Mission gap: A special report on the Homeland Security Department

Two years after coming into being, the Homeland Security Department is still a vast construction site, a loose amalgamation of 22 extant and newly created agencies strewn across the landscape with no common infrastructure.No one said it would be easy.From the outset, assembling DHS represented a massive, next-to-impossible undertaking.“This reorganization of government has presented the biggest ‘change management’ challenge of all time,” DHS deputy secretary James Loy acknowledged last month in testimony before the House Select Committee on Homeland Security.“Never before have we witnessed a full-scale government divestiture, merger, acquisition and startup all coming together at once—certainly not on this scale,” he told the committee. “Neither have we seen a consolidation of this size occur with national importance and urgency and in such a short amount of time.”The General Accounting Office said much the same thing in a report last year: “The creation of DHS represents one of the largest and most complex restructurings in the federal government. The size, complexity and importance of the effort make the challenge especially daunting and incomparably critical to the nation’s security.”In this special report, GCN takes a look at the gaps between the promise and the reality of DHS’ systems, focusing on five key areas: border and transportation security, information sharing, back-office operations, enterprise architecture and consolidation, and initiatives with state and local organizations.By all accounts, IT and efficient management are critical to transforming a variety of programs and missions into a high-performance, focused organization.IT will provide a consolidated and integrated framework for that transformation.But the hurdles ahead for streamlining the department’s IT operations are formidable.“The challenge facing the IT function of DHS is very complex,” Loy said. “Rationalizing disparate technologies with conflicting business rules, consolidating data centers and networks, getting the right information to border agents, preventing cyberattacks against our mission-critical systems, or even having a common e-mail system must be achieved to help detect and deter future terrorist attacks.”In a recent status report, the DHS inspector general agreed: “IT remains a major management challenge for the department. IT systems and tools are fundamental to the programs and activities across the department used to accomplish its wide-ranging missions.”Steve Cooper, Homeland Security’s CIO, knows what obstacles lie ahead.[IMGCAP(2)]“We inherited a hodgepodge of 22 component agencies, some of which had very robust IT teams, personnel and assets, and others that were brand-new and brought no IT capability,” he said. “We have to transform what we inherited into a smoothly functioning, well-oiled machine.”Cooper has outlined eight IT priorities for the CIO’s office through the end of fiscal 2005:In many ways, these priorities are interconnected. The department’s enterprise architecture, for example, will guide the information-sharing and mission-rationalization efforts, Cooper said.“We are going to use the enterprise architecture to identify where and how it makes the most sense to share information,” he said.In the same way, “the enterprise architecture work has identified multiple applications that support the same business area,” Cooper said. “For example, we’ve identified 14 major applications that do alerting and warning within DHS. We don’t know that one is the proper answer. We do know that 14 is probably more than we need.”Cooper stressed that mission-rationalization, though one of his priorities, is not an IT initiative per se. “It’s a business initiative that CIOs can all support and participate in,” he said.Among the other priorities, moving the department to a single, integrated IT infrastructure by December 2005 will likely be the most difficult.To lay the groundwork for this task, Cooper is overhauling the department’s IT governance configuration so that infrastructure personnel from across DHS will report directly to his office (see sidebar, this page).But some observers find the prospect of integrating and consolidating DHS’ IT infrastructures into a single infrastructure more than a little scary.“The biggest worry for me is the scope issue,” said Patrick Schambach, who last month left the CIO job at the Transportation Security Administration to become general manager of PEC Solutions Inc. of Fairfax, Va.“We’ve seen that the [establishment of an IT infrastructure] of TSA was a big fish to swallow,” he said. “So trying to do one infrastructure for all of DHS just magnifies the problem in my mind. It’s a challenging notion.”Is December 2005 a realistic goal? “It’s hard to tell where’s the beginning and where’s the end of an exercise like this,” he said. “We could be sitting here 10 years from now and still trying to pull the final pieces together.”Another tough assignment will be improving the department’s information-security posture.The department received an F on the House Government Reform Committee’s most recent IT security report card.The report card puts significant weight on the asset inventory, and certification and accreditation requirements under FISMA.“We have a very large number of apps and only about 35 percent are accredited,” Cooper said. “So guess what? Last time I was in school 35 percent was not a passing grade, and that’s it. There is part and parcel why we got an F.”Cooper said his office has instituted an aggressive information security program to improve the department’s security posture and meet FISMA requirements.“It’s one of the things I look at almost every day with [DHS chief information security officer] Bob West,” he said. “Hopefully, if we get the right number of people to assist us—and that’s dependent on some funding, obviously, because we need contract resources in addition to our own—we’re going to try to upgrade our letter grade and get to the right [certification and accreditation] numbers that will get us a D, then a C.“But I can’t move the numbers fast enough to jump from an F to an A. It’s not going to happen.”To improve its FISMA compliance, the department has deployed Trusted Agent FISMA, a commercial application for reporting security data, finding security weaknesses, monitoring patches and managing self-assessments.Officials said the department will be heavily dependent on partnerships with industry and on private-sector innovation to meet its IT goals.But DHS’ relationship with the IT industry is a disappointment for many on the vendor side.Industry sources say vendors are frustrated with the department’s bureaucracy, which makes it difficult to communicate with DHS about their products.“There are lots of exciting new technologies that could have a play in the Homeland Security environment, but the agency seems to have trouble processing all those requests,” said Ray Bjorklund, vice president for market intelligence and chief knowledge officer of Federal Sources Inc. of McLean, Va.For DHS’ part, officials say it’s been tough to cope with all the industry queries.“As you can imagine from our side, we’ve just been swamped from Day One with well-intentioned and well-meaning offers of assistance and silver bullets,” Schambach said. “It becomes difficult to sift through and find the nuggets.”“We have to figure out for ourselves what’s most important, where we are going to start and assemble the resources to get started and then engage industry,” he said.The department recently launched a Web site, at , for collecting information on IT products and services from vendors.“It’s good that DHS now has a more coherent process for accepting nominations of technologies, but I’m very skeptical as to whether it’s really going to accelerate the process and make everything go much more smoothly,” Bjorklund said.DHS also has trouble communicating with other stakeholders outside the department, sources said.For instance, local security agencies are often in the dark about interoperability issues and projects, said an official.“I know there’s a lot of activity going on, but it hasn’t yet filtered down to us,” said Mark Penn, emergency management coordinator for the city of Alexandria, Va. “We’re hearing from vendors about projects but we’re not hearing about them from Homeland Security. It would be fair to say we just don’t know all of what’s going on.”Penn agreed that it’s all part of DHS’ growing pains.“It’s just such a big organization and it’s trying to serve so many things,” he said. “First, they have to get their organizational structure together and then they have IT challenges. I don’t think Homeland Security [officials] have got their arms around all of it yet.”Penn said his primary concern is that there is little information from DHS about interoperability issues and technologies.“I can go out and buy IT stuff today but it may not be interoperable with what DHS is getting,” he said. “We know we have to operate with DHS. But we don’t get good, solid point-to-point communications about [DHS IT initiatives].”He added: “If Homeland Security went away tomorrow, we could still operate, and that’s the bottom line. But it would make it a lot easier if we were all better connected, knew what the projects were, knew what their thinking was and knew where they were headed.”There is no question that there will be plenty of barriers to overcome as DHS moves toward meeting Cooper’s vision of the department as a piece of well-oiled machinery.Indeed, DHS still hasn’t reached its final organizational shape. Yet more structural changes are afoot. Rep. Christopher Cox (R-Calif.), chairman of the House Select Committee on Homeland Security, said last month that Congress would press DHS officials to overhaul the department’s management structure and improve its procurement processes.