Eye on Biometrics

As biometrics technology grows in importance, DoD must establish clear policies, governance and budgeting, says Government Accountability Office.

(Editor’s Note: The Government Accountability Office in September issued a report entitled, “DoD Needs to Establish Clear Goals and Objectives, Guidance and a Designated Budget to Manage Its Biometrics Activities” (GAO-08-1065). Following are edited excerpts from the report, which was addressed to the chairmen and ranking members of the House Armed Services Subcommittees on Readiness and on Terrorism and Unconventional Threats and Capabilities.)

The U.S. security environment has changed markedly in recent years. Once focused on the Cold War threat of the Soviet Union with its massive conventional forces and nuclear arsenal, the Department of Defense now faces not only potential conventional threats from hostile nations, but also unconventional threats from terrorist organizations or individuals. For example, these terrorists may seek to blunt U.S. forces by blending anonymously into native populations to avoid detection until an attack is launched. DoD uses fingerprint records, iris scans and other biometrics technologies to help establish the identity of such persons.

Biometrics technologies can be useful because they measure physical attributes of individuals, such as the whorls, arches and furrows of their fingerprints or the random patterns of the iris muscle of the eye, which are thought to be unique to an individual. Biometrics data not only can help establish a person’s identity with greater confidence, but also help improve the ability to link individuals to their past activities and previously used identities. According to DoD, biometrics technology is revolutionizing DoD operations and is used in many organizations and in many missions, including military operations such as population control, counterintelligence screening, and detainee management and interrogation, and in business operations such as base access control to verify Common Access Card credentials.

Biometrics activities are dispersed throughout DoD at many organizational levels. These DoD organizations use a variety of different systems to collect, store and analyze biometrics data. However, with many organizations developing the use of biometrics, coordination has been difficult to achieve across the department, according to several DoD reports. DoD efforts to formally organize and manage its biometrics activities date back to at least 2000, when Congress designated the Army as the executive agent responsible for leading and coordinating all DoD biometrics information assurance programs.

Given current wartime missions following the terrorist attacks on September 11, 2001, DoD has spent millions of dollars in procuring biometrics technologies and systems and installing them throughout the department and in its operations overseas. For example, for fiscal years 2006 and 2007, the Army alone received approval for about $540 million in biometrics-related funding and requested over $470 million in funding for fiscal year 2008. With the increased use of biometrics, DoD recognized that it needed to establish better overarching direction for its biometrics activities and improve coordination among the DoD organizations involved, and began to institute various initiatives to achieve those goals.

For example, by memorandum dated October 4, 2006, the deputy secretary of defense designated the director of defense research and engineering, under the under secretary of defense for acquisition, technology and logistics, as the principal staff assistant for DoD biometrics. The deputy secretary directed the principal staff assistant to establish the DoD Biometrics Executive Committee with members representing DoD’s military services and intelligence, acquisitions, networks and information integration, personnel, and policy communities. In a February 2008 directive, DoD designated the principal staff assistant as the chair of the Executive Committee.

While biometrics technologies are important tools in DoD operations, they also are enabling technologies for the much broader operating concept termed identity management. While the definition for identity management is evolving, a basic understanding from federal and DoD reports and other documents is that identity management seeks to manage identity information, including biometrics data, in an integrated, coordinated way to enable improved sharing and analysis of identity information.

Biometrics data represent only a part of an individual’s identity. For example, in addition to unique physical attributes, such as fingerprints and iris scans, other information on individuals may include their names, Social Security numbers or dates of birth. Identity information on known or suspected terrorists, as well as U.S. or foreign individuals, may also be collected, organized, analyzed and protected in databases associated with military combat or base access operations or intelligence, law enforcement, border security or other national security mission areas.

The greater confidence provided by biometrics data raises the potential for it to be used as a “master key” to grant access across all these databases and systems, and cross-reference information from all the different perspectives—subject to existing privacy protections—resulting in the opportunity for new analytical perspectives. In its 2006 concept of operations, DoD recognized that its current methods of identifying individuals, organizing information on persons, and recalling and sharing such information were inadequate to meet its operational needs. As a result, DoD saw the need to integrate its dispersed biometrics operations to be consistent with the type of improved information sharing and analysis sought by identity management.

The need for increased sharing of biometric and other information in the global war on terrorism is also being recognized across the federal government. For example, in June 2008, the president issued a new national security directive establishing a governmentwide framework for the sharing of biometrics data. The directive is designed to ensure that federal agencies use compatible methods and procedures in the collection, storage, use, and analysis of biometric information to enhance the sharing of such data.

In light of the increasing importance of biometrics and identity management to DoD’s missions and the significant amount of funding devoted to biometrics technologies, you asked that we examine the effectiveness of DoD’s efforts to manage biometrics in support of the larger context that is identity management. This is the third in a series of products we have issued in response to your request.

In December 2007, we issued a management letter raising concerns about whether the newly established principal staff assistant for biometrics was being provided with the authority needed to improve coordination and direction of DoD’s biometrics initiatives. In May 2008, we recommended that DoD establish guidance specifying a standard set of biometrics data for collection during military operations in the field, and explore broadening its data sharing with other federal agencies in some areas. In this report, we examine the extent to which DoD has established biometrics goals and objectives, implementing guidance for managing biometrics activities, and a designated budget linking resources to specific objectives and providing a consolidated view of the resources devoted to biometrics activities.

To address this report’s objective, we considered leading management practices and principles identified in our prior reports and analyses. Our analysis focused primarily on DoD’s management of biometrics activities, systems and programs associated with its current warfighting and counterterrorism efforts, particularly those used in U.S. Central Command’s geographic area of responsibility, which includes Iraq and Afghanistan. We reviewed documents and interviewed officials from a range of DoD organizations at the departmental, military service and combatant command levels involved in conducting, managing or overseeing biometrics activities. These documents included various memorandums, directives, briefings, progress reports, budgetary data, planning documents, charters, agendas, reports, studies and analyses related to biometrics activities in the department.

RESULTS IN BRIEF

DoD began to take actions to better manage its dispersed biometrics activities in 2000, but as of August 2008, it had not established management practices that include clearly defined goals and objectives, implementing guidance that clarifies decision-making procedures for the Executive Committee, and a designated biometrics budget.

First, while DoD has stated some general goals for biometrics, such as providing comprehensive planning policy in several documents such as the November 2005 “Department of Defense Biometrics Strategy,” it has not articulated specific program objectives, the steps needed to achieve those objectives, and the priorities, milestones, and performance measures needed to gauge results. DoD officials said that in late 2008 they plan to complete studies that will lay the foundation for the eventual development of a formal biometrics program.

Second, DoD issued a directive in 2008 to establish biometrics policy and assigned general responsibilities to the Executive Committee and the principal staff assistant, but has not issued implementing guidance that clarifies decision-making procedures for policy and management issues. The Executive Committee is chaired by the principal staff assistant and includes a wide array of representatives from DoD communities such as intelligence, acquisitions, networks and information integration, personnel, and policy and the military services. The Executive Committee is responsible for resolving biometrics management issues, such as issues between the military services and joint interests resulting in duplications of effort. However, the committee does not have guidance for making decisions that can resolve management issues. At one time, DoD considered providing the Executive Committee with a voting mechanism to resolve policy issues and help ensure that such issues and others are formally addressed and resolved in the best interests of the department as a whole. However, this directive did not include this voting mechanism. Past DoD reports have noted difficulties in decision making and accountability in the management of its biometrics activities.

Third, DoD also has not established a designated budget for biometrics that links resources to specific objectives and provides a consolidated view of the resources devoted to biometrics activities. Instead, it has relied on initiative-byinitiative requests for supplemental funding, which may not provide a predictable stream of funding for biometrics. Until DoD has established a designated budget, it will continue to experience uncertainty in obtaining resources for its biometrics activities.

Our prior work on performance management demonstrates that successful programs incorporate such key management practices, and for several years, DoD reports and studies have also called for DoD to establish such practices for its biometrics activities. Similarly, a new presidential directive issued in June 2008 supports the establishment of these practices in addition to calling for a governmentwide framework for the sharing of biometrics data. DoD officials have said that DoD’s focus has been on quickly fielding biometrics systems and maximizing existing systems to address immediate warfighting needs in Afghanistan and Iraq.

This focus on responding to immediate warfighting needs and the absence of the essential management practices have contributed to operational inefficiencies in managing DoD’s biometrics activities, such as DoD’s difficulties in sharing biometrics data within and outside the department. For example, in May 2008, we recommended that DoD establish guidance specifying a standard set of biometrics data for collection during military operations in the field. These shortcomings may also impede DoD’s implementation of the June 2008 presidential directive and the overall identity management operating concept. Therefore, we are recommending that DoD establish clearly defined goals and objectives, issue implementing guidance that clarifies decision-making procedures for the Executive Committee, and establish a designated budget for managing its biometrics activities.

CONCLUSIONS

Biometrics technologies have become essential tools for supporting DoD’s warfighting and counterterrorism missions, but DoD continues to lack clear goals and performance measures, implementing guidance to specify how the Executive Committee will make decisions to resolve disputes over duplication of effort or other important policy or management issues, and a designated budget—management practices key for program success. While each is important in its own right, these practices also interrelate, with weaknesses in one practice reinforcing and prolonging weaknesses in another.

For example, program officials need to establish clear, long-term biometrics goals and objectives to provide program direction. Clear program goals and objectives are needed to justify and prioritize budgetary resources, and in turn, such resources are necessary to accomplish program goals. Similarly, a lack of clear implementing guidance on how decisions to resolve important policy or management issues are made can confuse accountability. Officials say that some of the management weaknesses have occurred because the department’s focus on fielding biometrics systems as quickly as possible to meet immediate, shorterterm warfighting needs has resulted in insufficient attention to developing an overall approach for managing dispersed biometrics activities across the department.

However, weaknesses in DoD’s management of its biometrics activities, if allowed to continue, serve to hinder DoD’s ability to effectively support its warfighting and counterterrorism missions in the long term. For example, continuing interoperability problems among several major biometrics systems in Central Command’s area of operations—problems involving inconsistent biometrics data formats and screening procedures—have impeded the command’s ability to share biometrics data in an efficient, timely manner. Furthermore, according to Central Command officials, several high-priority departmental initiatives intended to address such problems—identified as “urgent operational needs” in 2005 by the command— were delayed, thereby jeopardizing the command’s ability to identify and detain potential enemy combatants.

In addition, shortcomings in DoD’s management of biometrics activities may impede the department’s efforts to fully implement the June 2008 presidential directive on using biometrics within the federal government to enhance national security, as well as hinder DoD’s ability to further develop the overall identity management operating concept. As a result, we believe that the department needs to take a longer-term perspective on the management of its biometrics initiatives.

RECOMMENDATIONS FOR EXECUTIVE ACTION

To improve the management of DoD’s biometrics activities, we recommend that the secretary of defense direct the principal staff assistant and Executive Committee to (1) develop clearly defined goals and measures of success to guide and monitor development of biometrics activities, (2) issue implementing guidance that clarifies decision-making procedures for the Executive Committee, and (3) work with the comptroller to establish a designated biometrics budget.

AGENCY COMMENTS

In written comments on a draft of this report, DoD concurred with all of our recommendations. Also, the director of defense biometrics provided us with technical comments, which we incorporated in the report where appropriate.

DoD concurred with our first recommendation that the secretary of defense direct the principal staff assistant and the Executive Committee for DoD Biometrics to develop clearly defined goals and measures of success to guide and monitor the development of DoD’s biometrics activities. In its concurrence with this recommendation, DoD indicated that the Executive Committee had approved a “DoD Biometrics Enterprise Strategic Plan (2008-2013)” while the department was reviewing a draft of this report. According to DoD, the strategy includes specific goals and objectives for DoD’s biometrics enterprise and directs the development of a detailed implementation plan that includes metrics and milestones.

DoD further stated that it would develop additional milestones and metrics for emerging biometrics acquisitions programs in conjunction with the development of a more formal biometrics program. We did not have an opportunity to review the DoD Biometrics Enterprise Strategic Plan before publishing this report and therefore did not evaluate the extent to which the plan’s goals and measures of success would help guide and monitor the development of DoD’s biometrics activities.

DoD also concurred with our second recommendation that the secretary of defense direct the principal staff assistant and the Executive Committee for DoD Biometrics to issue implementing guidance that clarifies decision-making procedures for the Executive Committee. In its concurrence with this recommendation, DoD noted that the Executive Committee had initiated the development of an implementation instruction to clarify and provide details about the governing process for DoD biometrics. The department expects approval of this guidance in fiscal year 2009.

Finally, DoD concurred with our third recommendation that the secretary of defense direct the principal staff assistant and the Executive Committee for DoD Biometrics to work with the department’s comptroller to establish a designated biometrics budget. In its concurrence, DoD agreed with the need for defined biometrics programs and associated funding lines. The department stated that it had established a discrete biometrics science and technology program in fiscal year 2008 in order to focus biometrics technology development within a primary program.

In addition, DoD stated that it had taken significant steps, such as its ongoing capabilities-based assessment of biometrics, to transition its biometrics acquisition efforts into more structured programs with associated funding lines. The department intends to initiate such biometrics programs in fiscal year 2010. However, noting that biometrics is an enabling technology that supports many departmental capabilities, DoD intends to establish multiple discrete programs with associated funding lines, rather than a single funding line that encompasses all DoD investments in biometrics technology, systems, and programs. In our view, however, pursuing an approach involving multiple funding lines, DoD should ensure that the funding lines are clearly linked to specific biometrics program objectives and that they provide a consolidated view of the resources devoted to biometrics activities throughout the department. ♦