OIG Evaluation and Inspections Report I-2006-007

Follow-up Review of the FBI’s Progress Toward Biometric Interoperability Between IAFIS and IDENT

Evaluation and Inspections Report I-2006-007
July 2006
Office of the Inspector General

Results of the Review - Part I

In May 2005, the FBI and the DHS resolved a disagreement that had existed since the early 1990s regarding a common fingerprint collection methodology. Since then, the agencies have begun implementing a three-phase plan for achieving full interoperability of IAFIS, IDENT, and US-VISIT, a process scheduled for completion in December 2009. In the first phase, already under way, the FBI and DHS plan to deploy a joint automated system for sharing key immigration and law enforcement data by September 2006. The FBI and the DHS must implement the remaining two phases to achieve full interoperability that would enable complete sharing of immigration and law enforcement records among federal, state, and local law enforcement agencies. To facilitate full interoperability, both agencies have begun upgrading their IAFIS and IDENT systems to process 10 flat fingerprints. In addition, the DHS is preparing to convert US VISIT from a 2-fingerprint to a 10-fingerprint enrollment standard. While the FBI and DHS have made progress toward achieving interoperability of their biometric fingerprint identification systems, the project faces significant technological, funding, and policy challenges to meet the scheduled completion date of December 2009.

The FBI and the DHS are implementing the first phase of a three-phase plan for achieving full interoperability.

In May 2005, the DHS Secretary announced that the DHS would adopt a 10‑fingerprint collection standard for enrolling visitors into US‑VISIT, as recommended in the NIST Technology Standard. The DHS’s decision to modify US‑VISIT resolved the first of two major barriers that had created an impasse toward achieving interoperability between IAFIS and IDENT.⁴⁸ On May 19, 2005, the DHS sent a memorandum to the Homeland Security Council stating that it would modify the US‑VISIT program as soon as practicable to use 10 flat fingerprints for enrollment and 2 flat fingerprints for identity verification. The Homeland Security Council concurred with the DHS’s decision and stated in a “summary of conclusions” dated June 7, 2005, that “it should be the policy of the United States Government that biometric screening of foreign visitors to the United States be based on a fingerprint standard requiring 10-[finger]print capture at enrollment and 2-[finger]print verification thereafter.”

The resolution of the impasse has allowed the FBI and the DHS to begin planning their approach to achieving full interoperability of the fingerprint systems. The FBI and the DHS currently are implementing the first phase of a three-phase plan that is intended to produce a joint, automated system for the reciprocal sharing of key immigration and law enforcement data. Appendix II contains a table showing significant interoperability-related events during 2005.

The FBI and the DHS have formed a working group and established a three-phase plan for achieving full interoperability.

In May 2005, the FBI (through the CJIS Division), DHS (through the US-VISIT office), and DOS formed the IPT to coordinate efforts to achieve full interoperability. The IPT charter sets out guiding principles to serve as the foundation for sharing biometric and related information among the agencies in accordance with each agency’s mission.⁴⁹ Since its creation, the IPT has produced several key interoperability planning documents, including the DHS/US-VISIT & DOJ/FBI Interoperability Concept of Operations and the DHS/US-VISIT & DOJ/FBI Interoperability Business Requirements.⁵⁰ All issues regarding the interoperability of IAFIS and IDENT are vetted through the IPT and its sub-teams.

The IPT plans to accomplish full interoperability in three phases. A brief description of the capabilities planned for each phase follows, while the phases themselves are described in more detail later in this report. According to CJIS Division officials who participate on the IPT, the interoperability efforts were on schedule as of June 2006.

Interim interoperability: The interim interoperability phase, currently being developed, is intended to enable the FBI and the DHS to directly access read-only copies of certain key law enforcement and immigration data from IAFIS and IDENT in near real time. By replicating the data, the FBI and the DHS will each be able to conduct fingerprint searches against the other agency’s records at their respective locations. The replicated files will also provide a 24‑hour backup for those shared IAFIS and IDENT records. The interim interoperability development phase is scheduled to be completed by September 3, 2006.⁵¹

Initial Operating Capability (IOC): The IOC development phase is intended to expand the data shared between the two agencies. By the end of the IOC development phase, plans are for the FBI to have access to all fingerprint images from IDENT, and for the DHS to have access to the entire Criminal Master File from IAFIS. This phase is also intended to provide the initial fingerprint search capacity and storage needed for full interoperability. As of June 2006, the IOC development phase was scheduled to last approximately 22 months, beginning on September 4, 2006, and ending in July 2008.

Full Operating Capability (FOC): During the FOC development phase, the FBI and the DHS plan to provide all federal, state, and local law enforcement agencies, as well as authorized non-criminal justice agencies, access to immigration data from IDENT.⁵² By the end of the FOC development phase, the agencies expect to have increased fingerprint search capacity and storage, improved response time, and additional IAFIS capabilities and services. The FOC phase is scheduled to be developed over 17 months, beginning in July 2008 and ending in December 2009 with full interoperability.

The FBI and the DHS are developing the first phase of the interoperability plan.

For the interim interoperability development phase, the FBI and the DHS established the following objectives: (1) meet both agencies’ most urgent requirements for data access; (2) share data in both directions; (3) serve as a prototype of technical concepts for full interoperability; and (4) not detract from achieving full interoperability in terms of cost, schedule, effort, and technical architecture. To meet these objectives, the FBI and the DHS began developing the interim Data Sharing Model (iDSM).⁵³ According to the iDSM Project Concept of Operations, the iDSM will deliver the first interoperable biometric data capability between the DHS and the FBI by allowing both agencies to share read-only copies of selected immigration and law enforcement data.⁵⁴ For the iDSM to become operational, the FBI and the DHS must identify the records to be shared and exchange the replicated files containing the selected records.

Data to be shared through the iDSM. In September 2005, the FBI, DHS, and DOS signed a letter of concurrence stipulating the data to be shared among agencies and the terms governing the use, disclosure, and protection of the shared data. As of June 2006, the FBI and the DHS had agreed to exchange read-only copies of records identified as being the most useful to support the other agency’s mission and data that would support IAFIS and IDENT users’ needs. According to iDSM planning documents, both the FBI and the DHS are responsible for updating the data that they share (e.g., expunging records or substituting records with better quality fingerprint images) through an automated process.

The FBI’s data. The FBI is planning to transfer all of the approximately 800,000 IAFIS Wants and Warrants records that have fingerprints associated with them to provide the DHS with access to the complete set of these records.⁵⁵ Once the iDSM becomes operational, the DHS should have access to all fingerprint records of subjects with active warrants, including U.S. citizens, and the current daily extract process will be eliminated.⁵⁶ According to the iDSM Concept of Operations, the DHS’s access to the full set of Wants and Warrants records will facilitate better decision-making about an individual’s admissibility, eligibility for immigration benefits, or deportability from the United States. Access also will allow the DHS to detain individuals who have outstanding arrest warrants and notify the appropriate law enforcement agency. Once all the Wants and Warrants data is available, IDENT users should be able to submit one transaction and receive the FBI’s and the DHS’s shared criminal history, biographic, and immigration information on the subject whose fingerprints are being searched. The DHS plans to conduct up to 250,000 fingerprint searches of visitors per day against the Wants and Warrants data.

In addition to developing the iDSM to provide the interim interoperability capability, the FBI also has taken steps to improve the records available to the DHS until the iDSM becomes operational. On November 30, 2005, the FBI began expanding the daily Wants and Warrants records extracted from IAFIS to provide the DHS with all newly issued or updated warrants created after November 2005, including those for U.S. citizens. The FBI provides up to 2,500 of these records to the DHS each day. Although technical limitations restrict the number of daily extracts to IDENT, the expansion is nonetheless increasing the information immediately available to the DHS. The DHS’s immediate access to these additional records allows immigration officials to conduct fingerprint searches using more complete and current information.

The DHS’s data. The DHS is planning to transfer 2 sets of records from IDENT to the iDSM: the approximately 16,000 Visa Denial and the approximately 390,000 Expedited Removal records.⁵⁷ The DHS does not currently provide the FBI – or the over 70,000 federal, state, and local law enforcement agencies that contribute to IAFIS – copies of any immigration data. The agencies chose to include those records in the iDSM because they were viewed as being most useful to law enforcement officials.⁵⁸ According to the iDSM Concept of Operations, these immigration records will help the FBI and other IAFIS users establish the identity of individuals they encounter, determine whether someone is in the United States illegally, conduct better risk assessments, protect officer safety, and enhance law enforcement agencies’ ability to develop comprehensive history and threat profiles. The FBI plans to conduct searches of at least 1,000 fingerprint submissions per day against these DHS records. As of June 2006, the DHS had not begun providing copies of these records to the FBI, but DHS officials told us that they would be able to transfer both sets of records to the iDSM by September 3, 2006.

CJIS Division officials stated that the initial iDSM storage capacity for the FBI’s and the DHS’s replicated files will accommodate up to 1 million records each. They explained that the FBI and the DHS designed each data storage component to accommodate about twice that amount of records to allow for growth and to prevent the need to immediately upgrade the iDSM.

Status of system development. FBI and DHS officials told us that, as of June 2006, the development of the iDSM was on schedule to become operational on September 4, 2006. CJIS Division officials stated they were in the process of purchasing the hardware and software needed for the storing of the replicated files. According to documents the CJIS Division provided, the hardware and software must be delivered by July 2006 to maintain that schedule.

On September 4, 2006, when the iDSM is expected to be fully populated with copies of the Wants and Warrants, Visa Denial, and Expedited Removal records, the FBI and the DHS plan to begin testing and using the iDSM. Once the iDSM is operational, the FBI plans to enable three agencies to submit fingerprint searches through IAFIS to be run against the DHS’s records. The three agencies are the Boston Police Department, the Texas Department of Public Safety, and the U.S. Office of Personnel Management. Those agencies represent state and local law enforcement and a federal agency authorized to conduct fingerprint searches for non-criminal justice purposes. The FBI is planning to divide the initial iDSM search capacity of 1,000 daily fingerprint searches among those three agencies. The FBI and the DHS plan to test the iDSM’s effectiveness by tracking the number of fingerprint searches each agency performs, the number of hits and positive identifications resulting from those searches, the number of individuals apprehended as a result of the positive identifications, the number of false positives, the transfer and storage of data in the iDSM, and the hardware and software performance.

If successful, the iDSM will be instrumental in establishing the foundation for full interoperability between IAFIS and IDENT. The DHS’s access to the full set of Wants and Warrants records will help reduce the risk of unknowingly admitting criminal aliens into the United States, including those claiming to be U.S. citizens. Once all the Wants and Warrants containing fingerprint data are transferred to the iDSM, immigration officials will be able to search visitors’ fingerprints against all of these records rather than a subset. Similarly, the FBI’s access to the Visa Denial and Expedited Removal records will help identify illegal aliens. The FBI’s access to those immigration records is significant because, for the first time, the FBI will be able to search fingerprint records in IAFIS against those in IDENT.

The FBI and the DHS plan to implement the remaining two interoperability phases by December 2009.

To achieve full interoperability, the FBI and the DHS must next complete the final two interoperability phases (IOC and FOC). The IOC development phase is planned to begin on September 4, 2006, and continue through July 2008. The FOC development phase is to begin in July 2008 and end by December 2009 with full interoperability.

During the IOC phase, the FBI and the DHS plan to choose a technical solution, expand data sharing, and broaden access to the data.

At the beginning of the IOC development phase, the FBI and the DHS must decide on one of three technical solutions currently under consideration for full interoperability. The three technical solutions, described below, are referred to as the shared data model, the shared services model, and a base case option.

Shared data. This model involves the FBI and the DHS exchanging, and conducting searches against, read‑only copies of each other’s fingerprint data. Under the shared data model, the FBI and the DHS would independently maintain their own biometric (fingerprint) and biographic data, but would provide a copy of the fingerprint data to the other agency. The receiving agency would be responsible for searching the data and requesting the associated biographic information when a match is encountered. The replicated data also would provide an offsite, 24-hour backup for IAFIS and IDENT data, which the agencies plan to keep updated in near real time. The iDSM has a shared data component because it allows both agencies to access copies of the same biometric data (e.g., Wants and Warrants, Visa Denials, and Expedited Removals).

Shared services. This model involves the FBI and the DHS each sending fingerprint search transactions directly to the other agency’s automated system. The shared services model would not utilize copies of the FBI’s and the DHS’s fingerprint data. Instead, each agency would maintain control over its data by requesting that the other agency perform a fingerprint search and return the associated biographic information. This model is similar to the current process whereby the DHS sends fingerprint searches (TPRS transactions) directly to IAFIS through the IDENT/IAFIS workstations and requests the criminal history or immigration information associated with any fingerprint matches. The iDSM has a shared services component because it allows both agencies to request biographic and criminal history data from the agency that owns it when a fingerprint match is found.

Base case. Finally, the IPT is also considering a base case option, which refers to a slightly improved version of the operational iDSM. According to the FBI, this would encompass the DHS’s efforts to modernize IDENT as they occur.

Although the FBI and the DHS have not made a final decision on the technical solution for full interoperability, they are implementing the iDSM as a prototype to test the shared data approach. CJIS Division officials stated that they are currently working on a cost-benefit analysis to determine the most efficient solution and estimate the necessary costs. The cost-benefit analysis is due to be completed by August 2006. CJIS Division officials stated that after September 3, 2006, when the iDSM is expected to become operational, they will test the technology for 30 to 90 days. The FBI and the DHS plan to make the records in the iDSM available for conducting fingerprint searches throughout the 22‑month duration of the IOC development phase. Both agencies plan to track and evaluate the number of fingerprint searches performed against the other agency’s records and the number of positive identifications resulting from the searches.

During the IOC phase, the FBI and the DHS expect to have access to one another’s basic immigration and criminal history information associated with any fingerprint searches that result in a match. Specifically, the FBI and the DHS plan to: (1) expand the data shared between them; (2) establish the initial fingerprint search capacity and storage needed for full interoperability; (3) allow federal, state, and local agencies limited access to immigration data, which includes basic biographic data; and (4) provide immigration authorities full access to criminal history information.

Expanded data sharing. During the IOC phase, the FBI and the DHS plan to expand the data accessible to each agency beyond the records initially selected for sharing through the iDSM. During the IOC phase, the FBI expects to have access to all biometric records in IDENT, and the DHS expects to have access to all biometric records from the IAFIS Criminal Master File.⁵⁹ The method of providing this access will depend on which of the technical solutions (shared data or shared services) the IPT selects (the base case would not provide access to all biometric records in IDENT and IAFIS because it includes only the iDSM records). For example, if the shared data model is chosen, both agencies would exchange copies of additional IAFIS and IDENT data, beyond the records in the iDSM.

Fingerprint search capacity and storage. The FBI and the DHS also expect to establish the initial fingerprint search and storage capacity needed for full interoperability during the IOC phase.⁶⁰ The CJIS Division plans to search a subset of its federal, state, and local agencies’ IAFIS transactions against the DHS’s records. Specifically, the CJIS Division plans to conduct up to 1,000 initial fingerprint searches per day of selected criminal arrestees and federal employees in positions of public trust or national security against the DHS’s records in the iDSM. By the end of the IOC development phase, the FBI plans to increase those fingerprint searches to approximately 50,000 per day and increase the storage capacity to accommodate all the records that will be in IAFIS and IDENT by FY 2009.

Federal, state, and local agencies’ limited access to immigration data. During the IOC development phase, the FBI plans to allow any agency – beyond the three pilot agencies – to request a fingerprint search against the DHS’s records. The agencies may be federal, state, or local law enforcement or civil agencies conducting non-criminal justice searches. The FBI’s current system receives approximately 60,000 search requests per day from all such agencies. Currently, FBI and other law enforcement personnel can obtain immigration data on a foreign national who is a “subject of interest” by submitting the subject’s name to the DHS’s Law Enforcement Support Center (LESC).⁶¹ During IOC, the LESC will continue to provide support to the FBI. When the FBI finds a match of a subject’s fingerprints against IDENT data, it plans to request the associated immigration data from the LESC. However, as of June 2006, FBI officials indicated that the amount and types of immigration data that the LESC would provide had not been determined. The FBI plans to request the data from the LESC by submitting an electronic request known as an Immigration Alien Query, to which the LESC will return an automated response. The FBI will then provide that response back to the requesting agency. Officials from the CJIS Division and US-VISIT office recently met with LESC representatives to plan for the additional workload. According to the iDSM Concept of Operations, the initial submissions to the LESC will not exceed 80 requests per day.

Immigration authorities’ full access to criminal history data. For criminal justice purposes, the DHS plans to obtain criminal history information through the existing procedure whereby it submits a query to the FBI’s National Crime Information Center. For non-criminal justice agencies (e.g., the DOS), the FBI will provide the criminal history information associated with a fingerprint match after it makes a positive identification in IAFIS.

During the FOC phase, the FBI and the DHS are planning to achieve full interoperability.

The FBI and the DHS plan to begin developing the FOC phase in July 2008, after completion of the IOC phase. The FOC phase is scheduled to be developed over 17 months, ending in December 2009, and is to achieve full interoperability among IAFIS, IDENT, and US-VISIT. According to CJIS Division officials, however, implementing the FOC development phase will be affected by the progress of two separate projects that we discuss later in this report: the CJIS Division’s development of a new version of IAFIS and the DHS’s modernization of IDENT.

The FOC phase is intended to be an expansion of the IOC phase and is planned to: (1) provide complete, standardized data sharing between the FBI and the DHS; (2) increase fingerprint search capacity and storage to accommodate more transactions; and (3) allow federal, state, and local agencies full access to immigration data.

Standardized data sharing. By the end of the FOC development phase, IAFIS and IDENT users are expected to be able to submit a single request that searches all fingerprint records maintained by the FBI and the DHS to receive associated criminal history and immigration information about the subject. The searches are to be based on fingerprints, although interoperability planning documents indicate that expansion to palm prints, facial recognition, and other biometrically based methods may be developed and used by the agencies in the future in a final interoperability solution (beyond FOC).⁶² The method of providing this information will depend on which of the technical solutions (shared data, shared services, or a base case) the IPT selects.

Increased fingerprint search capacity and storage. CJIS Division officials stated that by the end of the FOC phase, the federal, state, and local agencies’ capacity to search against the DHS’s records will increase from the planned IOC capacity of approximately 50,000 transactions per day to approximately 200,000 per day, a level that according to CJIS Division officials, will accommodate all requests. The FBI and the DHS are also planning to increase the storage capacity of the interoperability solution to accommodate all the records that will be in IAFIS and IDENT by FY 2010.

Federal, state, and local agencies’ full access to immigration data. By the end of the FOC development phase in December 2009, the FBI and the DHS are planning to allow all federal, state, and local law enforcement agencies, as well as authorized non-criminal justice agencies, full access to the DHS’s immigration data, both benefits- and enforcement-related. However, the two agencies have not yet decided on the parameters of this access and must still make several policy decisions. As of April 2006, officials from the CJIS Division and US‑VISIT office were meeting to discuss the following issues:

The FBI and the DHS must decide on a policy for agencies’ use of the immigration data. IDENT does not yet provide an individual’s comprehensive immigration records, and the DHS is concerned about the potential for law enforcement officers using incomplete information to apprehend someone that they think is an immigration violator. For example, if an individual apprehended along the border is naturalized 2 years later, IDENT would contain information on the apprehension but may not contain information on the subsequent naturalization. The latter information is kept in other DHS databases that are available to immigration officers but not to law enforcement agencies querying IDENT. The DHS is working to make comprehensive information available through its efforts to modernize IDENT (described in the next section).

The DHS is responsible for protecting the privacy of its information, particularly information on individuals with records in US-VISIT who are presumed to be visitors with no existing criminal records. Thus, the FBI and the DHS must decide on an appropriate policy to ensure that individuals’ privacy is protected once agencies can access immigration data.⁶³

With FOC, the LESC is expected to provide more comprehensive immigration information associated with fingerprint matches. As of June 2006, CJIS Division officials stated that although the amount and types of immigration data that the LESC would provide have not been determined, they described the idea of providing an “immigration summary sheet” that would contain a consolidated listing, from every available database, of all immigration information (including biographic) related to the subject.

To support full interoperability, the FBI and the DHS are upgrading IAFIS and IDENT, and the DHS is preparing to convert US‑VISIT to 10 fingerprints.

Concurrent with the IPT’s efforts to implement full interoperability, the FBI and the DHS are independently upgrading IAFIS and IDENT to process 10 flat fingerprints. The FBI is upgrading IAFIS to process more flat fingerprint submissions through its Next Generation Identification (NGI) initiative, and the DHS is planning to modernize IDENT and convert US‑VISIT from a 2‑ to a 10‑fingerprint system.

The FBI is upgrading IAFIS through its NGI initiative.

In early 2004, the FBI began planning the NGI initiative (then called Next Generation IAFIS) to provide IAFIS users with quicker and more accurate fingerprint searches and more complete criminal history information. As described below, the interoperability-related portions of the NGI initiative include the processing of an increased volume of flat fingerprints as well as several new services, including a specialized biometric database and improvements in criminal history data.

To oversee NGI planning and implementation, the CJIS Division created the NGI Program Office on March 15, 2005. On July 1, 2005, the FBI awarded a contract for a study to identify development and implementation strategies, functional and system level requirements, and cost estimates. To identify user needs, a team of contractors and FBI personnel from the NGI Program Office completed over 200 interviews with IAFIS users from federal, state, and local agencies, including the DHS and the DOS. NGI Program Office staff stated that they planned to categorize and prioritize user needs and develop cost estimates for them. The study is slated to be completed by December 2006.

The NGI initiative is scheduled to be implemented concurrently with the overall interoperability effort. CJIS Division officials told us that the interoperability‑related portions of NGI are tentatively scheduled to be completed by the end of the FOC development phase in December 2009, pending the results of the study. In FY 2006, the FBI received $16.8 million to support IAFIS hardware and software modernization associated with NGI. The CJIS Division estimated that it would need an additional $74.1 million in FY 2007 funding for further NGI development, however the Department requested $38.1 million in FY 2007 to cover the FBI’s NGI-related expenses.

Flat fingerprint processing. In our 2004 review, we found that the CJIS Division was planning to incorporate in its NGI initiative flat fingerprint processing for non-criminal justice purposes, including checking employees’ and applicants’ backgrounds, issuing licenses, and enrolling foreign nationals into US‑VISIT. To ensure that IAFIS would be prepared to handle 10 flat fingerprint submissions from the approximately 43 million annual US-VISIT enrollees, we recommended that the FBI develop options for the eventual upgrade of IAFIS.⁶⁴ Since we issued our 2004 report, the FBI has begun accepting flat fingerprint submissions on a limited basis. According to NGI Program Office staff, IAFIS currently processes flat fingerprints from three entities: the DOS, the American Bankers Association, and the Ohio Bureau of Criminal Identification and Investigation. From July 27, 2005, through April 17, 2006, those entities submitted approximately 47,000 search requests.

NGI Program Office staff stated that although conducting searches using flat fingerprints requires more processing power than rolled fingerprints, IAFIS currently can process the number of fingerprint searches it is receiving without affecting response time. However, because searches of US‑VISIT enrollees’ fingerprints will significantly increase the volume of flat fingerprint submissions, the CJIS Division is in the process of implementing upgrades to the fingerprint search segment of IAFIS and to the system’s overall search capacity. IAFIS is currently capable of processing up to 100,000 fingerprint searches a day from all sources, but NGI Program Office staff stated that the CJIS Division plans to expand this capacity to at least 200,000 daily fingerprint searches based upon requirements from IAFIS users from federal, state, and local agencies, including the DHS and the DOS.⁶⁵

In addition, NGI planning documents we reviewed indicated that enhancing IAFIS to process more flat fingerprints will require the FBI to develop two separate initiatives. First, the CJIS Division must ensure efficient searching in IAFIS using 10 flat fingerprints and, second, must develop processes for the acceptance of 2-fingerprint verification requests. NGI Program Office staff confirmed that the IAFIS will have the capability to process both 10 flat fingerprint searches and 2-fingerprint verifications.

Enhanced Terrorist Identification Service (ETIS). The CJIS Division is planning to implement a specialized biometric database that will allow more rapid identification of certain criminals and terrorists. The plans call for the ETIS to be integrated with the National Crime Information Center and to be interoperable with other automated fingerprint identification systems. The CJIS Division plans to implement the ETIS during the FOC development phase as a subsystem of IAFIS.

Disposition improvements for criminal history records. Another NGI initiative planned for the FOC development phase will improve the disposition information on criminal history records from the National Crime Information Center. The disposition provides users with information on the outcome of an arrest, such as whether the individual was convicted or acquitted.

The DHS plans to modernize IDENT.

The DHS is planning to begin modernizing IDENT through an effort it refers to as “Unified IDENT” to accept, store, and process 10 fingerprints and improve fingerprint matching accuracy. Further, according to the DHS’s draft Initial 10-print Transition Plan (10-Print Plan) dated September 16, 2005, the DHS plans to provide more comprehensive individual alien history information, link its various immigration databases, and establish a “person-centric view.” According to the 10-Print Plan, the goal of the person-centric view is for each individual with an immigration history to have only one identity across all DHS databases (known as a unique identifier). Under the person-centric view, the DHS expects users to be able to submit a single query and receive a consolidated response containing all biographic and immigration information (both benefits- and enforcement-related) associated with the individual being queried. The CJIS Division’s schedule reflects that the DHS is planning to begin modernizing IDENT during the interim interoperability development phase and complete the modernization during the FOC development phase.

When we asked DHS officials whether they were on schedule with the IDENT modernization efforts, they stated that the project is likely to take longer than they anticipated, but that this would not affect the achievement of full interoperability. US-VISIT officials stated that they are currently working with CBP and others to consolidate fingerprint records, but that they must acquire additional fingerprint processing power to support searching of those records. US-VISIT officials stated that their first priority was to prepare the records to be shared through the iDSM, particularly the Expedited Removal records, by ensuring that all the records contain an identifying number and that there are no duplicates. US-VISIT officials confirmed that they plan to complete the IDENT modernization project during the FOC development phase.

The DHS plans to convert US-VISIT to 10 fingerprints.

The DHS and the DOS have begun planning for the transition of US‑VISIT from a 2- to a 10-fingerprint enrollment standard during the interim interoperability development phase. The DHS has formed a user group to select a new scanner suitable for capturing 10 flat fingerprints. In April 2006, the DOS began a series of pilot projects to collect 10 flat fingerprints from foreign nationals applying for visas at selected consulates and embassies. The DOS plans to complete those pilot projects and begin deploying 10 flat fingerprint processing at the remaining consulates and embassies during the IOC development phase, according to the CJIS Division’s schedule. The DHS plans to begin pilot projects to collect 10 flat fingerprints from foreign nationals at selected ports of entry during the IOC development phase.

The DHS has estimated the costs to implement the US-VISIT transition from 2 to 10 fingerprints for both it and the DOS in FY 2006 and FY 2007. According to the DHS’s 10-Print Plan, the US-VISIT transition will cost approximately $281 million for both fiscal years ($240 million in DHS costs and $41 million in DOS costs).⁶⁶ In FY 2006, the DHS received $340 million for US-VISIT expenses.⁶⁷ In FY 2007, the DHS requested $362 million for US-VISIT expenses.

The DHS’s plans to convert US-VISIT. In preparation for modifying US-VISIT, the DHS formed a user group with representatives from the FBI, the National Institute of Justice, the DOS, the NIST, and the Department of Defense. The user group identified a need for fingerprint scanners that are faster, smaller, and more portable than the devices currently being used to capture 10 flat fingerprints.⁶⁸ The user group agreed on a set of core requirements and issued a Request for Information to vendors to develop a device capable of capturing 10 flat fingerprints. In a December 2005 report, the user group determined that, while the industry currently does not offer a device that meets all of its core requirements, two vendors would be able to provide, within 12 months, such a device.⁶⁹ The DHS plans to test and evaluate the devices during the interim interoperability development phase, according to the CJIS Division’s schedule.

The DOS’s pilot projects to collect 10 flat fingerprints. In April 2006, the DOS began testing software capable of processing either 2 or 10 fingerprints at the consulate office in Cairo, Egypt. The DOS also began a series of pilot projects recently to collect 10 flat fingerprints from visa applicants at selected consulates and embassies. The DOS began its first pilot project in San Salvador, El Salvador in April 2006 and is planning additional pilot projects in London, England in July 2006 and in Riyadh, Saudi Arabia in September 2006.

According to DOS officials, the pilot projects will test the process of collecting 10 fingerprints in an operational environment to identify the length of time needed to collect the fingerprints, the quality of the fingerprint images collected, and additional training needs. However, because IDENT is not yet prepared to accept 10 fingerprints, the DOS plans to continue transmitting 2 flat fingerprints for searches against IDENT.⁷⁰ DOS officials stated that they did not anticipate sending 10 flat fingerprint images to the DHS for inclusion in IDENT until September 2006, when IDENT is expected to begin accepting 10 fingerprints. To collect the fingerprints during the pilot projects, the DOS plans to use an existing type of 10-print scanner that the FBI certified as being in compliance with IAFIS. Once smaller, lighter scanners are available, the DOS plans to deploy the devices and require 10 flat fingerprint processing at its remaining consulates and embassies during the IOC development phase.

Pilot projects to collect 10 flat fingerprints from foreign nationals at selected ports of entry are scheduled to occur during the IOC phase, according to the CJIS Division’s schedule. In April 2006, DHS officials stated that the pilot locations had not yet been identified. They also stated that before the DHS decides on appropriate ports of entry for a pilot, they must conduct further planning, such as operational and process modeling, facilities modifications, proposed technical solutions, and environmental planning, and collaborate with CBP and other stakeholders. The DHS is planning to deploy US-VISIT 10-fingerprint capabilities at all ports of entry and consulates by the end of the FOC development phase.

The IPT is estimating interoperability costs for the IOC phase.

The IPT is working on a cost-benefit analysis, which it expects to complete by August 2006, that will estimate the IOC interoperability-related expenses for the FBI, DHS, and DOS to make IAFIS, IDENT, and US-VISIT interoperable.⁷¹ Those expenses will include agency-specific initiatives needed for interoperability, such as a portion of the FBI’s NGI, the DHS’s IDENT modernization, and the DHS and DOS joint implementation of a 10‑fingerprint enrollment standard for US-VISIT. The final cost will depend largely on which of the technical solutions the IPT chooses for full interoperability. FBI officials noted that achieving full interoperability is dependent on the FBI, DHS, and DOS receiving adequate appropriations to cover all interoperability-related expenses.

The FBI has estimated costs for the first two interoperability phases.

Separate from the IPT’s cost-benefit analysis for IOC, FBI officials have developed FBI-specific cost estimates for the first two interoperability phases. For FY 2006, the FBI estimated a cost of $7.9 million for the iDSM and $24 million for the first portion of the IOC development phase. In its FY 2006 appropriation, the FBI budgeted $18.9 million for interoperability-related expenses, most of which included reprogrammed funding.⁷² For FY 2007, the FBI estimated that $33 million will be needed for hardware and software for the IOC development phase and the FBI subsequently requested that amount in the President’s FY 2007 budget.⁷³

The FBI and the DHS have identified technical, funding, and policy risks and have developed mitigation strategies.

We examined whether the FBI and the DHS (through the IPT) have identified potential technical, funding, and policy risks that could delay full interoperability and whether they have developed corresponding mitigation strategies. We found that the IPT has developed risk management plans and mitigation strategies that appear reasonable for the overall interoperability effort. We also found that the FBI developed a risk management plan with mitigation strategies for its portion of the interim interoperability development phase (iDSM).⁷⁴

In a November 2005 draft Interoperability Concept of Operations, the IPT identified broad risks that must be managed throughout each of the interoperability phases.⁷⁵ The IPT devised mitigation strategies for those risks and stated that it, along with the DHS and the DOS, would manage the risks and periodically report to the IPT’s Executive Committee on the status of the mitigation effort. The broad risks and mitigation strategies in the document we examined included the following:

Limited time to develop, design, and deploy an interoperability solution: To mitigate this risk, the IPT stated it would develop a plan with targeted milestones and project measurements.

Lack of financial, personnel, or technical resources within participating agencies: To mitigate this risk, the IPT stated it would provide joint (FBI and DHS) briefings to the Office of Management and Budget, Congress, and other authorizing/funding bodies to ensure that interoperability remains a priority.

Privacy issues limiting participation or categories of transactions: To mitigate this risk, the IPT stated that its Strategy and Policy sub-team would address all legal and policy issues.

Misuse of data in interoperable solution: To mitigate this risk, the IPT stated it would devise protections to guard against misuse of data, including recommendations for policies, procedures, and audits.

The FBI identified the iDSM-specific risks in an April 2006 iDSM Concept of Operations. For the specific risks, the FBI identified corresponding mitigation strategies and risk consequences that build on the broader interoperability risks discussed in the previous document. CJIS Division officials stated that they regularly identify and monitor the iDSM risks, and on May 3, 2006, the officials provided documentation showing 18 open risks and 39 risks that they had closed.⁷⁶ The open risks involved areas such as schedule, technology, reliability of systems, cost, policy, privacy, and security. Among them were:

Purchase and receipt of iDSM equipment: The FBI recognized that the acquisition process for the hardware and software needed for the iDSM would be lengthy and could significantly delay the deployment schedule of the first interoperability phase. To address this risk, the FBI stated that the purchase of this equipment must be made by June 2006 and the equipment received by July 2006. As of June 27, 2006, FBI officials stated that they were in the process of purchasing the equipment. As a contingency plan in the event that a delay is encountered, the FBI stated that it would identify any similar equipment within the CJIS Division that can be temporarily but immediately utilized.

Sufficient resources for the iDSM: The FBI recognized the possibility that insufficient resources could cause the first interoperability phase to fall behind schedule. To address this risk, the FBI stated it would apply Earned Value Management to optimize investment planning and control.⁷⁷ Officials from both the FBI and the DHS have indicated that while they are currently on schedule, delays in receiving necessary funding would push back the December 2009 target completion date for full interoperability. For example, FBI officials stated that if a purchase request is delayed by as little as 45 days, it could cause the FBI to miss a procurement cycle, which would push back each of the interoperability phases.

Protection of sensitive data to be shared through the iDSM: Because the data to be shared through the iDSM is considered sensitive, the FBI recognized the risk of not protecting this data and stated that owners of the data may need to restrict access. To address this risk, the FBI is working with privacy officials and conducting analyses to determine whether a privacy impact assessment is needed.⁷⁸ The FBI also decided to limit the volume of data initially being shared through the iDSM.

Although the interoperability risks and corresponding mitigation strategies appear to be reasonable, the scope of our review did not include an analysis of whether the IPT or the FBI identified all potential risks to the interoperability project and appropriately closed or mitigated those risks. Further, because the FBI is working toward establishing the iDSM, it has not completed risk analysis plans for the remaining two phases, although FBI officials stated that they have begun identifying potential risks for the IOC and FOC development phases. We therefore encourage the FBI to continue regularly monitoring the overall risks to the project and to develop risk mitigation strategies for the IOC and FOC phases.

Footnotes

The second barrier has been partially resolved. In May 2005, the DHS agreed to provide the FBI and other law enforcement agencies with access to immigration data; however, the two agencies have not finalized procedures to provide this access.

The guiding principles state that each agency has responsibility for its own mission, each agency maintains its own repository of information and must ensure its integrity, and each agency must protect the privacy rights of individuals represented by the information it maintains. IPT members from the FBI and the DHS commented that the guiding principles of the IPT, particularly those related to data ownership, were integral to the agencies’ agreeing to share data with each other and with federal, state, and local law enforcement agencies.

The Interoperability Concept of Operations provides an overview of the proposed operational changes that would be required to achieve full interoperability (e.g., how law enforcement agencies will access and protect immigration data). The Interoperability Business Requirements, which the IPT derived from the Interoperability Concept of Operations, identifies the interoperability-related business processes and needs of all stakeholders.

The target completion dates for each phase are from a March 30, 2006, schedule developed by the CJIS Division that stated, “Dates are subject to further analysis and funding.”

Authorized non-criminal justice agencies are those agencies permitted to request criminal background checks for employment, licensing, immigration, credentialing, and volunteer activities.

The iDSM represents one of three technical solutions that the IPT is considering for full interoperability. These technical solutions are discussed in the next section of this report.

On April 18, 2006, the IPT finalized an iDSM Concept of Operations, which defines user needs and operational concepts for the iDSM and describes the components for which the FBI and the DHS each have responsibility (e.g., development, deployment, operations, and maintenance of the iDSM).

Prior to November 30, 2005, the DHS had access only to a subset of the Wants and Warrants records that did not include U.S. citizens. The FBI was providing the DHS with daily extracts of those Wants and Warrants records that met the DHS’s screening criteria of individuals who had an unknown or foreign birthplace and citizenship or who had a prior arrest on immigration charges.

Until full interoperability, the FBI plans to continue sending the DHS other IAFIS data, including the fingerprint records submitted as Known or Suspected Terrorists.

The iDSM Concept of Operations states that the DHS is planning to include the Recidivists with Alerts records in the iDSM “as soon as technically feasible.”

Some FBI personnel have limited access to US-VISIT and other immigration data via a February 2005 memorandum of understanding with the DHS. The DHS provided this access to allow certain FBI personnel at specified locations where the FBI and the DHS are co-located and co-operational (i.e., through the Joint Terrorism Task Forces) to conduct queries.

Information on individuals with protected identities (e.g., individuals seeking asylum or those enrolled in a witness protection program) will not be shared.

If a shared data model or the base case is chosen, then the necessary capacity of the iDSM will have to be determined. If the shared services model is chosen, then the agencies will need to determine the necessary capacity of IAFIS and IDENT.

The LESC – which operates 24 hours a day, 365 days a year – provides federal, state, and local law enforcement agencies with information about foreign nationals they encounter (e.g., immigration status, identity of individuals arrested or under investigation) by researching information available in various databases and criminal history repositories.

The Department’s National Institute of Justice is seeking to develop new fingerprint biometrics technology and also to improve current technology. Its Fast Capture Fingerprint/Palm Print Technology initiative is seeking to develop a device capable of collecting the equivalent of 10 rolled fingerprints in less than 15 seconds to improve the screening requirements for criminal, border, transportation, and employment checks. In September 2005, the National Institute of Justice awarded grants to 3 vendors to begin producing such devices, which will be available for testing within 18 to 24 months.

Access to immigration information in the DHS’s databases is governed by the Privacy Act of 1974 (5 U.S.C. § 552a, as amended), which contains requirements for agencies that maintain a system of records. The Privacy Act defines a system of records as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” The FBI acknowledged the need to protect the privacy of the data to be shared between IAFIS and IDENT users in its risk management plan, which we discuss in the next section of this report.

CJIS Division officials explained that the algorithms in IAFIS were designed to process 10 rolled fingerprint submissions and that searching IAFIS using flat fingerprints requires more processing power than searching using rolled fingerprints.

Although the DHS is currently the CJIS Division’s only TPRS customer, the planned capacity increase should allow the CJIS Division to process TPRS transactions for other agencies in the future. However, if the IPT chooses a shared data or base case option, the need for TPRS transactions will be eliminated because the DHS will be able to conduct searches of visitors’ fingerprints against copies of IAFIS data.

The $281 million represents the higher of 2 cost estimates for the US-VISIT transition that the DHS provided in its 10-Print Plan. The higher estimate assumes that the transition to 10 fingerprints would require modifications to existing ports of entry facilities, whereas the lower estimate assumes that the transition would not require modifications.

The DHS’s FY 2006 budget request included $24 million to begin implementing the person-centric view.

Current scanners used by the DOS and other agencies are capable of capturing 10 flat fingerprints. However, according to the user group, those devices are limited in many respects (e.g., fingerprint capture time, scanner size, image quality) and do not offer the capabilities that the DHS and the DOS have identified as necessary for the efficient collection of 10 flat fingerprints from foreign nationals.

Smart Border Alliance, 10 Print Capture RFI Study Report, December 2005.

Until the 10-print records can be transferred to IDENT, the DOS is planning to store them in its Consular Consolidated Database, which contains information on visa applicants.

We attempted to obtain an estimate of the total interoperability-related expenses through the FOC phase but FBI officials stated that a total estimate was not available.

That figure consists of $15.5 million of reprogrammed funding and $3.4 million from the FY 2005 funding of the FBI’s IDENT/IAFIS integrated workstations.

The Department’s FY 2007 appropriations had not yet been awarded at the time this report was published.

FBI officials told us that the DHS Unique Identity IPT has also devised risk management plans for its portion of the interoperability risks. However, we did not verify this with the DHS or examine those plans.

In the Interoperability Concept of Operations, the IPT defined “risk” as a potential event or condition that would be detrimental to the successful implementation and operation of the interoperability effort.

The FBI closed a risk if: (1) it took action to mitigate the risk or render the risk moot, (2) it incorporated a specific risk with another one already being addressed, or (3) it determined the probability of occurrence was low.

Earned Value Management is a program management technique for estimating the performance of a project in terms of its budget and schedule while taking risk into consideration.

A privacy impact assessment is an analysis of how an agency handles information on individuals to ensure it conforms to applicable privacy laws and policies. The E-Government Act of 2002 requires executive branch agencies to conduct privacy impact assessments when they develop or modify electronic collections of such information.

« Previous

Table of Contents