The Office of Inspector General (OIG) has published its annual report into the management and performance challenges facing the Department of Homeland Security (DHS).
Countering Terrorism and Homeland Security Threats
Domestic and international actors abroad pose dangers to the U.S. The threats are dynamic and becoming more complex. Threats are more interconnected, technologically advanced, targeted, and close to home.
Following the breach of the U.S. Capitol building in Washington, D.C. on January 6, 2021, OIG found DHS identified specific threat information prior to January 6 but did not issue any intelligence products about these threats until two days later. DHS was unable to provide its many state, local, and Federal partners with timely, actionable, and predictive intelligence. Additionally, DHS did not adequately follow its internal processes and comply with applicable Intelligence Community policy standards and requirements when editing and disseminating an Office of Intelligence and Analysis (I&A) intelligence product regarding Russian interference in the 2020 U.S. Presidential election, which put I&A at risk of creating a perception of politicization. OIG also determined DHS has not completed, as planned, 70 percent of the goals under its strategic framework for countering domestic terrorism, and said it can improve how it identifies domestic terrorism threats, tracks trends for future risk-based planning, and informs partners and the public about domestic terrorism.
OIG stated that it continues to identify challenges DHS faces countering improvised explosive devices. The watchdog said in its annual review that DHS needs to improve its management of component activities to comply with implementation of Presidential Policy Directive 17: Countering Improvised Explosive Devices within DHS. OIG continues to review DHS’ countering terrorism efforts including DHS’ response to the events of January 6, 2021, and DHS’ procedures and technology systems to safeguard and share terrorist screening data.
OIG also continues to identify law enforcement missions where DHS would benefit from better collaboration, sharing and leveraging processes, data collection, and best practices across components. OIG has identified inadequate oversight of DHS’ law enforcement components to ensure proper DNA collection and preparation for cross-component protection of Federal facilities. The watchdog found that U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations investigated less than 1 percent of U.S. Customs and Border Protection’s (CBP) Intellectual Property Rights seizures annually from fiscal years 2017 to 2020 because CBP did not prioritize reporting investigative referrals to ICE, nor did it establish guidance or a system to do so. Further, OIG found opportunities for the Cybersecurity and Infrastructure Security Agency (CISA), Office for Bombing Prevention to improve its oversight of components’ input for countering improvised explosive devices and to better lead DHS and nationwide capability efforts to address these threats. Finally, OIG said DHS component collaboration on law enforcement virtual training is limited.
Progress has been made however. DHS has developed strategies and taken other steps to help the U.S. counter terrorism, and has made progress countering domestic terrorism. For example, DHS implemented redundant capabilities to disseminate intelligence products addressing departmental threats. Additionally, DHS will initiate a needs assessment to identify staffing and budget requirements to counter domestic terrorism. The Department’s Counterterrorism Coordinator will work with other program offices to evaluate the oversight and coordination of efforts to counter domestic terrorism following the conclusion of the needs assessment.
DHS also continues its efforts to develop and update internal controls, directives, policies, procedures, and training plans, as well as improve its integration of data sources and modernize its reporting systems to generate real-time automated reports. These actions are designed to strengthen collaboration among its components and Federal law enforcement partners. For example, on September 29, 2021, the Secretary established the Law Enforcement Coordination Council that coordinates department-wide law enforcement related matters on training and policy.
OIG said DHS needs to remain committed to effective threat assessment methods and law enforcement collaboration, as well as internal control development, including useful and relevant goals, performance indicators, metrics, measures, corrective action plan implementation, and deliberate improvement. In addition, the watchdog noted that DHS needs to enhance and provide intelligence training and guidance and improve its processes for timely reviews of open source intelligence products. DHS could also improve how it identifies domestic terrorism threats, tracks trends for future risk-based planning, and informs partners and the public about domestic terrorism, OIG said. The Inspector General’s office has also called for DHS to better manage its counter-improvised explosive devices (C-IED) efforts, as well as its assessment of national, regional, and state C-IED capabilities.
Coordinating Border Security Efforts and Migrant Surges
CBP apprehended more than 1.6 million migrants illegally crossing the Southwest Border in FY 2021. This trend continued in FY 2022. Migrant surges require a whole-of-government approach. DHS manages a major part of the border security and immigration enforcement mission set, but in prior surges OIG found that multi-component planning between CBP and ICE and a coordinated response ultimately did not occur. These surges in immigration have exposed technology challenges which impede CBP and ICE personnel from tracking migrants from apprehension to release or transfer. Technology deficiencies also meant that data was not consistently documented in DHS’ systems of record, which can delay DHS from uniting children with families and sponsors, or cause migrants to remain in DHS custody longer than legally allowed.
The United States also experienced a sudden influx of Ukrainian and Afghan citizens requesting entry into the country under unprecedented circumstances. This change in immigration patterns reconfirmed longstanding staffing issues at CBP, OIG said. Sufficient staffing is needed to ensure complete and accurate processing of all individuals requesting entry into the United States. However, screening, vetting, and inspecting all evacuees during the recent Afghanistan crisis was a challenge, and OIG continues to evaluate CBP’s access to critical data to fully vet individuals trying to enter the United States.
In terms of progress made in this area, OIG pointed to corrective action plans that show that DHS is updating its technology platforms to enhance information sharing across its components and with external partners, including the U.S. Department of Health and Human Services. DHS is also updating internal guidance to ensure staff fully understand processes, procedures, technology systems, and the value of robust controls.
OIG said DHS should continue to address internal fragmentation affecting border security and immigration processing, and work on improving consistent application of standard procedures to fully document migrant apprehensions and to enhance timely and orderly processing to identify security threats. The watchdog added that DHS should also develop a comprehensive contingency plan to handle evacuation efforts in the future and thoroughly account for, screen, vet, and inspect all individuals during unprecedented events when limited biographic data is available.
Managing Detention Conditions
Surges result in prolonged detention in short-term facilities, overcrowding, capacity issues, and inconsistent compliance with standards for care at Border Patrol stations. According to CBP officers, the lack of bed space at ICE detention facilities also contributes to the challenges CBP is experiencing managing migrants at its facilities. Additionally, DHS continues to struggle with contractor performance and overall compliance with detention standards such as segregation, medical care, and access to legal services. For example, in March 2022, OIG issued a Management Alert recommending the immediate removal of all detainees from the Torrance County Detention Facility in Estancia, New Mexico due to safety risks and unsanitary living conditions. In April 2022, we made several recommendations aimed at improving care of detainees at the South Texas ICE Processing Center.
OIG said CBP has taken steps to increase coordination and planning, enhance existing infrastructure to add capacity, and expand access to medical care through improved screening. According to DHS, ICE continues to improve conditions at its detention facilities and completing any identified repairs from internal or OIG inspections. In addition, ICE has updated its request tracking system and enhanced its documentation of commissary and mail services for detainees at the South Texas ICE Processing Center. Further, DHS recently announced it is creating a new Office of Health Security to coordinate and provide oversight for public health, medical, and safety activities for both its own workforce and those in its care.
The watchdog said DHS should work on improving consistent application of standards for treatment and care of migrants and timely, orderly, and humane processing.
Securing Cyberspace and Critical Infrastructure
DHS must provide a high level of cybersecurity for the information and systems supporting day-to-day operations for its approximately 240,000 personnel. Recent breaches have shown that cyber attacks pose a serious threat against U.S. cyberspace and critical infrastructure, and why preventing such attacks will remain a major management challenge. These attacks have been designed to gain unauthorized access to sensitive data stored and processed by DHS systems, infiltrate U.S. Government computers and networks to slow or halt operations, access intellectual property and research, and gather useful intelligence. As cyber threats evolve, securing U.S. technology systems and networks from unauthorized access and potential exploits will become more challenging.
OIG’s annual report noted that the DHS Secretary has made operationalizing cybersecurity and increasing cybersecurity awareness a top priority for DHS. Other priorities include strengthening the integrity of elections, protecting government networks, applying new technologies to supply chain security, and preparing for the challenges of new, emerging technology. The watchdog said DHS has made some progress to address the threats of cyberattacks and reduce the likelihood of exploitation of critical weaknesses. For example, DHS implemented specific tools and technologies to detect and prevent security events on component systems and to help protect DHS’ network communication and data. DHS has also made progress improving cybersecurity collaboration and coordination with the Department of Defense (DoD) in accordance with the Cyber Action Plan and memorandums. DHS continues to participate in critical infrastructure programs, improve cyber situational awareness, co-locate DHS and DoD liaisons, and conduct cybersecurity readiness training. DHS has also continued to provide oversight of the department-wide intelligence system and has implemented programs to monitor ongoing security practices. It is also working to update relevant plans, address identified vulnerabilities, and continues to improve configuration and patch management.
DHS concurred with recent OIG recommendations aimed at helping the Department improve upon its efforts to implement its critical infrastructure strategy and programs. CISA is working to improve oversight for Dams Sector security and resilience. OIG noted that it is reviewing DHS’ efforts to improve Energy Sector resilience.
OIG said DHS needs to revise its policies and procedures to reflect the latest NIST standards and that the DHS Chief Information Officer should develop a change management process to identify and implement Policy Directives. The watchdog also said DHS needs to improve its Cybersecurity Awareness Training Program to ensure all DHS users receive a comprehensive, baseline level of cybersecurity education. Additionally, OIG wants DHS to address weaknesses in access controls, patching procedures, and configuration settings. Finally, OIG said DHS needs to address recent recommendations to improve the Department’s information security program.
OIG will continue to monitor DHS’ cybersecurity coordination efforts by partnering with the National Security Agency (NSA) to review DHS and NSA’s efforts to assess the actions taken by DHS in advance of, and in connection with, recent intrusions into U.S. Government and private networks. OIG is also reviewing CISA’s ability to detect and mitigate risks from major cyberattacks based on lessons learned after the SolarWinds breach. OIG said CISA needs to improve its oversight, coordination, and communication to better support the Dams Sector security and resilience. Also, the watchdog noted that DHS is receiving approximately $8 billion from the Infrastructure Investment and Jobs Act (IIJA) to strengthen critical infrastructure and says the Department will need to create new programs, and a strategy for spending IIJA funds.
Ensuring Proper Financial Management and Oversight
DHS has shown it has strong financial principles, but notable financial deficiencies can undermine the public’s confidence in DHS and its ability to make strategic investments using taxpayer dollars, OIG says. For FY 2022, Congress provided funding of $57 billion, an increase of $5.1 billion compared with FY 2021. It provided total funding of $94.8 billion, including $18.8 billion for major disaster response and recovery and $19 billion offset by fee collections. Independent auditors issued an adverse opinion on DHS’ internal controls over financial reporting because of material weaknesses. Specifically, auditors found weaknesses in Information Technology Controls and Information Systems and Financial Reporting. Auditors identified significant deficiencies in Custodial Activities: Drawbacks and Seized and Forfeited Property; Grants Management and Other Needs Assistance Programs; Insurance Liabilities; and Journal Entries. They also noted noncompliance with the Federal Managers’ Financial Integrity Act of 1982 and Federal Financial Management Improvement Act of 1996.
OIG said DHS continued to improve its financial management in FY 2021 and achieved its ninth consecutive unmodified (clean) opinion on all financial statements. DHS continues to make progress meeting its reporting requirements under the DATA Act. DHS implemented actions to improve the completeness of budgetary and award data in its DATA Act submission to make the spending information more transparent. DHS is working to improve compliance with requirements set forth in laws, regulations, directives, and policies by strengthening oversight, internal control, data quality, and transparency. For example, DHS demonstrated through corrective action plans its intent to address OIG recommendations to develop or enhance various performance measures, procedures, and internal controls.
DHS has taken steps toward remediating other issues OIG previously reported, including in Financial Statement Audit reports. DHS has undertaken a Financial Systems Modernization program which is intended to replace outdated systems across the Department. OIG found that to date, DHS has deployed a modernized financial management system to the Countering Weapons of Mass Destruction Office, the Transportation Security Administration, and United States Coast Guard. DHS is also planning to modernize financial management systems at other components. DHS officials have stated that this modernization effort will help mitigate many of the underlying causes of the Information Technology Controls and Information Systems and Financial Reporting material weaknesses identified in previous audit reports.
In order to improve further, OIG said DHS needs to implement and consistently use the government-wide financial data standards to improve the accuracy of reporting for certain data elements to fully achieve the DATA Act’s objective. Further, the watchdog said FEMA needs to strengthen its fraud preventive controls when determining claimant eligibility because its reliance on self-certifications continues to lead to billions of dollars in potentially fraudulent and improper payments. OIG said CBP needs to improve its compliance with the Trade Facilitation and Trade Enforcement Act of 2015, its procedural guidance for its Centers of Excellence and Expertise, and the reliability of trade import and enforcement data in its information systems.
Ensuring Technology Supports Essential Mission Operations
OIG has found that DHS continues to struggle with aligning DHS technology, personnel, resources, assets, systems, and infrastructure to support its mission. The Inspector General warns that DHS should mitigate risks to operational performance before they become issues and to deploy capability timely.
OIG’s recommendations show that DHS still needs to increase and sustain its focus and effort to improve oversight, ensure consistent configuration management, prioritize systems and applications modernization, and remediate the internal control issues that underlie data deficiencies. Additionally, the watchdog said DHS needs to address a remaining unresolved and open recommendation from OIG’s evaluation of DHS’ information security program for FY 2019.
Improving FEMA’s Disaster Assistance and Fraud Prevention
According to DHS, COVID-19 response and recovery is the largest relief assistance program in American history. FEMA, as the lead response agency, has been charged with administering and overseeing $45 billion in Coronavirus Aid, Relief, and Economic Security (CARES) Act funding. Further, FEMA has recently been charged with administering $6.8 billion in IIJA funding.
OIG has found that FEMA struggles with ensuring disaster grant recipients and subrecipients understand and comply with relevant authorities governing grants and assistance. FEMA has also proven susceptible to widespread fraud and made billions in improper payments, the watchdog said. As of July 31, 2022, OIG had received more than 7,500 complaints and initiated more than 300 investigations related to COVID-19, including allegations that fraud networks have secured pandemic-related benefits.
The Inspector General has also published a significant body of work recommending improvements in Federal disaster response and recovery efforts.
OIG said FEMA is making efforts to improve on these shortcomings and recommended that the agency and DHS analyze systemic weaknesses across the spectrum of disaster-related funding and services and make overarching improvements in risk assessment, controls, policies, systems and applications, resources, training, data to support equitable assistance distribution, and collaboration with stakeholders.
Strengthening Oversight and Management of Major Systems Acquisition and Procurement
DHS and its components are acquiring capabilities to help secure the border, increase marine safety, screen travelers, enhance cybersecurity, improve disaster response, and execute a wide variety of other operations. In FY 2021, DHS planned to spend more than $7 billion on major acquisition programs. In FY 2022, DHS plans to spend more than $5 billion on major acquisition programs, and, ultimately, the Department plans to invest more than $240 billion over the life cycle of these programs. Most of DHS’ major acquisition programs have lifecycle costs of at least $300 million and take multiple years to acquire.
OIG said it continues to identify issues with poorly defined operational requirements for assets being acquired, adherence to the DHS Acquisition Lifecycle Framework, contract oversight, and reporting. The watchdog acknowledged that DHS is making progress in its acquisition program oversight processes and controls through implementation of a revised acquisition management directive and a revised acquisition instruction.
OIG has called for DHS to grow and mature the Joint Requirements Council and its requirements process the Joint Requirements and Integration Management System as well as other requirements determination guidance. In addition, OIG said DHS’ Office of Program Accountability and Risk Management needs to continue to strengthen oversight of acquisitions programs to ensure they follow all key steps in the Acquisition Lifecycle Framework. DHS also needs to reinforce the use of the checklists, job aids, and guides developed by the DHS Office of the Chief Procurement Officer, OIG said.
On receiving OIG’s draft report, DHS leadership voiced concerns over some of the statements which it says could be misleading to some readers. DHS called the statements “inaccurate, contextually incomplete, and confusing” and said they could result in misinformation.
The Department also did not believe OIG’s draft report adequately recognized the strides DHS has made in some areas. It added that only a small percentage of recommendations previously made by OIG remain open and unresolved.
Additionally, DHS said that OIG’s draft annual report failed to consider the perspective of DHS leaders, officials and experts who have previously expressed concerns about and disagreement with OIG’s findings and conclusions in its reports over the year.