GAO: DHS coming up short on FITARA implementation

The Department of Homeland Security needs stronger IT contract evaluation and approval by its CIO in order to fully comply with the Federal IT Acquisition Reform Act, according to a new Government Accountability Office report.

Under FITARA, agency CIOs must review and approve IT contracts associated with major investments, but according to the report, the DHS CIO "did not participate in the approval of any of the 48 contracts in GAO's sample associated with major investments." DHS's CIO is now Richard Staropoli, but he was appointed by President Donald Trump only in late April. Luke McCormack was Staropoli's predecessor as DHS CIO.

GAO reviewed 131 action plans developed by DHS to implement FITARA as well as DHS's IT acquisition human capital, data consolidation and IT program risk assessment plans. GAO then conducted a deeper review of 31 of the 109 action plans DHS said it had completed.

The report found that DHS has not successfully implemented three of the reviewed action plans, including using the updated TechStat process to support troubled IT programs.

Further, GAO said the DHS CIO is no longer conducting risk evaluations of 30 IT investments and updating the ratings on the Office of Management and Budget's IT Dashboard in accordance with FITARA.

"Instead, multiple DHS organizations and officials are to evaluate these investments and the CIO's assessment only accounts for about 18 percent of the total score," states the GAO study.

The report also states that the CIO did not prioritize reviews of major IT contracts with known performance problems, and "there were many contracts and interagency agreements in our sample for which DHS officials were unable to map to a major or non-major IT investment; as such, they could not ensure that these contracts and agreements were reviewed by the appropriate officials."

In addition, GAO found that DHS is not meeting the human capital requirements of FITARA, stating: "the department faces challenges in strengthening its IT acquisition cadre because it has not yet identified the specific positions or personnel that are to be included in the cadre."

GAO did note that DHS has taken steps towards bringing CIO acquisition approval in line with FITARA, but that more action is necessary.

The report makes seven recommendations, including updating DHS's IT acquisition review governance process, updating IT risk assessment procedures to ensure the CIO is reporting assessments to the OMB Dashboard and implementing a plan to identify future IT skillset needs and resolving any gaps identified.

DHS concurred with all seven recommendations, and noted in a letter included in the report that "as of April 2017, the Department has completed approximately 95 percent of FITARA action items."