Delayed DHS biometrics system’s risk management issues persist
The Department of Homeland Security plans in December to replace the functionality of its 27-year-old biometrics system, the first increment of a program that was supposed to end this year.
Part of the reason the $4.3 billion Homeland Advanced Recognition Technology (HART) system for fingerprint matching and facial recognition won’t be fully operational is that DHS considered the program low risk until it began updating its assessment process in May 2020.
The Government Accountability Office found DHS still hasn’t updated its policy associated with assessments, so that other high-risk IT programs are aware of the new requirements, and that HART still has three risk management best practices to fully implement, according to a report released Tuesday.
GAO’s report comes a little more than a year after a DHS Privacy Office assessment found partial and unmitigated privacy risks to HART, like those posed by deepfakes and unintended sharing of sensitive information.
The HART program has yet to fully maintain a risk management strategy, develop a risk mitigation plan based on that strategy, or periodically monitor the status of all risks to mitigate them.
As a result, DHS’s existing Automated Biometric Identification System (IDENT) — used to store digital fingerprints and iris scans on foreign nationals for travel, trade and immigration screening by the U.S. and its allies — remains in place. IDENT has data capacity, accuracy and assurance issues known since 2011, and can’t fully support agencies attempting to match biometrics against their data repositories.
Begun in 2016, HART was expected to cost $5.8 billion all told and provide additional biometric services, a web portal, and analysis and reporting tools by 2021. Now the DHS Office of Biometric Identity Management projects that Increment 2 won’t be finished until 2022 and Increments 3 and 4 until 2024.
Once Increment 1 is complete, all agencies will move from IDENT to HART.
Increment 2 will see the addition of multiple matching operations, like using two forms of biometric data to identify someone, while improving accuracy and potentially storage. Development is underway.
Increment 3 covers new tools boosting human examination of biometric data; the web portal; and addition of DNA, palm, voice, scar and tattoo data.
The final increment includes analyses and reporting based on Increment 2 data storage, a holistic view of identities, even more data, mobile access, and elimination of duplicate and inaccurate data.
Neither of the last two increments has been started.
“OBIM’s reliance on an overextended, 27-year-old biometric identity management system to support national security, law enforcement and immigration decisions emphasizes the critical need for OBIM to ensure that further delays, cost overruns, and performance issues with the HART program are avoided,” reads GAO’s report.
The prospect remains difficult because the HART program has also struggled with IT acquisition best practices, introducing more risks to the program.
According to GAO, program officials must: fully review contractor work, monitor all program costs, monitor stakeholder involvement, and maintain bidirectional traceability requirements.
Without this, HART will face further delays and cost overruns and won’t meet agencies’ needs, according to the oversight body.
GAO recommended DHS address the seven partially implemented best practices it flagged, and DHS concurred — responding that all would be completed between June 30 and December 31.
“DHS remains committed to incorporating feedback to improve its program management and oversight processes,” wrote R.D. Alles, deputy under secretary for management, in the response. “The department will continue to provide its stakeholders with current and accurate cost and funding data through existing mechanisms and will continue to address the IT Dashboard.”