CBP Did Not Thoroughly Plan for CBP OneTM Risks, and Opportunities to Implement Improvements Exist

Date Issued

Wednesday, August 21, 2024

Submitting OIG

Department of Homeland Security OIG

Other Participating OIGs

Department of Homeland Security OIG

Agencies Reviewed/Investigated

Department of Homeland Security

Components

United States Customs and Border Protection (CBP)

Report Number

OIG-24-48

Report Description

Although U.S. Customs and Border Protection (CBP) responded to CBPOne™ application weaknesses after implementation, it did not formallyassess and mitigate the technological risks involved with expanding theapplication to allow undocumented noncitizens (noncitizens) to scheduleappointments to present themselves for processing at Southwest BorderPorts of Entry (POEs). We found that CBP did not initially consider criticalfactors such as the design of the CBP One™ Genuine Presencefunctionality, adequacy of supporting application infrastructure,sufficiency of language translations, and equity of appointmentdistribution. As a result, noncitizens initially using the new featureexperienced application crashes, received frequent error messages, facedlanguage barriers, and may not have always had an equal opportunity tosecure an appointment.

Report Type

Inspection / Evaluation

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
1	No	$0	$0
We recommend CBP’s Office of Field Operations develop and implement a formalized risk assessment process when developing, expanding, or modifying mobile applications.
2	No	$0	$0
We recommend CBP’s Office of Field Operations implement a mechanism to analyze CBP One™ advanced information for trends and patterns of fraudulent behaviors by users of CBP One™ and communicate its results to the eight ports of entry that process CBP One™ appointments.
3	No	$0	$0
We recommend CBP’s Office of Information Technology implement a mechanism to routinely assess CBP applications and supporting infrastructure operating systems for configuration and patch management vulnerabilities and timely implement corrective actions.