Kansas Bureau of Investigation ABIS Project (Quarter Ending June 30, 2020)
State law (K.S.A. 46-1135) requires us to monitor ongoing IT projects to identify signs they might fail. Post Audit Committee rules require us to assess risks for all IT projects reported to the Enterprise Project Management Office (EPMO).
In July 2019, we conducted a risk assessment of 30 IT projects reported to the EPMO. Although not included in that report, we learned that the KBI planned to replace its Automated Fingerprint Identification System (AFIS). At an estimated cost of about $8 million, it is not one of the state’s most expensive projects. However, it is very important to law enforcement agencies and is time sensitive. Additionally, the Legislature had expressed some concerns about KBI’s communication about it. As a result, we decided to monitor this project starting in 2020.
Objectives, Scope, & Methodology
The objectives of our work include:
- Identify, as early as possible, when a project is at risk of failure due to scope, schedule, or cost problems.
- Evaluate whether monitored IT projects have adequately planned for the implementation of required security controls.
We also evaluate whether a project complies with relevant state statutes, Information Technology Executive Council policies, and other best practices. We communicate any risks we identify to project leadership, legislators, or other stakeholders to get those projects back on track.
In the previous quarter, we reviewed relevant EPMO reports and project documents to better understand the KBI project. During this quarter, we attended several meetings with KBI and contract staff. We also reviewed additional project documents as they became available. Lastly, we interviewed members of the project team as necessary.
Our project monitoring work is not conducted in accordance with generally accepted government auditing standards.
We determined the Automated Biometric Identification System (ABIS) project’s status was satisfactory after evaluating its scope, schedule, cost, and security.
KBI started planning for a replacement of the state’s Automated Fingerprint Identification System (AFIS) in 2016.
- The KBI maintains the state’s Automated Fingerprint Identification System (AFIS), which cannot be supported beyond 2022. The system collects, stores, and compares fingerprint records. The system also scans and digitally encodes fingerprints to match against federal and state databases. This is done for both criminal justice and non-criminal justice purposes (e.g. fingerprint checks for hiring purposes). AFIS contains over 1.7 million adult and juvenile fingerprint-based criminal history records. Its hardware and software cannot be upgraded any longer. Maintenance cannot be extended beyond 2022, and the system will become completely obsolete at that time. The system does not meet current information security standards.
- Initial planning for a new Automated Biometric Identification System (ABIS) started in 2016. KBI officials told us staff had contacted other states in 2016 to identify options for replacing its old fingerprinting system. In May 2017, the KBI submitted a replacement plan to the executive branch Chief Information Technology Officer. The planned project includes fingerprint and biometric features such as iris scanning and facial recognition. In October 2019, agency officials completed an internal feasibility study to develop a high-level scope and plan for the system.
The project scope for ABIS appears satisfactory.
- In late May 2020, KBI completed its planning project to design and refine the requirements for the ABIS project. KBI’s contractor (AFIS and Biometric Consulting, Inc.) was responsible for completing detailed level requirements, a cost estimate, and a Request for Proposal (RFP). As of June 30, this sub-project had been completed. We confirmed the agency has developed a scope for the main project based on that project and the deliverables. KBI officials told us they received the Chief Information Technology Officer’s (CITO’s) approval for the high-level project documents they submitted toward the end of this quarter.
- We determined the scope for the main project is satisfactory. Based on our review of the feasibility study, planning project documents, and participation in the status meetings, we think the scope for the ABIS project is reasonable. KBI officials have finalized the scope of the main project and have documented it in the RFP (published June 15, 2020). The RFP and resulting contract award for the new ABIS system locked in the project scope.
The project schedule for ABIS is satisfactory.
- The planning project was slightly behind schedule but has been completed. In January, KBI signed a contract to refine the requirements and create an RFP for the main project. This planning project was scheduled to be completed by May 13. The project and all deliverables were completed by May 29, only 12 business days late. This status is commendable because the COVID-19 pandemic limited travel for the contractor and reduced the availability of KBI staff.
- We determined the schedule for the main project is satisfactory. With the RFP for the main project released later than originally planned, KBI staff pushed back the project award deadline from July to early November 2020. That will start the execution phase and allow the contractor roughly 2 years to produce a working system by December 2022, when the current AFIS becomes obsolete. Awarding the contract by November and ensuring contractor progress will be crucial to maintain a satisfactory project schedule.
The project cost for ABIS is satisfactory.
- The cost for the planning project was on track and has been paid. On May 29, KBI completed the planning project and had received all the deliverables for its $61,632 contract.
- The cost estimate for the main project has been finalized. The agency’s internal feasibility study estimated the project cost at almost $8 million. The planning project required the contractor to produce a more precise cost estimate based on the contractor’s expertise. We participated in several status meetings related to this cost estimate, which included onsite and cloud options. Estimates also included itemized hardware costs, testing, back-up systems, and maintenance costs for 10 years. Cost estimates were refined several times based on stakeholders’ feedback. Although the final cost estimate is confidential, the interactive process used appeared reasonable. KBI will use this more precise cost estimate to analyze bidders’ responses to the RFP.
- The Legislature appropriated necessary funding for the project. During the 2020 session, officials expected the Governor would recommend a budget enhancement for ABIS. However, the ongoing COVID pandemic cut the legislative session short and left the main ABIS project unfunded. The Legislature’s appropriations bill (Senate Bill 66) set aside $50 million in State General Funds to help support coronavirus response efforts in FY 2020 and FY 2021. KBI officials requested $6.8 million for the ABIS project from those funds. The Legislative Budget Committee approved the agency’s request during its June 17 hearing. The Legislative Coordinating Council also approved this funding the following day. This funding will allow agency officials to sign a contract with a suitable vendor to develop the new system.
The project security for ABIS is satisfactory.
- Appropriate security planning helps ensure IT systems are built with necessary security controls. This includes state and federal security requirements and some emerging best practices. Having to “bolt on” necessary security features at the end often results in higher costs. We generally review whether project officials appropriately plan for implementing IT security requirements.
- KBI’s feasibility study for this project included requirements for security standard compliance. The study outlined the current system’s security weaknesses, including unreliable and nonconforming message protocols, and inadequate disaster recovery capabilities. The study also included 55 mandatory security requirements for the new ABIS project. These requirements address current security concerns. They also focus on ensuring compliance with KBI best practices, Kansas Criminal Justice Information System (KCJIS) policies, and National Institute of Standards and Technology (NIST) requirements.
- The deliverables from the completed planning project include ABIS’s security requirements. The planning project’s deliverables included creating detailed requirements with security parameters, a cost estimate, and a work breakdown structure for the main project. We confirmed the finalized RFP includes various security and governance requirements for the system.
We did not make any recommendations for this audit.
On July 27, 2020, we provided the draft audit report to the Kansas Bureau of Investigation. The agency did not have to submit a formal response as we did not make recommendations. The agency generally agreed with our conclusions. The agency did not request any changes and chose not to provide a formal response.