One of the underlying challenges for the Department of Homeland Security in bringing together a more cohesive IT strategy has been the need for a more cohesive IT governance process.

A new assessment from the Government Accountability Office reports that DHS’s efforts to create a tiered oversight structure that defines distinct roles, responsibilities and policies throughout the department are moving in the right direction.

“To the department’s credit, the vision is generally consistent with guidance and with best practices for managing projects and portfolios,” said David A. Powner, Director, Information Technology Management Issues.

However, the GAO report raised concerns that DHS’s policies and procedures have not yet been finalized, because, according to DHS officials, the focus has been on piloting the new governance process.

“While it is important to conduct pilots to test processes and identify lessons learned, until the department finalizes the policies and procedures associated with the new IT governance, it will have less assurance that its new IT governance will be consistent with best practices and address previously identified weaknesses in investment management,” GAO concluded in the report released July 25.

GAO inspectors found that the governance framework and the associated policies and procedures “are generally consistent with recent Office of Management and Budget (OMB) guidance and with best practices for managing projects and portfolios identified in GAO’s IT Investment Management framework.”

It cited, for example, the significant role DHS’s Chief Information Officer (Richard Spires) plays in overseeing programs. It also noted DHS’s draft procedures that require lower-level boards that oversee IT programs to include the DHS CIO, a component CIO, or a designated executive representative from a CIO office. GAO also credited DHS’s progress in conducting program health assessment reviews for all of its major IT programs.

However, the department has not fully followed other practices that GAO deemed important, such as developing a mechanism to capture lessons learned. “Until the department fully addresses these practices, its implementation approach may be less effective than intended,” the report concluded.

Specifically, GAO recommended:

  • To implement an effective IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to finish defining the new IT governance process by finalizing the IT governance policies and procedures and ensuring they fully address or reference existing documents that address the following: (1) how the (Investment Review Board) is to maintain responsibility for lower-level board activities; and (2) investment selection and prioritization criteria.
  • To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to develop an implementation plan that draws together ongoing and additional efforts needed to implement the new IT governance process. The plan should: 1. build on existing strengths and weaknesses; 2. specify measurable goals, objectives, and milestones; 3. specify needed resources; 4. assign clear responsibility and accountability for accomplishing tasks; and 5. be approved by senior-level management.
  • To assist in implementing the new IT governance strategy, the Secretary of Homeland Security should direct the appropriate officials to fully define and document key measures to monitor the implementation process...(and) establish mechanisms for capturing lessons learned.

In response, DHS’s Director for the Departmental GAO-OIG Liaison Office concurred with GAO’s recommendations and estimated it would address them by September 30, 2013.