Article critique
Chapter Title: Assessment of the Assignments and Arrangements of the Executive Agent Book Title: An Assessment of the Assignments and Arrangements of the Executive Agent for DoD Biometrics and Status Report on the DoD Biometrics Enterprise
Book Author(s): Douglas Shontz, Martin C. Libicki, Rena Rudavsky and Melissa A. Bradley
Published by: RAND Corporation
Stable URL: https://www.jstor.org/stable/10.7249/j.ctt3fh0n8.10
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms of scholarship. For more information about JSTOR, please contact [email protected]. Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at https://about.jstor.org/terms
This content is licensed under a RAND Corporation License. To view a copy of this license, visit https://www.rand.org/pubs/permissions.html.
RAND Corporation is collaborating with JSTOR to digitize, preserve and extend access to An Assessment of the Assignments and Arrangements of the Executive Agent for DoD Biometrics and Status Report on the DoD Biometrics Enterprise
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
17
ChAptEr thrEE
Assessment of the Assignments and Arrangements of the Executive Agent
This chapter begins with a description of the EA organization, roles, and responsibilities. It then describes the biometric capabilities that fall under the purview of the EA. The third sec- tion assesses the assignments and arrangements of the EA and describes issues with each of the eight stages of the biometrics cycle and qualitatively assesses the risk that certain identified issues pose to the cycle.
The EA is supporting a functioning biometrics cycle that meets some level of warfighter needs and has had significant success identifying bad actors. Aspects of the EA’s assignments and arrangements show some deficiencies in managing biometrics responsibilities and pose risks to the biometrics cycle and ability to provide for user needs. However, this assessment examines ten years of activity and was conducted at a single point in time. Thus, it does not fully capture the recent efforts by the EA to improve operations, many of which were ongo- ing during our research. The EA has worked to increase automation, formalize activities, and develop metrics that demonstrate the impact of biometrics work. R AND expects that the required future annual assessments will track these continued changes and efforts to improve effectiveness and efficiency.
Assignments and Arrangements of the Executive Agent
The responsibilities and functions of SECARMY acting as the EA for DoD Biometrics are spelled out in DoDD 8521.01E, paragraph 5.12, a document released by DoD in 2008 to pro- mote a joint and coordinated organizational structure for a DoD-wide biometric capability. DoDD 8521.01E lists discrete tasks the EA must accomplish, but, in keeping with standard DoD practice, the directive does not dictate how the Army must specifically organize its vari- ous biometrics functions to carry out its responsibilities.
The Biometrics Cycle
However, before describing the specifics of the EA’s management and functions, it is useful to briefly summarize what the EA is currently executing. In general, the EA executes those func- tions needed to enable and support the biometrics cycle for red- and gray-force information.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
18 An Assessment of the Executive Agent for DoD Biometrics
Figure 3.1 describes the biometrics cycle as derived from the PSA’s description, DoD documen- tation, and interviews.
The EA’s role in enabling and supporting the cycle includes developing, procuring, and fielding biometric collection, storage, and analytical technology, operating the authoritative database for red and gray forces, promulgating standards for biometric data, and collecting common biometric requirements.1
For most biometric records, the cycle currently operates as follows: An individual is “enrolled” by collecting (ideally) ten fingerprints, iris scans, a facial photograph, and biographic information (name, height, weight, etc.); the data are sent to the Automated Biometric Iden- tification System (ABIS) to determine if a biometric match can be made to existing records; a match/no match response is sent to a recipient who may or may not be the person who sub- mitted the request.2 Most fingerprint records submitted to ABIS can be resolved by automated analysis, but some (approximately 9.5 percent as of January 2012 according to BIMA) must be reviewed by a human forensic examiner. Submissions are prioritized based on urgency, with SOCOM inquiries receiving higher priority than detention center inquiries (as well as Navy maritime interdiction operations, and FBI Hostage Rescue Team operations). Results of bio- metric submissions are also analyzed in conjunction with other available information about the identified person. As of January 2012, ABIS contained 7.1 million records linked to 4.5 million unique identities, and ABIS was processing, on average, approximately 6,500 transac- tions per day.
In addition to this process, BIMA employs latent print examiners who try to match ABIS records to partial fingerprints collected from various sources, e.g., IEDs. Fingerprint records are also received from partner nations working in cooperation with the United States.
1 The EA is also responsible for blue-force biometric work, but the current level of activity is much lower as described later in this report. 2 One might suppose the cycle would terminate when a match/no match response is sent back to the field. It does not unless the match is to someone on the BEWL or the match request came from SOCOM. According to CENTCOM sources, the Project Manager for DoD Biometrics (PM-Biometrics) has had a requirement to implement a function in Bio- metrics Automated Toolkit (BAT) to be able to receive responses, but it has not been implemented.
Figure 3.1 The Biometrics Cycle
RAND TR1290/1-3.1
Task/Direct Collect Transmit Match
Decide/Act Analyze Share/Reference Store
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 19
EA Roles and Responsibilities
Prior to describing the biometrics-specific functions of the EA listed in DoDD 8521.01E, it is useful to reference DoDD 5101.1, which defines the general role of an EA within DoD. Con- ceptually, an EA is designated to ensure proper coordination among DoD components, iden- tify requirements and resources, and monitor and report results of performance for capabilities not clearly within the purview of a single DoD component.3 DoDD 5101.1 explicitly describes the role of an EA:
• “5.2.1. Execute DoD Executive Agent responsibilities, consistent with applicable law, DoD Directive 5100.3 (reference (d)), DoD Directive 5100.73 (reference (e)), and this Directive.
• “5.2.2. Ensure proper coordination with the DoD Components for the responsibilities and activities assigned to provide continuous, sustainable, and global support as required by end-users. Ensure effective planning throughout operations by developing a coordi- nated process and support plans for transition from peacetime to wartime and/or contin- gency operations.
• “5.2.3. Identify requirements and resources, including force structure to the extent per- mitted by law, necessary to execute assigned responsibilities and functions. Submit these requirements to the cognizant Head of the DoD Component to be included in their respective budget documentation.
• “5.2.4. Monitor resources used in performing assigned responsibilities and functions. • “5.2.5. Develop, maintain, and report results of performance of DoD Executive Agent
responsibilities and functions, as may be required by law, Secretary of Defense decision, or other Congressional requirements.
• “5.2.6. Obtain reports and information, consistent with DoD Directive 8910.1 (reference (f )), as necessary, to carry out assigned DoD Executive Agent responsibilities, functions, and authorities.
• “5.2.7. Establish, maintain, and preserve information as records, consistent with DoD Directive 5015.2 (reference (g)), that document the transaction of business and mission of the DoD Executive Agent.
• “5.2.8. Designate a focal point to coordinate matters regarding assigned DoD Executive Agent responsibilities, functions, and authorities.”
DoDD 8521.01E specifies the role of the Biometrics EA in light of DoDD 5101.1 and the development and deployment of common biometric technology, operating the authoritative database, promulgation of data standards, and collection of requirements, among other things. In considering these duties, it is important to remember two things: First, the assignments and arrangements of an EA in general are meant to be monitored regularly for effectiveness in meeting end-user requirements. Second, DoDD 8521.01E preceded formalized strategy for a
3 DoD, “DoD Executive Agent,” DoD Directive 5101.1, May 9, 2003.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
20 An Assessment of the Executive Agent for DoD Biometrics
coordinated DoD biometric capability and thus is merely an initial step. In light of these cave- ats, DoDD 8521.01E by itself does not (and cannot) serve as the basis for assessing the EA’s assignments and arrangements. Instead, the directive is a framework for the entire biometrics program, including the EA’s role, that is meant to be further specified by other implementation measures such as a DoD Instruction (DoDI). DoDD 8521.01E lists the explicit responsibilities of the Biometrics EA:
• “5.12.1. Execute responsibilities of the DoD EA for DoD Biometrics in accordance with Reference (w) and this Directive.
• “5.12.9. Develop, publish, and update as appropriate a DoD Biometrics Security Clas- sification Guide.
• “5.12.8. Coordinate all component biometric requirements with DoD Component mem- bers of the DoD Biometrics EXCOM.
• “5.12.6. Program for and budget sufficient resources to support common enterprise requirements documentation, architecture development, materiel development, test and evaluation, lifecycle management, prototyping, exercises, records management, demon- strations, and evaluations to include efforts at maturing viable technologies and standards.
• “5.12.7. Program for and budget sufficient resources to support common biometric data management, training, operations, and lifecycle support.
• “5.12.3. Provide for, manage, and maintain a biometrics center of excellence. • “5.12.2. Appoint an Executive Manager for DoD Biometrics, who shall be a G/FO or
SES equivalent, with responsibilities as outlined in Enclosure 4. • “5.12.4. Appoint a single Program Management Office, under the authority of the
Army Acquisition Executive, responsible for the development, acquisition, and field- ing of common biometrics enterprise systems to support common, Service, and joint requirements.”4
We gathered additional information through interviews and document reviews to gain a more complete understanding of the EA’s activities.
First, the EA appoints the Executive Manager for DoD Biometrics, who is currently the Director of BIMA. The Executive Manager is responsible for biometrics standards and prom- ulgation, among other things. BIMA is an agency created by the Army responsible for carrying out the Executive Manager’s functions, including managing the “authoritative DoD reposito- ries of biometric samples on those individuals not issued a DoD credential.”5
Second, the EA provides for, manages, and maintains “a biometrics center of excellence.”6
4 DoD, 2008s. 5 DoD, 2008a, paragraph E4.11. 6 DoD, 2008a, paragraph 5.12.3.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 21
Third, the EA appoints “a single Program Management Office” for biometrics, cur- rently PM-Biometrics, which is “responsible for the development, acquisition, and fielding of common biometrics enterprise systems to support common, Service, and joint requirements.”7
Fourth, the EA, “when applicable … make[s] recommendations to [the Under Secretary of Defense for Acquisition, Technology and Logistics] USD(AT&L) concerning acquisition category and milestone decisions for all biometric acquisition programs.”8
Fifth, the EA is tasked with programming and budgeting resources to support common requirements. Currently, and over the last ten years, these resources have come overwhelmingly from OCO funding. This funding source relieved the Army of having to make trade-offs in its base budget between DoD-wide biometrics support and other Army needs. However, once OCO funding ends—a factor already starting to impinge on the FY13 program—biometrics will have to compete for funding and will therefore need a strong rationale in favor of surviving as an enduring DoD capability in some form. Furthermore, without OCO funding, biomet- rics requirements must be supported with formal PoRs created by the Army. As of this writ- ing, the Army has initiated this effort, but it has moved only through Army’s internal staffing process and must still complete joint staffing.
Sixth, the EA is responsible for programming and budgeting “sufficient resources to sup- port common biometric data management, training, operations, and lifecycle support.” Train- ing has been ad hoc so far because formal training cannot be developed without PoRs.
Seventh, the EA is responsible for coordinating “all component biometric requirements with DoD Component members” of the DoD Biometrics Executive Committee (EXCOM), and, by extension, using these requirements in developing its acquisitions.
Finally, the EA is responsible for developing, publishing, and updating “a DoD Biomet- rics Security Classification Guide.”
The EA has taken on and engaged in additional biometrics activities not specified in DoDD 8521.01E by virtue of additional OSD guidance, past practice, and the consequences of deployed systems. We identified these activities during the study and incorporated them into our understanding of the assignments and arrangements as appropriate.
The EA’s management structure described by DoDD 8521.01E, officially formed by the EA, guided by ADMs, and as carried out in practice, is shown in Figure 3.2. Beyond the DoDD-required Executive Manager (BIMA) and PM-Biometrics, the management structure includes requirements and (in the future) training functions formally assigned to U.S. Army TR ADOC, as well as BEI functions carried out by the National Ground Intelligence Center (NGIC). The EA components’ primary functions and responsibilities as identified during this study are summarized in Table 3.1. For purposes of this report, we assumed all other EA func- tions are retained by the EA.
As described by the DoDDs discussed above, a PSA—currently the Assistant Secretary of Defense for Research and Engineering—oversees the EA’s activities. For biometrics, the PSA
7 DoD, 2008a, paragraph 5.12.4. 8 DoD, 2008a, paragraph 5.12.5.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
22 An Assessment of the Executive Agent for DoD Biometrics
accomplishes his oversight primarily by chairing the EXCOM, which is the coordinating body for DoD biometrics. The EA is represented at EXCOM meetings by the Executive Manager, and the EA components provide the PSA with updates on biometrics activities. Other DoD components also participate in the EXCOM as needed.
Shortly after the publication of DoDD 8521.01E in 2008, DoD released the Biometrics Enterprise Strategic Plan (BESP). This document firmly prioritizes support of military opera- tions for DoD biometrics, but, as discussed in Chapter Four, its goals are vague. As discussed in Chapter Two, when we tried to apply a logic model approach to track the program inputs to intended outcomes, we found the documents were inconsistent among themselves. This led us to use the approach that focuses on the biometrics cycle.
Assessment of EA Management Assignments and Arrangements
Several aspects of the EA’s assignments and arrangements for carrying out its biometrics respon- sibilities are stovepiped, unclear, and duplicative, which could contribute to reduced effective- ness and efficiency of biometrics capabilities for end-users. R AND identified three factors as the likely root causes of management deficiencies:
• EA responsibilities spread across Army in a somewhat nontraditional manner
Figure 3.2 Executive Agent Management Structure
RAND TR1290/1-3.2
Assistant Secretary of Defense (Research and Engineering
(PSA)
Organizations with known or designated key EA functions
Secretary of the Army (EA)
Deputy Chief of Staff for Intelligence
(G-2)
Deputy Chief of Staff for Operations and
Plans (G-3/5/7)
Training and Doctrine Command
(TRADOC)
National Ground Intelligence Center
PM-Biometrics
Intelligence and Security Command
BIMA (Executive Manager)
Capability Manager for Biometrics and
Forensics (TRADOC)
Assistant Secretary of the Army for
Acquisition, Logistics, and Technology
Program Executive Office—Enterprise
Information Systems
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 23
• continued reliance on OCO funding and quick reaction capabilities (QRCs) • lack of objectives and metrics.
First, as noted above, the EA’s functions—both those formally assigned and others taken on—are spread across the Army and only meet organizationally at the EA himself, SECARMY. The management arrangement is mostly typical within the Army, with separate roles for col- lecting requirements, procuring technology, and operating systems. However, the complicat- ing factors in this case are the EA’s Executive Manager and the need for centralized operations. Normally, requirements are gathered, equipment is acquired and fielded, and Army units use the equipment independently. With biometrics, the equipment must be used in concert with a central database that supports all of DoD. The EA’s Executive Manager operates the database and has assumed some roles in technology development and requirements. Further, the EA’s Executive Manager only has authority over BIMA, with no ability to coordinate the EA’s func- tions and components.
Consequently, the closest approximation to the true role of Executive Manager has been taken on more by the PSA’s representative, the Director of Defense Biometrics. However, as an
Table 3.1 Summary of Executive Agent Component Primary Functions and Responsibilities Identified in RAND Research
EA Component Functions Notes
BIMA – Executive Manager
• Vice chair of Biometrics EXCOM • Manage database for red and gray forces • technology “support” • Standards • Develop tools to facilitate interoperability • Coordinate on continuity of operations (COOp)
site
responsible for all Executive Manager responsibilities listed in DoDD 8521.01E
pM-Biometrics • Develop, acquire, and field biometrics systems • Database COOp site
reports to program Executive Office and Asst. Sec. Army on acquisition matters
trADOC • Gather biometrics requirements through tCM-B&F
• Develop Capability Development Documents (CDDs) for pors through tCM-B&F
• Develop and conduct training
NGIC • Operate BEwL • provide BEI through analysts funded by the
Military Intelligence program (MIp) and National Intelligence program (NIp)
• handle biometric data
BEwL and BEI functions directed to DIA in DoDD 8521.01E, but Army NGIC has been carrying them out
SOUrCE: DoD, 2008a; and interviews with U.S. government personnel.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
24 An Assessment of the Executive Agent for DoD Biometrics
OSD office responsible for oversight and guidance, the PSA lacks directive authority over the EA’s components. According to BIMA, “The EA’s responsibilities in DoDD 8521.01E include additional items beyond what is included in DoDD 5101.1, thus distorting the perception of who has the responsibility to lead the DoD Biometrics Program. By allocating additional responsibilities to the PSA ... the EA focal point [in this case the Executive Manager] does not have the authority and responsibilities to adequately manage the DoD Biometrics Program.”9 We do not believe “additional” PSA responsibilities are hindering the Executive Manager, but the practical effect is that SECARMY, as the EA, remains the single point of management at a level in the Army that does not have the time to devote to the day-to-day minutiae of biomet- rics activities. The impact of this organizational positioning is shown in several instances. All non-Army personnel interviewed by R AND were unsure or unaware of which EA components are responsible for the EA’s functions, and in fact, several Army personnel were also unsure about roles within the EA.
Because of its limited organizational reach, BIMA is unable to properly promulgate and enforce standards for biometric technology. Under DoDD 8521.01E, the DoD components are responsible for complying with the standards, and BIMA stated that the Biometric Stan- dards Working Group, which BIMA chairs, has formally recommended standards to the DoD Information Technology Standards and Profile Registry (DISR) regularly since 2006. How- ever, BIMA has not enforced the data standards, and technology has been procured that does not meet the standards.
Because of unclear responsibilities or unclear management direction, BIMA and TCM- B&F both ran requirements working groups, despite this function normally residing with a TCM. BIMA attempts to differentiate its working group by stating that it focuses on “col- laboration among the services and federal partners,” but TCM also works to include the other military services in the course of validating requirements.10 Both TCM-B&F and G-3 said that having two groups operating in the requirements space is duplicative and inefficient. This duplication of effort—and potential lack of clarity about who was ultimately responsible—may have contributed to the approximately three years required to develop and complete the CDDs for BEC and Joint Personnel Identification version 2 (JPIv2), discussed in greater detail below.
A lack of collaboration between EA components has led to direct failures. PM-Biometrics and BIMA are both responsible for ABIS; BIMA for day-to-day management of operations and PM-Biometrics for fielding, upgrades, and maintenance. However, the organizations blamed each other for multiple failed ABIS upgrades—the most recent occurring in August 2011, with each group claiming the other failed to provide adequate information for the upgrade. Because of the stovepiped management structure, the conflict could only be resolved by the EA himself. Similarly, both PM-Biometrics and BIMA play a role in the COOP site for ABIS. DoD and
9 Comments from BIMA to R AND on the draft of this report, April 2012; DoDD 5101.1 lays out the general framework and scope of responsibilities for EAs, while DoDD 8521.01E provides the specific responsibilities and functions for the Bio- metrics EA. 10 Biometrics and Identity Management Agency comments to R AND, April 2012.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 25
Army policy require COOP contingencies, and the EA has had a standing request for an ABIS COOP site since approximately 2007. As of this report, the COOP site is scheduled to be run- ning in the first quarter of FY13, five years after the requirement was issued. At least one failed attempt to set up the COOP site has been made on the West Coast since 2007. PM-Biometrics stated, “It is the PM’s job to establish a COOP site, but the PM has been unable to accomplish this mission because of lack of concurrence from BIMA.”11
Second, most of the biometrics activities have been supported by OCO funding and have focused on procuring QRCs because of wartime environment demands. Much of the Army has been forced to respond to urgent operational needs from Iraq and Afghanistan, which resulted in tools and technology being rapidly developed and fielded without adhering to DoD standards, formal performance measures, and operational testing and evaluation requirements. This was seen as important for early fielding given the pressure of wartime. However, the biometrics enterprise continued operating under this paradigm, lacking firm deadlines and accountability measures, according to a G-3/5/7 interview. The absence of structure and stra- tegic planning contributed to the proliferation of devices that are not completely interoperable and to conflicts between end-users and EA components over which tasks were given priority. For example, PM-Biometrics was criticized by part of the Army for prioritizing work on the Biometric Identification System for Access (BISA) rather than the BAT, which was in greater use at the time. PM-Biometrics claimed the apparent difference in effort was due to BISA’s code having “greater maintainability and sustainability.”12
Third, the EA lacks metrics to determine the sufficiency and efficiency of its activities. When R AND first requested performance metrics from the EA components, the responses largely consisted of budget execution (i.e., spending) and staffing levels. BIMA-WV explained how it tracks ABIS daily transactions, number of matches, and downtime, but these are met- rics with mostly self-imposed (i.e., BIMA-imposed) thresholds and objectives and without a basis to determine sufficiency, i.e., whether warfighter needs are being adequately met.13 As discussed below, DoD as a whole lacks goals for using biometrics and implementing biometric technology, but the EA is still responsible for developing organizational goals and objectives to provide guidance and enforce accountability. BIMA identified the DoD BESP 2008-2015, issued August 27, 2008, as a source of goals and objectives. However, the strategic plan is vague and generally tracks DoD’s broad mission of supporting the warfighter. Also, the strategic plan was issued in 2008 while BIMA was still known as the BTF, U.S. troops were still present in Iraq, and no formal PoRs had been developed.
These root causes of management issues are inherently linked and manifest in different ways within the EA’s components. PM-Biometrics could take any approach it deemed appropriate— and as approved by its immediate superior, Program Executive Office for Enterprise Information
11 Comments from PM-Biometrics to R AND on the draft of this report, April 2012. 12 PM-Biometrics comments, April 2012. 13 BIMA comments, April 2012. BIMA noted that the threshold of the maximum time to respond to SOCOM inquiries was set by SOCOM.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
26 An Assessment of the Executive Agent for DoD Biometrics
Systems (PEO-EIS)—to address the urgent operational needs and requests for changes in bio- metrics equipment. However, these decisions essentially were made in a vacuum because there were no programmatic goals or metrics and no links between OCO funding and programmatic output. Further, the organizational stovepipes meant PM-Biometrics did not have to collaborate with BIMA in making decisions. According to CENTCOM, more than 80 percent of validated requirements submitted from theater to PM-Biometrics were not completed.
Despite these issues, the biometrics capability maintained by the EA has helped make more than 900 matches to the High Value Individual Watch List and deny more than 80,000 attempts by people to gain employment, access, or training at U.S. or coalition facilities.14
It is important to note that beginning in 2008, GAO wrote multiple reports highlighting some of these problems with management.15 The EA also hired ANSER Analytic Services (and a team of study partners) to provide a series of reports.16
The EA is taking some initial steps to correct highlighted problems, such as imposing the structure and discipline of formal PoRs and moving ABIS operations from BIMA to another Army organization.17 However, the three root causes—stovepiped management, OCO fund- ing of QRCs, and a lack of objectives—remain essentially unchanged and therefore will likely continue causing difficulties. How the EA manages biometrics responsibilities through the various components is discussed in greater detail in the following section.
EA Management: BIMA and PM-Biometrics
BIMA (and predecessor organizations) and PM-Biometrics have played the most prominent roles for the EA because they have specifically designated roles and are collectively responsible for most of the biometrics technology and data.
BIMA and predecessor organizations have had significant successes in supporting war- fighter needs for biometrics matching, but they have struggled to define themselves over approxi- mately 12 years. Responsibilities were initially split between the BMO and BFC under G-6 in July 2000. The organizations were merged into the BTF under G-3/5/7 in June 2006, which was then changed to BIMA in March 2010.18 BIMA’s responsibilities are being reorganized again as of the end of our research effort, and BIMA’s functions will be made subordinate to the Office of the Provost Marshal General by the end of FY12. This instability of role and management has likely been at the root of some of BIMA’s (and predecessor organizations’) internal management deficiencies described here. BIMA has mostly self-imposed performance objectives for operating ABIS, its most important function, and no organizational metrics or goals that were shared with
14 BIMA comments, April 2012. 15 GAO, 2008a; GAO, 2008b; GAO, 2011; GAO, 2012. 16 See, e.g., Team ANSER, 2009a, 2009b, 2009c. 17 John M. McHugh, Secretary of the Army, “Future of the Biometrics Identity Management Agency,” memorandum, Washington, D.C., March 12, 2012. 18 At least one interviewee stated that G-2 had responsibility for part of the biometrics mission between G-6 and G-3/5/7. This was denied by BIMA but is a further indication of the lack of clarity about roles and responsibilities.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 27
RAND. BIMA notes that it has a threshold requirement of 8,000 transactions per day for ABIS and that actual performance recently increased to 18,500 per day. This self-imposed threshold is easily achieved, given current performance, and is not based on a DoD-wide (and potentially U.S. government-wide) understanding of the true need, which could be higher or lower. BIMA has spent millions of dollars on multiple pilot efforts without a transition plan for any technology it develops, and without any successful transition of technology to DoD users. Exact figures were unavailable, but in recent years, these efforts have averaged in excess of $3 million per year. As one BIMA staff member indicated, BIMA in recent years has self-initiated research efforts with- out a specific request or an obvious need from an end-user.19
BIMA’s inability to effectively promulgate and enforce standards (discussed in greater detail below) for biometric data collection contributed to the multiple devices procured across DoD that are not fully interoperable and, in the case of the Handheld Interagency Identity Detection Equipment (HIIDE), did not record data that meet the FBI’s fingerprint standard. BIMA has taken steps to improve procedures for ensuring that biometrics equipment conforms to standards by obtaining accreditation from the National Institute of Standards and Technol- ogy (NIST) under the National Voluntary Laboratory Accreditation Program. However, as highlighted by GAO, “the current DODD 8521.01E already requires such compliance testing for new biometrics acquisitions, but DOD noted and we [GAO] agree that the directive does not fully address quick reaction capabilities such as the Handheld Interagency Identity Detec- tion Equipment (HIIDE).”20 Thus, the first significant opportunities to prove the value of these efforts will not come until new equipment is under development through the new PoRs.
In contrast to BIMA, PM-Biometrics has a relatively clear set of responsibilities for pro- curing and developing biometrics technology, but the execution of these responsibilities lacks any measures of sufficiency or efficiency and has been criticized by biometrics users in the field, among others. The most frequent complaint about PM-Biometrics from interviewees was that it did not work on the top user priorities, focusing efforts instead on priorities of its own choos- ing. CENTCOM noted that PM-Biometrics has not completed the four JUONS submitted since 2009, with only the replacement for the HIIDE nearing completion. CENTCOM also stated that PM-Biometrics did not complete “89% of Army [Department of Army] DA G3 Validated Requirements in over 4[-plus] years.”21 Assertions about PM-Biometrics’s approach are further supported to some extent by the fact that the only performance metrics PM- Biometrics initially provided R AND were numbers of staff and funds expended.
PM-Biometrics’ response to this criticism, in part, was to point out that it does not have formal requirements. However, PM-Biometrics noted that its work priorities are captured in Configuration Change Boards. Also, as noted above, the lack of goals and objectives is a defi- ciency throughout the EA and all of DoD. This is highlighted by recent delays and changes in schedules and funding. Between December 2011 and January 2012, PM-Biometrics pushed
19 Interview with BIMA staff member, September 2011. 20 GAO-11-276, March 2011. 21 Comments from CENTCOM to R AND on the draft of this report, May 2012.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
28 An Assessment of the Executive Agent for DoD Biometrics
back the estimated date to replace the HIIDE devices with Secure Electronic Enrollment Kit version II (SEEK II) devices by at least three months.22 PM-Biometrics explained that U.S. Forces Afghanistan (USFOR-A) had added a requirement that the new SEEK II needed to be able to communicate through the BAT infrastructure, which, according to PM-Biometrics, “is a step backwards for the SEEK as it perpetuates the BAT-[Army version 4]Av4 inefficient architecture.” However, PM-Biometrics’s original plan for the SEEK appeared to rely on BISA, which is being phased out. Further, between November 2011 and January 2012, BEC fund- ing for FY13 through FY16 was decreased from $35 million per year to $3 million per year.23 Without formal PoRs that impose deadlines and accountability measures, PM-Biometrics appears to some users to be setting its own priorities (with approval from PEO-EIS), while PM-Biometrics complains of being forced to maintain existing inefficient technology. Neither approach is based on true measures of performance and effectiveness.
Moreover, DoD lacks a process for prioritizing JUONS, so PM-Biometrics may be receiv- ing multiple requests that are competing for limited resources. According to G-3, the Army has put in place a process to track JUONS and the responses to them, but DoD as a whole lacks a process to prioritize JUONS. BIMA stated that “Part of the issue also resides with the [Joint Rapid Acquisition Cell] JR AC for approving and validating JUONS that were not feasible ([e.g.,] JUONS 0434), instead of requesting a capability and describing a problem the JUONS has [sic] approved as [a] wish list of solutions.”24 However, this only partly explains CENT- COM’s statement that PM-Biometrics has not completed the four validated JUONS submitted by CENTCOM since 2009.
EA Management: TRADOC and NGIC
To date, TR ADOC’s most important functions related to biometrics have been to assign TCM-B&F responsibility for gathering requirements and developing the CDDs for the BEC and JPIv2 PoRs. As noted above, the CDDs were approximately three years in the making (the delays attributed to various and conflicting reasons), but G-3/5/7 complimented TCM-B&F’s work and inclusiveness in collecting and documenting the requirements.
TR ADOC’s most notable deficiency is the fact that no formal biometrics training pro- gram can exist for equipment that did not originate from a PoR. Training remains ad hoc despite biometrics technology being fielded and used for almost ten years. TCM-B&F, which is not responsible for the eventual formal training program, has taken steps to develop bio- metrics training simulations, but even these are not being provided in sufficient quantity for pre-deployment training. However, BIMA claims TCM-B&F “continue to do development associated with BAT, [Multilingual Automated Response System] MARS, et al [sic] despite not having acquisition authority in biometrics.”25
22 PM-Biometrics comments, April 2012. 23 Comments from Army personnel to R AND on the draft of this report, January 2012. 24 BIMA comments, April 2012. 25 BIMA comments, April 2012.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 29
As noted above, NGIC is not formally called out as part of the EA, but it has assumed some EA functions as well as some of DIA’s assigned functions for biometrics. NGIC has been acting as an intermediary between the field and ABIS for matching requests and has provided BEI for all DoD components through MIP- and NIP-funded analysts and resources. In late 2011, Army announced it would no longer provide analytical support to non-land forces and potentially all non-Army organizations (as of February 2012, G-2 and DIA were staffing and discussing possible options). This uncertainty creates difficulty for non-Army component plan- ning. Moreover, Army is reluctant to relinquish control over the NIP-funded resources despite not having official control over them. These issues need to be resolved to ensure sufficient ana- lytical resources are available for non–Army-specific missions going forward.
Current Biometrics Capability Under EA Purview
The biometrics capabilities currently under the EA purview comprise a variety of technological solutions that arose by matching available technology to operational needs on a quick reaction basis. No structured, programmed capabilities existed prior to OCOs in Iraq and Afghanistan, and DoD biometrics priorities before that did not include tactical collection. The operational demands of two wars required the EA to begin providing tactical equipment, which diverged from the EA’s original assignments that were based on more hypothetical ambitions of DoD biometrics. This divergence was not fully resolved in DoDD 8521.01E. In an unintended fash- ion, the tactical collection devices—which were not part of any articulated vision or procure- ment strategy of the DoD biometrics community—have become the foundation of DoD’s biometrics collection capability.
The limitations of the technology currently under the EA purview are well known, particularly in the PoR requests for the BEC and JPIv2. The GAO reports about the DoD Biometrics Program also highlighted deficiencies in the enterprise.26 We do not attempt in this report to characterize specific root causes for technological constraints of each technology; instead, we offer two broad conclusions regarding the impact of utiliz- ing QRC acquisition for biometrics equipment. First, as noted by U.S. Joint Forces Com- mand, and GAO, “Without a formal program for biometrics, not all steps associated with safeguards in DoD’s acquisition process for new technological systems are occurring.”27 Second, QRCs force trade-offs between capabilities currently available on the market and long- term needs. In other words, DoD accepted capabilities with some limitations because they were readily available commercially and could be fielded quickly. This report does not suggest that using QRCs was inappropriate; in fact, it recognizes their benefit in providing the war- fighter with tactical collection devices whose need was unforeseen by strategic planning.
26 GAO, 2008a; GAO, 2011. 27 GAO, 2008a.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
30 An Assessment of the Executive Agent for DoD Biometrics
We know efforts are under way to update and improve the current systems, which makes writing an assessment and status report more difficult. We also know the EA supported a wide range of other “pilot” studies and research projects, but the information we received did not reveal any instances of those projects being fielded or transitioned to operations. Further, GAO noted in a 2008 report the inability to definitively track programs through spending, particularly short-term OCO-funded pilot programs.28 Therefore, rather than writing about speculation or moving targets, we chose to discuss the systems that are currently fielded. It is worth noting that the EA is working on or supporting multiple pilot-scale efforts and studies, and these should be examined in subsequent annual assessments.
The technologies being used have three main functions: biometric data collection, data storage, and matching. The devices used by DoD include handheld collection devices, tabletop collection devices with local storage and matching capability, and the authoritative database for storing and matching data on red and gray forces.
As QRCs, the fielded systems do not have documented performance thresholds and objectives vetted by the Joint Requirements Oversight Council (JROC)—a process designed to ensure user requirements will be met. While we cannot comment on or report current device performance as measured against vetted user requirements, we can present current, fielded capability. While these capabilities may differ from those documented in evolving, draft CDDs and capability production documents (CPDs), we are providing an assessment and status report based on the biometrics program as it is, rather than as it is planned to be.
The EA is also developing two new PoRs: BEC Increment 1 for the authoritative database (replacing ABIS); and JPIv2 for mobile and handheld collection devices (replacing BAT, HIIDE, and SEEK II). The status and implications of the new PoRs are discussed later in this report.
Assessment of EA Assignments and Arrangements Supporting the Biometrics Cycle and End-User Needs
Apart from assessing the assignments and arrangements of the EA in terms of managing its responsibilities from a process perspective, it is also necessary to examine the assignments and arrangements in terms of support to warfighting needs. In other words, is the EA supporting a functioning process for collecting, transmitting, storing, matching, sharing, and analyzing biometrics?
The basic answer is yes. Biometrics information is being collected and has been used to identify individuals against prior encounters and forensic evidence. The authoritative database for red and gray forces is growing steadily, and the processes in the field are becoming increas- ingly routinized. In that sense, hard work and concerted efforts by many involved have pro- duced a functioning biometrics cycle that is helping identify bad actors and verify the identities of other personnel.
28 GAO, 2008a.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 31
A deeper examination, however, suggests risks and room for improvement. To explicate as much, we use a heuristic metric that assumes the perfect biometrics cycle is one in which warfighters can collect accurate biometrics, have them analyzed within the limits set by tech- nology (typically, in a few minutes), stored indefinitely and securely, and shared with others. Correspondingly, the actual biometrics cycle can be assessed in terms of risks to operation, actual impediments, and potential failure modes. Our analytical method, then, is to examine each stage of the cycle for potential impediments and risks. Some can be traced back to issues associated with the EA’s management approach, but some of them are issues that may be influ- enced but not determined by the EA.
In the sections that follow, we discuss our assessment of each segment of the biometrics cycle, with a focus on issues that reduce or potentially reduce cycle efficiency and effectiveness. The tables presented with each section summarize the issues with that portion of the cycle, implications, status of the issues, and the reasons.
We attempted to differentiate between our assessments of high- and medium-risk issues (shown by “H” and “M”). High-risk issues are those already creating a risk of failure, or highly likely to do so in the future. Medium-risk issues are those that could pose a risk of failure in the future.
The goal is to highlight only those areas we assessed as posing some risk to the cycle. The discussion and tables that follow cover potential faults in the cycle. The tables highlight the link between the potential fault, the implications if a fault occurs, and the reason for the poten- tial fault. We do not intend to portray the EA’s assignments and arrangements as all negative. Rather, in the absence of overarching goals and objectives, we focused on areas where the EA could make changes to potentially improve how the cycle functions. We acknowledge the dif- ference between “high” and “medium” risk is somewhat subjective, but we believe these are the issues posing the greatest risks to the biometrics cycle based on the data we collected.
Issues: Task/Direct
All biometrics work starts with a task or direction, either implicit or explicit, to collect the biometrics before transmitting or processing them. Hence the question: Under what circum- stances should biometrics be collected?
Ordinarily, like most military taskings, this would be a decision best left to the local com- mander who has an operation to conduct and a set of resources with which to conduct it. The decision to collect biometrics would seem to fall into the category of unquestioned local control; time is a valuable resource, and time spent collecting biometrics cannot be spent otherwise.
Upon re-examination, however, the answer is less straightforward. People move from place to place, even from theater to theater. Al Qaeda, for its part, has a global reach, and someone encountered in Iraq may be re-encountered in Afghanistan, in PACOM’s area of responsibility (AOR), or even attempting to enter the United States, and failure to collect bio- metrics in one location could prevent warfighters in another location from realizing that the person they are encountering has movements that may suggest problematic associations. The fact that information collected in one theater can influence operations in another suggests that
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
32 An Assessment of the Executive Agent for DoD Biometrics
some consistency in biometrics collection may be beneficial. (Whether it is beneficial enough to mandate a vigorous collection policy everywhere is another issue.)
Current red-force biometrics collection requirements are inconsistent across AORs. This is not the EA’s fault inasmuch as combatant commanders have the authority to set local prac- tices regarding such issues. However, it must be noted that the EA did not outline a clear direc- tion to govern the collection of biometrics, and correspondingly, did not impress upon theater commanders some de minimus level of performance.
A second potential risk in the task-and-direct component of the biometrics cycle is a dis- connect between the capabilities chosen for development and the capabilities that best reflect warfighter requirements. Our interviews indicated that although the EA is sensitive to Army requirements, it is less sensitive to requirements arising from the Marine Corps, Navy, CENT- COM, SOCOM, and the IC. The result has been that several of the communities, notably the Navy, have decided to look elsewhere to meet their needs.
A final risk is associated with the path biometric data takes from the war zone into the database. The Army has sent its material to NGIC and from there to the authoritative database ABIS, operated by BIMA-WV, where it then becomes available for others to use.29 But NGIC has announced that it may restrict its services to Army customers alone, once biometrics activi- ties are no longer funded under OCO accounts. Further, the flow of data has not been satis- factory to all users. CENTCOM “has had a requirement for four years to have an automatic guard in place to move biometrics records [from classified to unclassified systems for direct transmission to ABIS] with no success.”30 SOCOM has developed, and the Marines have pilot-tested, other pathways into ABIS. SOCOM’s procedure involves satellites and web-based portals with direct priority access to ABIS and the latent print examiners at BIMA-WV, which has the advantage of guaranteeing a rapid response to their urgent requests. But allowing the various biometrics-collection communities to use different paths to the same goal has to come at the cost of efficiency. It is difficult to avoid the impression that the EA’s priorities are tilted toward Army requirements even though the office holds a DoD-wide charter. Table 3.2 sum- marizes the issues with the Task/Direct portion of the cycle.
Issues: Collect
We identified several problems that may hobble the collection part of the biometrics cycle. Although none is a show-stopper individually, collectively they degrade the efficiency and effectiveness of the overall effort.
The first problem is that the various instruments currently in the field for collection—the HIIDE, BAT, and BISA—all produce non-standard data. SEEK II is expected to produce standard data, but as of this writing, none of these units has been fielded (except for SEEK
29 CENTCOM, however, has not been satisfied with this arrangement. In 2008 it submitted a requirement to put an auto- mated cross-domain solution (a classified-to-unclassified “automated guard”) put in place to move biometrics—but with little success to date. 30 CENTCOM comments, May 2012.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 33
devices procured separately by SOCOM).31 There are two implications of collection devices not meeting standards: First, the data files’ quality fail to meet minimum levels; and second, the data are not in the right format. In the first case, data could not be used everywhere. With fingerprints, the usual problem is that while the center of each finger is recorded (as it would be in flat or “slap” prints), the side of the finger is not (as it would be in rolled prints), and thus its usefulness for forensic investigation is substantially reduced. In the second case, data could not be interchanged between devices, or images produced by one device could not be used with the matching algorithm associated with the authoritative database. That noted, in practice, there have been few complaints about the inability to match individuals. However, it is possible that crimes and attacks (e.g., using IEDs) cannot be ascribed to an individual because the finger- prints left at the scene do not include enough of the finger.
The world of biometrics—which, among other tasks, converts observations of the real world into zeroes and ones—is consequently ringed with standards, and adhering to them is important in making the enterprise run smoothly. Standards, as a rule, cover two broad areas: performance and conformance. A performance standard for biometrics, for instance, is one that says that an acceptable fingerprint image provides at least 500 pixels to the inch; an image that boasts a sharper resolution would also meet standards.32 A conformance standard speci- fies how something is expressed. The Electronic Biometric Transmission Specification (EBTS) suite of standards delineates how the information required to transfer biometric information is
31 That noted, there are multiple software configurations and proprietary standards associated with processing data from different SEEK vendors. 32 U.S. Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 500–271: Information Technology: American National Standards for Information Systems—Data Format for the Interchange of Finger- print, Facial, & Other Biometric Information – Part 1, ANSI/NIST-ITL 1-2007, Gaithersburg, Md.: Information Access Division, Information Technology Laboratory, National Institute of Standards and Technology, May 2007.
Table 3.2 Issues Associated with the Task/Direct Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Inconsistent collection across AOrs both in terms of whom to collect on and what data to collect (Collection plans are not an EA responsibility)
Bad actors detected in one theater may not be detected in another
M DoD has not outlined clear guidance for collection in terms of targets and data to be collected
Capability development does not meet warfighter priorities relevant to circumstances
Devices not available for full range of potential missions
h Lack of inter-military service requirements prioritization for QrCs
product development funding in pM’s control, and pM priorities appear to differ from warfighter’sa
a pM-Biometrics comments, April 2012. pM-Biometrics stated that “its priorities are completely in synch with the warfighters’ ... what the warfighter fails to understand is that it is the pM’s responsibility to provide the best solution to the problem and not just to provide what the warfighter requests.”
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
34 An Assessment of the Executive Agent for DoD Biometrics
to be encoded (in Extensible Markup Language [XML]). A nonstandard encoding would be one in which the wrong words were used or the categories associated with a specific description (e.g., meaningful error conditions) are not identical with those of the standard (e.g., a term used in the submission overlaps in definition with parts of two terms in the standard). Here, the point is not to exceed the standard but to line up with it. But even conformance standards can have some performance issues; for example, a substandard record could be one in which information was not provided for required fields.
The EBTS standards in DoD have been a source of confusion and frustration. In December 2009, BIMA brought the issue of retiring DoD EBTS 1.2 before its Biometrics Standards Work- ing Group (BSWG), which voted to mandate EBTS 2.0 and retire EBTS 1.2 in the DISR. The change technically became effective in March 2010. However, none of the fielded systems were EBTS 2.0 compliant, and other work was already in progress based on EBTS 1.2. After learning of the potential change to EBTS 2.0, the Navy requested implementation guidance in November 2009 for its IDS program, which was working toward a design review for March 2010. BIMA responded to that request in April 2010 by granting a waiver to EBTS 2.0, allowing the Navy to continue based on EBTS 1.2. Similarly, in May 2010, PM-Biometrics requested a waiver because the ABIS upgrade would not be able to accommodate EBTS 2.0 while the data being received from collection devices were still conforming with EBTS 1.2. According to the Navy, EBTS 2.0 implementation guidance had not been provided as of May 2012.
Deficiency in the collection devices also originates with the QRC process. QRCs are intended to prioritize equipment that can be rapidly fielded over the so-called 100 percent solution.33 For example, the HIIDE procured as a QRC had limited capability to ensure speedy deployment. It was known at the time of acquisition that the HIIDE did not meet agreed-to EBTS interagency fingerprint-sharing standards, but the technology was the best that was commercially available and could be fielded quickly. The problem, our interviews found, was that the HIIDE continued to be purchased and fielded even after improved commercial off-the-shelf technology became available—namely the SEEK II, which meets interagency data-sharing standards. We are still unclear why the HIIDE QRC was retained with its substandard fingerprint component when an improved device could have been fielded sooner within the same QRC framework.34
A problem of greater consequence is that soldiers are not very proficient at data collection or entry, resulting in some number of biometrics records not meeting quality standards.35 In some cases, the captured biometrics are not easily readable. In other cases, elementary mistakes are made and not caught, e.g., identifying the left hand’s fingerprints as the right hand’s and vice versa. While OCO funding was available, soldiers’ shortcomings could be overcome by paying for contractors to take biometrics in the field, but this expedient did not create a legacy
33 U.S. Army, Army Regulation 71-9: Warfighting Capabilities Determination, Washington, D.C.: U.S. Army, December 2009. 34 Repeated JUONS indicated issues with HIIDE, including poor test performance. PM-Biometrics argues that it was able to purchase HIIDEs and not SEEKs because it had sole-source purchasing authority for one but not the other. 35 BIMA maintains that there is no biometric image quality requirement for DoD collections.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 35
base of knowledge to build upon, and, now that the Army has to fund biometrics from its own budget, is unlikely to be tomorrow’s solution.
A cause of such shortcomings is the lack of biometrics education in the DoD schoolhouses. This was explained by the fact that Army doctrine does not permit formal training programs on devices that are not products of PoRs. Presumably, as the Army is rolling out the products of the PoRs (circa FY15), such gaps will be addressed. Nevertheless, the problem of inadequate train- ing and education will continue, and as noted by GAO, “biometrics training for leaders does not provide detailed instructions on how to effectively use and manage biometrics collection tools.”36 The Army will require substantial time to fund, develop, and actually implement new training modules. Table 3.3 summarizes the issues with the “Collect” portion of the cycle.
Issues: Transmit
Neither Afghanistan nor Iraq (at least when U.S. forces were operating there) can be described as places with good wired or wireless infrastructure. Thus, transmitting information from the field to ABIS—something that would be easy in this country—instead became another risk in the cycle. Those who collect biometrics often must wait until the data captured in the hand- held devices are transferred to BAT terminals wired to the SIPRNet. Such a delay is measured in hours, sometimes days, partly because the HIIDE cannot transmit data directly and partly because of the sparse wireless network and available bandwidth in theater. In theory, the BAT terminal can match data locally to avoid the need for ABIS-based responses for all inquiries, but according to PM-Biometrics, this can only happen for high-quality fingerprints compared
36 GAO, 2012.
Table 3.3 Issues Associated with the Collect Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
hIIDE, BAt, and BISA produce nonstandard data
Inefficient sharing of data among mainstays of DoD biometrics collection and interagency partners
M Standards not enforced with QrCs
Excessive retention of legacy QrCs
hIIDE does not meet collection standards
SEEKs, which meet more standards, planned for fielding in FY12
Uncertainty/failure-to-match rate greater than best practice and limits sharing with interagency partnersa
M Indefinite retention of legacy QrCs
training is ad hoc
Soldiers not proficient at data collection or entry
Inconsistent, inaccurate and unusable data
h No por with corresponding training programs
a BIMA comments, April 2012. BIMA maintains that there are no defined best practices in regards to failure-to- match rates for handheld devices.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
36 An Assessment of the Executive Agent for DoD Biometrics
against equally high-quality fingerprints already stored with the subset of data on the BAT, referred to as “lights out” matches by PM-Biometrics staff.37 In practice, if biometrics are loaded into a BAT device, sufficient SIPRNet bandwidth is available to conduct a matching inquiry through ABIS in West Virginia.
As noted, there are three entry points for biometrics: BISA, BAT (including data collected by the portable HIIDE device used by conventional forces), and the portable SEEK device used by SOCOM. If the biometrics are acquired by conventional forces in connected locations (such as detention centers), the prints are sent to NGIC to strip out biographical and contextual data on the individuals whose biometrics have been captured. Once such data are stripped, the unclas- sified biometric data are transferred from SIPRNet to NIPRNet by means of a dedicated cross- domain tool (also known as a network guard) and forwarded to ABIS for a biometrics match.
SOCOM’s frustration with this process prompted it to acquire a capability to communi- cate from the field through a satellite link to a web-based portal that is accessed by BIMA on the other end, which allows SOCOM’s match requests to get high priority.38 The result seems to have satisfied SOCOM’s requirements, despite the added cost of using satellite instead of landline bandwidth, as long as examiners at BIMA-WV remain available to give SOCOM top priority.
In late 2011, consistent with the Army’s evolving approach to its joint requirements, NGIC announced that, as of March 1, 2012, it would phase out its services to all warfighting components apart from the Army’s. Army has since begun considering a range of options for potentially supporting non-Army requirements. Whether this will create major delays for bio- metrics collected by the Marines and the Navy rests on how successfully and quickly ABIS can get its own SIPR-to-NIPR cross-domain solution operating. In November 2011, their expected go-live date was December 2011, but it slipped to April 2012. This remains a high warfighter priority, and the technology has existed for decades.
The EA acknowledged both its role in communications architecture and the limits of its ability to influence the field, which is mainly outside the EA’s purview. The EA (through BIMA) provided approximately half the funding for the pilot study of the Last Tactical Mile (LTM), a CENTCOM-initiated JUONS to send biometric data to ABIS from a handheld device via mobile wireless communication vehicles, fixed towers, and a CENTCOM-operated server.39 Table 3.4 summarizes the issues with the Transmit portion of the cycle.
37 Interview with PM-Biometrics personnel, 2011. There is a cost of somewhat fewer matches because ABIS has three times as many stored files as the BAT system does. 38 Records from SIPRNet are manually stepped down to NIPRNet so they can be fed into ABIS for matching. 39 GAO, 2012. CENTCOM “was responsible for conducting the Last Tactical Mile pilot project during 2011 to provide the warfighter with a rapid response time on biometrics data submissions. In the pilot project, matching is initially against a biometrically enabled watch list stored on the warfighter’s handheld device before searching against data stored in a stand- alone computer server in Afghanistan prior to transmission to ABIS—the authoritative database. The Last Tactical Mile project originated as a joint urgent operational need to utilize wireless infrastructure to transmit biometrics enrollments from a handheld biometrics collection device to a wireless communications tower ... Army officials told us that expanding the Last Tactical Mile pilot project across all of Afghanistan would cost approximately $300 million, in large part due to the number of wireless communications towers that would be necessary to provide connectivity ... DOD has not completed its evaluation of the Last Tactical Mile pilot project at the time of our review.”
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 37
Issues: Match
When we began the study, ABIS was reaching its throughput capacity for ingesting data and conducting match inquiries. An inability to handle matching requirements would either mean that biometrics are queued for processing—meaning the average biometric record has to wait longer (and what took minutes may take hours or days)—or given a lower priority to keep the rest of the inquiries flowing, with the hope that those biometrics will just be processed much later. However, the EA increased ABIS transaction capability from a peak of about 8,000 transactions per day to about 18,500 per day during our study, and plans call for fur- ther increases. Further, DoD’s matching requirements are likely dropping: Mass enrollment is ending in Afghanistan and already ended in Iraq. Future large additions of data will likely arise from processing international partners’ data, such as 800,000 fingerprint cards received from the Philippines, which will not be time-sensitive transactions. Nevertheless, the true impact of ABIS’s limited throughput capacity is reflected in the inability to share robustly with inter- agency partners (see Share/Reference below).
Another factor lowering the efficiency of the matching process has been the prevalence of non-standard data, primarily from field devices (e.g., the HIIDE) that connect to the BAT. Non-standard data increase the work involved in the matching process and can lead to a failure to match when comparing individuals’ fingerprints with latent ones collected from artifacts,
Table 3.4 Issues Associated with the Transmit Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Field matches against ABIS subset replicated to each device.a
Only SOCOM and BISA have satellite communication-enabled field access to BIMA for matching against ABIS records
Field matches against dated database
Large expense to manually replicate data to BAt
Inability to match against interagency data
M hIIDE and BAt developed as QrCs without process to ensure interoperability with other systems and requiring adherence to standards
Architecture will be modified with expected FY13 deployment of BAt- Av5 and will fully change JpIv2 fielded in FY16.
No high capacity direct link between field & ABIS
Cross-domain solution only serves BAt portion of architecture
Uncoordinated activity as military services seek alternative to NGIC
Marines tested SOCOM’s web-based portal
Inhibited ability to share with interagency partners
h Non-BAt cross-domain solution not developed despite being warfighter priority
a CENtCOM comments, May 2012. CENtCOM states they submitted a JUONS to address the BAt data replication architecture that was never completed by pM-Biometrics.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
38 An Assessment of the Executive Agent for DoD Biometrics
Table 3.5 Issues Associated with the Match Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Non-standard data sent for matches Significant inefficiencies in the matching process and potential missed matching opportunities
M Standards not enforced for QrC acquisition
proprietary and incompatible matching algorithms for irises and faces
Significant inefficiencies in the matching process
M Capability developed as QrC without process to address proprietary software issue
such as recovered components of an IED. The EA has had time to revisit the QRCs in light of the longer-term future of the biometrics enterprise, but has not done so.
A third issue, which originated outside the EA’s immediate control, is that matching algorithms for irises and faces are proprietary. In an era when, as BIMA officials note, irises are becoming more important as a matching tool among biometrics, the failure to develop a stan- dard matching process that can be applied across the U.S. government may result in signifi- cant inefficiencies and potential errors in identifying individuals. This issue could be addressed by ensuring both DoD-wide licenses for algorithms and that all data created by devices meet DoD EBTS standards. Table 3.5 summarizes the issues with the Match portion of the cycle.
Issues: Store
A potential risk arises if the demand for record storage exceeds actual capacity. Although the capacity of ABIS was increased from approximately eight million to approximately 12 million records during our study, BIMA would have to face unpleasant options if plans to increase capac- ity in the future are delayed. One is that new biometrics will not enter the database or would be delayed indefinitely, e.g., cards from overseas partners being queued for entry. Another is that records currently in the database would have to be removed, at least temporarily. A third is that the information present in each biometric would have to be systematically truncated, leading to lower resolution matches (e.g., fewer fingerprint minutiae), or a reduced capacity for certain types of matches (e.g., against latent fingerprints). EA component staff members appear confident that sufficient funding will to be available for future ABIS storage capacity increases.40
A more serious issue is that the EA has made inadequate provisions for a COOP site, or “hot” backup. ABIS currently has a “warm” backup, which can come online in the event of expected downtime (e.g., a software upgrade), as long as the database managers have at least six hours’ notice (which they may not necessarily have if the upgrade is forced upon managers as a result of a security breach). Plans are under way to establish a true COOP site following an initial requirement established in approximately 2007, but the go-live date continues to recede
40 ABIS stores all submissions as separate records regardless of whether there are multiple submissions for the same person. Questions were raised outside the EA about whether ABIS could be operated more efficiently if records were consolidated in a way that still preserved all data, but the EA believes efficiency would suffer.
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 39
following multiple proposals and at least one failed attempt. Table 3.6 summarizes the issues with the Store portion of the cycle.
Issues: Share/Reference
Although ABIS operates well with FBI databases, it has problems with its counterparts in DHS and within the IC. In the case of DHS, the problems include not only deficient throughput and storage capacity (at least for the time being), but also communications and protocol issues. The latter are being worked out through DoD-DHS interoperability meetings. Data that DHS collects are not directly matched against ABIS outside of regular exchanges of the BEWL and some pilot efforts of DHS components to transmit requests to ABIS. DHS’s biometrics require- ments have risen sharply with the introduction of the US-VISIT program wherein all foreign visitors entering on a visa are required to have their fingerprints checked against DHS’s database, the Automated Biometric Identification System (known as “IDENT”). Consequently, the EA is under pressure to increase ABIS capacity specifically to meet DHS’s needs, but the small inter- section between fingerprints collected by DoD (other than those in the BEWL) and those col- lected by DHS has somewhat attenuated the need. The large price tag to increase ABIS’s transac- tion capacity has also given EA components pause. Nevertheless, in its Functional Requirements Document, DHS said it needs to be able to send more than 100,000 biometrics inquiries per day to ABIS by early 2013.41 DoD and DHS are working to address the interoperability problem between ABIS and IDENT and increase ABIS’s capacity enough to allow two-way inquiries, but in the meantime, DHS only has access to a subset of DoD’s data. This means unwanted individu- als can conceivably slip through the cracks at U.S. ports of entry, if DHS sees them but does not know they have been previously identified by DoD (or by states that provide biometrics to the United States, such as the Philippines or the Dominican Republic).
Interoperation with classified biometrics data is a more difficult problem, since it cannot be solved simply by increasing throughput or capacity. ABIS is an unclassified system, fed by unclassified lines, and stored in unclassified spaces. Individuals who work on the final steps of the matching process are not always cleared to the highest level. Adding a cross-domain solution (also known as an automated “trusted guard”) between the classified and unclassified
41 BIMA comments, May 2012. BIMA observed that this 100,000 figure is at variance with the requirement of 14,000 in DHS’s Systems Requirements Specification.
Table 3.6 Issues Associated with the Store Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
ABIS is reaching its storage capacity Biometric data could fail to reach the authoritative database
M Database upgrade failures and delays
ABIS has no “hot” backup
A “warm” backup exists with a six- hour changeover
possible loss of database access h Not prioritized by the EA, and lack of coordination
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
40 An Assessment of the Executive Agent for DoD Biometrics
Table 3.7 Issues Associated with the Share/Reference Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
ABIS not interoperable with DhS’s IDENt
DoD and DhS are engaged in an ongoing interoperability effort to resolve this issue
Fewer matches, weaker analysis h poor or lack of interagency coordination
ABIS cannot handle DhS processing load Fewer matches, weaker analysis h Limited processing performance
Classified biometric files cannot be matched against ABIS records
Fewer matches, weaker analysis h ABIS cannot handle classified data; no provision has been made to mirror ABIS data into classified systems
networks (as BIMA is doing to exploit SIPRNet connectivity) would not solve the problem. Thus, highly classified biometrics cannot be sent to or stored by ABIS and may not necessarily be examined by BIMA personnel.
Although both the classified databases and ABIS have access to the BEWL (which has only a subset of ABIS’s data), neither has access to one another. This means records in the unclassified or classified databases could be incomplete and/or potentially fail to produce matches. Feeding ABIS’s data into classified networks would provide a more complete picture for the IC, particularly with respect to people appearing in multiple geographic areas, which could ultimately inform strategic collection efforts. However, DoD has not taken any steps to replicate ABIS’s data in the classified realm. The possibility of placing ABIS on the classified network exclusively was raised during our interviews, but this would inhibit ABIS sharing data with interagency partners because FBI’s Integrated Automated Fingerprint Identification System (IAFIS) and DHS’s IDENT both operate on unclassified networks. Table 3.7 summa- rizes the issues with the Share/Reference portion of the cycle.
Issues: Analyze and Decide/Act
Finally, there appears to be an organizational and conceptual mismatch between the biomet- rics activities and all-source intelligence activities. The EA, for instance, controls analyst billets even though BEI analysis is not a designated EA responsibility. The BEWL has also been man- aged by the EA even though it is not a designated EA responsibility, and there is little planning for the evolution of BEWL management, maintenance, and development. DIA is designated as responsible for the BEWL in DoDD 8521.01E but has only recently begun considering options for carrying out that function.
The seriousness of this problem is strongly related to what one thinks the role of the biomet- rics community should be. The biometrics enterprise could be simply a supplier of services to the IC (in the same sense that parcel delivery is a service to e-commerce), in which case its role is to convert disparate contacts into a person’s unified history by indicating where ostensibly different individuals are really the same person under different aliases. The biometrics enterprise essentially
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 41
provides a bit of information, i.e., these two individuals are or are not the same person. If so, the biometrics and intelligence communities do not have to be tightly coupled.
Alternatively, one could envision the biometrics enterprise as an enabler of intelligence on people. If identity could only be established through physical contact (e.g., taking fingerprints, photographing irises at short range) then the amount of “new” information available on any individual is likely to be small. If, however, identity could be established at a distance, then the number of potential contacts would be much larger, and changes in intelligence collection such as automated surveillance would enable a richer set of information to be analyzed. In the latter case, integrated planning between the biometrics enterprise and the IC (or at least that part interested in unofficial individuals) would be compelling because changes in biometric technology could drive new or expanded strategic collections for the IC. The biometrics com- munity should then understand the evolution of intelligence requirements, and the intelligence analysts should be aware of opportunities provided by advances in biometrics.
So the biometrics community is a service and nothing more, or it is an enabler and thereby needs to evolve concurrently with the IC. But the current posture that the biometrics community is an enabler that essentially evolves independently of the IC is inefficient and could degrade effectiveness over time. Further, the lack of integration of available biometric data into intelligence functions limits the ability of biometrics to inform decision-makers. Table 3.8 summarizes the issues with the Analyze and Decide/Act portions of the cycle.
Table 3.8 Issues Associated with the Analyze and Decide/Act Portions of the Biometrics Cycle
Cycle Issues Implications Risk Reason
EA assignments do not encompass the full end-to-end biometric capability
(EA controls preponderance of biometric analyst billets, even though BEI analysis is not a specifically designated EA responsibility)
COCOM BEI analytical needs may not be met
weakened analysis and underutilization of biometric data
M Lack of requirements and coordination
Lack of institutionalized BEI training
No plan for future BEwL management, maintenance, and development
(BEwL has been managed by EA even though it is not a designated EA responsibility)
Decide/Act weakened M DIA has not assumed responsibility per DoDD 8521.01E
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
This content downloaded from �������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms