Can you help me critique this article?
Chapter Title: Assessment of the Assignments and Arrangements of the Executive
Agent
Book Title: An Assessment of the Assignments and Arrangements of the Executive
Agent for DoD Biometrics and Status Report on the DoD Biometrics Enterprise
Book Author(s): Douglas Shontz, Martin C. Libicki, Rena Rudavsky and Melissa A.
Bradley
Published by: RAND Corporation
Stable URL: https://www.jstor.org/stable/10.7249/j.ctt3fh0n8.10
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide
range of content in a trusted digital archive. We use information technology and tools to increase productivity and
facilitate new forms of scholarship. For more information about JSTOR, please contact support@jstor.org.
Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at
This content is licensed under a RAND Corporation License. To view a copy of this license, visit
https://www.rand.org/pubs/permissions.html.
RAND Corporation is collaborating with JSTOR to digitize, preserve and extend access to An
Assessment of the Assignments and Arrangements of the Executive Agent for DoD Biometrics
and Status Report on the DoD Biometrics Enterprise
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
https://www.jstor.org/stable/10.7249/j.ctt3fh0n8.10
17
ChAptEr thrEE
Assessment of the Assignments and Arrangements of the
Executive Agent
This chapter begins with a description of the EA organization, roles, and responsibilities. It
then describes the biometric capabilities that fall under the purview of the EA. The third sec-
tion assesses the assignments and arrangements of the EA and describes issues with each of
the eight stages of the biometrics cycle and qualitatively assesses the risk that certain identified
issues pose to the cycle.
The EA is supporting a functioning biometrics cycle that meets some level of warfighter
needs and has had significant success identifying bad actors. Aspects of the EA’s assignments
and arrangements show some deficiencies in managing biometrics responsibilities and pose
risks to the biometrics cycle and ability to provide for user needs. However, this assessment
examines ten years of activity and was conducted at a single point in time. Thus, it does not
fully capture the recent efforts by the EA to improve operations, many of which were ongo-
ing during our research. The EA has worked to increase automation, formalize activities, and
develop metrics that demonstrate the impact of biometrics work. R AND expects that the
required future annual assessments will track these continued changes and efforts to improve
effectiveness and efficiency.
Assignments and Arrangements of the Executive Agent
The responsibilities and functions of SECARMY acting as the EA for DoD Biometrics are
spelled out in DoDD 8521.01E, paragraph 5.12, a document released by DoD in 2008 to pro-
mote a joint and coordinated organizational structure for a DoD-wide biometric capability.
DoDD 8521.01E lists discrete tasks the EA must accomplish, but, in keeping with standard
DoD practice, the directive does not dictate how the Army must specifically organize its vari-
ous biometrics functions to carry out its responsibilities.
The Biometrics Cycle
However, before describing the specifics of the EA’s management and functions, it is useful to
briefly summarize what the EA is currently executing. In general, the EA executes those func-
tions needed to enable and support the biometrics cycle for red- and gray-force information.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
18 An Assessment of the Executive Agent for DoD Biometrics
Figure 3.1 describes the biometrics cycle as derived from the PSA’s description, DoD documen-
tation, and interviews.
The EA’s role in enabling and supporting the cycle includes developing, procuring, and
fielding biometric collection, storage, and analytical technology, operating the authoritative
database for red and gray forces, promulgating standards for biometric data, and collecting
common biometric requirements.1
For most biometric records, the cycle currently operates as follows: An individual is
“enrolled” by collecting (ideally) ten fingerprints, iris scans, a facial photograph, and biographic
information (name, height, weight, etc.); the data are sent to the Automated Biometric Iden-
tification System (ABIS) to determine if a biometric match can be made to existing records;
a match/no match response is sent to a recipient who may or may not be the person who sub-
mitted the request.2 Most fingerprint records submitted to ABIS can be resolved by automated
analysis, but some (approximately 9.5 percent as of January 2012 according to BIMA) must be
reviewed by a human forensic examiner. Submissions are prioritized based on urgency, with
SOCOM inquiries receiving higher priority than detention center inquiries (as well as Navy
maritime interdiction operations, and FBI Hostage Rescue Team operations). Results of bio-
metric submissions are also analyzed in conjunction with other available information about
the identified person. As of January 2012, ABIS contained 7.1 million records linked to 4.5
million unique identities, and ABIS was processing, on average, approximately 6,500 transac-
tions per day.
In addition to this process, BIMA employs latent print examiners who try to match ABIS
records to partial fingerprints collected from various sources, e.g., IEDs. Fingerprint records
are also received from partner nations working in cooperation with the United States.
1 The EA is also responsible for blue-force biometric work, but the current level of activity is much lower as described later
in this report.
2 One might suppose the cycle would terminate when a match/no match response is sent back to the field. It does not
unless the match is to someone on the BEWL or the match request came from SOCOM. According to CENTCOM
sources, the Project Manager for DoD Biometrics (PM-Biometrics) has had a requirement to implement a function in Bio-
metrics Automated Toolkit (BAT) to be able to receive responses, but it has not been implemented.
Figure 3.1
The Biometrics Cycle
RAND TR1290/1-3.1
Task/Direct Collect Transmit Match
Decide/Act Analyze Share/Reference Store
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 19
EA Roles and Responsibilities
Prior to describing the biometrics-specific functions of the EA listed in DoDD 8521.01E, it is
useful to reference DoDD 5101.1, which defines the general role of an EA within DoD. Con-
ceptually, an EA is designated to ensure proper coordination among DoD components, iden-
tify requirements and resources, and monitor and report results of performance for capabilities
not clearly within the purview of a single DoD component.3 DoDD 5101.1 explicitly describes
the role of an EA:
• “5.2.1. Execute DoD Executive Agent responsibilities, consistent with applicable law,
DoD Directive 5100.3 (reference (d)), DoD Directive 5100.73 (reference (e)), and this
Directive.
• “5.2.2. Ensure proper coordination with the DoD Components for the responsibilities
and activities assigned to provide continuous, sustainable, and global support as required
by end-users. Ensure effective planning throughout operations by developing a coordi-
nated process and support plans for transition from peacetime to wartime and/or contin-
gency operations.
• “5.2.3. Identify requirements and resources, including force structure to the extent per-
mitted by law, necessary to execute assigned responsibilities and functions. Submit these
requirements to the cognizant Head of the DoD Component to be included in their
respective budget documentation.
• “5.2.4. Monitor resources used in performing assigned responsibilities and functions.
• “5.2.5. Develop, maintain, and report results of performance of DoD Executive Agent
responsibilities and functions, as may be required by law, Secretary of Defense decision,
or other Congressional requirements.
• “5.2.6. Obtain reports and information, consistent with DoD Directive 8910.1 (reference
(f )), as necessary, to carry out assigned DoD Executive Agent responsibilities, functions,
and authorities.
• “5.2.7. Establish, maintain, and preserve information as records, consistent with DoD
Directive 5015.2 (reference (g)), that document the transaction of business and mission
of the DoD Executive Agent.
• “5.2.8. Designate a focal point to coordinate matters regarding assigned DoD Executive
Agent responsibilities, functions, and authorities.”
DoDD 8521.01E specifies the role of the Biometrics EA in light of DoDD 5101.1 and the
development and deployment of common biometric technology, operating the authoritative
database, promulgation of data standards, and collection of requirements, among other things.
In considering these duties, it is important to remember two things: First, the assignments
and arrangements of an EA in general are meant to be monitored regularly for effectiveness in
meeting end-user requirements. Second, DoDD 8521.01E preceded formalized strategy for a
3 DoD, “DoD Executive Agent,” DoD Directive 5101.1, May 9, 2003.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
20 An Assessment of the Executive Agent for DoD Biometrics
coordinated DoD biometric capability and thus is merely an initial step. In light of these cave-
ats, DoDD 8521.01E by itself does not (and cannot) serve as the basis for assessing the EA’s
assignments and arrangements. Instead, the directive is a framework for the entire biometrics
program, including the EA’s role, that is meant to be further specified by other implementation
measures such as a DoD Instruction (DoDI). DoDD 8521.01E lists the explicit responsibilities
of the Biometrics EA:
• “5.12.1. Execute responsibilities of the DoD EA for DoD Biometrics in accordance with
Reference (w) and this Directive.
• “5.12.9. Develop, publish, and update as appropriate a DoD Biometrics Security Clas-
sification Guide.
• “5.12.8. Coordinate all component biometric requirements with DoD Component mem-
bers of the DoD Biometrics EXCOM.
• “5.12.6. Program for and budget sufficient resources to support common enterprise
requirements documentation, architecture development, materiel development, test and
evaluation, lifecycle management, prototyping, exercises, records management, demon-
strations, and evaluations to include efforts at maturing viable technologies and standards.
• “5.12.7. Program for and budget sufficient resources to support common biometric data
management, training, operations, and lifecycle support.
• “5.12.3. Provide for, manage, and maintain a biometrics center of excellence.
• “5.12.2. Appoint an Executive Manager for DoD Biometrics, who shall be a G/FO or
SES equivalent, with responsibilities as outlined in Enclosure 4.
• “5.12.4. Appoint a single Program Management Office, under the authority of the
Army Acquisition Executive, responsible for the development, acquisition, and field-
ing of common biometrics enterprise systems to support common, Service, and joint
requirements.”4
We gathered additional information through interviews and document reviews to gain a
more complete understanding of the EA’s activities.
First, the EA appoints the Executive Manager for DoD Biometrics, who is currently the
Director of BIMA. The Executive Manager is responsible for biometrics standards and prom-
ulgation, among other things. BIMA is an agency created by the Army responsible for carrying
out the Executive Manager’s functions, including managing the “authoritative DoD reposito-
ries of biometric samples on those individuals not issued a DoD credential.”5
Second, the EA provides for, manages, and maintains “a biometrics center of excellence.”6
4 DoD, 2008s.
5 DoD, 2008a, paragraph E4.11.
6 DoD, 2008a, paragraph 5.12.3.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 21
Third, the EA appoints “a single Program Management Office” for biometrics, cur-
rently PM-Biometrics, which is “responsible for the development, acquisition, and fielding of
common biometrics enterprise systems to support common, Service, and joint requirements.”7
Fourth, the EA, “when applicable … make[s] recommendations to [the Under Secretary
of Defense for Acquisition, Technology and Logistics] USD(AT&L) concerning acquisition
category and milestone decisions for all biometric acquisition programs.”8
Fifth, the EA is tasked with programming and budgeting resources to support common
requirements. Currently, and over the last ten years, these resources have come overwhelmingly
from OCO funding. This funding source relieved the Army of having to make trade-offs in
its base budget between DoD-wide biometrics support and other Army needs. However, once
OCO funding ends—a factor already starting to impinge on the FY13 program—biometrics
will have to compete for funding and will therefore need a strong rationale in favor of surviving
as an enduring DoD capability in some form. Furthermore, without OCO funding, biomet-
rics requirements must be supported with formal PoRs created by the Army. As of this writ-
ing, the Army has initiated this effort, but it has moved only through Army’s internal staffing
process and must still complete joint staffing.
Sixth, the EA is responsible for programming and budgeting “sufficient resources to sup-
port common biometric data management, training, operations, and lifecycle support.” Train-
ing has been ad hoc so far because formal training cannot be developed without PoRs.
Seventh, the EA is responsible for coordinating “all component biometric requirements
with DoD Component members” of the DoD Biometrics Executive Committee (EXCOM),
and, by extension, using these requirements in developing its acquisitions.
Finally, the EA is responsible for developing, publishing, and updating “a DoD Biomet-
rics Security Classification Guide.”
The EA has taken on and engaged in additional biometrics activities not specified in
DoDD 8521.01E by virtue of additional OSD guidance, past practice, and the consequences
of deployed systems. We identified these activities during the study and incorporated them into
our understanding of the assignments and arrangements as appropriate.
The EA’s management structure described by DoDD 8521.01E, officially formed by the
EA, guided by ADMs, and as carried out in practice, is shown in Figure 3.2. Beyond the
DoDD-required Executive Manager (BIMA) and PM-Biometrics, the management structure
includes requirements and (in the future) training functions formally assigned to U.S. Army
TR ADOC, as well as BEI functions carried out by the National Ground Intelligence Center
(NGIC). The EA components’ primary functions and responsibilities as identified during this
study are summarized in Table 3.1. For purposes of this report, we assumed all other EA func-
tions are retained by the EA.
As described by the DoDDs discussed above, a PSA—currently the Assistant Secretary of
Defense for Research and Engineering—oversees the EA’s activities. For biometrics, the PSA
7 DoD, 2008a, paragraph 5.12.4.
8 DoD, 2008a, paragraph 5.12.5.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
22 An Assessment of the Executive Agent for DoD Biometrics
accomplishes his oversight primarily by chairing the EXCOM, which is the coordinating body
for DoD biometrics. The EA is represented at EXCOM meetings by the Executive Manager,
and the EA components provide the PSA with updates on biometrics activities. Other DoD
components also participate in the EXCOM as needed.
Shortly after the publication of DoDD 8521.01E in 2008, DoD released the Biometrics
Enterprise Strategic Plan (BESP). This document firmly prioritizes support of military opera-
tions for DoD biometrics, but, as discussed in Chapter Four, its goals are vague. As discussed
in Chapter Two, when we tried to apply a logic model approach to track the program inputs to
intended outcomes, we found the documents were inconsistent among themselves. This led us
to use the approach that focuses on the biometrics cycle.
Assessment of EA Management Assignments and Arrangements
Several aspects of the EA’s assignments and arrangements for carrying out its biometrics respon-
sibilities are stovepiped, unclear, and duplicative, which could contribute to reduced effective-
ness and efficiency of biometrics capabilities for end-users. R AND identified three factors as
the likely root causes of management deficiencies:
• EA responsibilities spread across Army in a somewhat nontraditional manner
Figure 3.2
Executive Agent Management Structure
RAND TR1290/1-3.2
Assistant Secretary of
Defense (Research
and Engineering
(PSA)
Organizations with known or designated key EA functions
Secretary of the
Army (EA)
Deputy Chief of Staff
for Intelligence
(G-2)
Deputy Chief of Staff
for Operations and
Plans (G-3/5/7)
Training and
Doctrine Command
(TRADOC)
National Ground
Intelligence Center
PM-Biometrics
Intelligence and
Security Command
BIMA (Executive
Manager)
Capability Manager
for Biometrics and
Forensics
(TRADOC)
Assistant Secretary of
the Army for
Acquisition, Logistics,
and Technology
Program Executive
Office—Enterprise
Information Systems
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 23
• continued reliance on OCO funding and quick reaction capabilities (QRCs)
• lack of objectives and metrics.
First, as noted above, the EA’s functions—both those formally assigned and others taken
on—are spread across the Army and only meet organizationally at the EA himself, SECARMY.
The management arrangement is mostly typical within the Army, with separate roles for col-
lecting requirements, procuring technology, and operating systems. However, the complicat-
ing factors in this case are the EA’s Executive Manager and the need for centralized operations.
Normally, requirements are gathered, equipment is acquired and fielded, and Army units use
the equipment independently. With biometrics, the equipment must be used in concert with a
central database that supports all of DoD. The EA’s Executive Manager operates the database
and has assumed some roles in technology development and requirements. Further, the EA’s
Executive Manager only has authority over BIMA, with no ability to coordinate the EA’s func-
tions and components.
Consequently, the closest approximation to the true role of Executive Manager has been
taken on more by the PSA’s representative, the Director of Defense Biometrics. However, as an
Table 3.1
Summary of Executive Agent Component Primary Functions and Responsibilities Identified in RAND
Research
EA Component Functions Notes
BIMA – Executive
Manager
• Vice chair of Biometrics EXCOM
• Manage database for red and gray forces
• technology “support”
• Standards
• Develop tools to facilitate interoperability
• Coordinate on continuity of operations (COOp)
site
responsible for all Executive
Manager responsibilities listed in
DoDD 8521.01E
pM-Biometrics • Develop, acquire, and field biometrics systems
• Database COOp site
reports to program Executive
Office and Asst. Sec. Army on
acquisition matters
trADOC • Gather biometrics requirements through
tCM-B&F
• Develop Capability Development Documents
(CDDs) for pors through tCM-B&F
• Develop and conduct training
NGIC • Operate BEwL
• provide BEI through analysts funded by the
Military Intelligence program (MIp) and
National Intelligence program (NIp)
• handle biometric data
BEwL and BEI functions directed
to DIA in DoDD 8521.01E, but
Army NGIC has been carrying
them out
SOUrCE: DoD, 2008a; and interviews with U.S. government personnel.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
24 An Assessment of the Executive Agent for DoD Biometrics
OSD office responsible for oversight and guidance, the PSA lacks directive authority over the
EA’s components. According to BIMA, “The EA’s responsibilities in DoDD 8521.01E include
additional items beyond what is included in DoDD 5101.1, thus distorting the perception
of who has the responsibility to lead the DoD Biometrics Program. By allocating additional
responsibilities to the PSA … the EA focal point [in this case the Executive Manager] does not
have the authority and responsibilities to adequately manage the DoD Biometrics Program.”9
We do not believe “additional” PSA responsibilities are hindering the Executive Manager, but
the practical effect is that SECARMY, as the EA, remains the single point of management at a
level in the Army that does not have the time to devote to the day-to-day minutiae of biomet-
rics activities. The impact of this organizational positioning is shown in several instances. All
non-Army personnel interviewed by R AND were unsure or unaware of which EA components
are responsible for the EA’s functions, and in fact, several Army personnel were also unsure
about roles within the EA.
Because of its limited organizational reach, BIMA is unable to properly promulgate and
enforce standards for biometric technology. Under DoDD 8521.01E, the DoD components
are responsible for complying with the standards, and BIMA stated that the Biometric Stan-
dards Working Group, which BIMA chairs, has formally recommended standards to the DoD
Information Technology Standards and Profile Registry (DISR) regularly since 2006. How-
ever, BIMA has not enforced the data standards, and technology has been procured that does
not meet the standards.
Because of unclear responsibilities or unclear management direction, BIMA and TCM-
B&F both ran requirements working groups, despite this function normally residing with a
TCM. BIMA attempts to differentiate its working group by stating that it focuses on “col-
laboration among the services and federal partners,” but TCM also works to include the other
military services in the course of validating requirements.10 Both TCM-B&F and G-3 said
that having two groups operating in the requirements space is duplicative and inefficient. This
duplication of effort—and potential lack of clarity about who was ultimately responsible—may
have contributed to the approximately three years required to develop and complete the CDDs
for BEC and Joint Personnel Identification version 2 (JPIv2), discussed in greater detail below.
A lack of collaboration between EA components has led to direct failures. PM-Biometrics
and BIMA are both responsible for ABIS; BIMA for day-to-day management of operations and
PM-Biometrics for fielding, upgrades, and maintenance. However, the organizations blamed
each other for multiple failed ABIS upgrades—the most recent occurring in August 2011, with
each group claiming the other failed to provide adequate information for the upgrade. Because
of the stovepiped management structure, the conflict could only be resolved by the EA himself.
Similarly, both PM-Biometrics and BIMA play a role in the COOP site for ABIS. DoD and
9 Comments from BIMA to R AND on the draft of this report, April 2012; DoDD 5101.1 lays out the general framework
and scope of responsibilities for EAs, while DoDD 8521.01E provides the specific responsibilities and functions for the Bio-
metrics EA.
10 Biometrics and Identity Management Agency comments to R AND, April 2012.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 25
Army policy require COOP contingencies, and the EA has had a standing request for an ABIS
COOP site since approximately 2007. As of this report, the COOP site is scheduled to be run-
ning in the first quarter of FY13, five years after the requirement was issued. At least one failed
attempt to set up the COOP site has been made on the West Coast since 2007. PM-Biometrics
stated, “It is the PM’s job to establish a COOP site, but the PM has been unable to accomplish
this mission because of lack of concurrence from BIMA.”11
Second, most of the biometrics activities have been supported by OCO funding and have
focused on procuring QRCs because of wartime environment demands. Much of the Army
has been forced to respond to urgent operational needs from Iraq and Afghanistan, which
resulted in tools and technology being rapidly developed and fielded without adhering to DoD
standards, formal performance measures, and operational testing and evaluation requirements.
This was seen as important for early fielding given the pressure of wartime. However, the
biometrics enterprise continued operating under this paradigm, lacking firm deadlines and
accountability measures, according to a G-3/5/7 interview. The absence of structure and stra-
tegic planning contributed to the proliferation of devices that are not completely interoperable
and to conflicts between end-users and EA components over which tasks were given priority.
For example, PM-Biometrics was criticized by part of the Army for prioritizing work on the
Biometric Identification System for Access (BISA) rather than the BAT, which was in greater
use at the time. PM-Biometrics claimed the apparent difference in effort was due to BISA’s
code having “greater maintainability and sustainability.”12
Third, the EA lacks metrics to determine the sufficiency and efficiency of its activities.
When R AND first requested performance metrics from the EA components, the responses
largely consisted of budget execution (i.e., spending) and staffing levels. BIMA-WV explained
how it tracks ABIS daily transactions, number of matches, and downtime, but these are met-
rics with mostly self-imposed (i.e., BIMA-imposed) thresholds and objectives and without a
basis to determine sufficiency, i.e., whether warfighter needs are being adequately met.13 As
discussed below, DoD as a whole lacks goals for using biometrics and implementing biometric
technology, but the EA is still responsible for developing organizational goals and objectives
to provide guidance and enforce accountability. BIMA identified the DoD BESP 2008-2015,
issued August 27, 2008, as a source of goals and objectives. However, the strategic plan is vague
and generally tracks DoD’s broad mission of supporting the warfighter. Also, the strategic plan
was issued in 2008 while BIMA was still known as the BTF, U.S. troops were still present in
Iraq, and no formal PoRs had been developed.
These root causes of management issues are inherently linked and manifest in different ways
within the EA’s components. PM-Biometrics could take any approach it deemed appropriate—
and as approved by its immediate superior, Program Executive Office for Enterprise Information
11 Comments from PM-Biometrics to R AND on the draft of this report, April 2012.
12 PM-Biometrics comments, April 2012.
13 BIMA comments, April 2012. BIMA noted that the threshold of the maximum time to respond to SOCOM inquiries
was set by SOCOM.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
26 An Assessment of the Executive Agent for DoD Biometrics
Systems (PEO-EIS)—to address the urgent operational needs and requests for changes in bio-
metrics equipment. However, these decisions essentially were made in a vacuum because there
were no programmatic goals or metrics and no links between OCO funding and programmatic
output. Further, the organizational stovepipes meant PM-Biometrics did not have to collaborate
with BIMA in making decisions. According to CENTCOM, more than 80 percent of validated
requirements submitted from theater to PM-Biometrics were not completed.
Despite these issues, the biometrics capability maintained by the EA has helped make
more than 900 matches to the High Value Individual Watch List and deny more than 80,000
attempts by people to gain employment, access, or training at U.S. or coalition facilities.14
It is important to note that beginning in 2008, GAO wrote multiple reports highlighting
some of these problems with management.15 The EA also hired ANSER Analytic Services (and
a team of study partners) to provide a series of reports.16
The EA is taking some initial steps to correct highlighted problems, such as imposing the
structure and discipline of formal PoRs and moving ABIS operations from BIMA to another
Army organization.17 However, the three root causes—stovepiped management, OCO fund-
ing of QRCs, and a lack of objectives—remain essentially unchanged and therefore will likely
continue causing difficulties. How the EA manages biometrics responsibilities through the
various components is discussed in greater detail in the following section.
EA Management: BIMA and PM-Biometrics
BIMA (and predecessor organizations) and PM-Biometrics have played the most prominent
roles for the EA because they have specifically designated roles and are collectively responsible
for most of the biometrics technology and data.
BIMA and predecessor organizations have had significant successes in supporting war-
fighter needs for biometrics matching, but they have struggled to define themselves over approxi-
mately 12 years. Responsibilities were initially split between the BMO and BFC under G-6 in
July 2000. The organizations were merged into the BTF under G-3/5/7 in June 2006, which was
then changed to BIMA in March 2010.18 BIMA’s responsibilities are being reorganized again as
of the end of our research effort, and BIMA’s functions will be made subordinate to the Office
of the Provost Marshal General by the end of FY12. This instability of role and management has
likely been at the root of some of BIMA’s (and predecessor organizations’) internal management
deficiencies described here. BIMA has mostly self-imposed performance objectives for operating
ABIS, its most important function, and no organizational metrics or goals that were shared with
14 BIMA comments, April 2012.
15 GAO, 2008a; GAO, 2008b; GAO, 2011; GAO, 2012.
16 See, e.g., Team ANSER, 2009a, 2009b, 2009c.
17 John M. McHugh, Secretary of the Army, “Future of the Biometrics Identity Management Agency,” memorandum,
Washington, D.C., March 12, 2012.
18 At least one interviewee stated that G-2 had responsibility for part of the biometrics mission between G-6 and G-3/5/7.
This was denied by BIMA but is a further indication of the lack of clarity about roles and responsibilities.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 27
RAND. BIMA notes that it has a threshold requirement of 8,000 transactions per day for ABIS
and that actual performance recently increased to 18,500 per day. This self-imposed threshold
is easily achieved, given current performance, and is not based on a DoD-wide (and potentially
U.S. government-wide) understanding of the true need, which could be higher or lower. BIMA
has spent millions of dollars on multiple pilot efforts without a transition plan for any technology
it develops, and without any successful transition of technology to DoD users. Exact figures were
unavailable, but in recent years, these efforts have averaged in excess of $3 million per year. As
one BIMA staff member indicated, BIMA in recent years has self-initiated research efforts with-
out a specific request or an obvious need from an end-user.19
BIMA’s inability to effectively promulgate and enforce standards (discussed in greater
detail below) for biometric data collection contributed to the multiple devices procured across
DoD that are not fully interoperable and, in the case of the Handheld Interagency Identity
Detection Equipment (HIIDE), did not record data that meet the FBI’s fingerprint standard.
BIMA has taken steps to improve procedures for ensuring that biometrics equipment conforms
to standards by obtaining accreditation from the National Institute of Standards and Technol-
ogy (NIST) under the National Voluntary Laboratory Accreditation Program. However, as
highlighted by GAO, “the current DODD 8521.01E already requires such compliance testing
for new biometrics acquisitions, but DOD noted and we [GAO] agree that the directive does
not fully address quick reaction capabilities such as the Handheld Interagency Identity Detec-
tion Equipment (HIIDE).”20 Thus, the first significant opportunities to prove the value of these
efforts will not come until new equipment is under development through the new PoRs.
In contrast to BIMA, PM-Biometrics has a relatively clear set of responsibilities for pro-
curing and developing biometrics technology, but the execution of these responsibilities lacks
any measures of sufficiency or efficiency and has been criticized by biometrics users in the field,
among others. The most frequent complaint about PM-Biometrics from interviewees was that
it did not work on the top user priorities, focusing efforts instead on priorities of its own choos-
ing. CENTCOM noted that PM-Biometrics has not completed the four JUONS submitted
since 2009, with only the replacement for the HIIDE nearing completion. CENTCOM also
stated that PM-Biometrics did not complete “89% of Army [Department of Army] DA G3
Validated Requirements in over 4[-plus] years.”21 Assertions about PM-Biometrics’s approach
are further supported to some extent by the fact that the only performance metrics PM-
Biometrics initially provided R AND were numbers of staff and funds expended.
PM-Biometrics’ response to this criticism, in part, was to point out that it does not have
formal requirements. However, PM-Biometrics noted that its work priorities are captured in
Configuration Change Boards. Also, as noted above, the lack of goals and objectives is a defi-
ciency throughout the EA and all of DoD. This is highlighted by recent delays and changes in
schedules and funding. Between December 2011 and January 2012, PM-Biometrics pushed
19 Interview with BIMA staff member, September 2011.
20 GAO-11-276, March 2011.
21 Comments from CENTCOM to R AND on the draft of this report, May 2012.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
28 An Assessment of the Executive Agent for DoD Biometrics
back the estimated date to replace the HIIDE devices with Secure Electronic Enrollment Kit
version II (SEEK II) devices by at least three months.22 PM-Biometrics explained that U.S.
Forces Afghanistan (USFOR-A) had added a requirement that the new SEEK II needed to be
able to communicate through the BAT infrastructure, which, according to PM-Biometrics,
“is a step backwards for the SEEK as it perpetuates the BAT-[Army version 4]Av4 inefficient
architecture.” However, PM-Biometrics’s original plan for the SEEK appeared to rely on BISA,
which is being phased out. Further, between November 2011 and January 2012, BEC fund-
ing for FY13 through FY16 was decreased from $35 million per year to $3 million per year.23
Without formal PoRs that impose deadlines and accountability measures, PM-Biometrics
appears to some users to be setting its own priorities (with approval from PEO-EIS), while
PM-Biometrics complains of being forced to maintain existing inefficient technology. Neither
approach is based on true measures of performance and effectiveness.
Moreover, DoD lacks a process for prioritizing JUONS, so PM-Biometrics may be receiv-
ing multiple requests that are competing for limited resources. According to G-3, the Army has
put in place a process to track JUONS and the responses to them, but DoD as a whole lacks
a process to prioritize JUONS. BIMA stated that “Part of the issue also resides with the [Joint
Rapid Acquisition Cell] JR AC for approving and validating JUONS that were not feasible
([e.g.,] JUONS 0434), instead of requesting a capability and describing a problem the JUONS
has [sic] approved as [a] wish list of solutions.”24 However, this only partly explains CENT-
COM’s statement that PM-Biometrics has not completed the four validated JUONS submitted
by CENTCOM since 2009.
EA Management: TRADOC and NGIC
To date, TR ADOC’s most important functions related to biometrics have been to assign
TCM-B&F responsibility for gathering requirements and developing the CDDs for the BEC
and JPIv2 PoRs. As noted above, the CDDs were approximately three years in the making (the
delays attributed to various and conflicting reasons), but G-3/5/7 complimented TCM-B&F’s
work and inclusiveness in collecting and documenting the requirements.
TR ADOC’s most notable deficiency is the fact that no formal biometrics training pro-
gram can exist for equipment that did not originate from a PoR. Training remains ad hoc
despite biometrics technology being fielded and used for almost ten years. TCM-B&F, which
is not responsible for the eventual formal training program, has taken steps to develop bio-
metrics training simulations, but even these are not being provided in sufficient quantity for
pre-deployment training. However, BIMA claims TCM-B&F “continue to do development
associated with BAT, [Multilingual Automated Response System] MARS, et al [sic] despite not
having acquisition authority in biometrics.”25
22 PM-Biometrics comments, April 2012.
23 Comments from Army personnel to R AND on the draft of this report, January 2012.
24 BIMA comments, April 2012.
25 BIMA comments, April 2012.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 29
As noted above, NGIC is not formally called out as part of the EA, but it has assumed
some EA functions as well as some of DIA’s assigned functions for biometrics. NGIC has been
acting as an intermediary between the field and ABIS for matching requests and has provided
BEI for all DoD components through MIP- and NIP-funded analysts and resources. In late
2011, Army announced it would no longer provide analytical support to non-land forces and
potentially all non-Army organizations (as of February 2012, G-2 and DIA were staffing and
discussing possible options). This uncertainty creates difficulty for non-Army component plan-
ning. Moreover, Army is reluctant to relinquish control over the NIP-funded resources despite
not having official control over them. These issues need to be resolved to ensure sufficient ana-
lytical resources are available for non–Army-specific missions going forward.
Current Biometrics Capability Under EA Purview
The biometrics capabilities currently under the EA purview comprise a variety of technological
solutions that arose by matching available technology to operational needs on a quick reaction
basis. No structured, programmed capabilities existed prior to OCOs in Iraq and Afghanistan,
and DoD biometrics priorities before that did not include tactical collection. The operational
demands of two wars required the EA to begin providing tactical equipment, which diverged
from the EA’s original assignments that were based on more hypothetical ambitions of DoD
biometrics. This divergence was not fully resolved in DoDD 8521.01E. In an unintended fash-
ion, the tactical collection devices—which were not part of any articulated vision or procure-
ment strategy of the DoD biometrics community—have become the foundation of DoD’s
biometrics collection capability.
The limitations of the technology currently under the EA purview are well known,
particularly in the PoR requests for the BEC and JPIv2. The GAO reports about the
DoD Biometrics Program also highlighted deficiencies in the enterprise.26 We do not
attempt in this report to characterize specific root causes for technological constraints of
each technology; instead, we offer two broad conclusions regarding the impact of utiliz-
ing QRC acquisition for biometrics equipment. First, as noted by U.S. Joint Forces Com-
mand, and GAO, “Without a formal program for biometrics, not all steps associated
with safeguards in DoD’s acquisition process for new technological systems are occurring.”27
Second, QRCs force trade-offs between capabilities currently available on the market and long-
term needs. In other words, DoD accepted capabilities with some limitations because they
were readily available commercially and could be fielded quickly. This report does not suggest
that using QRCs was inappropriate; in fact, it recognizes their benefit in providing the war-
fighter with tactical collection devices whose need was unforeseen by strategic planning.
26 GAO, 2008a; GAO, 2011.
27 GAO, 2008a.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
30 An Assessment of the Executive Agent for DoD Biometrics
We know efforts are under way to update and improve the current systems, which makes
writing an assessment and status report more difficult. We also know the EA supported a
wide range of other “pilot” studies and research projects, but the information we received did
not reveal any instances of those projects being fielded or transitioned to operations. Further,
GAO noted in a 2008 report the inability to definitively track programs through spending,
particularly short-term OCO-funded pilot programs.28 Therefore, rather than writing about
speculation or moving targets, we chose to discuss the systems that are currently fielded. It is
worth noting that the EA is working on or supporting multiple pilot-scale efforts and studies,
and these should be examined in subsequent annual assessments.
The technologies being used have three main functions: biometric data collection, data
storage, and matching. The devices used by DoD include handheld collection devices, tabletop
collection devices with local storage and matching capability, and the authoritative database
for storing and matching data on red and gray forces.
As QRCs, the fielded systems do not have documented performance thresholds and
objectives vetted by the Joint Requirements Oversight Council (JROC)—a process designed
to ensure user requirements will be met. While we cannot comment on or report current
device performance as measured against vetted user requirements, we can present current,
fielded capability. While these capabilities may differ from those documented in evolving,
draft CDDs and capability production documents (CPDs), we are providing an assessment
and status report based on the biometrics program as it is, rather than as it is planned to be.
The EA is also developing two new PoRs: BEC Increment 1 for the authoritative database
(replacing ABIS); and JPIv2 for mobile and handheld collection devices (replacing BAT, HIIDE,
and SEEK II). The status and implications of the new PoRs are discussed later in this report.
Assessment of EA Assignments and Arrangements Supporting the
Biometrics Cycle and End-User Needs
Apart from assessing the assignments and arrangements of the EA in terms of managing its
responsibilities from a process perspective, it is also necessary to examine the assignments and
arrangements in terms of support to warfighting needs. In other words, is the EA supporting
a functioning process for collecting, transmitting, storing, matching, sharing, and analyzing
biometrics?
The basic answer is yes. Biometrics information is being collected and has been used to
identify individuals against prior encounters and forensic evidence. The authoritative database
for red and gray forces is growing steadily, and the processes in the field are becoming increas-
ingly routinized. In that sense, hard work and concerted efforts by many involved have pro-
duced a functioning biometrics cycle that is helping identify bad actors and verify the identities
of other personnel.
28 GAO, 2008a.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 31
A deeper examination, however, suggests risks and room for improvement. To explicate
as much, we use a heuristic metric that assumes the perfect biometrics cycle is one in which
warfighters can collect accurate biometrics, have them analyzed within the limits set by tech-
nology (typically, in a few minutes), stored indefinitely and securely, and shared with others.
Correspondingly, the actual biometrics cycle can be assessed in terms of risks to operation,
actual impediments, and potential failure modes. Our analytical method, then, is to examine
each stage of the cycle for potential impediments and risks. Some can be traced back to issues
associated with the EA’s management approach, but some of them are issues that may be influ-
enced but not determined by the EA.
In the sections that follow, we discuss our assessment of each segment of the biometrics
cycle, with a focus on issues that reduce or potentially reduce cycle efficiency and effectiveness.
The tables presented with each section summarize the issues with that portion of the cycle,
implications, status of the issues, and the reasons.
We attempted to differentiate between our assessments of high- and medium-risk issues
(shown by “H” and “M”). High-risk issues are those already creating a risk of failure, or highly
likely to do so in the future. Medium-risk issues are those that could pose a risk of failure in
the future.
The goal is to highlight only those areas we assessed as posing some risk to the cycle. The
discussion and tables that follow cover potential faults in the cycle. The tables highlight the
link between the potential fault, the implications if a fault occurs, and the reason for the poten-
tial fault. We do not intend to portray the EA’s assignments and arrangements as all negative.
Rather, in the absence of overarching goals and objectives, we focused on areas where the EA
could make changes to potentially improve how the cycle functions. We acknowledge the dif-
ference between “high” and “medium” risk is somewhat subjective, but we believe these are the
issues posing the greatest risks to the biometrics cycle based on the data we collected.
Issues: Task/Direct
All biometrics work starts with a task or direction, either implicit or explicit, to collect the
biometrics before transmitting or processing them. Hence the question: Under what circum-
stances should biometrics be collected?
Ordinarily, like most military taskings, this would be a decision best left to the local com-
mander who has an operation to conduct and a set of resources with which to conduct it. The
decision to collect biometrics would seem to fall into the category of unquestioned local control;
time is a valuable resource, and time spent collecting biometrics cannot be spent otherwise.
Upon re-examination, however, the answer is less straightforward. People move from
place to place, even from theater to theater. Al Qaeda, for its part, has a global reach, and
someone encountered in Iraq may be re-encountered in Afghanistan, in PACOM’s area of
responsibility (AOR), or even attempting to enter the United States, and failure to collect bio-
metrics in one location could prevent warfighters in another location from realizing that the
person they are encountering has movements that may suggest problematic associations. The
fact that information collected in one theater can influence operations in another suggests that
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
32 An Assessment of the Executive Agent for DoD Biometrics
some consistency in biometrics collection may be beneficial. (Whether it is beneficial enough
to mandate a vigorous collection policy everywhere is another issue.)
Current red-force biometrics collection requirements are inconsistent across AORs. This
is not the EA’s fault inasmuch as combatant commanders have the authority to set local prac-
tices regarding such issues. However, it must be noted that the EA did not outline a clear direc-
tion to govern the collection of biometrics, and correspondingly, did not impress upon theater
commanders some de minimus level of performance.
A second potential risk in the task-and-direct component of the biometrics cycle is a dis-
connect between the capabilities chosen for development and the capabilities that best reflect
warfighter requirements. Our interviews indicated that although the EA is sensitive to Army
requirements, it is less sensitive to requirements arising from the Marine Corps, Navy, CENT-
COM, SOCOM, and the IC. The result has been that several of the communities, notably the
Navy, have decided to look elsewhere to meet their needs.
A final risk is associated with the path biometric data takes from the war zone into the
database. The Army has sent its material to NGIC and from there to the authoritative database
ABIS, operated by BIMA-WV, where it then becomes available for others to use.29 But NGIC
has announced that it may restrict its services to Army customers alone, once biometrics activi-
ties are no longer funded under OCO accounts. Further, the flow of data has not been satis-
factory to all users. CENTCOM “has had a requirement for four years to have an automatic
guard in place to move biometrics records [from classified to unclassified systems for direct
transmission to ABIS] with no success.”30 SOCOM has developed, and the Marines have
pilot-tested, other pathways into ABIS. SOCOM’s procedure involves satellites and web-based
portals with direct priority access to ABIS and the latent print examiners at BIMA-WV, which
has the advantage of guaranteeing a rapid response to their urgent requests. But allowing the
various biometrics-collection communities to use different paths to the same goal has to come
at the cost of efficiency. It is difficult to avoid the impression that the EA’s priorities are tilted
toward Army requirements even though the office holds a DoD-wide charter. Table 3.2 sum-
marizes the issues with the Task/Direct portion of the cycle.
Issues: Collect
We identified several problems that may hobble the collection part of the biometrics cycle.
Although none is a show-stopper individually, collectively they degrade the efficiency and
effectiveness of the overall effort.
The first problem is that the various instruments currently in the field for collection—the
HIIDE, BAT, and BISA—all produce non-standard data. SEEK II is expected to produce
standard data, but as of this writing, none of these units has been fielded (except for SEEK
29 CENTCOM, however, has not been satisfied with this arrangement. In 2008 it submitted a requirement to put an auto-
mated cross-domain solution (a classified-to-unclassified “automated guard”) put in place to move biometrics—but with
little success to date.
30 CENTCOM comments, May 2012.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 33
devices procured separately by SOCOM).31 There are two implications of collection devices
not meeting standards: First, the data files’ quality fail to meet minimum levels; and second,
the data are not in the right format. In the first case, data could not be used everywhere. With
fingerprints, the usual problem is that while the center of each finger is recorded (as it would be
in flat or “slap” prints), the side of the finger is not (as it would be in rolled prints), and thus its
usefulness for forensic investigation is substantially reduced. In the second case, data could not
be interchanged between devices, or images produced by one device could not be used with the
matching algorithm associated with the authoritative database. That noted, in practice, there
have been few complaints about the inability to match individuals. However, it is possible that
crimes and attacks (e.g., using IEDs) cannot be ascribed to an individual because the finger-
prints left at the scene do not include enough of the finger.
The world of biometrics—which, among other tasks, converts observations of the real
world into zeroes and ones—is consequently ringed with standards, and adhering to them is
important in making the enterprise run smoothly. Standards, as a rule, cover two broad areas:
performance and conformance. A performance standard for biometrics, for instance, is one
that says that an acceptable fingerprint image provides at least 500 pixels to the inch; an image
that boasts a sharper resolution would also meet standards.32 A conformance standard speci-
fies how something is expressed. The Electronic Biometric Transmission Specification (EBTS)
suite of standards delineates how the information required to transfer biometric information is
31 That noted, there are multiple software configurations and proprietary standards associated with processing data from
different SEEK vendors.
32 U.S. Department of Commerce, National Institute of Standards and Technology, NIST Special Publication 500–271:
Information Technology: American National Standards for Information Systems—Data Format for the Interchange of Finger-
print, Facial, & Other Biometric Information – Part 1, ANSI/NIST-ITL 1-2007, Gaithersburg, Md.: Information Access
Division, Information Technology Laboratory, National Institute of Standards and Technology, May 2007.
Table 3.2
Issues Associated with the Task/Direct Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Inconsistent collection across AOrs
both in terms of whom to collect on
and what data to collect
(Collection plans are not an EA
responsibility)
Bad actors detected in
one theater may not be
detected in another
M DoD has not outlined clear guidance
for collection in terms of targets and
data to be collected
Capability development does not
meet warfighter priorities relevant
to circumstances
Devices not available for
full range of potential
missions
h Lack of inter-military service
requirements prioritization for QrCs
product development funding in
pM’s control, and pM priorities
appear to differ from warfighter’sa
a pM-Biometrics comments, April 2012. pM-Biometrics stated that “its priorities are completely in synch with the
warfighters’ … what the warfighter fails to understand is that it is the pM’s responsibility to provide the best
solution to the problem and not just to provide what the warfighter requests.”
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
34 An Assessment of the Executive Agent for DoD Biometrics
to be encoded (in Extensible Markup Language [XML]). A nonstandard encoding would be
one in which the wrong words were used or the categories associated with a specific description
(e.g., meaningful error conditions) are not identical with those of the standard (e.g., a term
used in the submission overlaps in definition with parts of two terms in the standard). Here,
the point is not to exceed the standard but to line up with it. But even conformance standards
can have some performance issues; for example, a substandard record could be one in which
information was not provided for required fields.
The EBTS standards in DoD have been a source of confusion and frustration. In December
2009, BIMA brought the issue of retiring DoD EBTS 1.2 before its Biometrics Standards Work-
ing Group (BSWG), which voted to mandate EBTS 2.0 and retire EBTS 1.2 in the DISR. The
change technically became effective in March 2010. However, none of the fielded systems were
EBTS 2.0 compliant, and other work was already in progress based on EBTS 1.2. After learning
of the potential change to EBTS 2.0, the Navy requested implementation guidance in November
2009 for its IDS program, which was working toward a design review for March 2010. BIMA
responded to that request in April 2010 by granting a waiver to EBTS 2.0, allowing the Navy to
continue based on EBTS 1.2. Similarly, in May 2010, PM-Biometrics requested a waiver because
the ABIS upgrade would not be able to accommodate EBTS 2.0 while the data being received
from collection devices were still conforming with EBTS 1.2. According to the Navy, EBTS 2.0
implementation guidance had not been provided as of May 2012.
Deficiency in the collection devices also originates with the QRC process. QRCs are intended
to prioritize equipment that can be rapidly fielded over the so-called 100 percent solution.33 For
example, the HIIDE procured as a QRC had limited capability to ensure speedy deployment. It
was known at the time of acquisition that the HIIDE did not meet agreed-to EBTS interagency
fingerprint-sharing standards, but the technology was the best that was commercially available
and could be fielded quickly. The problem, our interviews found, was that the HIIDE continued
to be purchased and fielded even after improved commercial off-the-shelf technology became
available—namely the SEEK II, which meets interagency data-sharing standards. We are still
unclear why the HIIDE QRC was retained with its substandard fingerprint component when an
improved device could have been fielded sooner within the same QRC framework.34
A problem of greater consequence is that soldiers are not very proficient at data collection
or entry, resulting in some number of biometrics records not meeting quality standards.35 In
some cases, the captured biometrics are not easily readable. In other cases, elementary mistakes
are made and not caught, e.g., identifying the left hand’s fingerprints as the right hand’s and
vice versa. While OCO funding was available, soldiers’ shortcomings could be overcome by
paying for contractors to take biometrics in the field, but this expedient did not create a legacy
33 U.S. Army, Army Regulation 71-9: Warfighting Capabilities Determination, Washington, D.C.: U.S. Army, December
2009.
34 Repeated JUONS indicated issues with HIIDE, including poor test performance. PM-Biometrics argues that it was able
to purchase HIIDEs and not SEEKs because it had sole-source purchasing authority for one but not the other.
35 BIMA maintains that there is no biometric image quality requirement for DoD collections.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 35
base of knowledge to build upon, and, now that the Army has to fund biometrics from its own
budget, is unlikely to be tomorrow’s solution.
A cause of such shortcomings is the lack of biometrics education in the DoD schoolhouses.
This was explained by the fact that Army doctrine does not permit formal training programs on
devices that are not products of PoRs. Presumably, as the Army is rolling out the products of the
PoRs (circa FY15), such gaps will be addressed. Nevertheless, the problem of inadequate train-
ing and education will continue, and as noted by GAO, “biometrics training for leaders does not
provide detailed instructions on how to effectively use and manage biometrics collection tools.”36
The Army will require substantial time to fund, develop, and actually implement new training
modules. Table 3.3 summarizes the issues with the “Collect” portion of the cycle.
Issues: Transmit
Neither Afghanistan nor Iraq (at least when U.S. forces were operating there) can be described
as places with good wired or wireless infrastructure. Thus, transmitting information from the
field to ABIS—something that would be easy in this country—instead became another risk in
the cycle. Those who collect biometrics often must wait until the data captured in the hand-
held devices are transferred to BAT terminals wired to the SIPRNet. Such a delay is measured
in hours, sometimes days, partly because the HIIDE cannot transmit data directly and partly
because of the sparse wireless network and available bandwidth in theater. In theory, the BAT
terminal can match data locally to avoid the need for ABIS-based responses for all inquiries,
but according to PM-Biometrics, this can only happen for high-quality fingerprints compared
36 GAO, 2012.
Table 3.3
Issues Associated with the Collect Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
hIIDE, BAt, and BISA produce
nonstandard data
Inefficient sharing of data among
mainstays of DoD biometrics
collection and interagency partners
M Standards not enforced
with QrCs
Excessive retention of
legacy QrCs
hIIDE does not meet collection
standards
SEEKs, which meet more standards,
planned for fielding in FY12
Uncertainty/failure-to-match rate
greater than best practice and limits
sharing with interagency partnersa
M Indefinite retention of
legacy QrCs
training is ad hoc
Soldiers not proficient at data
collection or entry
Inconsistent, inaccurate and
unusable data
h No por with
corresponding training
programs
a BIMA comments, April 2012. BIMA maintains that there are no defined best practices in regards to failure-to-
match rates for handheld devices.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
36 An Assessment of the Executive Agent for DoD Biometrics
against equally high-quality fingerprints already stored with the subset of data on the BAT,
referred to as “lights out” matches by PM-Biometrics staff.37 In practice, if biometrics are
loaded into a BAT device, sufficient SIPRNet bandwidth is available to conduct a matching
inquiry through ABIS in West Virginia.
As noted, there are three entry points for biometrics: BISA, BAT (including data collected
by the portable HIIDE device used by conventional forces), and the portable SEEK device used
by SOCOM. If the biometrics are acquired by conventional forces in connected locations (such
as detention centers), the prints are sent to NGIC to strip out biographical and contextual data
on the individuals whose biometrics have been captured. Once such data are stripped, the unclas-
sified biometric data are transferred from SIPRNet to NIPRNet by means of a dedicated cross-
domain tool (also known as a network guard) and forwarded to ABIS for a biometrics match.
SOCOM’s frustration with this process prompted it to acquire a capability to communi-
cate from the field through a satellite link to a web-based portal that is accessed by BIMA on
the other end, which allows SOCOM’s match requests to get high priority.38 The result seems to
have satisfied SOCOM’s requirements, despite the added cost of using satellite instead of landline
bandwidth, as long as examiners at BIMA-WV remain available to give SOCOM top priority.
In late 2011, consistent with the Army’s evolving approach to its joint requirements,
NGIC announced that, as of March 1, 2012, it would phase out its services to all warfighting
components apart from the Army’s. Army has since begun considering a range of options for
potentially supporting non-Army requirements. Whether this will create major delays for bio-
metrics collected by the Marines and the Navy rests on how successfully and quickly ABIS can
get its own SIPR-to-NIPR cross-domain solution operating. In November 2011, their expected
go-live date was December 2011, but it slipped to April 2012. This remains a high warfighter
priority, and the technology has existed for decades.
The EA acknowledged both its role in communications architecture and the limits of
its ability to influence the field, which is mainly outside the EA’s purview. The EA (through
BIMA) provided approximately half the funding for the pilot study of the Last Tactical Mile
(LTM), a CENTCOM-initiated JUONS to send biometric data to ABIS from a handheld
device via mobile wireless communication vehicles, fixed towers, and a CENTCOM-operated
server.39 Table 3.4 summarizes the issues with the Transmit portion of the cycle.
37 Interview with PM-Biometrics personnel, 2011. There is a cost of somewhat fewer matches because ABIS has three times
as many stored files as the BAT system does.
38 Records from SIPRNet are manually stepped down to NIPRNet so they can be fed into ABIS for matching.
39 GAO, 2012. CENTCOM “was responsible for conducting the Last Tactical Mile pilot project during 2011 to provide
the warfighter with a rapid response time on biometrics data submissions. In the pilot project, matching is initially against
a biometrically enabled watch list stored on the warfighter’s handheld device before searching against data stored in a stand-
alone computer server in Afghanistan prior to transmission to ABIS—the authoritative database. The Last Tactical Mile
project originated as a joint urgent operational need to utilize wireless infrastructure to transmit biometrics enrollments
from a handheld biometrics collection device to a wireless communications tower … Army officials told us that expanding
the Last Tactical Mile pilot project across all of Afghanistan would cost approximately $300 million, in large part due to
the number of wireless communications towers that would be necessary to provide connectivity … DOD has not completed
its evaluation of the Last Tactical Mile pilot project at the time of our review.”
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 37
Issues: Match
When we began the study, ABIS was reaching its throughput capacity for ingesting data and
conducting match inquiries. An inability to handle matching requirements would either mean
that biometrics are queued for processing—meaning the average biometric record has to wait
longer (and what took minutes may take hours or days)—or given a lower priority to keep
the rest of the inquiries flowing, with the hope that those biometrics will just be processed
much later. However, the EA increased ABIS transaction capability from a peak of about
8,000 transactions per day to about 18,500 per day during our study, and plans call for fur-
ther increases. Further, DoD’s matching requirements are likely dropping: Mass enrollment is
ending in Afghanistan and already ended in Iraq. Future large additions of data will likely arise
from processing international partners’ data, such as 800,000 fingerprint cards received from
the Philippines, which will not be time-sensitive transactions. Nevertheless, the true impact
of ABIS’s limited throughput capacity is reflected in the inability to share robustly with inter-
agency partners (see Share/Reference below).
Another factor lowering the efficiency of the matching process has been the prevalence
of non-standard data, primarily from field devices (e.g., the HIIDE) that connect to the BAT.
Non-standard data increase the work involved in the matching process and can lead to a failure
to match when comparing individuals’ fingerprints with latent ones collected from artifacts,
Table 3.4
Issues Associated with the Transmit Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Field matches against ABIS subset
replicated to each device.a
Only SOCOM and BISA have satellite
communication-enabled field access to
BIMA for matching against ABIS records
Field matches against dated
database
Large expense to manually
replicate data to BAt
Inability to match against
interagency data
M hIIDE and BAt developed
as QrCs without process to
ensure interoperability with
other systems and requiring
adherence to standards
Architecture will be
modified with expected
FY13 deployment of BAt-
Av5 and will fully change
JpIv2 fielded in FY16.
No high capacity direct link
between field & ABIS
Cross-domain solution only serves BAt
portion of architecture
Uncoordinated activity
as military services seek
alternative to NGIC
Marines tested SOCOM’s
web-based portal
Inhibited ability to share
with interagency partners
h Non-BAt cross-domain
solution not developed
despite being warfighter
priority
a CENtCOM comments, May 2012. CENtCOM states they submitted a JUONS to address the BAt data replication
architecture that was never completed by pM-Biometrics.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
38 An Assessment of the Executive Agent for DoD Biometrics
Table 3.5
Issues Associated with the Match Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
Non-standard data sent for matches Significant inefficiencies in the
matching process and potential
missed matching opportunities
M Standards not enforced for
QrC acquisition
proprietary and incompatible
matching algorithms for irises and
faces
Significant inefficiencies in the
matching process
M Capability developed
as QrC without process
to address proprietary
software issue
such as recovered components of an IED. The EA has had time to revisit the QRCs in light of
the longer-term future of the biometrics enterprise, but has not done so.
A third issue, which originated outside the EA’s immediate control, is that matching
algorithms for irises and faces are proprietary. In an era when, as BIMA officials note, irises are
becoming more important as a matching tool among biometrics, the failure to develop a stan-
dard matching process that can be applied across the U.S. government may result in signifi-
cant inefficiencies and potential errors in identifying individuals. This issue could be addressed
by ensuring both DoD-wide licenses for algorithms and that all data created by devices meet
DoD EBTS standards. Table 3.5 summarizes the issues with the Match portion of the cycle.
Issues: Store
A potential risk arises if the demand for record storage exceeds actual capacity. Although the
capacity of ABIS was increased from approximately eight million to approximately 12 million
records during our study, BIMA would have to face unpleasant options if plans to increase capac-
ity in the future are delayed. One is that new biometrics will not enter the database or would be
delayed indefinitely, e.g., cards from overseas partners being queued for entry. Another is that
records currently in the database would have to be removed, at least temporarily. A third is that
the information present in each biometric would have to be systematically truncated, leading to
lower resolution matches (e.g., fewer fingerprint minutiae), or a reduced capacity for certain types
of matches (e.g., against latent fingerprints). EA component staff members appear confident that
sufficient funding will to be available for future ABIS storage capacity increases.40
A more serious issue is that the EA has made inadequate provisions for a COOP site, or
“hot” backup. ABIS currently has a “warm” backup, which can come online in the event of
expected downtime (e.g., a software upgrade), as long as the database managers have at least six
hours’ notice (which they may not necessarily have if the upgrade is forced upon managers as
a result of a security breach). Plans are under way to establish a true COOP site following an
initial requirement established in approximately 2007, but the go-live date continues to recede
40 ABIS stores all submissions as separate records regardless of whether there are multiple submissions for the same person.
Questions were raised outside the EA about whether ABIS could be operated more efficiently if records were consolidated
in a way that still preserved all data, but the EA believes efficiency would suffer.
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 39
following multiple proposals and at least one failed attempt. Table 3.6 summarizes the issues
with the Store portion of the cycle.
Issues: Share/Reference
Although ABIS operates well with FBI databases, it has problems with its counterparts in DHS
and within the IC. In the case of DHS, the problems include not only deficient throughput
and storage capacity (at least for the time being), but also communications and protocol issues.
The latter are being worked out through DoD-DHS interoperability meetings. Data that DHS
collects are not directly matched against ABIS outside of regular exchanges of the BEWL and
some pilot efforts of DHS components to transmit requests to ABIS. DHS’s biometrics require-
ments have risen sharply with the introduction of the US-VISIT program wherein all foreign
visitors entering on a visa are required to have their fingerprints checked against DHS’s database,
the Automated Biometric Identification System (known as “IDENT”). Consequently, the EA is
under pressure to increase ABIS capacity specifically to meet DHS’s needs, but the small inter-
section between fingerprints collected by DoD (other than those in the BEWL) and those col-
lected by DHS has somewhat attenuated the need. The large price tag to increase ABIS’s transac-
tion capacity has also given EA components pause. Nevertheless, in its Functional Requirements
Document, DHS said it needs to be able to send more than 100,000 biometrics inquiries per
day to ABIS by early 2013.41 DoD and DHS are working to address the interoperability problem
between ABIS and IDENT and increase ABIS’s capacity enough to allow two-way inquiries, but
in the meantime, DHS only has access to a subset of DoD’s data. This means unwanted individu-
als can conceivably slip through the cracks at U.S. ports of entry, if DHS sees them but does not
know they have been previously identified by DoD (or by states that provide biometrics to the
United States, such as the Philippines or the Dominican Republic).
Interoperation with classified biometrics data is a more difficult problem, since it cannot
be solved simply by increasing throughput or capacity. ABIS is an unclassified system, fed by
unclassified lines, and stored in unclassified spaces. Individuals who work on the final steps
of the matching process are not always cleared to the highest level. Adding a cross-domain
solution (also known as an automated “trusted guard”) between the classified and unclassified
41 BIMA comments, May 2012. BIMA observed that this 100,000 figure is at variance with the requirement of 14,000 in
DHS’s Systems Requirements Specification.
Table 3.6
Issues Associated with the Store Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
ABIS is reaching its storage capacity Biometric data could fail to reach the
authoritative database
M Database upgrade
failures and delays
ABIS has no “hot” backup
A “warm” backup exists with a six-
hour changeover
possible loss of database access h Not prioritized by
the EA, and lack of
coordination
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
40 An Assessment of the Executive Agent for DoD Biometrics
Table 3.7
Issues Associated with the Share/Reference Portion of the Biometrics Cycle
Cycle Issues Implications Risk Reason
ABIS not interoperable with DhS’s IDENt
DoD and DhS are engaged in an ongoing
interoperability effort to resolve this issue
Fewer matches, weaker analysis h poor or lack of
interagency coordination
ABIS cannot handle DhS processing load Fewer matches, weaker analysis h Limited processing
performance
Classified biometric files cannot be
matched against ABIS records
Fewer matches, weaker analysis h ABIS cannot handle
classified data; no
provision has been made
to mirror ABIS data into
classified systems
networks (as BIMA is doing to exploit SIPRNet connectivity) would not solve the problem.
Thus, highly classified biometrics cannot be sent to or stored by ABIS and may not necessarily
be examined by BIMA personnel.
Although both the classified databases and ABIS have access to the BEWL (which has
only a subset of ABIS’s data), neither has access to one another. This means records in the
unclassified or classified databases could be incomplete and/or potentially fail to produce
matches. Feeding ABIS’s data into classified networks would provide a more complete picture
for the IC, particularly with respect to people appearing in multiple geographic areas, which
could ultimately inform strategic collection efforts. However, DoD has not taken any steps to
replicate ABIS’s data in the classified realm. The possibility of placing ABIS on the classified
network exclusively was raised during our interviews, but this would inhibit ABIS sharing
data with interagency partners because FBI’s Integrated Automated Fingerprint Identification
System (IAFIS) and DHS’s IDENT both operate on unclassified networks. Table 3.7 summa-
rizes the issues with the Share/Reference portion of the cycle.
Issues: Analyze and Decide/Act
Finally, there appears to be an organizational and conceptual mismatch between the biomet-
rics activities and all-source intelligence activities. The EA, for instance, controls analyst billets
even though BEI analysis is not a designated EA responsibility. The BEWL has also been man-
aged by the EA even though it is not a designated EA responsibility, and there is little planning
for the evolution of BEWL management, maintenance, and development. DIA is designated as
responsible for the BEWL in DoDD 8521.01E but has only recently begun considering options
for carrying out that function.
The seriousness of this problem is strongly related to what one thinks the role of the biomet-
rics community should be. The biometrics enterprise could be simply a supplier of services to the
IC (in the same sense that parcel delivery is a service to e-commerce), in which case its role is to
convert disparate contacts into a person’s unified history by indicating where ostensibly different
individuals are really the same person under different aliases. The biometrics enterprise essentially
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
Assessment of the Assignments and Arrangements of the Executive Agent 41
provides a bit of information, i.e., these two individuals are or are not the same person. If so, the
biometrics and intelligence communities do not have to be tightly coupled.
Alternatively, one could envision the biometrics enterprise as an enabler of intelligence on
people. If identity could only be established through physical contact (e.g., taking fingerprints,
photographing irises at short range) then the amount of “new” information available on any
individual is likely to be small. If, however, identity could be established at a distance, then
the number of potential contacts would be much larger, and changes in intelligence collection
such as automated surveillance would enable a richer set of information to be analyzed. In the
latter case, integrated planning between the biometrics enterprise and the IC (or at least that
part interested in unofficial individuals) would be compelling because changes in biometric
technology could drive new or expanded strategic collections for the IC. The biometrics com-
munity should then understand the evolution of intelligence requirements, and the intelligence
analysts should be aware of opportunities provided by advances in biometrics.
So the biometrics community is a service and nothing more, or it is an enabler and
thereby needs to evolve concurrently with the IC. But the current posture that the biometrics
community is an enabler that essentially evolves independently of the IC is inefficient and
could degrade effectiveness over time. Further, the lack of integration of available biometric
data into intelligence functions limits the ability of biometrics to inform decision-makers.
Table 3.8 summarizes the issues with the Analyze and Decide/Act portions of the cycle.
Table 3.8
Issues Associated with the Analyze and Decide/Act Portions of the Biometrics Cycle
Cycle Issues Implications Risk Reason
EA assignments do not encompass
the full end-to-end biometric
capability
(EA controls preponderance
of biometric analyst billets,
even though BEI analysis is not
a specifically designated EA
responsibility)
COCOM BEI analytical needs may not
be met
weakened analysis and
underutilization of biometric data
M Lack of requirements and
coordination
Lack of institutionalized
BEI training
No plan for future BEwL
management, maintenance, and
development
(BEwL has been managed by EA
even though it is not a designated
EA responsibility)
Decide/Act weakened M DIA has not assumed
responsibility per DoDD
8521.01E
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms
This content downloaded from
�������������50.86.49.172 on Sun, 30 Jan 2022 00:58:22 UTC��������������
All use subject to https://about.jstor.org/terms