House lawmakers fear that a mismanaged $180 million Human Resources IT systems consolidation project at the Department of Homeland Security presents big cybersecurity risks.
Not only does the department, 13 years after it was established, still lack an integrated HR environment, it doesn’t even know how many HR systems it currently has operating, members of the House Homeland Security Oversight and Management Efficiency Subcommittee were told Thursday.
DHS has been developing its Human Resources Information Technology project, a consolidation and modernization of its fragmented HR systems and environments, since the department was created from the merger of 22 federal departments and agencies in 2003.
As of November 2015, however, the department has only implemented one of its 15 targeted systems improvements laid out in a 2011 restructured plan — including off-boarding and on-boarding processing, knowledge management, HR data management and sharing, and performance measurement — according to a new Government Accountability Office audit of HRIT.
The systems improvements, many of which were scheduled for completion between 2012 and 2014, are not yet in place, members of the subcommittee said during the hearing, citing the GAO audit. As a result, DHS leaders lack an accurate picture of the people they employ, which puts internal security at great risk, particularly in light of a recent breach of the department’s employee data.
“Really the dysfunction of what you have is that with your fragmented and outdated human resource systems … you don’t have accurate information on who is employed,” said Rep. Barry Loudermilk, R-Ga.
Carol Cha, director of IT management acquisition issues for GAO, testified that she believes that DHS’ fragmentation of systems puts it at risk.
“DHS identified 422 fragmented systems and applications within their HR environment,” Cha told lawmakers. “That study was done in 2011. Currently DHS does not know the state of that 422-system inventory … It could be more, it could be less. But until they get a full handle of the total number of systems in the inventory, a risk exists.”
“How can the Department of Homeland Security vet effectively and identify individuals that may have links to terrorism when you don’t have all the information on your employees?” Rep. Buddy Carter, R-Ga., questioned.
DHS representatives, like DHS Deputy Under Secretary for Management Chip Fulghum, argued that DHS has “very good, solid procedures in place to vet employees.”
Cha countered, however, that DHS itself admitted in a prior business justification for the HRIT system that “these numerous, antiquated, and fragmented systems inhibited its ability to perform basic workforce management functions necessary to support mission critical programs.”
GAO’s audit “countervails most of what you tell us, except for what you’ve been working on recently because [GAO auditors have] been babysitting,” said subcommittee Chairman Rep. Scott Perry, R-Penn. “We don’t hire people in the senior executive schedule to be babysat. You’re the leaders. You’re the heavies. We hire the heavies to get things done.”
Fulghum contended that they’ve been getting more done than the GAO recognizes, particularly focusing the department’s attention on the implementation of the Performance and Learning Management System — HRIT’s only ongoing development — and a few other areas, but did so with poor documentation.
Indeed, DHS’ tracking of the entire HRIT project has been somewhat of a mess, according to the GAO, which claims that the department hasn’t tracked spending on it, leading auditors and lawmakers to worry the price tag could be well above the $180 million appropriated. For that reason, and others, GAO highlighted the HRIT project as one of the top-10 projects most at risk of failing in government in its 2015 High Risk Report, which annually documents the federal government’s notoriously bad track record with IT acquisition management.
DHS CIO Luke McCormack rated the investment at “moderately high risk” of failing in 2015, according to GAO.
The struggles of this project have also been exacerbated by the ongoing game of “hot potato” played by DHS’ offices of the Chief Human Capital Officer and the CIO. Several times since its inception, the responsibility of the project has been transferred between the CHCO and CIO, leaving lawmakers wondering who at DHS really wants to ensure this project isn’t an outright failure.
Most recently, the project was handed back to the CIO’s office on Jan. 29.
Likewise, in a 2010 inspector general report that Perry revisited, DHS pointed the blame for the project’s little progress to a lack of commitment from component agencies and lack of oversight from DHS officials.
“There’s no lack of commitment,” Perry said to Fulghum, questioning his ability to lay out orders to subordinates. “You issue orders. If you don’t want to commit to it, you go get another job. This is taxpayers’ money … Why is there a lack of commitment? Who says ‘no’ and gets away with it?”
Fulghum said a new steering committee for the project will be more effective in imploring the DHS agencies to get on board, but Perry found it hard to take his word in the face of the department’s history of mismanagement with HRIT.
“For the love of God,” Perry exclaimed, “this is 10 years on. $180 million pissed away.”
Contact the reporter on this story via email at Billy.Mitchell@FedScoop.comor follow him on Twitter @BillyMitchell89. Subscribe to the Daily Scoop to get all the federal IT news you need in your inbox every morning at fdscp.com/sign-me-on.