Kansas Bureau of Investigation ABIS Project (Quarter Ending March 31, 2020)
State law (K.S.A. 46-1135) requires us to monitor ongoing IT projects to identify signs the project might fail. Post Audit Committee Rule 6-2 requires a risk assessment of all IT projects reported to the Enterprise Project Management Office (EPMO). This risk assessment helps us develop a project monitoring plan. That plan must be presented to our committee at the start of each legislative session.
In July 2019, we conducted a risk assessment of 30 IT projects reported to the EPMO. Although not included in the EPMO report published in May 2019, we learned that the KBI planned to replace its Automated Fingerprint Identification System (AFIS). At an estimated cost of about $8 million, it is not one of the state’s most expensive projects. However, it is very important to law enforcement agencies and is time sensitive. Additionally, the Legislature raised some concerns about KBI’s communication about it. As a result, we decided to monitor this project starting in 2020.
Objectives, Scope, & Methodology
The objectives of our work include:
- Identify, as early as possible, when a project is at risk of failure due to scope, schedule, or cost problems.
- Evaluate whether monitored IT projects have adequately planned for the implementation of required security controls.
We also evaluate whether a project complies with relevant state statutes, Information Technology Executive Council policies, and other best practices. We communicate any risks we identify to project leadership, legislators, or other stakeholders to get those projects back on track.
We reviewed relevant EPMO reports and project documentation to understand and familiarize ourselves with the KBI project. We also attended several communication meetings from January 1, 2020 through March 31, 2020. We reviewed additional project documents as they became available. Lastly, we interviewed members of the project team as necessary.
Due to their continuous nature, these audits are not conducted in accordance with generally accepted government auditing standards.
We determined the Automated Biometric Identification System (ABIS) project’s status was satisfactory after evaluating its scope, schedule, cost, and security.
KBI started planning for a replacement of the state’s Automated Fingerprint Identification System (AFIS) in 2016.
- The KBI maintains the state’s Automated Fingerprint Identification System (AFIS). The system collects, stores, and compares fingerprint records. The system also scans and digitally encodes fingerprints to match against federal and state databases. This is done for both criminal justice and non-criminal justice purposes (e.g. fingerprint checks for hiring purposes). AFIS contains over 1.7 million adult and juvenile fingerprint-based criminal history records.
- The AFIS cannot be supported beyond 2022. The current system is based on a model manufactured by MorphoTrack. The vendor most recently refreshed the system in 2012. Kansas is the last state in the nation that still uses this model. Its hardware and software cannot be upgraded any longer. Maintenance cannot be extended beyond 2022, and the system will become completely obsolete at that time. Currently, the system’s old technology results in missed identifications, and all Kansas palm prints are no longer accepted by the FBI. The system does not meet current information security standards.
- Initial planning for a new Automated Biometrics Identification system (ABIS) started in 2016. KBI officials told us staff had contacted other states in 2016 to identify options for replacing its old fingerprinting system. In May 2017, the KBI submitted a plan to the executive branch Chief Information Technology Officer to replace its old system. The planned project includes fingerprint and biometric features such as iris scanning and facial recognition. In February 2018, the KBI contracted with a vendor to complete a feasibility study of the new system. But KBI canceled the contract because the study’s deliverables were sub-standard and not timely.
The project scope for ABIS appears satisfactory.
- In October 2019, agency officials completed an internal feasibility study and developed a high-level scope and plan for the system. The proposed plan was to purchase and configure Automated Biometric Identification System components. This plan intends to leverage the benefits of similar systems deployed and working in other states. It also allows the KBI flexibility to accommodate specific Kansas requirements.
- In late January 2020, KBI awarded a $62,000 contract to design and refine the requirements for the ABIS project. The contractor (AFIS and Biometric Consulting, Inc.) is responsible for completing detailed level requirements, a cost estimate, and a Request For Proposal (RFP) by April 2020. As of March 31, project documents for this sub-project show the contractor is on track to complete those tasks, which will help shape the scope for the main project.
- We determined the scope for the main project is satisfactory. Based on our review of the feasibility study, other project documents, and participation in the status meetings, we think the scope for the ABIS project is reasonable. KBI officials told us they plan to file project materials for the main project with the state’s Enterprise Management Project Office upon completion of the sub-contract. Those project documents as well as the main contract award for the new ABIS system will lock in the scope for the ABIS project.
The project schedule for ABIS is satisfactory.
- The schedule for the planning project appears on track. In February, KBI signed a contract to refine the requirements and create an RFP for the main project. This planning project is scheduled to be complete May 13. According to the project documentation, 3 of the 7 contract deliverables were completed at the end of this calendar quarter. Two additional deliverables (drafting the RFP and high-level Work Breakdown Schedule) are in progress. At the end of March, the planning project had a Schedule Performance Index of 0.95, indicating the project is slightly behind schedule. This status is commendable because the COVID-19 pandemic limited travel for the contractor and the availability of KBI staff.
- We determined the schedule for the main project is satisfactory. In February, KBI expected to award the contract for the ABIS project in July 2020 and have the new system deployed by December 2022. Delays with releasing the RFP could jeopardize the award and the project completion deadline. The execution deadline is crucial because maintenance on the current AFIS cannot be extended beyond 2022. The state’s current fingerprinting system will become completely obsolete at that time. The ongoing pandemic, as well as a financial issue discussed below, could put this planned schedule at risk.
The project cost for ABIS is satisfactory but budget uncertainty could threaten the project’s success.
- The cost for the planning project is on track. Based on project documents, KBI has received $29,582 in deliverables from the $61,632 contract. At the end of March, the planning project had a Cost Performance Index of 1.10, indicating it is under budget.
- The cost estimate for the main project being finalized is satisfactory. The agency’s internal feasibility study estimated the project cost at almost $8 million. The current planning project requires the contractor to produce a more precise cost estimate based on the contractor’s expertise. We participated in several status meetings related to this estimate, which included onsite and cloud options. Estimates also included itemized hardware costs, testing, back-up systems, and maintenance costs for 10 years. Cost estimates were refined several times based on stakeholders’ feedback. Although the final estimate is still confidential, the interactive process being used appeared reasonable.
- Budget approval for the project is threatened due to the current pandemic. KBI officials requested an $8 million budget enhancement during the past two budget submission cycles. The Division of Budget removed the enhancement both times because they wanted a more precise estimate. The Governor agreed to make a recommendation to the 2020 Legislature once the agency had a more precise cost estimate based on the current RFP work. During a recent House Transportation and Public Safety Budget committee hearing, legislators were made aware of this enhancement request. However, the current pandemic limited the regular legislative budget approval process. It is unclear if and when the Governor would create the necessary budget enhancement for this project to feed into this years’ final appropriations process. The ABIS project will be at serious jeopardy without this funding.
The project security for ABIS is satisfactory.
- Appropriate security planning helps ensure IT systems are built with necessary security controls. This includes state and federal security requirements and some emerging best practices. Having to “bolt on” necessary security features at the end often results in higher costs. We generally review whether project officials appropriately plan for implementing IT security requirements.
- KBI’s feasibility study for this project included requirements for security standard compliance. The study outlined the current system’s security weaknesses, including unreliable and nonconforming message protocols. Additionally, the current system’s performance is unreliable, and it does not have adequate disaster recovery capabilities. The study also included 55 mandatory security requirements for the new ABIS project. These requirements included fixing current security concerns. They also focus on ensuring compliance with KBI best practices, Kansas Criminal Justice Information System (KCJIS) policies, and National Institute of Standards and Technology (NIST) requirements.
- The planning project included work to review and refine KBI’s security requirements. The contract deliverables included creating detailed requirements including security parameters, a cost estimate, and a work breakdown structure for the main project. We participated in several meetings and reviewed project documentation. We confirmed these deliverables all included further work on security and governance requirements.
We did not make any recommendations for this audit.
On April 8, 2020 we provided the draft audit report to the Kansas Bureau of Investigation. The agency did not have to submit a formal response because we did not make recommendations. Agency officials requested a couple of technical changes which we made. The agency generally agreed with our findings and conclusions and chose not to provide a formal response.