IV&V not always implemented for major DHS IT acquisitions, says GAO


Although the Homeland Security Department says it's been widely using independent verification and validation in its major information technology acquisition programs, Government Accountability Office auditors found eight big programs that only inconsistently implement key IV&V elements.

In a report dated July 28, the GAO examines the DHS portfolio of major IT acquisitions, finding that about 15 percent typically only partially implement elements of the IV&V process. GAO blames the state of affairs in part on "lack of clear departmentwide policy requiring the application of such elements," noting that the DHS chief information officer and chief procurement officer don't track which programs use IV&V unless Congress has specifically told them to do so.

IV&V, of course, is a best practice for complex software projects, since it lends an independent opinion on whether the system is on track to deliver against stated requirements, standards, and user needs. The DHS Acquisition Guidebook recommends, but generally does not require, its use.

The element least applied across the eight programs is establishment of risk-based decision criteria. Five programs, the GAO says, know either how or when to apply IV&V results to improve the program's management, but haven't established and used a risk-based approach for deciding whether or to what extent to use IV&V.

Another problematic element is oversight. Although all programs have established some degree of management and oversight, they have done so with gaps, the report says. For example, the IV&V plan for the Automated Commercial Environment program at Customs and Border Protection lacks a process for how CBP will respond to issues brought up by an IV&V agent.

Report authors say DHS should reviews its acquisition policy so that all major IT programs conduct a risk-based assessment on whether IV&V is necessary and should start collecting and analyzing IV&V data from major IT programs. The department told GAO auditors it agrees with all the recommendations.

For more:
- download the report GAO-11-581 (.pdf)

Related Articles:
DHS cancels TASC 
DHS cancels SBInet 
DHS signs up for Google Analytics account