology (IT) governance process, which includes a tiered oversight structure that defines distinct roles and responsibilities throughout the department.
The new governance framework and the associated policies and procedures are generally consistent with recent Office of Management and Budget (OMB) guidance and with best practices for managing projects and portfolios identified in GAO's IT Investment Management framework, with two practices partially addressed and seven others fully addressed. For example, consistent with OMB guidance calling for the Chief Information Officer (CIO) to play a significant role in overseeing programs, DHS's draft procedures require that lower-level boards overseeing IT programs include the DHS CIO, a component CIO, or a designated executive representative from a CIO office. In addition, consistent with practices identified in GAO's IT Investment Management framework, DHS's draft procedures identify key performance indicators for gauging portfolio performance. However, DHS's policies and procedures have not yet been finalized, because, according to officials, the focus has been on piloting the new governance process. While it is important to conduct pilots to test processes and identify lessons learned, until the department finalizes the policies and procedures associated with the new IT governance, it will have less assurance that its new IT governance will be consistent with best practices and address previously identified weaknesses in investment management.
DHS has begun to implement aspects of its new governance process. For example, it has established several governance entities and conducted program health assessment reviews for all of its major IT programs. In implementing its new governance, the department has generally followed key industry best practices, such as establishing an implementation team; however, the department has not fully followed other practices, including developing a mechanism to capture lessons learned. The table below summarizes GAO's assessment of DHS's implementation efforts. Until the department fully addresses these practices, its implementation approach may be less effective than intended.
Why GAO Did This Study
DHS has one of the largest IT budgets in the federal government. In fiscal year 2012, DHS plans to spend about $5.6 billion to, among other things, acquire, implement, and operate approximately 360 IT programs, including about 83 major programs, which are intended to assist in carrying out its diverse missions. With such a large portfolio of IT programs, it is important to ensure that the appropriate governance exists so that the programs meet their cost, schedule, and performance goals and continue to support the department's strategies and objectives. In line with this, DHS has been working to define and implement a new IT governance process.
GAO was asked to (1) describe DHS's new IT governance process and associated policies and procedures, and assess them against best practices; and (2) determine progress made in implementing the new process and how DHS's implementation efforts comport with relevant best practices. To do so, GAO analyzed relevant documentation and interviewed DHS officials responsible for defining and implementing the new governance process.
What GAO Recommends
To implement an effective IT governance process, GAO recommends that DHS finalize associated policies and procedures, and fully follow best practices for implementing the process. In comments on a draft of this report, DHS concurred with GAO's recommendations and estimated it would address them by September 2013.
