1、OIG-24-47August 20,2024FINAL REPORTS&T Inconsistently Managed Critical Infrastructure Security and Resilience Research and Development Activities OFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Washington,DC 20528|www.oig.dhs.gov August 20,2024 MEMORANDUM FOR:The Honorable Dimitri Ku

2、snezov,Ph.D.Under Secretary Science and Technology Directorate FROM:Joseph V.Cuffari,Ph.D.Inspector General SUBJECT:S&T Inconsistently Managed Critical Infrastructure Security and Resilience Research and Development Activities Attached for your action is our final report,S&T Inconsistently Managed C

3、ritical Infrastructure Security and Resilience Research and Development Activities.We incorporated the formal comments provided by your office.The report contains four recommendations aimed at improving S&Ts critical infrastructure research,development,testing,and evaluation efforts.Your office conc

4、urred with all four recommendations.Based on information provided in your response to the draft report,we consider recommendations 1,3,and 4 open and resolved.Once your office has fully implemented the recommendations,please submit a formal closeout letter to us within 30 days so that we may close t

5、he recommendations.The memorandum should be accompanied by evidence of completion of agreed-upon corrective actions and of the disposition of any monetary amounts.Recommendation 2 is closed and resolved.Please send your response or closure request to OIGAuditsFollowupoig.dhs.gov.Consistent with our

6、responsibility under the Inspector General Act,we will provide copies of our report to congressional committees with oversight and appropriation responsibility over the Department of Homeland Security.We will post the report on our website for public dissemination.Please contact me with any question

7、s,or your staff may Kristen Bernard,Deputy Inspector General for Audits,at(202)981-6000.Attachment OIG Project No.AUD-22-057-AUD-S&T DHS OIG HIGHLIGHTSDHS OIG HIGHLIGHTS S&T Inconsistently Managed Critical Infrastructure Security and Resilience Research and Development Activities www.oig.dhs.gov OIG

8、-24-47 August 20,2024 Why We Did This Audit S&T is responsible for leading the Departments research and development efforts.In 2021,S&T received$157.5 million in funding through the Infrastructure Investment and Jobs Act to address critical infrastructure R&D needs.We conducted this audit to determi

9、ne how well S&T has managed R&D activities aimed at improving critical infrastructure security and resilience.What We Recommend We made four recommendations to improve S&Ts critical infrastructure R&D efforts.For Further Information:Contact our Office of Public Affairs at (202)981-6000,or email us a

10、t:DHS-OIG.OfficePublicAffairsoig.dhs.gov.What We Found The Science and Technology Directorate(S&T)can improve management of its research,development,testing,and evaluation(R&D)activities related to critical infrastructure security and resilience.Although S&T is actively making efforts to improve pro

11、cesses,it:does not use a risk-based,holistic approach to prioritize critical infrastructure R&D programs and projects department-wide;does not follow established project management principles and its own project management policies and procedures;and relies on inaccurate and incomplete information t

12、o manage its critical infrastructure R&D projects.These problems occurred because S&T relies on component-based R&D prioritization processes instead of establishing and updating department-wide strategic priorities.Additionally,S&T does not ensure adherence to project management best practices,such

13、as integrating program and project plans,using standard terminology and abbreviations,and tailoring its processes to fit the project needs.Finally,S&T has no formal data validation process to ensure the quality of R&D project management data.Without adequate controls in place to consistently plan,ma

14、nage,and execute its R&D activities,S&T may not be able to support the Departments critical infrastructure R&D needs.The issues we identified also raise concerns as to S&Ts ability to successfully plan,manage,and spend the$157.5 million in Infrastructure Investment and Jobs Act funding.S&T Response

15、S&T officials concurred with all four recommendations and described corrective actions to address the issues we identified.www.oig.dhs.gov OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERALU.S.Department of Homeland Security Table of Contents Background.1 Infrastructure Investment and

16、Jobs Act.2 Results of Audit.3 S&T Did Not Use a Risk-Based,Holistic Approach to Prioritize Its Critical Infrastructure R&D Programs and Projects Department-Wide.3 S&T Did Not Follow Established Project Management Principles,Policies,and Procedures.6 S&T Relies on Incomplete and Inaccurate Informatio

17、n to Manage Its Critical Infrastructure R&D Projects.8 Conclusion.10 Recommendations.10 Management Comments and OIG Analysis.11 Appendix A:Objective,Scope,and Methodology.14 DHS OIGs Access to DHS Information.15 Appendix B:S&T Comments on the Draft Report.16 Appendix C:List of Programs and Projects

18、Within the Audit Scope.22 Appendix D:S&T CISRR Focus Area Descriptions.23 Appendix E:S&Ts BPF Processes and Decision Points.24 Appendix F:Major Contributors to This Report.25 Appendix G:Report Distribution.26 Abbreviations BPF Business Process Flow CISA Cybersecurity and Infrastructure Security Agen

19、cy CISRR Critical Infrastructure Security and Resilience Research Program FFMS Federal Financial Management System GAO U.S.Government Accountability Office IIJA Infrastructure Investment and Jobs Act IPT integrated product team IRDC Innovation,Research,and Development Coordination MCS Office of Miss

20、ion Capability and Support PEC Program Element Code www.oig.dhs.govOIG-24-47OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERALU.S.Department of Homeland SecurityPPD-21 Presidential Policy Directive 21 R&D research,development,testing,and evaluation S&T Science and Technology Directorate STATS S&

21、T Analytical Tracking System www.oig.dhs.gov 1 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Background The Science and Technology Directorate(S&T)is the primary research and development arm of the Department of Homeland Security.The Homeland Se

22、curity Act of 2002 1 gives the Secretary of DHS,acting through the Under Secretary for S&T,responsibility for establishing and administering the Departments research,development,testing,and evaluation(R&D)activities,including determining the long-term R&D needs and capabilities for all DHS component

23、s and coordinating and integrating all the Departments R&D activities.S&T is also responsible for leading R&D efforts to strengthen the security and resilience of the Nations 16 critical infrastructure sectors.2 Two of S&Ts four main offices have primary responsibility for conducting,managing,and ov

24、erseeing critical infrastructure R&D activities:The Office of Mission Capability and Support(MCS)provides support through customer-focused implementation of programs based on validated priorities,gaps,and requirements.The offices main function is program management.MCS has five active programs relat

25、ed to critical infrastructure.See Appendix C for a list of MCS critical infrastructure projects and programs.The Office of Innovation and Collaboration(Innovation and Collaboration)provides research,development,innovation,business capabilities,and expert solutions that address and help overcome oper

26、ational challenges.Within this office,the Office of University Programs works with universities to establish S&T Centers of Excellence.Through these centers,S&T uses academia and private sector expertise to research and develop potential solutions for DHS operational challenges.Innovation and Collab

27、oration has four Centers of Excellence related to critical infrastructure.See Appendix C for a list of Innovation and Collaborations Centers of Excellence related to critical infrastructure.The S&T Operating Model Blueprint(Blueprint),3 in conjunction with the Business Process Flow(BPF),4 serves as

28、S&Ts project management framework and details the processes for R&D efforts.Collectively,these documents standardize the R&D process,ensure engagement with S&Ts 1 Title 6 of the United States Code,Section 182.2 The Nation has 16 critical infrastructure sectors whose assets,systems,and networks,wheth

29、er physical or virtual,are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security,national economic security,national public health or safety,or any combination thereof.The Cybersecurity and Infrastructure Security Agency(CISA)h

30、elps S&T safeguard critical infrastructure by enhancing stakeholder capacity to mitigate risks.3 Included within Understanding S&Ts Business Process Flow,June 2022.4 The BPF expands the Blueprint into nine processes and seven decision points to ensure effective oversight and informed decision making

31、 through the life cycle of programs and projects.www.oig.dhs.gov 2 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security customers,and enable effective oversight and informed decision making throughout the program and project life cycle.S&T acknowledged

32、 challenges with the BPF and contracted with the Homeland Security Operational Analysis Center(Analysis Center),5 which is currently operated by the RAND Corporation,6 to help identify areas of improvement.The Analysis Center issued its assessment in May of 2023 with various recommendations to impro

33、ve the BPF process.S&T tracks activities,including R&D,through its S&T Analytical Tracking System(STATS).This system contains acquisition,financial,and project management documentation that helps S&T track,manage,and administer effective program and project operations.Within STATS,S&T uses Program E

34、lement Codes(PEC)to track its program,project,and activity information.S&T also uses PECs in its financial system of record,the Federal Financial Management System(FFMS).7 Infrastructure Investment and Jobs Act In November 2021,the President signed the Infrastructure Investment and Jobs Act(IIJA).8

35、The IIJA provided S&T with$157.5 million(available through 2026)for critical infrastructure R&D projects in five focus areas,which are further described in Appendix D.Focus Area 1-Special Event Assessment Rating Planning Tools9 Focus Area 2-Electromagnetic Pulse10 and Geomagnetic Disturbance11 Resil

36、ience Capabilities Focus Area 3-Position,Navigation,and Timing Capabilities Focus Area 4-Public Safety and Violence Prevention/Soft Target12 Security Focus Area 5-Security Testing Capabilities for Telecommunications Equipment,Industrial Control Systems,and Open-Source Software To better manage and e

37、nsure proper execution of activities occurring within IIJA focus areas,5 S&T requested that the Analysis Center conduct an independent analysis of its BPF.In its May 2023 report to S&T,the Analysis Center described challenges related to governance and process ownership,gap intake and triage,collabor

38、ation,and centralized tracking of research and development activities.This review resulted in several recommendations that S&T is currently working on to improve its processes.6 The RAND Corporation is an independent nonprofit institution that helps develop solutions to public policy and decision-ma

39、king challenges through its written publications.7 FFMS is owned and operated by U.S.Immigration and Customs Enforcement.8 P.L.117-58,Division J.9 Special Event Assessment Ratings are applied to events that are not designated as a national special event.Most of these events are state and local event

40、s that may require additional support from the Federal Government.10 An electromagnetic pulse is a burst of electromagnetic energy produced by a nuclear explosion in the atmosphere,considered capable of widespread damage to power lines,telecommunications,and electronic equipment.11 A geomagnetic tem

41、porary disturbance of the Earths magnetosphere caused by a solar wind shock wave and/or cloud of magnetic field that interacts with the Earths magnetic field.12 A soft target is a target that can be attacked easily because it does not have military defenses.www.oig.dhs.gov 3 OIG-24-47 OFFICE OF INSP

42、ECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security S&T created the Critical Infrastructure Security and Resilience Research(CISRR)Program.MCS is responsible for implementing the program.We conducted this audit to determine how well S&T has managed R&D activities aimed at im

43、proving critical infrastructure security and resilience for fiscal years 2018 through 2022.Our audit focused on Focus Areas 2(Electromagnetic Pulse and Geomagnetic Disturbance Resilience Capabilities)and 4(Public Safety and Violence Prevention/Soft Target Security).These two focus areas had a combin

44、ed budget of$71,800,000 in IIJA funding($22,750,000 for Focus Area 2 and$49,050,000 for Focus Area 4).Results of Audit S&T can improve management of its R&D activities related to critical infrastructure security and resilience.Although S&T is actively making efforts to improve processes,it:does not

45、use a risk-based,holistic approach to prioritize critical infrastructure R&D programs and projects department-wide;does not follow established project management principles and its own project management policies and procedures;and relies on inaccurate and incomplete information to manage its critic

46、al infrastructure R&D projects.These problems occurred because S&T relies on component-based R&D prioritization processes instead of establishing and updating department-wide strategic priorities.Additionally,S&T does not ensure adherence to project management best practices,such as integrating prog

47、ram and project plans,using standard terminology and abbreviations,and tailoring its processes to fit the project needs.Finally,S&T has no formal data validation process to ensure the quality of R&D project management data.Without adequate controls in place to consistently plan,manage,and execute it

48、s R&D activities,S&T may not be able to support the Departments critical infrastructure R&D needs.The issues we identified also raise concerns as to S&Ts ability to successfully plan,manage,and spend the$157.5 million in IIJA funding.S&T Did Not Use a Risk-Based,Holistic Approach to Prioritize Its C

49、ritical Infrastructure R&D Programs and Projects Department-Wide The Homeland Security Act of 2002 tasks S&T with establishing and administering R&D activities for the Department,including long-term research and development needs and capabilities for all elements of the Department.Presidential Polic

50、y Directive 21,Critical Infrastructure Security and www.oig.dhs.gov 4 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Resilience(PPD-21)13 recommends that the DHS Secretary,who subsequently delegated responsibility to S&T,14 issue and update a Nat

51、ional Critical Infrastructure Security and Resilience Research and Development Plan every 4 years(or more frequently,if necessary).The plan should identify priorities and guide R&D requirements and investments.The plan should also set priorities for the entire critical infrastructure community beyon

52、d DHS,including Federal,state,and local government and the private sector.Finally,S&Ts 2021 strategic plan15 calls for an annual threat assessment report to help inform R&D investments.S&T did not use a formal risk-based process to prioritize R&D needs on a department-wide basis.Instead of prioritiz

53、ing R&D needs using the strategic-level plans,such as the National Critical Infrastructure Security and Resilience Research and Development Plan and annual strategic plans,S&T relied on DHS components to establish the prioritization of R&D needs.According to S&T officials,S&T subject matter experts

54、work with components to prioritize their identified R&D needs.However,an S&T official stated these needs are very compartmentalized.S&T will then execute components identified R&D efforts once funding becomes available.All the activities funded by the IIJA were R&D needs previously identified by com

55、ponents.This occurred because S&T changed its process for identifying and prioritizing R&D projects to be based on customer-focused(as opposed to mission-focused)R&D needs and did not complete R&D strategic planning documents and its strategic plan.In 2018,S&T implemented a customer needs-driven,int

56、egrated product team(IPT)16 approach to its work at the component level.According to the Analysis Centers assessment of S&Ts processes,each component has a different level of maturity and capability.According to an S&T official,some components do not have an IPT and,as a result,the applicability and

57、 quality of components gaps varied greatly.This means the Department does not have a standardized IPT process for identifying risks and prioritizing R&D projects across DHS components.Although an S&T official stated they try to prioritize R&D gaps identified by multiple components,there is no proces

58、s to perform cross-portfolio analysis to weigh,rank,or score projects to determine which projects to fund.The S&T official also stated that S&T attempts to fund at least one of each components top priorities regardless of relative risk or value.DHS and S&T have published 2023 strategic priorities17

59、that provide guidance to components for assessing capability gaps.Even so,S&T has not published threat assessment and strategic policy documents that could aid in identifying and prioritizing R&D activities for itself,the Department,13 On April 30,2024,the National Security Memorandum on Critical In

60、frastructure Security and Resilience(NSM-22)was published.This memorandum rescinded and replaced PPD-21.14 PPD-21 tasks the DHS Secretary with this responsibility.DHS Delegation Number 10001 Rev.01(April 28,2014)delegates all PPD-21 R&D responsibilities to the Under Secretary of S&T.15 S&T Strategic

61、 Plan 2021.16 IPTs consist of S&T and component officials.These teams address specific issues relevant to the mission and align R&D investments with operational gaps and planned acquisitions.17 DHS 2023 Priorities and S&Ts Calendar Year 2023 Priority Areas.www.oig.dhs.gov 5 OIG-24-47 OFFICE OF INSPE

62、CTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security and all its critical infrastructure partners.Specifically,it has not updated the National Critical Infrastructure Security Resilience Research and Development Plan recommended by PPD-21 since its issuance in 2015.Given that

63、PPD-21 recommends the National Critical Infrastructure Security Resilience Research and Development Plan be updated every 4 years,S&T should have published updated versions in 2019 and 2023 but did not.Moreover,during our audit,S&T was unable to provide us with information on who in the organization

64、 was responsible for updating the plan.S&T has yet to publish an annual threat assessment report,as called for by its own 2021 Strategic Plan.According to an S&T official,threat assessments are no longer required because of other annual priority publications such as the DHS 2023 Priorities and S&Ts

65、Calendar Year Priority Areas.S&T also noted that in January of 2023,DHS established the Innovation,Research,and Development Coordination(IRDC)Council to address the need to prioritize R&D efforts.The IRDC is co-chaired by the Undersecretary for S&T and serves as the executive governing body for the

66、DHS R&D coordination process.18 The goal of the IRDC is to help the Department identify strategic priority research issues.Instead of updating these strategic documents and establishing a risk-based process for selecting R&D projects,S&T decided to spend the$157.5 million in IIJA funds for R&D activ

67、ities without evaluating the projects strategic value across DHS.Further,because S&T has not updated the National Critical Infrastructure Security and Resilience Research and Development Plan,other critical infrastructure partners may be unaware of priority critical infrastructure needs and apply th

68、eir efforts to less strategic and advantageous programs and projects.Given these factors,S&T may not be using IIJA and other R&D funds to address the Nations highest risks.In May 2024,after the end of our audit scope,DHS published the DHS Innovation,Research&Development Strategic Plan,which includes

69、 information collected in FY 2023,such as innovation,research,and development of current state initiatives;emerging technologies analyses;and individual operational component future trends assessments.The plan also assesses trends across future capabilities and points to opportunities for the Depart

70、ment to use innovation,research,and development in a cross-cutting manner to advance DHS missions and objectives.18 The IRDC was established after the end of our audit scope.As such,we did not test the implementation of the IRDC or how it impacts S&Ts critical infrastructure R&D efforts.www.oig.dhs.

71、gov 6 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security S&T Did Not Follow Established Project Management Principles,Policies,and Procedures The Project Management Institute19 established standards on effective project and program management practic

72、es,and S&T has its own established policies and procedures.However,S&T did not adhere to the recommended standards or its own policies and procedures.The Project Management Institutes A Guide to the Project Management Body of Knowledge 20 and The Standard for Program Management 21 include leading pr

73、actices for program and project management that can be applied to S&T R&D activities.Specifically:It is the program managers responsibility to ensure alignment of individual project management plans with the programs goals.The program management plan should integrate the programs subsidiary project

74、plans.This ensures the projects and programs are aligned with the strategic priorities of the organization to deliver expected benefits.Project teams should tailor the project management framework to enable the flexibility to consistently produce positive outcomes within the context of the project l

75、ife cycle.This includes taking specific action to select and mix specific project elements to suit the unique characteristics of the project and project environment.S&Ts Blueprint22 outlines high-level foundational processes that enable common program and project management practices for R&D efforts

76、,including establishing a project management framework and processes for all discretionary research,development,and innovation-funded capability gap initiatives.S&Ts BPF23 further outlines processes and decision points for assessing outcomes to ensure compliance with the Blueprint for projects and p

77、rograms.Appendix E shows S&Ts BPF processes and decision points.The BPF is designed to be tailored to meet the needs of individual projects,allowing for the BPF to be adjusted to meet the needs of the specific gap or need.These processes include developing project plans containing work breakdown str

78、uctures,milestones/schedules,budget,communication plans,test and assessment plans,and a 19 According to Program Management:DOE Needs to Develop a Comprehensive Policy and Training Program,GAO-17-51,November 2016,the Project Management Institute has established a standard on program management that i

79、s generally recognized as a leading practice for most programs.20 Project Management Institutes A Guide to the Project Management Body of Knowledge,6th Edition.21 Project Management Institutes The Standard for Program Management,4th Edition.22 Included within Understanding S&Ts Business Process Flow

80、,June 2022.23 Understanding S&Ts Business Process Flow,June 2022.www.oig.dhs.gov 7 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security transition strategy.The BPF also requires managers to integrate the project plan into a program management plan if t

81、he project is part of a larger program.We found that S&T did not consistently manage critical infrastructure R&D programs and projects per the Project Management Institute standards,Blueprint,or BPF processes.Specifically:MCS We determined MCS did not always develop program and project management pl

82、ans for its R&D activities.Specifically:One of the six MCS programs24 reviewed did not have a program management plan.Seven of nine MCS critical infrastructure projects reviewed did not have project management plans.Instead,project managers used program management plans to govern project execution.H

83、owever,program management plans do not contain the level of detail,such as milestones,staffing plans,and deliverables,needed to adequately execute,monitor,and control projects.Innovation and Collaboration Even though S&T designed the framework to be tailored to meet the needs of individual projects,

84、Innovation and Collaboration neither follows the BPF process nor has any other policies in place of the BPF to ensure it adheres to the Blueprint.As a result,S&T uses inconsistent definitions of program and project,which further prevents S&T management from providing effective oversight of its criti

85、cal infrastructure R&D efforts.Innovation and Collaboration uses program management plans for each Center of Excellence,and in turn,uses work plans written by the centers to govern individual efforts.Innovation and Collaboration considers each Center of Excellence as a“program.”However,STATS denotes

86、“DHS Centers”as a program and the individual centers as projects.These issues occurred because S&T does not have consistent policies and procedures to ensure its offices responsible for critical infrastructure R&D adhere to program and project management best practices,such as integrating program an

87、d project plans,using standard terminology and abbreviations,and tailoring their processes to fit the project needs.For example,S&Ts BPF implementation templates use“PMP”interchangeably for“program management plan”and“project management plan.”Similarly,the BPF uses“PM”as an abbreviation for both“pro

88、ject manager”and“program manager,”leaving ambiguity regarding who is responsible for managing different pieces of the process,including integrating the project plan into the program plan.24 The Explosives Detection program was discontinued and transitioned to Physical Security.www.oig.dhs.gov 8 OIG-

89、24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security What we found is consistent with a previous DHS Office of Inspector General report25 and the Analysis Centers assessment of S&Ts processes.We reported in 2022 on privacy and contracting issues within S&T

90、 and identified concerns regarding the lack of project plans.In 2023,the Analysis Center identified an issue with the lack of a single BPF process owner to provide overall governance and management resulting in patchwork accountability,siloed management,poorly documented sub-processes,duplication of

91、 efforts,and delays in meeting component needs.S&T officials stated resource constraints and mission differences between MCS and Innovation and Collaboration impact the offices abilities to consistently follow the Blueprint or other best practices.For example,MCS has used either the program or proje

92、ct plan interchangeably and does not ensure integration of project management plans into the higher-level program management plan because it does not have the resources to create and integrate both documents.This limits managements ability to monitor and control projects or measure execution against

93、 cost and schedule baselines.The two offices also have different requirements for customer agreement.MCS does not begin developing a project until the customer agrees it is a viable solution.Conversely,Innovation and Collaboration takes a broader perspective,with the Office of University Programs pr

94、oviding management and oversight of the Centers of Excellences activities.However,the Centers of Excellence establish their own annual workplans.Without applying its own framework and processes,as well as program and project management best practices,S&T cannot ensure effective oversight and informe

95、d decision making for its critical infrastructure R&D efforts,including those funded by the IIJA.S&T Relies on Incomplete and Inaccurate Information to Manage Its Critical Infrastructure R&D Projects According to the U.S.Government Accountability Offices(GAO)Standards for Internal Control in the Fed

96、eral Government,26 management should have relevant data from reliable sources and data processed into quality information to inform decisions.In response to a recommendation from our prior audit of S&T,27 the Senior Official Performing the Duties of the Under Secretary for S&T issued a June 8,2022,m

97、emorandum mandating that all staff use STATS to track and manage all R&D projects across the Directorate.The memorandum requires that STATS contain all project-related information,including authoritative,organization,and contact data,and quarterly updates to key milestones and transitions.The memora

98、ndum also notes that STATS should serve as an interconnected database of financial and budget tools to support data analysis and reporting across S&T.Through STATS,S&T can ensure the successful collection and appropriate reporting of key information required to inform decision making.25 S&T Needs to

99、 Improve Its Management and Oversight of R&D Projects,OIG-22-30,March 7,2022.26 Standards for Internal Control in the Federal Government,GAO-14-704G,September 2014.27 S&T Needs to Improve Its Management and Oversight of R&D Projects,OIG-22-30,March 2022.www.oig.dhs.gov 9 OIG-24-47 OFFICE OF INSPECTO

100、R GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security S&T project managers do not consistently use STATS to track project performance,as required,and do not ensure STATS records are up to date.We determined STATS included incomplete or inaccurate project information.For example,we

101、 reviewed records for 14 critical infrastructure-related projects and determined that 9 of 14(64 percent)projects had inconsistent and incomplete information:four projects did not include active or met milestones;one project was missing from the system;and four projects contained inconsistent titles

102、.We also identified STATS modules containing inconsistent and incomplete financial information for four of the seven(57 percent)programs reviewed,as depicted in Figure 1.Additionally,information in STATS did not match information in FFMS.Figure Figure 1 1.DiscrepanciesDiscrepancies in Financial Data

103、in Financial Data between S&Ts between S&Ts IT SystemsIT Systems$0$5,000,000$10,000,000$15,000,000$20,000,000$25,000,000$30,000,000$35,000,000$40,000,000$45,000,000DHS Centers40-01Explosives Detection62-03Explosives ThreatAssessment63-03Physical Security68-03Program Expenditures Discrepancies betwee

104、n S&T IT Systems for Fiscal Years 2018 to 2022FFMSSTATS Tableau Module(Tableau)STATS Project Tracker Module(Project Tracker)Source:DHS OIG analysis of FFMS and STATS data These issues align with the Analysis Centers independent review identifying challenges with data and information management.Speci

105、fically,the Analysis Center concluded S&T does not have data governance and highlighted the need for enterprise-level oversight and authority.The Analysis Center noted S&T has multiple systems that do not communicate with each other,and this has led to delays in S&Ts ability to integrate the data be

106、tween the systems.www.oig.dhs.gov 10 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security S&T does not ensure compliance with internal control standards and best practices or with its own internal requirement to use STATS for a number of reasons.For ex

107、ample:At least two project managers track project information on a SharePoint site and rely on institutional knowledge of the projects history to manage their projects.S&Ts offices do not have a consistent definition or application for the terms“program,”“project,”and“activity,”resulting in inconsis

108、tent levels of program and project information necessary for decision makers to compare and monitor efforts.S&T predominately uses a manual process to transfer data from FFMS into STATS,resulting in numerous errors.Transfer errors contributed to inaccurate information in STATS that financial and bud

109、get personnel did not reconcile during our audit.S&T does not have a standardized data validation process for reconciling data inaccuracies between STATS and FFMS.According to S&T personnel,they usually identify about 200 discrepancies out of 8,000-or 9,000-line items during their manual review that

110、 need correction.As a result,S&T relies on incomplete and inaccurate data to track and manage its projects and programs and make decisions about program operations and continued funding.This issue will be exacerbated if staff and subject matter experts leave,taking institutional knowledge with them.

111、Conclusion S&Ts strategic documents have a far-reaching impact across all 16 critical infrastructure sectors.Instead of updating strategic plans to inform a risk-based approach,S&T focuses on individual customer R&D requests.By doing so,S&T cannot ensure that the Departments highest priority critica

112、l infrastructure R&D needs are addressed.Without improved project and data management practices,S&T also cannot ensure effective use of current project funding,including the$157.5 million of IIJA funding available to address critical infrastructure R&D needs.Recommendations Recommendation 1:Recommen

113、dation 1:We recommend the Under Secretary for S&T clearly identify the appropriate entity with the authority and responsibility for updating critical infrastructure research and development strategic plans and annual homeland threat assessments and ensure that entity publishes each document in accor

114、dance with each of the prescribed timeframes.Recommendation 2:Recommendation 2:We recommend the Under Secretary for S&T establish a formal,risk-based process that incorporates strategic plans and threat assessments to prioritize the Departments www.oig.dhs.gov 11 OIG-24-47 OFFICE OF INSPECTOR GENERA

115、LOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security research,development,testing,and evaluation projects and activities identified by the components and integrated product teams.Recommendation 3:Recommendation 3:We recommend the Under Secretary for S&T develop and implement improved con

116、trols to ensure all S&T offices adhere to program and project management principles per the Operating Model Blueprint,including,but not limited to,policies,procedures,and training.These controls should ensure that tailored project approaches are documented and approved,standardized project managemen

117、t language is used,project and program plans are appropriately integrated,and roles and responsibilities are clearly defined.Recommendation 4:Recommendation 4:We recommend the Under Secretary for S&T develop and implement data validation controls to ensure accurate and consistent financial and proje

118、ct information in S&Ts centralized project tracking system,including,but not limited to,implementation policies,procedures,and training.Management Comments and OIG Analysis In response to our draft report,S&T officials concurred with all four recommendations and described corrective actions to addre

119、ss the issues we identified.We consider Recommendations 1,3,and 4 open and resolved and Recommendation 2 closed and resolved.Appendix B contains S&Ts management response in its entirety.We also received technical comments on the draft report and revised the report as appropriate.A summary of S&Ts re

120、sponse and our analysis follows.S&T Response to Recommendation 1:S&T Response to Recommendation 1:Concur.The S&T Office of Strategy and Policy is primarily responsible for coordinating and publishing applicable R&D plans,to include updating guidance that removes any S&T requirement to produce threat

121、 assessments under the exclusive purview of other DHS components and offices,as appropriate.Further,S&T will work closely with CISA in CISAs development of the National Infrastructure Risk Management Plan,which will be informed by sector-specific and cross-sector risk assessments.Following finalizat

122、ion of the National Infrastructure Risk Management Plan,S&T will produce an R&D plan to address critical infrastructure R&D needs.S&T will also continue to use its IPT with CISA and the DHS Innovation,Research&Development Strategic Plan to identify DHS-wide/cross-component critical infrastructure R&

123、D priorities.The estimated completion date is August 29,2025.OIG Analysis:OIG Analysis:We consider these actions responsive to the recommendation,which we consider open and resolved.We will close this recommendation when S&T publishes and provides updated guidance and a critical infrastructure R&D p

124、lan.S&T Response to Recommendation 2:S&T Response to Recommendation 2:Concur.To apply a risk-based approach to identify DHS-wide/cross-component R&D priorities,S&T uses the IRDC Council,which was chartered in www.oig.dhs.gov 12 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Dep

125、artment of Homeland Security January 2023.The analysis performed under the IRDC Council enables S&T,and DHS as a whole,to optimize investment,reduce the risk of duplication,ensure complementary efforts,and focus on common challenges regarding DHS R&D projects and activities.Additionally,the DHS Inno

126、vation,Research&Development Strategic Plan integrates internal DHS strategies and provides external partners with Department gaps for future partnerships.This Plan addresses the objective to strengthen the security and resilience of critical infrastructure by identifying future innovation,research,a

127、nd development capabilities needed for mission success through FY 2030.OIG AnalOIG Analysis:ysis:S&T provided a copy of the May 2024 DHS Innovation,Research&Development Strategic Plan and the January 2023 Innovation,Research,and Development Coordination Council Charter,satisfying the intent of the r

128、ecommendation.This,combined with the integration of these strategic documents into S&Ts program management process as discussed in response to Recommendation 3,meets the intent of this recommendation.We consider this recommendation closed and resolved.S&T Response to Recommendation 3:S&T Response to

129、 Recommendation 3:Concur.In addition to implementing recommended improvements identified in the Analysis Center report,S&T is now planning updates,as appropriate,to strengthen the current BPF with an updated BPF 3.0,which is being planned for completion before the end of FY 2024.S&T is also currentl

130、y drafting updated IPT guidebooks,which will integrate BPF decision-making,provide direct tie-in to the DHS Innovation,Research&Development Strategic Plan,and provide more instruction on cross-component analysis.The estimated completion date is August 29,2025.OIG Analysis:OIG Analysis:We consider th

131、ese actions responsive to the recommendation,which we consider open and resolved.We will close this recommendation when S&T provides documentation related to the BPF 3.0 update and any other program management policies and directives to cover all of S&Ts critical infrastructure R&D activities across

132、 all divisions,relevant training material to educate staff,and updated IPT guidebooks.S&T RS&T Response to Recommendation 4:esponse to Recommendation 4:Concur.S&Ts Finance and Budget Division will conduct informational sessions/trainings to demonstrate how STATS can be used to track project informat

133、ion to ensure policies and procedures are being followed,as well as provide clear expectations of when to use the terms“program,“project,”and“activity.”In October 2023,S&Ts Finance and Budget Division initiated corrective actions to identify and correct inaccuracies and inconsistencies between the F

134、FMS and STATS data,and by January 2024 the division had established a data cleansing team and began developing several data visualization tools.The estimated completion date is August 29,2025.OIG Analysis:OIG Analysis:We consider these actions responsive to the recommendation,which we consider open

135、and resolved.We will close this recommendation when S&T provides documentation such www.oig.dhs.gov 13 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security as updated policies and procedures mandating the use of STATS,training material,policies and pro

136、cedures used by the cleansing team along with actions taken,and proof of implementation of STATS data visualization tools.www.oig.dhs.gov 14 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix A:Objective,Scope,and Methodology The Department

137、of Homeland Security Office of Inspector General was established by the Homeland Security Act of 2002(Pub.L.No.107296)by amendment to the Inspector General Act of 1978.We conducted this audit to determine how well S&T has managed R&D activities aimed at improving critical infrastructure security and

138、 resilience.The scope included two focus areas outlined in the IIJA:Focus Area 2(Electromagnetic Pulse and Geomagnetic Disturbance Resilience Capabilities)and Focus Area 4,(Public Safety and Violence Prevention/Soft Target Security)and the related PECs for FYs 2018 through 2022.To accomplish our obj

139、ective,we obtained and reviewed relevant Federal laws,as well as DHS and S&T policies,procedures,and guidance related to R&D activities.We reviewed and analyzed prior DHS OIG and GAO audit reports related to the audit objective.We conducted interviews with S&T officials and obtained relevant documen

140、ts from various offices to better understand roles and responsibilities related to critical infrastructure R&D activities,including policies and procedures followed and funding.These interviews included,but were not limited to:Office of Enterprise Services MCS Office of Science and Engineering Innov

141、ation and Collaboration Strategy and Policy Office Finance and Budget Division We also interviewed data systems and financial management officials and the program and project managers responsible for the projects included in our review.Additionally,we obtained relevant documents related to the BPF a

142、nd S&Ts systems,including STATS and FFMS.We determined S&T used 13,044 PECs during the audit period of FYs 2018 through 2022.From these,we identified and reviewed 23 PECs consisting of 14 critical infrastructure projects(9 MCS and 5 Innovation and Collaboration)and 7 programs(6 MCS and 1 Innovation

143、and Collaboration).We assessed internal controls related to S&Ts management of R&D activities.We identified weaknesses with S&Ts reliance on components prioritization processes,not using project management best practices,and not validating R&D project management data.These internal www.oig.dhs.gov 1

144、5 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security control deficiencies are discussed in the“Results of Audit”section of this report.Because our review was limited to these internal control components and underlying principles,it may not have discl

145、osed all internal control deficiencies that may have existed at the time of this audit.As part of this audit,we coordinated with the DHS OIG Office of Innovations Data Services Division,which provided technical support.To determine data reliability,the DHS OIG Office of Innovations Data Services Div

146、ision obtained access to S&T information systems and coordinated with the audit team to provide various system reports for use in our review.Using information from these reports and S&T-provided data,we assessed and reconciled the completeness and accuracy of the PECs,obligations,and expenditures.We

147、 determined the PEC universe was sufficiently reliable,and we identified and reviewed 14 critical infrastructure projects.However,as documented in our report,we determined that expenditures and obligations were unreconcilable across S&Ts two systems,FFMS and STATS.Although information system control

148、 deficiencies were identified,as described in the body of the report,we determined the subsequent data in FFMS was sufficiently reliable for the purposes of this audit.We conducted this audit from September 2022 through April 2024,pursuant to the Inspector General Act of 1978,5 United States Code 40

149、1424,and according to generally accepted government auditing standards.Those standards require that we plan and perform the audit to obtain sufficient,appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.We believe that the evidence obtain

150、ed provides a reasonable basis for our findings and conclusions based on our audit objectives.DHS OIGs Access to DHS Information During this audit,S&T provided timely responses to our requests for information and did not delay or deny access to information we requested.www.oig.dhs.gov 16 OIG-24-47 O

151、FFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix B:S&T Comments on the Draft ReportJune 25,2024 U.S.Depaltment of IJomehrnd Security Washington,DC Science and Technology MEMORANDUM FOR:Joseph V.Cuffa1i,Ph.D.Inspector General SUBJECT:ANGELA ANGELA M N

152、OYES M NOYES Date:2024.06.25 09:47:38-0400 FROM:Angela Noyes Senior Component Accountable Official OHS Science and Technology Directorate Digitally signed by Management Response to Draft Report:S&T T Inconsistently Managed Critical lnfrastmcture Security and Resilience Research and Development Activ

153、ities(Project No.22-057-AUD-S&T)Thank you for the opportunity to comment on this draft report.The U.S.Departrnent of Homeland Secmity(DHS,or the Department)Science and Technology Directorate(S&T)appreciates the work of the Office oflnspector General(OTG)in planning and conducting its review and issu

154、ing this report.S&T leadership is pleased to note OIGs positive recognition that S&T is actively making efforts to improve processes.For example,on July 27,2022,S&T contracted with the Homeland Security Operational Analysis Center(HSOAC),a DHS federally funded research development center,to evaluate

155、 S&T internal processes of the Business Process Flow(BPF)and recommend areasfor improvement.In addition,from February2021 to January 2023,S&T undertook extensive cross-Department work to establish the Innovation,Research,and Development Coordination(IRDC)Council to address DHS-wide and cross-Compone

156、nt coordination,strategic planning,and long-term resourcing of innovation and research and development(R&D).This effort ultimately led to the signing and release of the DHS Innovation,Research and Development(IRD)Strategic Plan,Fiscal Years 2024-2030(IRD Strategic Plan).1 S&T remains committed to pr

157、oviding scientific and technical expertise to develop sound program and project management principles and address outstanding critical infrastructure ofR&D projects.S&T leadership,however,does not agree with OTGs assessments that,S&T detennined to spend the$157.5 million in lnfrastmcture Investment

158、and Jobs Act(IIJA)2 funds for 1 Dated May 13.2024;https:/www.dhs.gov/science-and-technology/publication/dhs-ird-strategic-plan-fv24-30 2 P.L.117-58.Division J.www.dhs.go,J science-aucl-technology www.oig.dhs.gov 17 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Ho

159、meland Security R&D activities without evaluating the projects strategic value across DHS or that S&T may not be using IIJA and other R&D funds to address the Nations highest risks.In fact,throughout this audit,S&T provided OIG with documentation and comments demonstrating the mindful approach S&T t

160、ook with IIJA funding.On April 25,2022,for example,S&T created the Critical Infrastructure Security and Resilience Research(CISRR)program in response to the IIJA,working with the Cybersecurity and Infrastructure Security Agency(CISA),the Transp011ation Security Administration(TSA),and the DHS Specia

161、l Events Program on the approach CISRR would take.As part of the Departments deliberate and thoughtful approach to evaluate the strategic value of these R&D activities,the CISRR effort to address the IIJA took into consideration Research,Development,Test and Evaluation(RDT&E)needs identified by CISA

162、,TSA,and the Special Events Program,as well as information from CISA risk advisors regarding working with partners to defend against threats and collaborating to build a more secure and resilient infrastructure for the future.Further,the appropriate R&D focus areas for IIJA funds,as specified in the

163、 IIJA legislation,included areas of research for which S&T and CISA had previously unfunded requirements(i.e.,projects)that had been through the review and selection process.To address risk in their R&D eff011s,S&T utilizes twelve DHS Component Integrated Product Teams(IPTs),five Component collabora

164、tions(non-IPTs),and the IRDC Council to inform S&T investment strategies,each of which consider the risk landscape.It is inaccurate and misleading to suggest that these activities are not addressing risk,or collectively not addressing the Nations highest risks.It is also important to note that,over

165、the years,S&Ts budget has fluctuated from$1.4 billion in fiscal year(FY)2006 to$744 million in FY 2024,making it difficult to execute planned R&D activities.The IIJA funding allowed S&T the opportunity to develop sound program and project management principles and address outstanding critical infras

166、tructure projects not previously selected due to limited funding.The draft report contained four recommendations with which S&T concurs.Enclosed find our detailed response to each recommendation.S&T previously submitted technical comments addressing several accuracy,context,and other issues under a

167、separate cover for OIGs consideration.Again,thank you for the opportunity to review and comment on this draft report.Please feel free to contact me if you have any questions.We look forward to working with you again in the future.Enclosure 2 www.oig.dhs.gov 18 OIG-24-47 OFFICE OF INSPECTOR GENERALOF

168、FICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Enclosure:Management Response to Recommendations Contained in 22-057-AUD-S&T OIG recommended that the Under Secretary for S&T:Recommendation 1:Clearly identify the appropriate entity with the authority and responsibility for updating crit

169、ical infrastructure research and development strategic plans and annual homeland threat assessments and ensure that entity publishes each document in accordance with each of the prescribed timeframes.Response:Concur.The S&T Office of Strategy and Policy is primarily responsible for coordinating and

170、publishing applicable R&D plans,to include updating guidance that removes any S&T requirement to produce threat assessments under the exclusive purview of other DHS Components and offices,as appropriate.Further,S&T will work closely with the CISA in CISAs development of the National Infrastructure R

171、isk Management Plan(NIRM Plan),which will be informed by sector-specific and cross-sector risk assessments.Following finalization of the NIRM Plan,S&T will produce a R&D plan to address critical infrastructure RDT&E needs.S&T will also continue to utilize its IPT with CISA and the IRD Strategic Plan

172、 to identify DHS-wide/cross-Component critical infrastructure RDT&E priorities.Estimated Completion Date(ECD):August 29,2025.Recommendation 2:Establish a formal,risk-based process that incorporates strategic plans and threat assessments to prioritize the Departments R&D projects and activities ident

173、ified by the components and integrated product teams.Response:Concur.DHS currently utilizes existing strategic plans that sufficiently address this recommendation by using a risk-based approach to identify DHS-wide/cross-Component RDT&E priorities.The Departments IRDC Council,which was chartered in

174、January 2023,serves as the senior-level executive body overseeing DHS-wide coordination,strategic planning,and long-term resourcing of innovation and R&D,which includes basic research,applied research,development,test and evaluation,technology improvement,and innovation efforts.The IRDC Council also

175、 serves as the executive governing body for the DHS R&D Coordination Process,in accordance with DHS Directive 069-02,Revision 2.3 The Councils goal is to ensure that the most pressing challenges faced by the Department have appropriate and effective investments to support mission achievement.Accordi

176、ngly,analysis performed under the IRDC Council enables S&T,and DHS as a whole,to optimize investment,reduce the risk of duplication,ensure complementary efforts,and provide focus on common challenges regarding DHS R&D projects and activities.This is accomplished through effective governance,3 Resear

177、ch and Development Coordination,dated February 19,2020.3 www.oig.dhs.gov 19 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security oversight,coordination,and guidance to all DHS and Component-level programs conducting innovation and R&D in support of DHS

178、 capabilities and mission objectives.The Departments IRD Strategic Plan for FY 2024-2030 integrates internal DHS strategies and provides external partners with Department demand signals for future partnerships.From February to October 2023,S&Ts Operations and Requirements Analysis(ORA)division worke

179、d with all DHS Components and offices to build this IRD Strategic Plan,to include inventorying current IRD activities;conducting a strength,weakness,opportunities,and threat analysis;holding a futures workshop;collecting Component future trend assessments(risks,threats,challenges);and reviewing nati

180、onal,DHS,and Component IRD strategies and guidance.S&Ts ORA also held a public Technology and Innovation Network workshop on October 30,2023,to present and gather feedback on the plan.In addition,the IRD Strategic Plan highlights complementary efforts underway across the DHS Homeland Security Enterp

181、rise(HSE),which consists of federal,state,local,tribal,territorial,nongovernmental,and private sector entities,as well as individuals,families,and communities who share a common national interest in the safety and security of the United States and its people.Further,the IRD Strategic Plan inventorie

182、s current and future IRD efforts within DHS,organized by the DHS Missions and Objectives in The Third Quadrennial Homeland Security Review.4 By capturing these initiatives in a comprehensive plan,the Department can better align IRD to the desired outcomes of the DHS Missions and Objectives,as well a

183、s identify cross-cutting IRD themes that provide opportunities for making impacts towards meeting multiple desired outcomes.These initiatives are articulated as Strategic Priority Research Areas(SPRAs),which are cross-cutting assemblies of enduring scientific efforts that provide a means for address

184、ing priority needs across multiple HSE mission areas and provide the Department an overarching path for future investments for FY 2024-2030.The identified SPRAs include:(1)Advanced Sensing;(2)Artificial Intelligence and Autonomous Systems;(3)Biotechnology;(4)Climate Change;(5)Communications and Netw

185、orking;(6)Cybersecurity;(7)Data Integration,Analytics,Modeling,and Simulation;and(8)Digital Identity and Trust.In addition,the IRD Strategic Plan addresses the objective to strengthen the security and resilience of critical infrastructure by identifying future IRD capabilities needed for mission suc

186、cess through FY 2030.Specifically,DHS must detect and prevent threats to critical infrastructure on which National Critical Functions(NCFs)rely,while also improving critical infrastructures security,resilience,and attack mitigation.Doing so will minimize the impact of attempts to infiltrate,exploit,

187、disrupt,or destroy critical infrastructure systems,networks,and NCFs they enable.4 Dated April 2023;https:/www.dhs.gov/quadrennial-homeland-security-review.4 www.oig.dhs.gov 20 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security However,DHS cannot mit

188、igate threats it does not see,which requires expanding its operational visibility of threats to critical infrastructure.DHS S&T,to include ORA and several other offices coordinating as appropriate,is planning substantial future IRD to provide research and tools for event risk assessments;protection

189、against impacts of climate change,electromagnetic pulses,and geomagnetic disturbance;protection of position,navigation,and timing systems;public safety for soft targets and crowded places;testing of new telecommunications equipment;exploration of artificial intelligence and machine learning to incre

190、ase resiliency;testing and security of industrial control systems;and security for open-source software.The following SPRAs are expected to make impacts in meeting desired outcomes associated with this objective:Advanced Sensing;Artificial Intelligence and Autonomous Systems Biotechnology;Climate Ch

191、ange;and Cybersecurity.S&T requests that the 010 consider this recommendation resolved and closed,as implemented.Recommendation 3:Develop and implement improved controls to ensure all S&T offices adhere to program and project management principles in accordance with the Operating Model Blueprint,inc

192、luding,but not limited to,policies,procedures,and training.These controls should ensure that tailored project approaches are documented and approved,standardized project management language is used,project and program plans are appropriately integrated,and roles and responsibilities are clearly defi

193、ned.Response:Concur.S&T agrees with the imp01tance of continuously tracking,evaluating,and improving internal processes to become more efficient and effective.In 2022,for example,senior S&T leadership recognized the need to improve internal processes of the BPF 2.0 version,and hired the HSOAC to per

194、form an assessment and provide recommended areas of improvement to the effectiveness and efficiency of BPF 2.0.On November 15 and 16,2022,S&T ORA conducted Directorate wide workshops in coordination with HSOAC to gain current perspectives as a baseline,and on February 28,2023,a second Directorate wi

195、de workshop was conducted in coordination with HSOAC to review potential recommended improvements.HSOAC completed their assessment and provided recommendations in May 2023.S&T has since addressed these HSOAC recommendations,and in June 2023,S&T leadership took actions to address these recommendation

196、s,and issued decisions to improve the following four critical areas of the BPF:(1)Governance and Process Ownership;(2)BPF Process Management Office;(3)Intake and Triage and R&D Lifecycle Teams;and(4)Centralized Tracking ofR&D efforts.5 www.oig.dhs.gov 21 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE O

197、F INSPECTOR GENERAL U.S.Department of Homeland Security Since implementation of these decisions,S&T has seen tremendous improvement,such as(but not limited to)a reduction in time between intake and project/activity approval from 15 months to 6 months(conduct prioritization,decomposition,tech scoutin

198、g,solution analysis,business case analysis,project pitch,and approval),which amounts to a 250 percent increase in efficiency.This improvement also includes the creation of a centralized BPF tracker system that monitors and reports RDT&E needs as they progress through the lifecycle,integration of int

199、ernal matrix teams and standards,tailoring of approaches to identified RDT&E needs,and creation of a change control board configuration.Currently,S&T is now pursuing updates,as appropriate,to strengthen BPF 3.0,which is being planned for completion before the end of FY 2024.S&T is also currently dra

200、fting updated IPT Guidebooks,which will include integration of BPF decision-making,provide direct tie-in to the IRD Strategic Plan,and provide more instruction on cross-component analysis.ECD:August 29,2025.Recommendation 4:Develop and implement data validation controls to ensure accurate and consis

201、tent financial and project information in S&Ts centralized project tracking system,including,but not limited to,implementation policies,procedures,and training.Response:Concur.S&Ts Finance and Budget Division(FBD)will conduct informational sessions/trainings to demonstrate how S&T Analytical Trackin

202、g System(STATS)can be used to track project information to ensure policies and procedures are being followed,as well as provide clear expectations of when to use the terms program,project,and activity.In October 2023,S&Ts FBD initiated corrective actions to identify and correct inaccuracies and inco

203、nsistencies between the Federal Financial Management System and STATS data,and by January 2024 had established a data cleansing team and began developing several data visualization tools.ECD:August 29,2025.6 www.oig.dhs.gov 22 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Depa

204、rtment of Homeland Security Appendix C:List of Programs and Projects within the Audit Scope Table 1.Table 1.CritiCritical Infrastructurecal Infrastructure MCSMCS ProgramsPrograms and Projectsand Projects No.No.PECPEC ProgramProgram ProjectProject 1 62-03-09-001 62-03-09-002 62-03-09-003 Explosives D

205、etection(now Physical Security)Mass Transit 2 62-03-18-001 Explosives Detection(now Physical Security)Soft Target Crowded Places Security 3 63-03-02-001 63-03-02-002 63-03-02-101 Explosives Threat Assessment Homemade Explosives Identification,Detection and Mitigation 4 65-09-06-002 Community and Inf

206、rastructure Critical Infrastructure Resilience 5 65-09-07-001 65-09-07-002 65-09-07-003 CISRR CISRR Electromagnetic Pulse and Geomagnetic Disturbance Resiliency 6 68-02-01-001 Countering Violent Extremism Public Safety Violence Prevention 7 68-02-02-001 68-02-02-002 CISRR CISRR Public Safety and Vio

207、lence Prevention 8 68-03-01-001 Physical Security Soft Target,Vehicle,School Safety 9 68-03-03-001 68-03-03-002 68-03-03-003 CISRR CISRR Soft Target Physical Security Source:STATS and S&T officials Table 2.Innovation and Collaboration Table 2.Innovation and Collaboration Critical Infrastructure Crit

208、ical Infrastructure Centers of ExcellenceCenters of Excellence No.No.PECPEC ProgramProgram Project(Center of Excellence)Project(Center of Excellence)1 40-01-10-001 DHS Centers Awareness and Localization of Explosives-Related Threats(ALERT)-Emeritus28 2 40-01-14-001 DHS Centers National Counterterror

209、ism Innovation,Technology,and Education Center(NCITE)3 40-01-17-001 DHS Centers Critical Infrastructure and Resilience Institute(CIRI)4 40-01-24-001 DHS Centers National Counterterrorism Innovation,Technology,and Education Center(NCITE)5 40-01-25-001 DHS Centers Soft-Target Engineering to Neutralize

210、 the Threat Reality(SENTRY)Source:STATS and S&T officials 28 Emeritus Centers of Excellence are centers that have completed the term of their cooperative agreement.www.oig.dhs.gov 23 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix D:S&T C

211、ISRR Focus Area Descriptions Focus Area 1 Special Event Assessment Rating Planning Tools This focus area aims at enhancing physical security at special events by providing assistance,such as explosive detection canine teams,cyber risk assessments,venue screening and field intelligence teams,and air

212、security and tactical operations support.Focus Area 2-Electromagnetic Pulse and Geomagnetic Disturbances Electromagnetic Pulse and Geomagnetic disturbance events could heavily impact large-scale infrastructure by disrupting or permanently damaging critical electrical components and systems.This focu

213、s area aims at improving the understanding of the effects of these events on communications infrastructure through research and delivering this information to critical infrastructure owners and operators.Focus Area 3-Position,Navigation,and Timing Capabilities U.S.critical infrastructure depends on

214、reliable positioning,navigation,and timing capabilities and any disruption or damage of these services could send cascading effects throughout the infrastructure networks including safety-of-life issues and complete system failure.This focus area aims at developing various methods,such as approaches

215、,best practices,and solutions that ensure the continued resilience of critical infrastructure if a position,navigation,and timing event were to occur.Focus Area 4-Public Safety and Violence Prevention/Soft Target Security Soft targets and crowded places are at risk of foreign and domestic terrorist

216、attacks.This focus area aims at improving security efforts related to the prevention,protection,response,and mitigation of potential attacks to soft targets and crowded places,including improving capabilities in countering improvised explosive devices.Focus Area 5-Security Testing Capabilities for T

217、elecommunications Equipment,Industry Control Systems,and Open-Source Software This includes telecommunications networks to factories,power plants,water systems,industrial facilities,and other critical infrastructure that are at risk of cybersecurity attacks.This focus area aims at improving capabili

218、ties related to threats to telecommunications networks,cybersecurity,and open-source software.www.oig.dhs.gov 24 OIG-24-47 OFFICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix E:S&Ts BPF Processes and Decision Points BPF Processes and Decision PointsBPF

219、 Processes and Decision Points PhasePhase ProcessProcess Decision PointsDecision Points Understand Needs 1:Collect Customer Needs D1:S&T Gap/Need Prioritization 2:Gap Decomposition and Customer Validation D2:Customer Validates Refined Gap/Need and Priority Apply a Deliberate Approach to Addressing N

220、eeds 3:Define Solution Approaches D3:Customer Determines Viability of Solution Approaches 4:Business Case Analysis D4:Customer Confirms/Selects Solution Path 5:Project Pitch D5A:S&T Executive-Level Project Approval D5B:Customer Contributes Resources Execute Efficiently and Effectively 6:Project and

221、Resource Planning D6:Customer Agrees to Move Forward with Project Plan 7:Solution Execution and Assessment D7:Customer Accepts Solution 8:Solution Delivery None 9:Post-Delivery Close-out None Source:S&Ts Understanding S&Ts Business Process Flow www.oig.dhs.gov 25 OIG-24-47 OFFICE OF INSPECTOR GENERA

222、LOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix F:Major Contributors to This Report The Office of Audits major contributors to this report are Yesi Starinsky,Audit Director;Ruth Blevins,Audit Director;Douglas Campbell,Audit Manager;John Schmidt,Auditor-in-Charge;Lauren Bull

223、is,Auditor;Rebecca Hetzler,Auditor;Tanya Suggs,Auditor;Kevin Dolloson,Communications Analyst;and Nadine F.Ramjohn,Independent Reference Reviewer.The Office of Innovation major contributors are Gaven Ehrlich,Supervisory Program Analyst and Joseph Welton,Program Analyst.www.oig.dhs.gov 26 OIG-24-47 OF

224、FICE OF INSPECTOR GENERALOFFICE OF INSPECTOR GENERAL U.S.Department of Homeland Security Appendix G:Report Distribution Department of Homeland Security Secretary Deputy Secretary Chief of Staff Deputy Chiefs of Staff General Counsel Executive Secretary Director,GAO/OIG Liaison Office Under Secretary

225、,Office of Strategy,Policy,and Plans Assistant Secretary for Office of Public Affairs Assistant Secretary for Office of Legislative Affairs S&T Audit Liaison Office of Management and Budget Chief,Homeland Security Branch DHS OIG Budget Examiner Congress Congressional Oversight and Appropriations Com

226、mittees Additional InformationAdditional InformationTo view this and any other DHS OIG reports,Please visit our website:www.oig.dhs.govFor further information or questions,please contact the DHS OIG Office of Public Affairs via email:DHS-OIG.OfficePublicAffairsoig.dhs.govDHS OIG HotlineDHS OIG Hotli

227、neTo report fraud,waste,abuse,or criminal misconduct involving U.S.Department of Homeland Security programs,personnel,and funds,please visit:www.oig.dhs.gov/hotlineIf you cannot access our website,please contact the hotline by phone or mail:Call:1-800-323-8603U.S.Mail:Department of Homeland SecurityOffice of Inspector General,Mail Stop 0305Attention:Hotline245 Murray Drive SWWashington,DC 20528-0305