DHS Faces Major Management and Performance Challenges

Major Management and Performance Challenges Facing the Department of Homeland Security

OIG-26-02 January 2026

OFFICE OF INSPECTOR GENERAL U.S. Department of Homeland Security

Washington, DC 20528 | www.oig.dhs.gov January 9, 2026 MEMORANDUM FOR: The Honorable Kristi Noem Secretary

FROM: Joseph V. Cuffari, Ph.D. Inspector General SUBJECT: Major Management and Performance Challenges Facing the

The Office of Inspector General supports the Department of Homeland Security’s mission by conducting investigations, audits, evaluations, and inspections on behalf of the American public. The Reports Consolidation Act of 2000 requires OIG to complete an annual report on 1 what it determines to be the top management challenges facing the Department. These challenges highlight the need for enhanced management attention to ensure the effective operation of Department programs and the advancement of its strategic goals. The 2025 Major Management and Performance Challenges report focuses on challenges related to fragmentation of key mission areas and overlap of programs and resources. We identified three main challenges in the areas of fragmented hiring processes, financial stewardship, and information management and security as well as two critical issues in screening and vetting and transportation security. Twenty years after DHS’ establishment, persistent silos amongst DHS operational components still exist and foster resource duplication and inconsistent outcomes across the DHS enterprise. The challenges outlined in this report are based on our judgment and independent research, including discussions with internal and Department component Senior Leaders. We also considered prior audit, inspection, and investigative oversight work, our analyses of data and risks, Congressional testimony, U.S. Government Accountability Office reports, and the Department’s Strategic Plan and annual performance reports.

, Public Law 106-531, Nov. 22, 2000. Reports Consolidation Act of 20001

Department of Homeland Security | Washington, DC 20528 | U.S.

These challenges are not wholly representative of the vulnerabilities confronting the Department. We publish reports throughout the year that highlight specific opportunities to improve programs and operations. We remain committed to conducting independent oversight and making recommendations to help the Department address these major management and performance challenges and ensure the effectiveness of its operations. Consistent with our responsibility under the Inspector General Act of 1978, as amended, we will provide copies of our report to congressional committees with oversight and appropriation responsibility over the Department. We will post the report on our website for public dissemination. Please contact me with any questions, or your staff may contact Chief of Staff, Dustin Razsi, at (202) 981-6201. Attachment

Department of Homeland Security | Washington, DC 20528 | U.S.

Contents

Introduction ......................................................................................................................... 1

Challenge 1 ........................................................................................................................... 3

Fragmented Hiring Processes ............................................................................................. 3

Fragmented Law Enforcement Officer Hiring ......................................................................... 3

Inconsistent DHS Cybersecurity, IT, and AI Workforce Hiring ................................................ 4

Centralized Hiring Efforts ........................................................................................................ 5

Challenge 2 ........................................................................................................................... 7

Financial Stewardship ........................................................................................................ 7

Legacy and Siloed Systems ..................................................................................................... 8

Gaps in Spend Planning and Internal Controls ...................................................................... 9

Fragmented Approach to Risk............................................................................................... 10

Grant Allocation .................................................................................................................... 11

Challenge 3 ......................................................................................................................... 12

Information Management and Security ........................................................................... 12

Information Security Gaps .................................................................................................... 12

Inconsistent Mobile Device Security .................................................................................... 13

Looking Forward ............................................................................................................... 14

Spotlight on Critical Issues................................................................................................. 15

Screening and Vetting .......................................................................................................... 15

Transportation Security ....................................................................................................... 16

Appendix A: Acronyms ........................................................................................................ 17

Appendix B: Resources ....................................................................................................... 18

Management Response ...................................................................................................... 21

OIG-26-02

Introduction

The Department of Homeland Security, Office of the Inspector General is required by statute to produce the Major Management and Performance Challenges report (MMPC) each year. 2 The MMPC identifies the challenges facing DHS, summarizes the most pressing challenges, and assesses the Department’s progress in addressing such challenges. The MMPC is based on OIG’s independent research, assessment of our prior oversight, interviews, and professional judgment. For fiscal year 2025, DHS OIG identified $8,148,905,859 in questioned costs and $1,539,250,951 in funds put to better use, resulting in a return on investment of $44.02 for every $1 spent on DHS OIG. When DHS was created, it brought together a collection of existing agencies that had long operated independently. More than two decades later, many of these components still function separately, rather than as parts of a unified Department with one overarching mission. This independence has led to fragmentation within the Department, where responsibility for key mission areas is divided among multiple components with limited coordination. It has also resulted in overlap, where different components pursue similar goals, activities, and strategies to address the same national priorities. Together, fragmentation and overlap reduce efficiency, blur accountability, and strain resources. By fostering greater cohesion across its components, DHS can strengthen collaboration, eliminate duplication, and achieve greater impact and cost-effectiveness in delivering its mission. In this 2025 MMPC, we focus on three major challenge areas where divided responsibilities and duplicated efforts have hindered DHS’ ability to operate as one cohesive Department. Each component has a unique mission and must retain some flexibility to meet its specific operational needs. However, this decentralized structure also creates barriers, slowing the Department’s capacity to drive timely change, realign with leadership priorities, manage risk across the DHS enterprise, and respond swiftly and collaboratively to emerging challenges.

, Public Law 106-531, Nov. 22, 2000. Reports Consolidation Act of 20002

OIG-26-02

Strong management functions are essential to delivering operational success across the Department. By harnessing, coordinating, and aligning hiring, financial resources, and information management, DHS will be able to better coordinate and align its operations, improve effectiveness, and serve the American people. This year, we focused on three major challenge areas with fragmentation and overlap that are summarized below and identified two critical issues in screening and vetting and transportation security at the end of the report. Fragmented Hiring Processes: Human capital challenges span the entire spectrum of the Department’s mission and are exacerbated by fragmented hiring processes. Mission success hinges on deploying the right number of well-trained people with the appropriate technology in the right place at the right time. Without astute Department-centric workforce planning, these efforts could be less than successful. Financial Stewardship: Sound financial stewardship becomes an increasingly critical function with the enactment of the law referred to as the One Big Beautiful Bill Act (OBBBA). However, U.S. Government Accountability Office (GAO) has 3 included the Department on its High-Risk List for financial management since its inception in 2003. Without interconnected financial systems, thoughtful spend plans, and robust internal controls, the increased funding is at risk of ineffective management and execution. Information Management and Security: DHS personnel handle sensitive information around the globe, including at ports of entry, regional offices, and attaché offices overseas. Having unified, strong Information Technology (IT) systems oversight is critical to ensuring the timely identification and remediation of threats and protecting DHS’ critical information. The ever-changing cyber threat landscape will heighten risks of data breaches, unauthorized access, and system vulnerabilities if proper safeguards are not in place across the Department.

, July 4, 2025. Public Law 119-213

OIG-26-02 Challenge 1

Fragmented Hiring Processes

DHS faces ongoing human capital challenges that are intensified by fragmented hiring processes across the Department. Each component independently manages its own recruitment, qualification standards, and onboarding procedures, resulting in inconsistent and often duplicative approaches. This lack of coordination prevents DHS from functioning as a single employer and slows efforts to fill critical positions in law enforcement, cybersecurity, and IT. The situation is further complicated by new funding under the OBBBA, which supports growth in law enforcement and support personnel at Immigration and Customs Enforcement (ICE), Customs and Border Protection (CBP), and the United States Secret Service (USSS). This increase in funding heightens internal competition among 4 components for the same talent pools. At the same time, DHS competes externally with the private sector and other levels of government for cybersecurity and IT professionals, while also contending with pay disparities, departmental budget limitations, and a shortage of qualified cybersecurity candidates. The Department's decentralized hiring approach limits 5 its ability to attract, hire, and retain the skilled workforce necessary to meet its mission needs.

Fragmented Law Enforcement Officer Hiring

There is overlapping, competitive, law enforcement hiring among ICE, CBP, and USSS. These competing interests can undermine the hiring process when conducted without department- wide planning. Law enforcement hiring will endure additional stresses in the coming years due to the OBBBA, which funds an increase in departmental law enforcement personnel. In addition, the former CBP Commissioner testified to Congress in April 2024 that there will be an increase in the number of CBP law enforcement personnel eligible to retire in FY 2028, later confirmed to be a 340 percent increase by CBP, further complicating hiring requirements. The former Commissioner explained that CBP will need to over-hire in FY 2026 and FY 2027 to mitigate the impact of the projected attrition spike in 2028. 6 Public Law 119-21 , See Sections 90002 and 100052, July 4, 2025. 4 , GAO-25-106795, Jan. 16, Cybersecurity Workforce: Departments Need to Fully Implement Key Practices5

2025.

Budget Hearing – Fiscal Year 2025 Request for Customs and Border Protection , at 50 to 52 minutes, Apr. 30, 6

2024.

OIG-26-02

The Department’s Federal law enforcement officer hiring is further complicated by inconsistent vetting requirements and application processes across components. While some variation is necessary to meet component-specific missions, even similar law enforcement positions often follow different hiring standards. Although all positions share basic requirements such as citizenship, background checks, and medical examinations, components differ in areas like polygraph and entrance exams, acceptance of medical and security clearances from other components, and age requirements. These inconsistencies make it difficult to implement a more centralized, efficient hiring process, resulting in duplication of effort, higher costs, and slower onboarding across the Department.

Inconsistent DHS Cybersecurity, IT, and AI Workforce Hiring

The Department has persistent difficulties recruiting qualified cybersecurity, IT, and Artificial Intelligence (AI) personnel. These challenges are especially acute for AI-skilled personnel. DHS OIG found that DHS Office of Intelligence and Analysis and the U. S. Coast Guard (USCG) are experiencing administrative challenges that relate to recruiting personnel with AI-related skillsets, which may delay future efforts to adopt, acquire, and develop AI for intelligence collection and analysis. These challenges are magnified by inconsistent hiring practices 9 across components, pay disparities with the private sector, and complex clearance requirements. The Department launched its Cybersecurity Talent Management System (CTMS) in 2021 as an attempt to mitigate some of these challenges. CTMS launched with a slow and limited scope rollout that only covered certain components. While CTMS was estimated to fill more than 2,000 vacancies, total hiring numbers were in the hundreds. As a result, Congress rescinded “over $50 million [in FY 2022 funds] because of how slow hiring” had been at the Cybersecurity and Infrastructure Security Agency (CISA). These issues were echoed in a 10 2024 hearing where leadership stated that the CTMS hiring rate was “slower than expected” and rollout delays hindered the Department’s ability to close its cyber workforce gaps. 11

These positions are eligible for enhanced benefits. Law enforcement officer is defined under the Civil Service 7 Retirement System as an employee “whose primary duties are the investigation or detention of individuals suspected or convicted of offenses against the criminal laws of the United States,” and under the Federal Employees’ Retirement System also includes employees whose primary duties are the protection of officials of Retirement Benefits for Federal Law Enforcement the United States against threats to personal safety. See , Congressional Research Service, R42631, Aug. 8, 2024. Personnel DHS Law Enforcement Eligibility Requirements DHS Hiring: Additional Actions Needed to , last updated May 8, 2025; 8Enhance Vetting Processes Across the Department , GAO-24-106153, June 11, 2024. DHS Initiated Efforts to Use Artificial Intelligence to Improve Intelligence Collection and Analysis , OIG-25-06, 9 Dec.16, 2024. Homeland Security Hearing, A Review of the Fiscal Year 2024 Request for the Department of Homeland 10 , Apr. 19, 2023. Security Finding 500,000: Addressing America’s Cyber Workforce Gap, House Homeland Security Committee Hearing, June 11 26, 2024.

OIG-26-02

CISA’s Cyber Incentive Program offers two retention incentives for eligible cyber employees who would otherwise be likely to leave Federal service for higher pay in the private sector. These incentives include a 10 percent group incentive based on position duties aligned with Workforce Framework for Cyber the National Institute of Standards and Technology’s Security , and a 20 or 25 percent individual incentive based on how an employee’s certifications align with CISA’s approved certification list. OIG found that CISA “did not properly design, implement, or manage” its program, paid ineligible employees, and did not maintain records. 12 Ineligible CISA employees received payments because CISA lacked adequate controls to verify eligibility and the Department (specifically the Office of Chief Human Capital Officer as the CTMS owner) did not provide adequate oversight and guidance. CISA broadened program requirements instead of focusing on retaining the employees with unusually high or unique qualifications in mission critical cyber positions, resulting in the program’s funds not being used efficiently or effectively. Across the Federal Government, there is a “severe shortage” of staff with AI expertise, a gap that GAO warns is compounded by uncompetitive Federal salaries and slow hiring processes. 13 The 2025 White House AI Action Plan reinforces the importance of quickly building strong AI and technical workforce capability across government. The Plan also emphasizes the 14 importance of aligning workforce strategies with broader Federal modernization goals. Centralizing hiring functions could reduce redundant costs, streamline applicant processing, and better align the Department with the AI Action Plan’s vision for an agile, AI-ready workforce.

Centralized Hiring Efforts

To meet its recruiting goals, the Department has conducted centralized Career Expos where multiple components are present to review resumes, conduct interviews, and extend tentative job offers to qualified candidates on site. Successful candidates initiated the security clearance process within hours of receiving an offer. Additionally, ICE has focused on hiring prior law enforcement personnel to leverage recruits who have already undergone security background checks, leading to fewer problems and faster processing of applicants. The Department held virtual and in-person Expos in June, August, and September 2025. In a June 2025 interview, a Senior DHS Official said the June Expo generated 1,000 job offers.

, CISA Mismanaged Cybersecurity Retention Incentive Program and Wasted Funds, Risking Critical Talent Retention12OIG-25-38, Sept. 11, 2025. Fraud and Improper Payments: Data Quality and a Skilled Workforce Are Essential for Unlocking the Benefits of 13Artificial Intelligence; GAO-25-108412, Apr. 9, 2025. , White House, July 24, 2025. Winning the Race: America’s AI Action Plan14

OIG-26-02

Also, the Department has made progress using the DHS Cybersecurity Service portal to centralize and better process certain cyber hiring. Although there has been some success using CTMS, the Department continuously improves it in partnership with hiring managers to make it a more effective tool. These centralized hiring efforts are a step in the right 15 direction. However, it is unclear that these hiring efforts are sufficient to meet the hiring surges required by the OBBBA or keep pace with evolving Department needs as AI and machine learning are integrated into all operations. Since previous hiring surges did not achieve intended outcomes, DHS should pivot to more successful recruitment methods. 16 While the Career Expos show progress in recruitment practices, a centralized approach to filling common component positions could reduce duplication. For example, centralized hiring processes and standardized requirements for law enforcement positions would make it easier for components to successfully utilize law enforcement personnel across the Department. Without this, components struggle to hire appropriately skilled and trained staff. DHS OIG found that USSS relied on personnel from other DHS components due to chronic understaffing of its own snipers. Additionally, some USSS counter snipers did not meet mandatory weapons requalification requirements. 17

Finding 500,000: Addressing America’s Cyber Workforce Gap , House Homeland Security Committee Hearing, June 15Statement of Eric Hysen, Chief Information Officer and Chief Artificial Intelligence Officer U.S. 26, 2024; see also . Management Alert - CBP Needs to Address Serious Performance Issues on the Accenture Hiring Contract , OIG-16Homeland Security: Actions Needed to Address Longstanding Gaps in Human Resources IT19-13, Dec. 6, 2018; , Special Report: Challenges Facing DHS in Its Attempt to Hire 15,000 Border Patrol GAO-25-107233, Sept. 2025; Agents and Immigration Officers DHS is Slow to Hire Law Enforcement Personnel , OIG-17-98 SR, July 27, 2017; , OIG-17-05, Oct. 30, 2016. (REDACTED), OIG-25-37 The Secret Service’s Counter Sniper Team Is Not Staffed to Meet Mission Requirements 17Aug. 29, 2025.

OIG-26-02 Challenge 2

Financial Stewardship

DHS’ financial management functions remain highly decentralized, with components operating largely independent financial systems and processes. This fragmentation limits the Department’s ability to manage resources strategically and consistently across the enterprise, a challenge that will intensify under the OBBBA. The 2025 legislation provides a significant funding increase of more than $190 billion through September 30, 2029. The Congressional Budget Office (CBO) estimates approximately $168 billion over 10 years is dedicated solely to immigration and border security programs. Strengthening department- wide financial integration and oversight will be critical to ensuring this unprecedented funding is used efficiently, transparently, and in alignment with mission priorities. The sheer scale and rapid pace of spending envisioned under the OBBBA may overwhelm the Department’s existing capacity in areas like contracting, hiring, grant oversight, and project management. The Department experienced a similar situation when the Federal Emergency Management Agency (FEMA) used approximately $98 billion it received for COVID-19 and additional disaster relief funding to provide Federal assistance to states, territories, tribes, and individuals. Our current work identified FEMA did not prevent more than 13 percent, or $13.5 billion, of COVID-19 funding from being wasted on ineligible recipients and unallowable and unsupported costs. ICE and CBP may not meet hiring goals without proper plans and controls in place. The CBO noted significant uncertainty regarding how quickly CBP can construct border barriers and facilities with OBBBA funds. Outlays could differ considerably from projections based on factors like contractor availability, permitting delays, and land acquisition pace. Similarly, ICE’s enforcement and detention funding under the OBBBA represents a substantial increase over prior budgets. Historically, significant funding increases can take years to translate into operational outputs, potentially leading to accumulated unspent balances if planning lags. The Department will need to implement exceptionally rigorous and coordinated spend plans across all components to avoid such pitfalls.

OIG-26-02

Legacy and Siloed Systems

The Department faces persistent challenges in achieving unified financial stewardship due to its decentralized structure. GAO has consistently highlighted the need for financial systems 18 modernization as a reason the Department has remained on GAO’s High-Risk List for financial management. Despite evident leadership commitment and the existence of corrective 19 action plans, the lack of standardization across components continues to impede unified oversight and streamlined reporting. This structural weakness is particularly concerning given significant OBBBA funding, which includes major cross- component investments in areas such as border security, cybersecurity, and AI capabilities. The Department’s IT infrastructure does not meet Federal Financial Management Improvement Act requirements. Legacy systems lack full compliance with Federal accounting standards and financial system requirements, and do not always employ a standard general ledger at the transaction level. Fragmented financial databases and the 20 absence of uniform, real- time data tracking make reliable aggregation and analysis of department-wide spending difficult. To combat these challenges, the Department is undertaking a multi-year financial systems modernization initiative to upgrade core accounting systems, but progress has been slow. Similarly, FEMA continues to rely on six separate finance, procurement, and grants management systems. FEMA is currently on track to replace most of these systems with a modern enterprise resource planning system in FY

1. The Department’s full implementation of its Financial Systems Modernization initiative is projected to take until the end of the decade, leaving it vulnerable to execution and oversight challenges in the near term.

Independent Auditors’ Report on the Department of Homeland Security's Consolidated Financial Statements for FYs 182023 and 2022 and Internal Control over Financial Reporting , OIG-24-06, Nov. 13, 2023. DHS Financial Management: Actions Needed to Improve Systems Modernization and Address Coast Guard Audit 19Issues High-Risk Series: Heightened Attention Could Save Billions More and Improve , GAO-23-105194, Feb. 28, 2023; Government Efficiency and Effectiveness , GAO-25-107743, Feb. 25, 2025.

, GAO-25-107743, Feb. 25, 2025.

OIG-26-02

Gaps in Spend Planning and Internal Controls

The Department needs strong spend plans and internal controls to link its strategic plans to resource allocation and spending to manage the increased amount of funds in its upcoming budget. For example, a May 2024 GAO review revealed ICE components did not revise spending forecasts when new appropriations or major budget changes occurred. This led to outdated and incomplete expenditure data, hindering the ability of the Department and Congress to effectively oversee the utilization of funds. GAO recommended the Department and ICE clarify spend plan update policies and enforce compliance. In July 2024, ICE revised its guidance to require spend plan updates at key points, such as when new appropriations are passed, or mid-year adjustments occur.21 The OIG reported material weaknesses in the Department’s financial reporting processes, including lacking consistent reviews of journal entries at certain components, financial disclosures, and component-level reporting. One material misstatement required correction, and OIG warned there is a reasonable possibility that other errors could go undetected. As 22 a result, the Department was noncompliant with Federal Managers’ Financial Integrity Act 23 and Federal Financial Management Improvement Act,which undermines confidence in the 24 accuracy and timeliness of its financial statements. The Department is aware of its budget execution challenges and has initiated efforts to address them. Leadership is committed to improving financial management and continues to update its high-risk corrective action plans and policies in response to GAO and OIG recommendations. The Department has set a target of achieving a clean audit opinion on 25 internal controls over financial reporting by FY 2028, a milestone that was previously delayed due to ongoing system overhauls. Achieving this target would signify a much stronger 26 control environment for tracking funds. Given the increase of funds through the OBBBA, tracking budget execution in real time may prevent reoccurrences of past spend plan issues. The Department must also continue to address challenges with system modernization and internal controls to ensure efficient budget execution. Financial Management: Additional Steps Needed to Improve ICE's Budget Projections and Execution , GAO-24-106550, 21

May 15, 2024. Independent Auditors’ Report on the Department of Homeland Security's FYs 2024 and 2023 Consolidated Financial 22Statements and Internal Control over Financial Reporting , OIG-25-05, Nov.15, 2024. Federal Managers’ Financial Integrity Act of 1982 , P.L. 97-255, Sept. 8, 1982. 23 , P.L. 104-208, Division A; Omnibus Consolidated Appropriations Act, 1997 Federal Financial Management 24Improvement Act of 1996 High-Risk Series: Heightened Attention Could Save Billions More and , Title VIII, Sept. 30, 1996; , GAO-25-107743, Feb. 25, 2025. Improve Government Efficiency and Effectiveness Financial Management Systems: DHS Should Improve Plans for Addressing Its High-Risk Area and Guidance for 25 , GAO-24-106895, July 30,2024. Independent Reviews

26 , GAO-25-107743, Feb. 25, 2025.

OIG-26-02

Fragmented Approach to Risk

The Department continues to face significant challenges in establishing a mature, department-wide approach to risk management. A RAND study found the Department’s institutional risk analysis capability remains at the “implementing” stage of maturity, with risk practices fragmented across components. No common enterprise-wide methods or 27 governance framework are in place though FEMA and CISA have developed more advanced risk models. RAND noted the Department lacks a central authority to standardize risk tools or tolerance levels, or train leaders in risk analysis, resulting in the inconsistent application of risk methodologies across missions. Similarly, the Organization for Economic Co-operation and Development (OECD), in its 2025 Emerging Risk Country Case Studies report, observed 28 that the Science and Technology Directorate’s Emerging Risk and Technology Program is working on processes to identify emerging risks, but there is no “single office charged with comprehensive risk assessment at DHS.” Both RAND and OECD note the absence of an enterprise-wide office or mechanism to integrate risk assessment across the Department which leaves it vulnerable to decision-making in silos. RAND’s recommendations, aimed at promoting consistency across components, include the development and publication of a unified risk management handbook, clear departmental risk tolerance standards, and mandatory risk training for senior executives. OECD likewise 29 highlighted that without integrated after-action reviews and clear lines of responsibility, risk prioritization will default to ad-hoc leadership direction rather than evidence-based enterprise governance. Both entities credit the Department for adopting more flexible, 30 cross-sector approaches, including scenario-agnostic planning and enhanced engagement with public and private partners. Nevertheless, RAND concludes that until the Department develops a cohesive enterprise framework with stronger governance and oversight structures, its risk management posture will continue to be reactive and fragmented.

Institutional Risk Analysis Maturity at the U. S. Department of Homeland Security , RAND, Apr. 30, 2025. 27Managing Emerging Critical Risks: Case Studies and Cross-Country Synthesis Report , OECD (2025). 28Institutional Risk Analysis Maturity at the U. S. Department of Homeland Security , RAND, Apr. 30, 2025. 29 , OECD (2025). Managing Emerging Critical Risks: Case Studies and Cross-Country Synthesis Report30

OIG-26-02

Grant Allocation

FEMA’s insufficient oversight resulted in poor financial stewardship of billions of Federal funds for disaster recovery and pandemic relief. For COVID-19 emergency protective measure grants, FEMA over-obligated at least $1.5 billion and did not determine the cost allowability of another $8.1 billion. A sample of 20 other grants identified approximately $32.8 million in improper payments. Also, our COVID-19 related investigations resulted in 31 307 indictments, 71 criminal informations, 228 convictions, and more than $62 million in recoveries, restitution, and fines as of November 30, 2025. Regarding disaster recovery grants, FEMA did not ensure the timely rebuilding of Puerto Rico’s electrical grid in the aftermath of 2017’s Hurricanes Maria and Irma. FEMA obligated more than $13 billion to rebuild Puerto Rico’s grid. However, as of February 2025, 92 percent of approved and obligated construction projects were incomplete and $3.7 billion of available permanent work funding had not been obligated for construction of projects. FEMA does not know when Puerto Rico’s electrical grid will be completely rebuilt. The grid remains unstable, inadequate, and vulnerable to interruptions. We further noted that FEMA’s 32 Hermit’s Peak/Calf Canyon Claims Office did not always determine compensation amounts within the 180-day timeframe required because of inadequate staffing resulting in potential delays of billions of dollars from reaching claimants. 33 FEMA faces unique cohesion challenges stemming from its role in a disaster recovery process that spans more than 30 Federal entities, as well as from limited coordination among its own programs. In 2025, GAO added the need for FEMA to improve delivery of Federal disaster assistance to its High-Risk List, citing the increasing cost and frequency of natural disasters that have severely strained FEMA and its workforce. GAO also reported on the potential for fraud in 34 FEMA disaster relief programs.

FEMA’s Insufficient Oversight of COVID-19 Emergency Protective Measures Grants Led to Over $8.1 Billion in 31Questioned Costs and $1.5 Billion in Over-obligated Funds , OIG-25-13, Jan. 31, 2025. FEMA Must Provide Additional Technical Assistance to Support the Timely Rebuilding of Puerto Rico’s 32Electrical Grid, OIG-25-39, Sept. 11, 2025. FEMA Established a Process to Review Hermit’s Peak Assistance Claims but Did Not Meet Required Processing 33and Reporting Timeframes , OIG-25-18, Feb. 25, 2025.

34 , GAO-25-107743, Feb. 2025.

OIG-26-02 Challenge 3

Information Management and Security

DHS operates more than 800 information systems across 23 components, but fragmented management and inconsistent implementation of security policies continue to create inefficiency and cybersecurity risks. A unified enterprise approach is essential to safeguard systems, protect information, and ensure secure integration of emerging technologies.

Information Security Gaps

DHS continues to face significant challenges in ensuring consistent implementation of information security policies and controls across its components, leaving systems vulnerable to cyber threats. The Federal Information Security Modernization Act (FISMA) requires Federal agencies to develop, document, and implement agency-wide information security programs. However, the latest FISMA audit by OIG recommended the Department’s Chief Information Officer (CIO) strengthen oversight to ensure components adhere to the Departments’ policies to remediate all known information security weaknesses in a timely manner. In addition, OIG's 35 cybersecurity assessments in FY 2025 for DHS headquarters and multiple components found data on missing security patches and non-compliant configuration management settings. These assessments also identified vulnerabilities on the CISA's Known Exploited Vulnerabilities Catalog which could leave the Department vulnerable to cyber-attacks. Assessments 36 identified major issues with access controls, lack of the use of multi-factor authentication, insecure application code, use of weak passwords and encryption, and use of vulnerable mobile device applications. Internal controls, such as ensuring policies are implemented 37 including security patches and configuration settings, would facilitate policy compliance and organizational cohesion. Addressing these weaknesses requires stronger centralized oversight and clear department-wide direction, both of which depend on a unified IT strategy to guide information security management.

Evaluation of DHS’ Information Security Program for Fiscal Year 2024 , OIG-25-28, June 30, 2025. 35CBP's Deficient Mobile Device Management Places Information at Increased Risk (REDACTED) , OIG-25-42, Sept. 36Inadequate Cybersecurity Rendered DHS Headquarters High-Value System Vulnerable to Attack22, 2025; , OIG- 25-43, Sept. 23, 2025. , OIG-25-08, Jan. 15, 2025; Cybersecurity System Review of a Selected High Value Asset at CISA Evaluation of 37 , OIG-25-28, June 30, 2025. DHS’ Information Security Program for Fiscal Year 2024

OIG-26-02

Despite the challenges, DHS is actively working to address these issues. In FY 2025 and FY 2026, the Department has launched key initiatives to provide real-time, data-driven visibility into cyber risks, enable proactive mitigation, and automate detection and response to accelerate remediation and improve coordination. The DHS Office of the Chief Information Officer (OCIO) continues to strengthen cyber resilience by standardizing enterprise tools. According to the DHS CIO office, the Department does not currently have an approved IT strategic plan and may not have informed all components that the previous plan is no longer in effect. An approved, published IT strategic plan would likely focus departmental resources on priorities to mitigate national security risks including cybersecurity. The DHS IT Strategic Plan is under revision to comply with Presidential Executive Orders and the President Management Agenda. Once published, the IT strategic plan combined with the FY 2025 – FY 2028 Cybersecurity Strategic Plan should help improve organizational cohesion.

Inconsistent Mobile Device Security

Since July 2023, OIG has repeatedly identified mobile device security concerns across various DHS components. Our number of findings has increased with each successive audit: FEMA 38 received 4 recommendations in July 2023, followed by 8 recommendations for ICE in September 2024, and 14 recommendations for CBP in 2025. These audits uncovered 39 problems, such as FEMA’s inability to consistently secure information on mobile devices, ICE’s inability to implement proper security settings, and ICE and CBP’s inadequate use of Mobile Device Management systems, including insufficient monitoring for devices used outside the United States. This body of work underscores the need for greater organizational cohesion and oversight to enable swift, coordinated responses to mobile device threats. DHS OCIO has taken several actions to address these mobile device recommendations. The DHS OCIO Office of the Chief Information Security Officer validated Mobile Device Management systems and have implemented required technical controls, such as allowlist and block policies. DHS also published revised policy Directive 4300A Attachment to reinforce these requirements along with a DHS Mobile Rules of Behavior.

OIG is currently reviewing I&A and USSS mobile device security and management. 38FEMA Did Not Always Secure Information Stored on Mobile Devices to Prevent Unauthorized Access , OIG-23-32; 39ICE Did Not Always Manage and Secure Mobile Devices to Prevent Unauthorized Access to Sensitive July 7, 2023; , OIG-24-61, Sept. 26, 2024; Information CBP’s Deficient Mobile Device Management Places Information at , OIG-25-42 REDACTED, Sept. 22, 2025. Increased Risk (REDACTED)

OIG-26-02

Looking Forward

DHS must make critical mission support functions more efficient. Specifically, the Department faces significant challenges in human capital, financial stewardship, and information management and security. The success of the Department’s mission, fueled by substantial resource growth, hinges on strengthening internal controls and adopting a more cohesive approach to improve its workforce capacity and system integration. Among the tools available to the Department in this effort is the Annual Evidence Plan, which DHS plans to produce in place of quadrennial Learning Agendas and Annual Evaluation Plans. The Annual Evidence Plan fulfills the requirements of the Foundations for Evidence- Based Policymaking Act of 2018 to produce an agency evidence-building plan. Most 40 upcoming evaluations and other evidence building activities planned by the Department are component specific rather than enterprise-wide. Most performance measures tracked in the FY 2024 Annual Performance Plan are component- level outputs with no discussion of enterprise-wide outcomes. For example, measures for 41 “Administer the Nation’s Immigration System” included U.S. Citizenship and Immigration Services (USCIS) processing timelines and ICE removal numbers while “Secure and Manage Our Borders” focuses on CBP interdictions and inspections. Although each component tracks its own performance, the Department does not measure performance to track the total effect of departmental activities. For example, ICE, CBP, USCG, and USCIS missions overlap, but these components do not share definitions concerning key metrics making it difficult to track the overall results of departmental efforts. Further, outdated strategic planning documents make it more difficult for the Department to align its operations with its budget. 42 Strategic foresight could also help address these challenges. OMB’s Circular A-11 calls for 43 integrating foresight into strategic planning. A department-wide foresight capability could unify these component efforts, strengthen the Department’s ability to anticipate risks, and promote greater cohesion across programs.

Foundations for Evidence-Based Policymaking Act of 2018 , Public Law 115–435, Jan. 14, 2019. 40FY 2024 Annual Performance Report, Appendix D: Measure Descriptions, Data Collection Methodologies and 41Completeness and Reliability Information , DHS, Jan. 16, 2025. Oversight Reports Identify Recurring Challenges with DHS Strategic Planning , OIG-24-64, Sept. 30, 2024. 42Circular No. A-11, Section 200 , p. 6 (definition of Foresight), OMB, Aug. 2025. 43

OIG-26-02

Spotlight on Critical Issues

In addition to the three Major Management and Performance Challenges, we are including information on two important areas that either remain unresolved or have Congressional interest. These two critical issues are screening and vetting and transportation security.

Screening and Vetting

Several audits and reviews in recent years have revealed significant challenges with the Department’s ability to comprehensively screen and vet populations entering the country. Since 2020, the United States granted 800,000 people parole but did not have necessary 44 information to conduct complete vetting of all parolees before being admitted into the United States, a process to effectively track and monitor parole status, and share 45 46 derogatory information between components. This population includes evacuees from 47 Afghanistan who were admitted into the United States under Operation Allies Refuge and Operation Allies Welcome. Ensuring that the Department has an established process for continuing to vet admitted parolees and for acting if derogatory information is uncovered is incredibly important to ensure that the parolees do not pose a threat to the American public. Beyond parolees, between 2020 and 2024, the Department of State issued more than 12 million nonimmigrant visas without conducting in-person interviews or collecting fingerprints. CBP frontline officers at U.S. ports of entry conducting inspections were not made aware that some foreign nationals had not been fully screened by the State Department, and CBP has yet to conduct a comprehensive risk assessment on those persons admitted to the United States. OIG has several ongoing projects examining aspects of the 48 Department’s screening and vetting processes to determine their effectiveness. For additional insight on OIG screening and vetting findings, please see the Screening and Vetting section under Resources. DHS Needs to Improve Oversight of Parole Expiration for Select Humanitarian Parole Processes, OIG-25-30, 44

July 2, 2025. DHS Encountered Obstacles to Screen, Vet, and Inspect All Evacuees during the Recent Afghanistan Crisis 45(REDACTED) , OIG-22-64, Sep. 6, 2022. DHS Needs to Improve Oversight of Parole Expiration for Select Humanitarian Parole Processes, OIG-25-30, 46 July 2, 2025. DHS Has a Fragmented Process for Identifying and Resolving Derogatory Information for Operation Allies 47 Welcome Parolees DHS Needs to Improve Oversight of Parole Expiration for Select , OIG-24-24, May 6, 2024; Humanitarian Parole Processes, OIG-25-30, July 2, 2025. CBP Has Not Evaluated the Security Risks of Interview-Waived Nonimmigrant U.S. Visa Holders (REDACTED), 48 OIG-25-50, Sept. 30, 2025.

OIG-26-02

Transportation Security

OIG reviews since 2004 have revealed significant challenges in Transportation Security Administration’s (TSA) security. In November 2025, we issued our seventh report with results of our covert testing of TSA’s airport checkpoint security screening effectiveness. We 49 identified vulnerabilities with TSA’s checkpoint screening technologies, related procedures, and actions of transportation security officers to prevent threat items from being brought onto commercial aircraft. Since 2004, OIG has issued 58 recommendations for TSA to improve security screening. Seven of these recommendations remain open and should be addressed to mitigate ongoing risks to aviation security. In addition to OIG’s extensive work on covert testing, we have conducted oversight of other TSA security programs. During a cybersecurity review of a TSA high value IT system, we identified multiple critical and high- risk vulnerabilities. We also conducted a review of how TSA handles misconduct allegations 50 and found that conflicting management directives impeded collaboration and potentially jeopardize the ability to mitigate insider threats. OIG currently has ongoing audits and 51 reviews of TSA’s vetting of airport workers, use of biometrics for screening and vetting of passengers, TSA’s efforts to secure Watchlist data, and oversight of the aviation sector cybersecurity readiness. For additional insight on OIG TSA security, please see the Transportation Security section under Resources.

Covert Testing of TSA’s Checkpoint Security Screening Effectiveness, OIG-26-01, Nov. 1, 2025 49Cybersecurity System Review of the Transportation Security Administration’s Selected High Value Asset, OIG-50 23-44, Aug. 28, 2023. TSA Policies Impede Effective Coordination and Investigation of Misconduct Allegations (REDACTED) , OIG-25-51 32, Aug. 13,2025.

OIG-26-02

Appendix A: Acronyms

AI Artificial Intelligence CBO Congressional Budget Office CBP Customs and Border Protection CIO Chief Information Officer CISA Cybersecurity and Infrastructure Security Agency CTMS Cybersecurity Talent Management System FEMA Federal Emergency Management Agency FISMA Federal Information Security Modernization Act GAO U.S. Government Accountability Office ICE Immigration and Customs Enforcement IT Information Technology MMPC Major Management and Performance Challenges OBBBA One Big Beautiful Bill Act OCIO Office of the Chief Information Officer OECD Organization for Economic Co-operation and Development TSA Transportation Security Administration USCG U. S. Coast Guard USCIS U.S. Citizenship and Immigration Services USSS United States Secret Service

OIG-26-02

Appendix B: Resources

DHS OIG DHS OIG For all audits, inspections, and evaluations published in FY 2025, please visit Reports. Screening and Vetting CBP Has Not Evaluated the Security Risks of Interview-Waived Nonimmigrant U.S. Visa Holders (REDACTED), OIG-25-50, Sept. 30, 2025. DHS Has a Fragmented Process for Identifying and Resolving Derogatory Information for Operation Allies Welcome Parolees , OIG-24-24, May 6, 2024. DHS Needs to Improve Oversight of Parole Expiration for Select Humanitarian Parole Processes, OIG-25-30, July 2, 2025. The Unified Coordination Group Struggled to Track Afghan Evacuees Independently Departing U.S. Military Bases, OIG-22-79, Sept. 29, 2022. CBP and ICE Did Not Have an Effective Process for Detaining and Removing Inadmissible Travelers at an International Airport (REDACTED), OIG-24-30, June 12, 2024. CBP Has Inconsistent Processes for Identifying Special Interest Aliens and Did Not Complete Requests for Interviewing [REDACTED] Aliens (REDACTED), OIG-25-29, July 1,

2025.

Transportation Security Passenger Checkpoint: Covert Testing of TSA’s Screening Checkpoint Effectiveness, OIG-17-112 (D.1.PRG.1), Sept. 27, 2017. Covert Testing of Transportation Security Administration's Passenger Screening Technologies and Processes at Airport Security Checkpoints, OIG-15-150, Sept. 22, 2015. (U) TSA Penetration Testing of Advanced Imaging Technology, OIG-12-06, Nov. 2011. Evaluation of Newly Deployed and Enhanced Technology and Practices at the Passenger Screening Checkpoint (Unclassified Summary), OIG-10-75, Mar. 2010. Follow-Up Audit of Passenger and Baggage Screening Procedures at Domestic Airports (Unclassified Summary), OIG-05-16, Mar. 2005. Audit of Passenger and Baggage Screening Procedures at Domestic Airports, OIG-04-37, Sept. 2004. Covert Testing of TSA’s Checkpoint Security Screening Effectiveness, OIG-26-01, Nov. 1, 2025.

OIG-26-02

Checked Baggage: Vulnerabilities Continue to Exist in TSA's Checked Baggage Screening, OIG-22-61, Aug. 18, 2022. (U) Vulnerabilities Exist in TSA's Checked Baggage Screening Operations, OIG-14-142, Sep.

2014.

Audit of Airport Passenger and Checked Baggage Screening Performance (Unclassified Summary), OIG-08-25, Feb. 2008. Audit of the Effectiveness of the Checked Baggage Screening System and Procedures Used to Identify and Resolve Threats (Unclassified Summary), OIG-09-42, Mar. 2009. Access Control: Covert Testing of Access Controls to Airport Secure Areas, OIG-19-21, Feb. 13, 2019. (U) Covert Testing of Access Controls to Secured Airport Areas, OIG-12-26, Jan. 2012. Penetration Testing of Law Enforcement Credential Used to Bypass Screening (Unclassified Summary), OIG-09-99, Sept. 2009. Audit of Access to Airport Secured Areas (Unclassified Summary), OIG-07-35, Mar. 2007. GAO U.S. Coast Guard Left Short Staffed Amidst Recruitment and Retention Challenges , GAO Blog, May 20, 2025. Coast Guard: Enhanced Data and Planning Could Help Address Service Member Retention Issues, GAO-25-107869, Apr. 23, 2025. Coast Guard: Progress Made to Address Recruiting Challenges but Additional Actions Needed , GAO-25-107224, May 14, 2025. Coast Guard: Actions Needed to Address Cutter Maintenance and Workforce Challenges , GAO- 25-107222, June 25, 2025. U.S. Customs and Border Protection: Efforts to Improve Recruitment, Hiring, and Retention of Law Enforcement Personnel , GAO-24-107029, Sept. 25, 2024. Coast Guard Recruitment and Retention Challenges Persist , GAO-23-106750, May 11, 2023. Coast Guard: Workforce Planning Action Needed to Address Growing Cyberspace Mission Demands , GAO-22-105208, Sept. 27, 2022. Border Security: Additional Actions Needed to Strengthen CBP Efforts to Mitigate Risk of Employee Corruption and Misconduct , GAO-13-59, Dec. 4, 2012. Homeland Security: Information on Training New Border Patrol Agents , GAO-07-540R, Mar. 30, 2007. DHS Integrated Strategy for High-Risk Management 2025 , Mar. 2025. Law Enforcement , Office of Homeland Security Statistics, Dec. 20, 2024. The U.S. Border Patrol, the U.S. Secret Service, and the U.S. Coast Guard are Breaking Recruitment Records Under President Trump and Secretary Noem , May 16, 2025. DHS Components Secret Service Recruiting Bonuses , USSS, accessed July 22, 2025. FY19-FY22 Assault Incident and Officers/Agents Assaulted Data Set , CBP, accessed July 25,

2025.

OIG-26-02

Mission success! Coast Guard exceeds 2024 recruitment target , USCG, Sept. 25, 2024. Coast Guard releases Force Alignment plan for AY25 , USCG, Aug. 9, 2024. Coast Guard adjusts operations plan to mitigate 2024 workforce shortage , USCG, Oct. 31,

1. USCG, Cutters are defined as vessels 65 feet or longer. The USCG has 241 cutters. See The Cutters, Boats, and Aircraft of the U.S. Coast Guard for definition and GAO-25-107222 for number of cutters. Force Design 2028 , USCG, accessed July 24, 2025. Hiring Incentives , USCG, accessed July 24, 2025. U.S. Coast Guard receives historic investment to rebuild under President Trump’s One Big Beautiful Bill , USCG, July 4, 2025. Congress Subcommittee Hearing on “Assessing the Shortage of United States Mariners and Recruitment and Retention in the United States Coast Guard” , Committee on Transportation Assessing the Shortage of United States Mariners and and Infrastructure, May 5, 2023 and Recruitment and Retention in the United States Coast Guard Hearing , May 11, 2023. Reconciliation Recommendations of the House Committee on Homeland Securit y, Congressional Budget Office, May 9, 2025. The One Big Beautiful Bill Makes America Safe Again , Congressional Budget Office, Cost Estimate for the One Big Beautiful Bill Act (H.R.119-21), July 8, 2025. White House Enhancing Public Safety in the Interior of the United States , Executive Order 13768, Jan. 30,

2017.

Border Security and Immigration Enforcement Improvements , Executive Order 13767, Jan. 30, 2017. President Bush Addresses the Nation on Immigration Reform , White House, May 15, 2006. RAND Leading with Artificial Intelligence , RAND, Oct. 2024. U.S. Department of Homeland Security Planning, Programing, Budgeting, and Execution Process: A Primer , RAND, July 22, 2024. Other Crossing the line: Corruption at the border , Accessed on Internet Archive’s Wayback Machine, Center for Investigative Reporting, July 22, 2025. ICE Cancels Proposed Contract for Help in Hiring Thousands of Deportation Officers , Government Executive, May 31, 2018. Compensation Flexibilities to Recruit and Retain Cybersecurity Professionals , OPM, accessed July 24, 2025. Special Rates , OPM, accessed Dec. 18, 2025.

OIG-26-02

U.S. Department of Homeland Security Washington, DC 20528 Hoilleland Security

January 9, 2026 MEMORANDUM FOR: Joseph V. Cuffari, Ph.D. Inspector General ~ FROM: Holly C. Mehringer Senior Official Performmg t e Duties Chief Financial Officer Management Response to Draft Report: "Major Management and SUBJECT: Performance Challenges Facing the Department of Homeland Security" Thank you for the opportunity to comment on this major management and performance challenges report. The U.S. Department of Homeland Security (DHS, or the Department) appreciates the work of the Office oflnspector General (OIG) in developing and issuing this report. We value your office's earlier engagement with DHS and Components, the clearer report structure, and your inclusion of information about our progress in addressing challenges. DHS and Component leadership at all levels will review the report and consider how the perspectives contained in it could best impact the way we carry out our mission. The Department continually works to address challenges described as "divided responsibilities and duplicated efforts" in the report. DHS is evolving, and the Administration is taking bold steps to improve operations. Regarding hiring, we appreciate OIG's recognition of our Career Expos, which are helping increase law enforcement hiring to support immigration and border enforcement. On financial stewardship, the Department achieved its goal of Full Operational Capability in 2025 for the DHS Financial Management System supporting the Countering Weapons of Mass Destruction Office, the Transportation Security Administration, and the U.S. Coast Guard. With respect to information management and security, DHS had numerous accomplishments during the past year to strengthen our cybersecurity posture, improve compliance and vulnerability management, and enhance risk management. As just one example, DHS demonstrated a strong commitment to risk mitigation by creating over 12,000 new Plans of Action and Milestones for Sensitive Systems and successfully closing nearly all of them within the year. The Department acknowledges the risks noted in the report about One Big Beautiful Bill Act (OB3) funding. This legislation provided a historic investment in the department and its missions and DHS will diligently manage the hiring, financial, and information management and security risks that may arise. To ensure unified oversight, the Secretary of Homeland Security designated the Senior Official Performing the Duties of the Under Secretary for Management as

the OB3 Principal Executive Officer responsible for Department-wide governance of all related functions. In addition, each Component receiving funding has named dedicated senior executives to manage this important priority, ensuring accountability and coordination across the Department. We remain committed to working with the dedicated men and women of the OIG in their important work, and to address challenges highlighted in this report. DHS previously submitted technical comments addressing several accuracy, contextual and other concerns under a separate cover for consideration, as appropriate. Please contact me with any questions. We look forward to working with you in the future.

The mission of the Office of Inspector General is to provide independent oversight and promote excellence, integrity, and accountability within DHS. To report fraud, waste, or abuse, visit our website at www.oig.dhs.gov and click on the red “Hotline” tab. If you cannot access our website, call our hotline at (800) 323-8603 or write to us at: Department of Homeland Security, Office of Inspector General, Mail Stop 0305 Attention: Hotline 245 Murray Drive, SW Washington, DC 20528-0305 For further information or questions, please contact Office of Inspector General Public Affairs at: DHS-OIG.OfficePublicAffairs@oig.dhs.gov

OIG-26-02