Follow-up Review of the FBI’s Progress Toward Biometric Interoperability Between IAFIS and IDENT
Evaluation and Inspections Report I-2006-007
July 2006
Office of the Inspector General
The FBI and the DHS are implementing the first phase of a three-phase plan for achieving full interoperability. In May 2005, the DHS Secretary announced that the DHS would adopt a 10‑fingerprint collection standard for enrolling visitors into US‑VISIT, as recommended in the NIST Technology Standard. The DHS’s decision to modify US‑VISIT resolved the first of two major barriers that had created an impasse toward achieving interoperability between IAFIS and IDENT.48 On May 19, 2005, the DHS sent a memorandum to the Homeland Security Council stating that it would modify the US‑VISIT program as soon as practicable to use 10 flat fingerprints for enrollment and 2 flat fingerprints for identity verification. The Homeland Security Council concurred with the DHS’s decision and stated in a “summary of conclusions” dated June 7, 2005, that “it should be the policy of the United States Government that biometric screening of foreign visitors to the United States be based on a fingerprint standard requiring 10-[finger]print capture at enrollment and 2-[finger]print verification thereafter.” The resolution of the impasse has allowed the FBI and the DHS to begin planning their approach to achieving full interoperability of the fingerprint systems. The FBI and the DHS currently are implementing the first phase of a three-phase plan that is intended to produce a joint, automated system for the reciprocal sharing of key immigration and law enforcement data. Appendix II contains a table showing significant interoperability-related events during 2005. The FBI and the DHS have formed a working group and established a three-phase plan for achieving full interoperability. In May 2005, the FBI (through the CJIS Division), DHS (through the US-VISIT office), and DOS formed the IPT to coordinate efforts to achieve full interoperability. The IPT charter sets out guiding principles to serve as the foundation for sharing biometric and related information among the agencies in accordance with each agency’s mission.49 Since its creation, the IPT has produced several key interoperability planning documents, including the DHS/US-VISIT & DOJ/FBI Interoperability Concept of Operations and the DHS/US-VISIT & DOJ/FBI Interoperability Business Requirements.50 All issues regarding the interoperability of IAFIS and IDENT are vetted through the IPT and its sub-teams. The IPT plans to accomplish full interoperability in three phases. A brief description of the capabilities planned for each phase follows, while the phases themselves are described in more detail later in this report. According to CJIS Division officials who participate on the IPT, the interoperability efforts were on schedule as of June 2006.
The FBI and the DHS are developing the first phase of the interoperability plan. For the interim interoperability development phase, the FBI and the DHS established the following objectives: (1) meet both agencies’ most urgent requirements for data access; (2) share data in both directions; (3) serve as a prototype of technical concepts for full interoperability; and (4) not detract from achieving full interoperability in terms of cost, schedule, effort, and technical architecture. To meet these objectives, the FBI and the DHS began developing the interim Data Sharing Model (iDSM).53 According to the iDSM Project Concept of Operations, the iDSM will deliver the first interoperable biometric data capability between the DHS and the FBI by allowing both agencies to share read-only copies of selected immigration and law enforcement data.54 For the iDSM to become operational, the FBI and the DHS must identify the records to be shared and exchange the replicated files containing the selected records. Data to be shared through the iDSM. In September 2005, the FBI, DHS, and DOS signed a letter of concurrence stipulating the data to be shared among agencies and the terms governing the use, disclosure, and protection of the shared data. As of June 2006, the FBI and the DHS had agreed to exchange read-only copies of records identified as being the most useful to support the other agency’s mission and data that would support IAFIS and IDENT users’ needs. According to iDSM planning documents, both the FBI and the DHS are responsible for updating the data that they share (e.g., expunging records or substituting records with better quality fingerprint images) through an automated process. The FBI’s data. The FBI is planning to transfer all of the approximately 800,000 IAFIS Wants and Warrants records that have fingerprints associated with them to provide the DHS with access to the complete set of these records.55 Once the iDSM becomes operational, the DHS should have access to all fingerprint records of subjects with active warrants, including U.S. citizens, and the current daily extract process will be eliminated.56 According to the iDSM Concept of Operations, the DHS’s access to the full set of Wants and Warrants records will facilitate better decision-making about an individual’s admissibility, eligibility for immigration benefits, or deportability from the United States. Access also will allow the DHS to detain individuals who have outstanding arrest warrants and notify the appropriate law enforcement agency. Once all the Wants and Warrants data is available, IDENT users should be able to submit one transaction and receive the FBI’s and the DHS’s shared criminal history, biographic, and immigration information on the subject whose fingerprints are being searched. The DHS plans to conduct up to 250,000 fingerprint searches of visitors per day against the Wants and Warrants data. In addition to developing the iDSM to provide the interim interoperability capability, the FBI also has taken steps to improve the records available to the DHS until the iDSM becomes operational. On November 30, 2005, the FBI began expanding the daily Wants and Warrants records extracted from IAFIS to provide the DHS with all newly issued or updated warrants created after November 2005, including those for U.S. citizens. The FBI provides up to 2,500 of these records to the DHS each day. Although technical limitations restrict the number of daily extracts to IDENT, the expansion is nonetheless increasing the information immediately available to the DHS. The DHS’s immediate access to these additional records allows immigration officials to conduct fingerprint searches using more complete and current information. The DHS’s data. The DHS is planning to transfer 2 sets of records from IDENT to the iDSM: the approximately 16,000 Visa Denial and the approximately 390,000 Expedited Removal records.57 The DHS does not currently provide the FBI – or the over 70,000 federal, state, and local law enforcement agencies that contribute to IAFIS – copies of any immigration data. The agencies chose to include those records in the iDSM because they were viewed as being most useful to law enforcement officials.58 According to the iDSM Concept of Operations, these immigration records will help the FBI and other IAFIS users establish the identity of individuals they encounter, determine whether someone is in the United States illegally, conduct better risk assessments, protect officer safety, and enhance law enforcement agencies’ ability to develop comprehensive history and threat profiles. The FBI plans to conduct searches of at least 1,000 fingerprint submissions per day against these DHS records. As of June 2006, the DHS had not begun providing copies of these records to the FBI, but DHS officials told us that they would be able to transfer both sets of records to the iDSM by September 3, 2006. CJIS Division officials stated that the initial iDSM storage capacity for the FBI’s and the DHS’s replicated files will accommodate up to 1 million records each. They explained that the FBI and the DHS designed each data storage component to accommodate about twice that amount of records to allow for growth and to prevent the need to immediately upgrade the iDSM. Status of system development. FBI and DHS officials told us that, as of June 2006, the development of the iDSM was on schedule to become operational on September 4, 2006. CJIS Division officials stated they were in the process of purchasing the hardware and software needed for the storing of the replicated files. According to documents the CJIS Division provided, the hardware and software must be delivered by July 2006 to maintain that schedule. On September 4, 2006, when the iDSM is expected to be fully populated with copies of the Wants and Warrants, Visa Denial, and Expedited Removal records, the FBI and the DHS plan to begin testing and using the iDSM. Once the iDSM is operational, the FBI plans to enable three agencies to submit fingerprint searches through IAFIS to be run against the DHS’s records. The three agencies are the Boston Police Department, the Texas Department of Public Safety, and the U.S. Office of Personnel Management. Those agencies represent state and local law enforcement and a federal agency authorized to conduct fingerprint searches for non-criminal justice purposes. The FBI is planning to divide the initial iDSM search capacity of 1,000 daily fingerprint searches among those three agencies. The FBI and the DHS plan to test the iDSM’s effectiveness by tracking the number of fingerprint searches each agency performs, the number of hits and positive identifications resulting from those searches, the number of individuals apprehended as a result of the positive identifications, the number of false positives, the transfer and storage of data in the iDSM, and the hardware and software performance. If successful, the iDSM will be instrumental in establishing the foundation for full interoperability between IAFIS and IDENT. The DHS’s access to the full set of Wants and Warrants records will help reduce the risk of unknowingly admitting criminal aliens into the United States, including those claiming to be U.S. citizens. Once all the Wants and Warrants containing fingerprint data are transferred to the iDSM, immigration officials will be able to search visitors’ fingerprints against all of these records rather than a subset. Similarly, the FBI’s access to the Visa Denial and Expedited Removal records will help identify illegal aliens. The FBI’s access to those immigration records is significant because, for the first time, the FBI will be able to search fingerprint records in IAFIS against those in IDENT. The FBI and the DHS plan to implement the remaining two interoperability phases by December 2009. To achieve full interoperability, the FBI and the DHS must next complete the final two interoperability phases (IOC and FOC). The IOC development phase is planned to begin on September 4, 2006, and continue through July 2008. The FOC development phase is to begin in July 2008 and end by December 2009 with full interoperability. During the IOC phase, the FBI and the DHS plan to choose a technical solution, expand data sharing, and broaden access to the data. At the beginning of the IOC development phase, the FBI and the DHS must decide on one of three technical solutions currently under consideration for full interoperability. The three technical solutions, described below, are referred to as the shared data model, the shared services model, and a base case option. Shared data. This model involves the FBI and the DHS exchanging, and conducting searches against, read‑only copies of each other’s fingerprint data. Under the shared data model, the FBI and the DHS would independently maintain their own biometric (fingerprint) and biographic data, but would provide a copy of the fingerprint data to the other agency. The receiving agency would be responsible for searching the data and requesting the associated biographic information when a match is encountered. The replicated data also would provide an offsite, 24-hour backup for IAFIS and IDENT data, which the agencies plan to keep updated in near real time. The iDSM has a shared data component because it allows both agencies to access copies of the same biometric data (e.g., Wants and Warrants, Visa Denials, and Expedited Removals). Shared services. This model involves the FBI and the DHS each sending fingerprint search transactions directly to the other agency’s automated system. The shared services model would not utilize copies of the FBI’s and the DHS’s fingerprint data. Instead, each agency would maintain control over its data by requesting that the other agency perform a fingerprint search and return the associated biographic information. This model is similar to the current process whereby the DHS sends fingerprint searches (TPRS transactions) directly to IAFIS through the IDENT/IAFIS workstations and requests the criminal history or immigration information associated with any fingerprint matches. The iDSM has a shared services component because it allows both agencies to request biographic and criminal history data from the agency that owns it when a fingerprint match is found. Base case. Finally, the IPT is also considering a base case option, which refers to a slightly improved version of the operational iDSM. According to the FBI, this would encompass the DHS’s efforts to modernize IDENT as they occur. Although the FBI and the DHS have not made a final decision on the technical solution for full interoperability, they are implementing the iDSM as a prototype to test the shared data approach. CJIS Division officials stated that they are currently working on a cost-benefit analysis to determine the most efficient solution and estimate the necessary costs. The cost-benefit analysis is due to be completed by August 2006. CJIS Division officials stated that after September 3, 2006, when the iDSM is expected to become operational, they will test the technology for 30 to 90 days. The FBI and the DHS plan to make the records in the iDSM available for conducting fingerprint searches throughout the 22‑month duration of the IOC development phase. Both agencies plan to track and evaluate the number of fingerprint searches performed against the other agency’s records and the number of positive identifications resulting from the searches. During the IOC phase, the FBI and the DHS expect to have access to one another’s basic immigration and criminal history information associated with any fingerprint searches that result in a match. Specifically, the FBI and the DHS plan to: (1) expand the data shared between them; (2) establish the initial fingerprint search capacity and storage needed for full interoperability; (3) allow federal, state, and local agencies limited access to immigration data, which includes basic biographic data; and (4) provide immigration authorities full access to criminal history information. Expanded data sharing. During the IOC phase, the FBI and the DHS plan to expand the data accessible to each agency beyond the records initially selected for sharing through the iDSM. During the IOC phase, the FBI expects to have access to all biometric records in IDENT, and the DHS expects to have access to all biometric records from the IAFIS Criminal Master File.59 The method of providing this access will depend on which of the technical solutions (shared data or shared services) the IPT selects (the base case would not provide access to all biometric records in IDENT and IAFIS because it includes only the iDSM records). For example, if the shared data model is chosen, both agencies would exchange copies of additional IAFIS and IDENT data, beyond the records in the iDSM. Fingerprint search capacity and storage. The FBI and the DHS also expect to establish the initial fingerprint search and storage capacity needed for full interoperability during the IOC phase.60 The CJIS Division plans to search a subset of its federal, state, and local agencies’ IAFIS transactions against the DHS’s records. Specifically, the CJIS Division plans to conduct up to 1,000 initial fingerprint searches per day of selected criminal arrestees and federal employees in positions of public trust or national security against the DHS’s records in the iDSM. By the end of the IOC development phase, the FBI plans to increase those fingerprint searches to approximately 50,000 per day and increase the storage capacity to accommodate all the records that will be in IAFIS and IDENT by FY 2009. Federal, state, and local agencies’ limited access to immigration data. During the IOC development phase, the FBI plans to allow any agency – beyond the three pilot agencies – to request a fingerprint search against the DHS’s records. The agencies may be federal, state, or local law enforcement or civil agencies conducting non-criminal justice searches. The FBI’s current system receives approximately 60,000 search requests per day from all such agencies. Currently, FBI and other law enforcement personnel can obtain immigration data on a foreign national who is a “subject of interest” by submitting the subject’s name to the DHS’s Law Enforcement Support Center (LESC).61 During IOC, the LESC will continue to provide support to the FBI. When the FBI finds a match of a subject’s fingerprints against IDENT data, it plans to request the associated immigration data from the LESC. However, as of June 2006, FBI officials indicated that the amount and types of immigration data that the LESC would provide had not been determined. The FBI plans to request the data from the LESC by submitting an electronic request known as an Immigration Alien Query, to which the LESC will return an automated response. The FBI will then provide that response back to the requesting agency. Officials from the CJIS Division and US-VISIT office recently met with LESC representatives to plan for the additional workload. According to the iDSM Concept of Operations, the initial submissions to the LESC will not exceed 80 requests per day. Immigration authorities’ full access to criminal history data. For criminal justice purposes, the DHS plans to obtain criminal history information through the existing procedure whereby it submits a query to the FBI’s National Crime Information Center. For non-criminal justice agencies (e.g., the DOS), the FBI will provide the criminal history information associated with a fingerprint match after it makes a positive identification in IAFIS. During the FOC phase, the FBI and the DHS are planning to achieve full interoperability. The FBI and the DHS plan to begin developing the FOC phase in July 2008, after completion of the IOC phase. The FOC phase is scheduled to be developed over 17 months, ending in December 2009, and is to achieve full interoperability among IAFIS, IDENT, and US-VISIT. According to CJIS Division officials, however, implementing the FOC development phase will be affected by the progress of two separate projects that we discuss later in this report: the CJIS Division’s development of a new version of IAFIS and the DHS’s modernization of IDENT. The FOC phase is intended to be an expansion of the IOC phase and is planned to: (1) provide complete, standardized data sharing between the FBI and the DHS; (2) increase fingerprint search capacity and storage to accommodate more transactions; and (3) allow federal, state, and local agencies full access to immigration data. Standardized data sharing. By the end of the FOC development phase, IAFIS and IDENT users are expected to be able to submit a single request that searches all fingerprint records maintained by the FBI and the DHS to receive associated criminal history and immigration information about the subject. The searches are to be based on fingerprints, although interoperability planning documents indicate that expansion to palm prints, facial recognition, and other biometrically based methods may be developed and used by the agencies in the future in a final interoperability solution (beyond FOC).62 The method of providing this information will depend on which of the technical solutions (shared data, shared services, or a base case) the IPT selects. Increased fingerprint search capacity and storage. CJIS Division officials stated that by the end of the FOC phase, the federal, state, and local agencies’ capacity to search against the DHS’s records will increase from the planned IOC capacity of approximately 50,000 transactions per day to approximately 200,000 per day, a level that according to CJIS Division officials, will accommodate all requests. The FBI and the DHS are also planning to increase the storage capacity of the interoperability solution to accommodate all the records that will be in IAFIS and IDENT by FY 2010. Federal, state, and local agencies’ full access to immigration data. By the end of the FOC development phase in December 2009, the FBI and the DHS are planning to allow all federal, state, and local law enforcement agencies, as well as authorized non-criminal justice agencies, full access to the DHS’s immigration data, both benefits- and enforcement-related. However, the two agencies have not yet decided on the parameters of this access and must still make several policy decisions. As of April 2006, officials from the CJIS Division and US‑VISIT office were meeting to discuss the following issues:
With FOC, the LESC is expected to provide more comprehensive immigration information associated with fingerprint matches. As of June 2006, CJIS Division officials stated that although the amount and types of immigration data that the LESC would provide have not been determined, they described the idea of providing an “immigration summary sheet” that would contain a consolidated listing, from every available database, of all immigration information (including biographic) related to the subject. To support full interoperability, the FBI and the DHS are upgrading IAFIS and IDENT, and the DHS is preparing to convert US‑VISIT to 10 fingerprints. Concurrent with the IPT’s efforts to implement full interoperability, the FBI and the DHS are independently upgrading IAFIS and IDENT to process 10 flat fingerprints. The FBI is upgrading IAFIS to process more flat fingerprint submissions through its Next Generation Identification (NGI) initiative, and the DHS is planning to modernize IDENT and convert US‑VISIT from a 2‑ to a 10‑fingerprint system. The FBI is upgrading IAFIS through its NGI initiative. In early 2004, the FBI began planning the NGI initiative (then called Next Generation IAFIS) to provide IAFIS users with quicker and more accurate fingerprint searches and more complete criminal history information. As described below, the interoperability-related portions of the NGI initiative include the processing of an increased volume of flat fingerprints as well as several new services, including a specialized biometric database and improvements in criminal history data. To oversee NGI planning and implementation, the CJIS Division created the NGI Program Office on March 15, 2005. On July 1, 2005, the FBI awarded a contract for a study to identify development and implementation strategies, functional and system level requirements, and cost estimates. To identify user needs, a team of contractors and FBI personnel from the NGI Program Office completed over 200 interviews with IAFIS users from federal, state, and local agencies, including the DHS and the DOS. NGI Program Office staff stated that they planned to categorize and prioritize user needs and develop cost estimates for them. The study is slated to be completed by December 2006. The NGI initiative is scheduled to be implemented concurrently with the overall interoperability effort. CJIS Division officials told us that the interoperability‑related portions of NGI are tentatively scheduled to be completed by the end of the FOC development phase in December 2009, pending the results of the study. In FY 2006, the FBI received $16.8 million to support IAFIS hardware and software modernization associated with NGI. The CJIS Division estimated that it would need an additional $74.1 million in FY 2007 funding for further NGI development, however the Department requested $38.1 million in FY 2007 to cover the FBI’s NGI-related expenses. Flat fingerprint processing. In our 2004 review, we found that the CJIS Division was planning to incorporate in its NGI initiative flat fingerprint processing for non-criminal justice purposes, including checking employees’ and applicants’ backgrounds, issuing licenses, and enrolling foreign nationals into US‑VISIT. To ensure that IAFIS would be prepared to handle 10 flat fingerprint submissions from the approximately 43 million annual US-VISIT enrollees, we recommended that the FBI develop options for the eventual upgrade of IAFIS.64 Since we issued our 2004 report, the FBI has begun accepting flat fingerprint submissions on a limited basis. According to NGI Program Office staff, IAFIS currently processes flat fingerprints from three entities: the DOS, the American Bankers Association, and the Ohio Bureau of Criminal Identification and Investigation. From July 27, 2005, through April 17, 2006, those entities submitted approximately 47,000 search requests. NGI Program Office staff stated that although conducting searches using flat fingerprints requires more processing power than rolled fingerprints, IAFIS currently can process the number of fingerprint searches it is receiving without affecting response time. However, because searches of US‑VISIT enrollees’ fingerprints will significantly increase the volume of flat fingerprint submissions, the CJIS Division is in the process of implementing upgrades to the fingerprint search segment of IAFIS and to the system’s overall search capacity. IAFIS is currently capable of processing up to 100,000 fingerprint searches a day from all sources, but NGI Program Office staff stated that the CJIS Division plans to expand this capacity to at least 200,000 daily fingerprint searches based upon requirements from IAFIS users from federal, state, and local agencies, including the DHS and the DOS.65 In addition, NGI planning documents we reviewed indicated that enhancing IAFIS to process more flat fingerprints will require the FBI to develop two separate initiatives. First, the CJIS Division must ensure efficient searching in IAFIS using 10 flat fingerprints and, second, must develop processes for the acceptance of 2-fingerprint verification requests. NGI Program Office staff confirmed that the IAFIS will have the capability to process both 10 flat fingerprint searches and 2-fingerprint verifications. Enhanced Terrorist Identification Service (ETIS). The CJIS Division is planning to implement a specialized biometric database that will allow more rapid identification of certain criminals and terrorists. The plans call for the ETIS to be integrated with the National Crime Information Center and to be interoperable with other automated fingerprint identification systems. The CJIS Division plans to implement the ETIS during the FOC development phase as a subsystem of IAFIS. Disposition improvements for criminal history records. Another NGI initiative planned for the FOC development phase will improve the disposition information on criminal history records from the National Crime Information Center. The disposition provides users with information on the outcome of an arrest, such as whether the individual was convicted or acquitted. The DHS plans to modernize IDENT. The DHS is planning to begin modernizing IDENT through an effort it refers to as “Unified IDENT” to accept, store, and process 10 fingerprints and improve fingerprint matching accuracy. Further, according to the DHS’s draft Initial 10-print Transition Plan (10-Print Plan) dated September 16, 2005, the DHS plans to provide more comprehensive individual alien history information, link its various immigration databases, and establish a “person-centric view.” According to the 10-Print Plan, the goal of the person-centric view is for each individual with an immigration history to have only one identity across all DHS databases (known as a unique identifier). Under the person-centric view, the DHS expects users to be able to submit a single query and receive a consolidated response containing all biographic and immigration information (both benefits- and enforcement-related) associated with the individual being queried. The CJIS Division’s schedule reflects that the DHS is planning to begin modernizing IDENT during the interim interoperability development phase and complete the modernization during the FOC development phase. When we asked DHS officials whether they were on schedule with the IDENT modernization efforts, they stated that the project is likely to take longer than they anticipated, but that this would not affect the achievement of full interoperability. US-VISIT officials stated that they are currently working with CBP and others to consolidate fingerprint records, but that they must acquire additional fingerprint processing power to support searching of those records. US-VISIT officials stated that their first priority was to prepare the records to be shared through the iDSM, particularly the Expedited Removal records, by ensuring that all the records contain an identifying number and that there are no duplicates. US-VISIT officials confirmed that they plan to complete the IDENT modernization project during the FOC development phase. The DHS plans to convert US-VISIT to 10 fingerprints. The DHS and the DOS have begun planning for the transition of US‑VISIT from a 2- to a 10-fingerprint enrollment standard during the interim interoperability development phase. The DHS has formed a user group to select a new scanner suitable for capturing 10 flat fingerprints. In April 2006, the DOS began a series of pilot projects to collect 10 flat fingerprints from foreign nationals applying for visas at selected consulates and embassies. The DOS plans to complete those pilot projects and begin deploying 10 flat fingerprint processing at the remaining consulates and embassies during the IOC development phase, according to the CJIS Division’s schedule. The DHS plans to begin pilot projects to collect 10 flat fingerprints from foreign nationals at selected ports of entry during the IOC development phase. The DHS has estimated the costs to implement the US-VISIT transition from 2 to 10 fingerprints for both it and the DOS in FY 2006 and FY 2007. According to the DHS’s 10-Print Plan, the US-VISIT transition will cost approximately $281 million for both fiscal years ($240 million in DHS costs and $41 million in DOS costs).66 In FY 2006, the DHS received $340 million for US-VISIT expenses.67 In FY 2007, the DHS requested $362 million for US-VISIT expenses. The DHS’s plans to convert US-VISIT. In preparation for modifying US-VISIT, the DHS formed a user group with representatives from the FBI, the National Institute of Justice, the DOS, the NIST, and the Department of Defense. The user group identified a need for fingerprint scanners that are faster, smaller, and more portable than the devices currently being used to capture 10 flat fingerprints.68 The user group agreed on a set of core requirements and issued a Request for Information to vendors to develop a device capable of capturing 10 flat fingerprints. In a December 2005 report, the user group determined that, while the industry currently does not offer a device that meets all of its core requirements, two vendors would be able to provide, within 12 months, such a device.69 The DHS plans to test and evaluate the devices during the interim interoperability development phase, according to the CJIS Division’s schedule. The DOS’s pilot projects to collect 10 flat fingerprints. In April 2006, the DOS began testing software capable of processing either 2 or 10 fingerprints at the consulate office in Cairo, Egypt. The DOS also began a series of pilot projects recently to collect 10 flat fingerprints from visa applicants at selected consulates and embassies. The DOS began its first pilot project in San Salvador, El Salvador in April 2006 and is planning additional pilot projects in London, England in July 2006 and in Riyadh, Saudi Arabia in September 2006. According to DOS officials, the pilot projects will test the process of collecting 10 fingerprints in an operational environment to identify the length of time needed to collect the fingerprints, the quality of the fingerprint images collected, and additional training needs. However, because IDENT is not yet prepared to accept 10 fingerprints, the DOS plans to continue transmitting 2 flat fingerprints for searches against IDENT.70 DOS officials stated that they did not anticipate sending 10 flat fingerprint images to the DHS for inclusion in IDENT until September 2006, when IDENT is expected to begin accepting 10 fingerprints. To collect the fingerprints during the pilot projects, the DOS plans to use an existing type of 10-print scanner that the FBI certified as being in compliance with IAFIS. Once smaller, lighter scanners are available, the DOS plans to deploy the devices and require 10 flat fingerprint processing at its remaining consulates and embassies during the IOC development phase. Pilot projects to collect 10 flat fingerprints from foreign nationals at selected ports of entry are scheduled to occur during the IOC phase, according to the CJIS Division’s schedule. In April 2006, DHS officials stated that the pilot locations had not yet been identified. They also stated that before the DHS decides on appropriate ports of entry for a pilot, they must conduct further planning, such as operational and process modeling, facilities modifications, proposed technical solutions, and environmental planning, and collaborate with CBP and other stakeholders. The DHS is planning to deploy US-VISIT 10-fingerprint capabilities at all ports of entry and consulates by the end of the FOC development phase. The IPT is estimating interoperability costs for the IOC phase. The IPT is working on a cost-benefit analysis, which it expects to complete by August 2006, that will estimate the IOC interoperability-related expenses for the FBI, DHS, and DOS to make IAFIS, IDENT, and US-VISIT interoperable.71 Those expenses will include agency-specific initiatives needed for interoperability, such as a portion of the FBI’s NGI, the DHS’s IDENT modernization, and the DHS and DOS joint implementation of a 10‑fingerprint enrollment standard for US-VISIT. The final cost will depend largely on which of the technical solutions the IPT chooses for full interoperability. FBI officials noted that achieving full interoperability is dependent on the FBI, DHS, and DOS receiving adequate appropriations to cover all interoperability-related expenses. The FBI has estimated costs for the first two interoperability phases. Separate from the IPT’s cost-benefit analysis for IOC, FBI officials have developed FBI-specific cost estimates for the first two interoperability phases. For FY 2006, the FBI estimated a cost of $7.9 million for the iDSM and $24 million for the first portion of the IOC development phase. In its FY 2006 appropriation, the FBI budgeted $18.9 million for interoperability-related expenses, most of which included reprogrammed funding.72 For FY 2007, the FBI estimated that $33 million will be needed for hardware and software for the IOC development phase and the FBI subsequently requested that amount in the President’s FY 2007 budget.73 The FBI and the DHS have identified technical, funding, and policy risks and have developed mitigation strategies. We examined whether the FBI and the DHS (through the IPT) have identified potential technical, funding, and policy risks that could delay full interoperability and whether they have developed corresponding mitigation strategies. We found that the IPT has developed risk management plans and mitigation strategies that appear reasonable for the overall interoperability effort. We also found that the FBI developed a risk management plan with mitigation strategies for its portion of the interim interoperability development phase (iDSM).74 In a November 2005 draft Interoperability Concept of Operations, the IPT identified broad risks that must be managed throughout each of the interoperability phases.75 The IPT devised mitigation strategies for those risks and stated that it, along with the DHS and the DOS, would manage the risks and periodically report to the IPT’s Executive Committee on the status of the mitigation effort. The broad risks and mitigation strategies in the document we examined included the following:
The FBI identified the iDSM-specific risks in an April 2006 iDSM Concept of Operations. For the specific risks, the FBI identified corresponding mitigation strategies and risk consequences that build on the broader interoperability risks discussed in the previous document. CJIS Division officials stated that they regularly identify and monitor the iDSM risks, and on May 3, 2006, the officials provided documentation showing 18 open risks and 39 risks that they had closed.76 The open risks involved areas such as schedule, technology, reliability of systems, cost, policy, privacy, and security. Among them were:
Although the interoperability risks and corresponding mitigation strategies appear to be reasonable, the scope of our review did not include an analysis of whether the IPT or the FBI identified all potential risks to the interoperability project and appropriately closed or mitigated those risks. Further, because the FBI is working toward establishing the iDSM, it has not completed risk analysis plans for the remaining two phases, although FBI officials stated that they have begun identifying potential risks for the IOC and FOC development phases. We therefore encourage the FBI to continue regularly monitoring the overall risks to the project and to develop risk mitigation strategies for the IOC and FOC phases. Footnotes
|
« Previous | Table of Contents | Next » |