United States Government Accountability Office GAO Report to Congressional Requesters September 2012 INFORMATION SHARING DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts GAO-12-809 September 2012 INFORMATION SHARING DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts Highlights of GAO-12-809, a report to congressional requesters Why GAO Did This Study What GAO Found Recent planned and attempted acts of The Department of Homeland Security (DHS) has made progress in achieving its terrorism on U.S. soil underscore the information-sharing mission, but could take additional steps to improve its efforts. importance of the need to ensure that Specifically, DHS has demonstrated leadership commitment by establishing a terrorism-related information is shared governance board to serve as the decision-making body for DHS information- with stakeholders across all levels of sharing issues. The board has enhanced collaboration among DHS components government in an effective and timely and identified a list of key information-sharing initiatives. The board has also manner. DHS, through its Office of developed and documented a process to prioritize some of the initiatives for Intelligence and Analysis, has additional oversight and support. However, because DHS has not revised its responsibility for sharing this policies and guidance to include processes for identifying information-sharing information and has established an gaps and the results; analyzing root causes of those gaps; and identifying, information-sharing vision for 2015— which includes ensuring that the right assessing, and mitigating risks of removing incomplete initiatives from its list, it information gets to the right people at does not have an institutional record that would help it replicate and sustain the right time. GAO was asked to those information-sharing efforts. Overall, DHS’s key information-sharing examine the extent to which DHS initiatives have progressed, and most have met interim milestones. However, (1) has made progress in achieving its progress has slowed for half of the 18 key initiatives, in part because of funding information-sharing mission, and constraints. For example, 5 of DHS’s top 8 priority information-sharing initiatives (2) tracks and assesses information- currently face funding shortfalls. The board has not been able to secure sharing improvements. GAO analyzed additional funds for these initiatives because they ultimately compete for funding relevant DHS documents, such as within the budgets of individual components, but DHS officials noted that the strategic planning documents and board’s involvement has kept some initiatives from experiencing funding cuts. those related to DHS’s governance DHS is also developing plans that will be important in managing its information- structure, among others, and sharing efforts, such as a revised strategy for information sharing and a related interviewed DHS officials. implementation plan. What GAO Recommends DHS has taken steps to track its information-sharing efforts, but has not yet fully GAO recommends that DHS revise its assessed how they have improved sharing. Specifically, DHS is tracking the policies and guidance to include implementation progress of key information-sharing initiatives, but the processes for identifying information- department does not maintain completion dates and does not fully assess the sharing gaps, analyzing root causes of impact initiatives are having on sharing. Determining and documenting initiative those gaps, and identifying, assessing, completion dates and how initiatives affect sharing, where feasible, would help and mitigating risks of removing the board better track progress in implementing the initiatives and make any incomplete initiatives from its list; better necessary course corrections if completion dates are delayed. Further, DHS has track and assess the progress of key begun to assess the extent to which its technology programs, systems, and information-sharing initiatives; and initiatives—which include the key information-sharing initiatives—have establish the level of capabilities implemented critical information-sharing capabilities, such as secure user access programs must implement to meet its authorization. However, DHS has not yet determined the specific capabilities vision for 2015. DHS agreed with these recommendations and identified each particular program must implement for DHS to conclude that it has actions taken or planned to implement improved information sharing enough to achieve its information-sharing vision for them. 2015. Establishing the level of capabilities programs must implement could help DHS prioritize programs, and track and assess progress toward its vision. In addition, DHS is in the process of implementing customer feedback measures on the usefulness of information provided and has taken steps to assess customers’ information needs. DHS has not yet developed measures that determine the impact of its information-sharing efforts on homeland security, but plans to View GAO-12-809. For more information, develop ways to assess information-sharing results toward achieving its 2015 contact Eileen Larence at (202) 512-6510 or firstname.lastname@example.org. vision. DHS’s time frames for completing this effort are to be included in forthcoming plans currently being developed. United States Government Accountability Office Contents Letter 1 Background 5 DHS Has Made Progress in Advancing Key Information-Sharing Initiatives, but Additional Steps Could Help Sustain Such Efforts 8 DHS Has Taken Steps to Track Information-Sharing Efforts, but Has Not Yet Fully Assessed How They Have Improved Sharing 23 Conclusions 39 Recommendations for Executive Action 40 Agency Comments and Our Evaluation 41 Appendix I Objectives, Scope, and Methodology 44 Appendix II Comments from the Department of Homeland Security 49 Appendix III GAO Contact and Staff Acknowledgments 52 Table Table 1: DHS’s Eight Priority Information-Sharing Initiatives, as of September 2012 13 Figures Figure 1: DHS’s Visions, Missions, and Goal 5 Figure 2: Composition of the Information Sharing and Safeguarding Governance Board 10 Figure 3: Summary of Overall Status of DHS Key Information- Sharing Initiatives, as of June 2012 17 Figure 4: Generic Quad Chart for Key Information-Sharing Initiatives 25 Page i GAO-12-809 DHS Information Sharing Abbreviations AWN Alerts, Warnings, and Notifications CBP Customs and Border Protection CHISE Controlled Homeland Information Sharing Environment CIO Chief Information Officer DHS Department of Homeland Security DOJ Department of Justice EA enterprise architecture FBI Federal Bureau of Investigation HSIN Homeland Security Information Network I&A Office of Intelligence and Analysis ICE Immigration and Customs Enforcement ISA IPC Information Sharing and Access Interagency Policy Committee ISE Information Sharing Environment LEISI Law Enforcement Information Sharing Initiative NCTC National Counterterrorism Center QHSR Quadrennial Homeland Security Review SAR Suspicious Activity Reporting This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Page ii GAO-12-809 DHS Information Sharing United States Government Accountability Office Washington, DC 20548 September 18, 2012 Congressional Requesters Recent planned and attempted acts of terrorism on U.S. soil underscore the importance of ensuring that terrorism-related information is shared with stakeholders across all levels of government, the private sector, and foreign countries in an effective and timely manner. 1 Consistent with the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) and the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), among other statutes, the Department of Homeland Security (DHS) has responsibility for sharing terrorism-related information with federal, state, local, tribal, territorial, international, and private sector partners. 2 DHS is also one of five key agencies tasked with responsibilities related to establishing the Information Sharing Environment (ISE)—a statutorily mandated governmentwide approach to facilitate the sharing of terrorism-related information. We have designated terrorism-related information sharing as high risk because the government faces formidable challenges in analyzing and disseminating this information in a timely, accurate, and useful manner. 3 Our work on this high-risk area has primarily focused on the government’s efforts to implement the ISE. As part of the ISE, DHS has been working to improve its sharing of terrorism-related information. In a September 2010 letter to DHS, we identified steps that the department could take to 1 For purposes of this report, terrorism-related information encompasses terrorism information, which includes weapons of mass destruction information, and homeland security information consistent with section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004, as amended, as well as law enforcement information relating to terrorism or the security of the homeland. See Pub. L. No. 108-458, § 1016(a), 118 Stat. 3638, 3664-65 (2004) (codified as amended at 6 U.S.C. § 485(a)). See also Pub. L. No. 107-296, § 892(f), 116 Stat. 2135 (2002) (codified at 6 U.S.C. § 482(f)). 2 See generally Pub. L. No. 110-53, 121 Stat. 266 (2007), Pub. L. No. 108-458, 121 Stat. 3638 (2004). See also, generally, Pub. L. No. 107-296, 116 Stat. 2135 (2002). 3 Terrorism-related information sharing remained a high-risk area for our February 2011 update. See GAO, High-Risk Series: An Update, GAO-11-278 (Washington, D.C.: Feb. 16, 2011) for the most recent update. See also Determining Performance and Accountability Challenges and High Risks, GAO-01-159SP (Washington, D.C.: Nov. 1, 2000). Page 1 GAO-12-809 DHS Information Sharing improve its sharing, which, among other things, included the development of a strategy for how DHS will achieve its information-sharing mission, demonstration of the existence of a clear governance structure for information sharing, and demonstration that DHS is making progress in providing terrorism-related information to its customers. DHS in turn identified related actions it was taking and provided us periodic updates on its progress, which are discussed later in this report. In response to your request, this report addresses the extent to which DHS (1) has made progress since 2010 in achieving its information-sharing mission, and what related challenges exist, if any, and (2) tracks and assesses information-sharing improvements. 4 To address the first objective, we analyzed relevant strategic planning documents, as well as documents related to DHS’s governance structure, plans and initiatives, and budget and technology framework for information sharing. 5 We also interviewed program officials within DHS’s Office of Intelligence and Analysis (I&A), as well as officials from DHS’s Office of the Chief Information Officer (CIO) to obtain information on the department’s efforts to improve information sharing and related challenges. We selected one DHS information-sharing initiative—the Law Enforcement Information Sharing Initiative (LEISI) led by U.S Immigration and Customs Enforcement (ICE)—to analyze as a case study example of DHS’s actions related to information-sharing initiatives, and discussed it with ICE officials. 6 We selected LEISI because it is one of DHS’s information-sharing priorities and an established program. We assessed DHS’s efforts against Standards for Internal Control in the Federal 4 Although the high-risk area focuses on sharing terrorism-related information, many of the programs and efforts discussed in this report relate to DHS’s efforts to share types of information beyond terrorism-related information. 5 DHS has made recent efforts to also improve the safeguarding of information—in response to the release of classified and diplomatic documents by the website Wikileaks in 2010—but this was outside the scope of our review and therefore is not addressed in this report. 6 LEISI was 1 of DHS’s 18 key information-sharing initiatives as of September 2012. Page 2 GAO-12-809 DHS Information Sharing Government and criteria that we use in assessing high-risk issues. 7 We also reviewed DHS’s efforts related to its Segment Architecture against our prior report and federal guidance on defining architecture content. 8 To address the second objective, we analyzed documentation and examples of DHS’s mechanisms for tracking and assessing the progress and results from its information-sharing efforts, including documentation and data on DHS’s performance measures for customer feedback and customer information needs, among other areas, for fiscal years 2011 and 2012. We assessed the reliability of these data by, for example, analyzing performance measurement documentation, and determined that they were sufficiently reliable for the purposes of this report. We also interviewed program officials within I&A and from DHS’s Office of the CIO. In addition, we obtained information from customers of DHS’s information sharing, including 10 of 77 fusion centers, where states and major urban areas collaborate with federal agencies to improve information sharing; 1 of 7 DHS operational components who participate in the DHS Intelligence Enterprise, ICE; and 2 of DHS’s 16 intelligence community customers, the Office of the Director of National Intelligence (ODNI) and the Federal Bureau of Investigation (FBI). 9 We selected fusion centers based on, among other things, geographic dispersion and variation in risk based on the Department of Justice’s (DOJ) 25 Cities 7 See GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1, 1999). We have also established five criteria to assess when the government has made sufficient progress so that an issue no longer poses significant risk and can be removed as a high-risk area: demonstrated top leadership commitment to reduce risks; capacity, such as funding and other resources to reduce risks; a corrective action plan to identify and address root causes of risks; mechanisms to monitor effectiveness of corrective measures; and demonstrated progress in implementing corrective measures. See GAO-01-159SP. Because DHS is one of five key agencies responsible for establishing the ISE, its efforts to improve information sharing will not, on their own, result in removing the issue as a high-risk area. 8 A segment architecture defines a road map to enhance business operations and achieve measurable performance improvements for a portion, or segment, of the enterprise. See GAO, Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments, GAO-11-455 (Washington, D.C.: July 21, 2011). See also Federal Segment Architecture Working Group, Federal Segment Architecture Methodology Version 1.0, December 2008. 9 According to the Under Secretary for Intelligence and Analysis, departmental intelligence programs, projects, activities, and personnel—including the intelligence elements of key operational components, as well as I&A—make up the DHS Intelligence Enterprise. Page 3 GAO-12-809 DHS Information Sharing Project. 10 We selected ICE, ODNI, and the FBI because they are key customers of DHS’s intelligence products or partner with I&A to create these products. ICE is a DHS component that shares terrorism-related information and leads two of DHS’s key information-sharing initiatives. ODNI and the FBI are federal agencies that have key roles in analyzing terrorism threats to the United States and jointly issue products with DHS. The FBI also has the primary role in carrying out investigations within the United States of threats to national security. Because we selected a nonprobability sample of customers to contact, the information we obtained from these customers may not be generalized to all customers nationwide, but it provided us with a general understanding of the perspectives about DHS’s information sharing held by different customer types nationwide. We assessed DHS’s efforts for tracking and assessing information-sharing improvements against criteria for practices in program management. 11 We conducted this performance audit from November 2011 through September 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Additional details on our scope and methodology are contained in appendix I. 10 The 25 Cities Project refers to the High-Risk Metropolitan Area Interoperability Assistance Project, a DOJ Wireless Management Office grant program that identified the top 25 metropolitan areas that were considered likely targets for terrorist attack and provided communication solutions to federal and local authorities such as fire, police, and emergency medical services. Projects differ from city to city. 11 For example, see Project Management Institute, The Standard for Program Management® (Newtown Square, PA: 2006); GAO, Managing for Results: Enhancing Agency Use of Performance Information for Management Decision Making, GAO-05-927 (Washington, D.C.: Sept. 9, 2005), and Program Evaluation: Studies Helped Agencies Measure or Explain Program Performance, GAO/GGD-00-204 (Washington, D.C.: Sept. 29, 2000). Page 4 GAO-12-809 DHS Information Sharing Background Overview of DHS Roles Figure 1 shows DHS’s homeland security and information-sharing visions, and Responsibilities and missions, and goal. 12 the Information Sharing Environment Figure 1: DHS’s Visions, Missions, and Goal a According to DHS officials, information sharing is a cross-cutting capability for all mission areas. b According to DHS documentation, the homeland security enterprise is composed of the federal, state, local, tribal, territorial, nongovernmental, and private sector entities, as well as individuals, families, and communities who share a common national interest in the safety and security of the United States. I&A is the lead DHS component with responsibilities for sharing terrorism- related information with all levels of government and the private sector. I&A performs a variety of functions related to information sharing, including gathering customer information needs, developing and 12 According to DHS officials, DHS’s information-sharing vision statement and goal will be updated when DHS publishes its Fiscal Year 2012-2017 DHS Information Sharing and Safeguarding Strategy. Page 5 GAO-12-809 DHS Information Sharing distributing intelligence reports, and gathering customer feedback on the information I&A provides. I&A, along with the Office of the CIO, also has a key role in the overall governance structure DHS has created to manage information sharing throughout the department, which is discussed more fully later in this report. I&A is headed by the Under Secretary for Intelligence and Analysis who has responsibilities for, among other things, providing homeland security intelligence and information to the Secretary of Homeland Security; other federal officials and agencies, such as members of the intelligence community; Members of Congress; departmental component agencies; and the department’s state, local, tribal, territorial, and private sector partners, such as fusion centers. In addition to I&A, multiple other DHS components—such as ICE, U.S. Customs and Border Protection (CBP), and the Transportation Security Administration (TSA)—share information within and outside DHS on threats more specific to their mission areas, such as travel information. Among other things, these agencies develop and distribute intelligence reports about these areas to customers, such as the intelligence community. DHS is one of five key agencies responsible for establishing the ISE. 13 Section 1016 of the Intelligence Reform Act, as amended by the 9/11 Commission Act, requires the President to take action to facilitate the sharing of terrorism-related information through the creation of the ISE. 14 In April 2005, the President designated a Program Manager—within the Office of the Director of National Intelligence—to, among other things, plan for, oversee implementation of, and manage the ISE. In July 2011, we recommended that in defining a road map for the ISE, the Program Manager ensure that relevant initiatives individual agencies were implementing are leveraged across the government, among other 13 In total, there are 15 ISE departments and agencies. In addition to the 5 key agencies (DHS, the Department of Justice, the Department of State, the Department of Defense, and the Office of the Director of National Intelligence), the other departments and agencies include the Central Intelligence Agency, the Department of Commerce, the Department of Energy, the Department of Health and Human Services, the Department of the Interior, the Department of Transportation, the Department of the Treasury, the FBI, and the National Counterterrorism Center, as well as the Joint Chiefs of Staff. See, e.g., appendix A of the July 2010 ISE Annual Report to the Congress. 14 See 6 U.S.C. § 485. Page 6 GAO-12-809 DHS Information Sharing things. 15 The Program Manager generally agreed with our recommendations and has actions under way to address them. DHS noted that the department remained committed to continuing its work with the Program Manager and relevant stakeholders to further define and implement a fully functioning ISE. DHS’s Office of the CIO is responsible for the department’s information technology management and is developing the department’s enterprise architecture (EA), which is designed to establish an agencywide road map to achieve its mission. An EA can be viewed as a reference or “blueprint” for guiding an organization’s transition to its future environment that includes maximizing information sharing within and across organizational boundaries. Along with I&A, the Office of the CIO is responsible for overseeing this transition. Federal Statutes and Since the terrorist attacks of September 11, 2001, several statutes have Strategies Governing been enacted into law that relate to enhancing the sharing of terrorism- Information Sharing related information among federal, state, and local agencies as well as other stakeholders, and the federal government has developed related strategies and guidelines to meet its statutory obligations. Pursuant to the Homeland Security Act, as amended, I&A has responsibility for, among other things, assessing, receiving, and analyzing law enforcement, intelligence, and other information in order to (1) identify and assess the nature and scope of terrorist threats to the homeland, (2) detect and identify threats of terrorism against the United States, and (3) understand such threats in light of actual and potential vulnerabilities to the homeland. 16 Further, pursuant to the 9/11 Commission Act, the Secretary of Homeland Security—through the Under Secretary for I&A—shall 15 GAO-11-455. In this report, we made recommendations at the national level to the Program Manager for the ISE and did not make any recommendations to DHS or other individual key agencies that support the ISE. 16 See 6 U.S.C. § 121.The Homeland Security Act established a Directorate of Information Analysis and Infrastructure Protection, within which the Assistant Secretary for Information Analysis carried out the department’s primary intelligence functions. See Pub. L. No. 107- 296, § 201, 116 Stat. at 2145-49. The 9/11 Commission Act subsequently eliminated the directorate and established separate offices for Intelligence and Analysis, headed by an Under Secretary, and for Infrastructure Protection, headed by an Assistant Secretary. See Pub. L. No. 110-53, § 531, 121 Stat. at 332-35. Page 7 GAO-12-809 DHS Information Sharing integrate the information and standardize the format of the terrorism- related products of the department’s intelligence components. 17 In October 2007, the President issued the National Strategy for Information Sharing, which identifies the federal government’s information-sharing responsibilities. The strategy calls for authorities at all levels of government to work together to obtain a common understanding of the information needed to prevent, deter, and respond to terrorist attacks. On the basis of the National Strategy, DHS developed a strategy in 2008 to direct the department’s information-sharing efforts and is drafting a Fiscal Year 2012-2017 DHS Information Sharing and Safeguarding Strategy. DHS plans to finalize and release this new strategy after the Executive Office of the President issues a new National Strategy for Information Sharing and Safeguarding, and DHS then plans to release an implementation plan that is to describe in more detail how the department will implement its strategy along with related milestones. 18 DHS’s new strategy is intended to update the 2008 strategy to reflect the department’s growing and increasingly complex mission and include information safeguarding—in response to the release of classified and diplomatic documents by the website Wikileaks in 2010—as well as information sharing. DHS has established a decision-making body—the Information Sharing DHS Has Made and Safeguarding Governance Board (the board)—that demonstrates Progress in Advancing senior executive-level commitment to improving information sharing. The board has identified information-sharing gaps and developed a list of key Key Information- initiatives to help address those gaps, but additional steps could help Sharing Initiatives, DHS sustain these efforts. Board and department attention has helped but Additional Steps achieve progress on many of the key initiatives, but funding challenges have slowed some efforts. DHS has also made progress in developing Could Help Sustain and implementing DHS’s Information Sharing Segment Architecture, but Such Efforts has not yet fully developed this architecture. The board plans to update the DHS Information Sharing Strategy and develop a related implementation plan, which will be important in managing information- sharing efforts. 17 See 6 U.S.C. § 124a(a). 18 As of early September 2012, the new National Strategy for Information Sharing and Safeguarding had not been released. Page 8 GAO-12-809 DHS Information Sharing The Governance Board The Information Sharing and Safeguarding Governance Board serves as Demonstrates Leadership DHS’s senior executive-level decision-making body for information- Commitment to Improving sharing issues. According to the board’s charter, DHS established the board in 2007 to serve as the “arbiter of data access denials or delays Information Sharing that cannot be resolved at the component level” and to work with DHS operational components to monitor their information management processes and ensure respect for legal protections. In the aftermath of the release of classified and diplomatic documents by the website Wikileaks, in 2011 DHS revised the board’s charter to reflect its responsibility to govern both information sharing and safeguarding and expanded the board’s membership to incorporate components with information-safeguarding responsibilities. 19 The board includes senior executive-level representation from almost every DHS component, as shown in figure 2. 19 According to the board’s charter, as revised, the President, through the August 2, 2011, memorandum entitled FY 2013 Programmatic Guidance for the Information Sharing Environment, directed departments and agencies in the Information Sharing Environment to strengthen governance processes for the sharing and safeguarding of critical information, both classified and unclassified, and to improve capabilities at the agency level to address and mitigate vulnerabilities. The revised charter also provides that pursuant to Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, issued on October 7, 2011, all federal departments and agencies must, among other things, institute a governance mechanism that synchronizes information sharing and safeguarding. See 76 Fed. Reg. 63,811 (Oct. 13, 2011). Page 9 GAO-12-809 DHS Information Sharing Figure 2: Composition of the Information Sharing and Safeguarding Governance Board The Under Secretary for Intelligence and Analysis serves as the board’s chair. According to DHS officials, as the DHS representative to the interagency policy committee for information sharing, the Under Secretary brings knowledge of governmentwide information-sharing efforts. 20 The DHS Chief Information Officer serves as the board’s vice chair, also bringing knowledge as the authority over DHS’s technology-related information-sharing projects. Board minutes show that senior-level officials attend the board’s quarterly meetings, demonstrating DHS leadership commitment to the board’s work. The board is responsible for approving the department’s information-sharing and -safeguarding vision and strategy, establishing information-sharing goals and priorities, and overseeing implementation across DHS components. According to DHS 20 For example, the Under Secretary for I&A participates in the Information Sharing and Access Interagency Policy Committee (ISA IPC). In July 2009, the administration established the ISA IPC within the Executive Office of the President to, among other things, identify information-sharing priorities going forward. The ISA IPC assumed the functions and responsibilities of the former White House Information Sharing Council, which had been established pursuant to section 1016(g) of the Intelligence Reform Act. See 6 U.S.C. § 485(g). The committee—with representation of participating ISE agencies and communities—is intended to provide oversight and guidance to the ISE. Page 10 GAO-12-809 DHS Information Sharing officials, the board periodically reports its results to the Secretary of Homeland Security. The Information Sharing Coordinating Council serves as an advisory body to the board and supports it by recommending policies and procedures for information sharing, preparing for board meetings, and helping to track information-sharing initiatives. 21 The board has advanced DHS information sharing in several ways. First, the board has raised visibility—that is, has increased awareness of— information-sharing initiatives. Both the Office of the CIO and ICE officials noted that visibility improves stakeholder coordination across initiatives and facilitates access to high-level officials who can help initiatives overcome roadblocks. For example, ICE officials said that the board has increased the visibility of LEISI—DHS’s main initiative for sharing law enforcement information with state and local partners—and that other DHS components are now more likely to coordinate with LEISI in their law enforcement information-sharing activities. An official from the Office of the CIO also noted that the board provides information-sharing initiatives with organizational support at higher levels across DHS, which can remove roadblocks within or across components. For example, the official noted that one information-sharing initiative—the Homeland Security Information Network (HSIN), which DHS uses to share information with federal, state, and local partners—cannot succeed without this visibility and now has better stakeholder coordination than ever before. Second, according to DHS officials, the board has helped to reduce redundancies across DHS components. For example, through board activities, members recognized that DHS components were independently developing over 20 systems to collect, share, and display the information that components and other stakeholders need to plan for and respond to threats and hazards, known as Common Operating Picture systems. The board worked with the components involved to examine each component’s Common Operating Picture systems and identify opportunities for cooperation, thereby reducing redundancies and saving funds. 21 The board has two additional subordinate bodies—the Law Enforcement Shared Mission Community, which serves as an advisory board on law enforcement information- sharing issues, and the Information Safeguarding and Risk Management Council, which serves as an advisory board on information-safeguarding issues. Page 11 GAO-12-809 DHS Information Sharing In February 2012, the board also established an Information Sharing Environment Coordination Activity—with staff from I&A and the Office of the CIO—to facilitate decision making related to DHS’s Information Sharing Segment Architecture transition plans. The group’s responsibilities include developing recommendations and advising on policy development, resource allocation, acquisition management, and program management processes. In addition, the group is responsible for assessing whether departmental investments in new and existing technology programs include critical information-sharing capabilities, and whether investments present opportunities to deploy capabilities as enterprise services, such as computer-to-computer mechanisms to deliver information between systems. We discuss this group’s role in several information-sharing efforts later in this report. Because the group is relatively new, it was too early for us to determine its impact. DHS’s actions to establish an information-sharing governance structure and related activities demonstrate DHS leadership’s commitment to improving information sharing. DHS Has Identified Key Information-Sharing Initiatives to Fill Gaps, but Additional Steps Could Help Sustain this Process Key Information-Sharing DHS has identified a list of initiatives that it determined are key to Initiatives advancing information sharing within the department and with its customers, which DHS refers to as its Information Sharing Roadmap. According to DHS officials, to develop this list, the board hosted a series of meetings from April 2010 through December 2011 with relevant components in each of its five mission areas. 22 According to I&A officials, 22 The Quadrennial Homeland Security Review is a DHS strategic framework that includes DHS’s vision for a secure homeland, specifies key mission priorities, and outlines goals for each DHS mission area. As part of this review, DHS identified five homeland security missions and assessed DHS efforts to mature and strengthen the homeland security enterprise itself. See DHS, “Quadrennial Homeland Security Review Report,” February 2010. According to DHS officials, information sharing is not a mission unto itself, but a “force multiplier” that enables the department to achieve its mission objectives faster and at reduced risk and cost. DHS structured the discussions for each mission area to identify gaps related to (1) people and cultural issues, (2) policy and legal issues, and (3) technology issues. Page 12 GAO-12-809 DHS Information Sharing these meetings included in-depth conversations with DHS and component executives about their information-sharing activities and gaps, and presentations from subject matter experts on these issues. The board selected a list of 22 initiatives that it determined represented DHS’s greatest opportunities to improve information sharing. Some of these initiatives were information-sharing programs that components were already implementing as part of their mission activities, while others were new projects designed to address specific information-sharing gaps. According to DHS officials, the process of identifying departmental information-sharing gaps evolved progressively over the course of 2 years as the board continually sought to improve its methods. According to DHS officials, in July 2011, the board’s chair requested that board members prioritize the list of initiatives and select a smaller and more manageable list to receive additional support in the DHS budget process. Using a weighted scoring and voting system, each board member selected 5 top-priority initiatives based on four criteria: cross- departmental impact, linkage to mission areas, enterprisewide information-sharing enabler, and level of DHS component support. After compiling these rankings across members, the board determined that 8 initiatives were clustered near the top of the list and established these initiatives as its priority efforts, as shown in table 1. Table 1: DHS’s Eight Priority Information-Sharing Initiatives, as of September 2012 Initiative Responsible component(s)a Function Controlled Homeland Information I&A, Office of the CIO, and Developing an integrated, searchable index to consolidate Sharing Environment (CHISE) Screening Coordination Office and streamline access to intelligence, law enforcement, and other information across DHS. Information Sharing Segment I&A and Office of the CIO Overseeing the Segment Architecture Transition Plan—that Architecture (Segment is, the actionable steps and milestones needed to implement Architecture) Transition the key capabilities required for the DHS information sharing environment. Law Enforcement Information ICE Sharing law enforcement information with state and local Sharing Initiative partners. This initiative includes formulating uniform law enforcement information-sharing policies for DHS, expanding and enhancing information technology to support information sharing, simplifying customer access to federal law enforcement and homeland security information, and ensuring that DHS law enforcement officers and analysts have the systems needed to access information from federal, state, and local partners. Common Operating Picture/User- Office of Operations Coordination Developing an application that collects, shares, and displays Defined Operating Picture and Planning and Office of the the information DHS components need to plan for and CIO respond to threats and hazards. Page 13 GAO-12-809 DHS Information Sharing Initiative Responsible component(s)a Function TECS Modernization CBP and ICE Modernizing the infrastructure of TECS—a key system for border enforcement and the sharing of information about people who are inadmissible to the United States under the law or pose a potential threat. Private Sector Information Sharing Private Sector Office and National Developing better engagement tools, processes, and Work Plan Protection and Programs methods to encourage and promote two-way information Directorate sharing with private sector partners. Homeland Secure Data Network I&A and Office of the CIO Developing a secure network that gives DHS the ability to collect, disseminate, and exchange information with federal, state, and local partners up to the secret level. Homeland Security Information I&A and Office of the CIO Developing a secure, web-based sensitive but unclassified Network network for information sharing and collaboration with federal, state, local, tribal, territorial, private sector, and international partners. Source: GAO analysis of DHS documents. a The Screening Coordination Office within the DHS Office of Policy was established to integrate, where appropriate, the wide range of DHS screening and credentialing activities to enhance DHS missions of keeping dangerous people and things out of the United States and securing critical infrastructure. The Office of Operations Coordination and Planning is responsible for monitoring the security of the United States on a daily basis and coordinating activities within DHS and with governors and law enforcement partners, among others. The Private Sector Office, within the Office of Policy, is responsible for, among other things, promoting public-private partnerships and best practices to improve homeland security. The National Protection and Programs Directorate has responsibility for advancing DHS’s risk reduction mission by addressing various physical and virtual threats. To improve the process it used to select the priority initiatives, DHS formed the Criteria Working Group in 2011. According to the working group’s briefing materials, the group developed new criteria for selecting priority initiatives—such as mission criticality and feasibility—that it will use in future prioritization efforts and a new process for integrating component input on which initiatives to choose as priorities. According to DHS officials, the board also recognized the need to periodically add and remove initiatives from the broader list of key information-sharing initiatives and developed and documented processes to do so. Therefore, in December 2011, the board elected to begin reviewing the list of initiatives on a semiannual basis, evaluating the initiatives for continued relevancy and considering newly emerging requirements. According to I&A officials, the board could remove an initiative from the list because (1) the initiative has “graduated”—that is, it has achieved all of its information-sharing goals or (2) the initiative has languished because components have not provided needed funding or DHS did not have a lead component to manage the initiative. These latter initiatives would be removed from the list and set aside for potential reevaluation if a component agrees to lead the initiative at a later date. In Page 14 GAO-12-809 DHS Information Sharing May 2012, DHS issued the Information Sharing and Safeguarding Roadmap Implementation Guide to document and describe goals and elements of the list of key initiatives and provide guidance for development, management, and oversight of the list. 23 In 2012, the board added 5 new initiatives to the list in order to reflect the board’s new emphasis on information safeguarding. 24 The board also consolidated 3 initiatives into a single initiative, split 1 initiative into 2 separate initiatives, and removed 3 from the list because, according to I&A officials, they were better handled by other entities and no longer required board involvement. As of September 2012, DHS had 18 key information-sharing initiatives and 5 safeguarding initiatives on its list of key initiatives. Steps to Sustain Efforts DHS’s efforts to identify information-sharing gaps and select initiatives to address them have advanced information-sharing efforts, but additional steps could help DHS sustain these efforts. First, DHS has not documented its process for identifying information-sharing gaps in each of its mission areas or the list of gaps it identified. Documenting this process and its results could help DHS replicate and sustain this process in the future. Federal internal control standards require agencies to clearly document significant activities. 25 DHS officials noted the board did not document the process because its efforts were in early stages and the process was revised as the board learned from experience. Processes for selecting key information-sharing initiatives are documented in DHS’s Roadmap Implementation Guide—the department’s policies and procedures for managing key initiatives. However, because DHS’s assessment of gaps drives the selection of key information-sharing initiatives, documenting the process for identifying gaps and the results of that process in the Roadmap Implementation Guide or other related policies and procedures would provide DHS with an institutional record to better replicate, and therefore sustain, a key step in its efforts to improve information sharing. 23 DHS, Information Sharing and Safeguarding Roadmap Implementation Guide, May 2012. 24 DHS’s five safeguarding priorities in the 2012 list of initiatives are Address the Insider Threat, Improve Access Control, Improve Enterprise Audit, Reduce Removable Media Use, and Reduce User Anonymity. 25 GAO/AIMD-00-21.3.1. Page 15 GAO-12-809 DHS Information Sharing Second, DHS did not analyze the root causes of information-sharing gaps to ensure that its key initiatives target the correct problems. According to DHS officials, DHS did not do this because the root causes of DHS’s information-sharing problems—such as challenges in incorporating diverse agencies into a single department—are well known and have been discussed at high levels within the executive branch, in the context of the formation of DHS, in the 9/11 Commission Report, and through subsequently enacted laws. 26 These broad, overarching issues help inform DHS’s efforts to improve information sharing, but documenting and implementing a process for analyzing the specific causes of DHS’s information-sharing gaps within each mission area would help DHS ensure that it invests in the correct information-sharing solutions. For example, diagnosing whether specific gaps are caused by DHS’s own funding decisions and constraints, by its organizational structure, or by technological limitations would allow DHS to better choose appropriate solutions. Furthermore, our work on high-risk programs has shown that analyzing root causes of program gaps or limitations can help in designing effective solutions to reduce risks. 27 Third, DHS has not established and documented a process for identifying and assessing the risks of removing an initiative from the list when the initiative does not have funding or component support, and does not have a documented process for mitigating the risk of removing incomplete initiatives. Given that DHS selects key information-sharing initiatives based on identified information-sharing gaps, it is important to assess the risks of removing an initiative and determine whether alternative solutions are needed to mitigate these risks in order to address information-sharing gaps. Internal control standards also require agencies to comprehensively identify risks and decide how to manage them. 28 The board’s deliberations on updates to its strategy recognize the need to institutionalize risk management into daily mission operations for information sharing. However, officials stated that the board has not accounted for the risk of removing items to date because (1) the processes for developing the list of initiatives are relatively new and (2) the only items DHS has removed so far are ones that continue to be 26 The National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report (Washington, D.C.: July 2004). 27 GAO-01-159SP. 28 GAO/AIMD-00-21.3.1. Page 16 GAO-12-809 DHS Information Sharing managed by another entity within the department, which mitigated the risk of removal. Nevertheless, as we describe in the following section, funding and other constraints may require DHS to remove items from the list in the future, and establishing and documenting processes for potential future use could help guide these decisions. DHS officials stated that such processes could improve information-sharing efforts. By establishing and documenting processes for identifying and assessing the risks of removing an incomplete initiative from its list and working to mitigate that risk, DHS could be better positioned to identify the effects that removal may have on its information-sharing efforts and sustain these efforts. DHS Has Advanced Key Since DHS developed its list of key information-sharing initiatives, many Information-Sharing of those initiatives have proceeded and met interim program milestones. Initiatives, but Progress As of June 2012, 15 of the 18 key information-sharing initiatives met at least one interim milestone, and DHS fully completed 1 initiative— Has Slowed for Half of developing a training course designed to improve and increase sharing of Them in Part because of terrorism information by promoting a culture of awareness. However, as Funding Constraints shown in figure 3, progress has slowed or stopped for 10 of the 18 key information-sharing initiatives presented to the board in June 2012. Figure 3: Summary of Overall Status of DHS Key Information-Sharing Initiatives, as of June 2012 Funding constraints are a primary reason why progress has slowed or stopped for some initiatives. For example, among the 8 priority information-sharing initiatives, 5 faced risks as of June 2012 because of lack of funding, and DHS has had to delay or scale back at least 4 of them. More specifically, according to ICE documents, LEISI has met milestones related to several activities—including developing a strategic plan, implementing a performance metrics tracking system, and Page 17 GAO-12-809 DHS Information Sharing expanding information sharing with federal, state, and local partners—but inadequate funding threatens the ability of ICE to further expand the LEISI user base and share additional data, among other things. Also, DHS’s top information-sharing priority (CHISE)—an initiative to develop an integrated, searchable index to consolidate and streamline access to intelligence, law enforcement, and other information across DHS—has not been fully funded, but efforts to explore possible funding options continue, according to DHS officials. The officials noted that CHISE is intended to streamline access to terrorism-related information and help analysts synthesize this information. The officials added that until CHISE is developed, analysts will continue to separately access numerous data sets from across the department, which requires a larger number of analysts, is more time consuming, and may result in missing connections among data in different data sets. According to I&A officials, for the fiscal year 2012 budget, the board made a concerted effort to advocate for additional funding to support priority initiatives and emphasize information sharing during the DHS planning and budgeting process. According to I&A officials, the board was not able to obtain increased funding for the initiatives but plans to continue its efforts. The officials noted that the board does not have budget authority within the department, and therefore does not have the authority or resources to fund the priority initiatives. They explained that under the DHS budget process, the initiatives are considered integral to, and not separate from, an agency’s fundamental mission activities and are funded through the DHS components responsible for each initiative. Thus, according to the officials, in a constrained budget environment, components are faced with difficult decisions in deciding whether to fund mission activities or information-sharing activities. However, DHS officials stated that the board’s involvement has kept some of these initiatives from experiencing funding cuts. In addition, as we reported in July 2012, the board serves as the portfolio governance board for information sharing, which provides guidance and investment recommendations for future year planning, programming, and budgeting. 29 According to DHS officials, as the department’s information technology governance process matures, the board will have a more formal role and processes for affecting funding decisions. 29 GAO, Information Technology: DHS Needs to Further Define and Implement Its New Governance Process, GAO-12-818 (Washington, D.C.: July 25, 2012). Page 18 GAO-12-809 DHS Information Sharing Moving forward, DHS plans to collect and publish data on the annual and long-term funding the department budgets and spends on its information- sharing and -safeguarding programs and activities. 30 According to DHS officials, the ability for the department to generate reliable cost estimates for these sharing and safeguarding programs and activities will lower the risk to the public and minimize overruns, missed deadlines, and performance shortfalls. The officials added that cost estimates will also allow decision makers to prioritize future investments and demonstrate a continued commitment to support the capability and capacity of DHS components to share and safeguard information. These cost estimates could also allow us to determine the extent to which DHS has the capacity to implement its plans. We will continue to monitor DHS’s implementation of these plans and its ability to address funding shortfalls for key initiatives, particularly in a challenging budget environment. DHS Has Made Important DHS has developed architecture guidance to support the implementation Progress, but Has Yet to of its target DHS information sharing environment. 31 Specifically, in May Fully Implement Its 2009, DHS published version 2.1 of its Information Sharing Segment Architecture. In July 2011, we reported that the Segment Architecture did Information-Sharing not include key architecture content, such as a transition plan for moving Architecture to the target DHS information sharing environment and a conceptual solution architecture that provides an integrated view of proposed systems and services. 32 In response, DHS has made important progress in addressing the missing architecture content. For example, in January 2012, DHS updated its Segment Architecture to include a transition plan that provides a conceptual road map to implement the key capabilities needed to achieve the target DHS information sharing environment. 30 According to DHS officials, this effort and related milestones will be discussed in the implementation plan for the forthcoming DHS Information Sharing and Safeguarding Strategy. As noted earlier in this report, DHS officials stated that they are waiting to release this strategy until after the new National Information Sharing and Safeguarding Strategy is released. 31 The target DHS information sharing environment contains four technology layers (information access, information presentation, information discovery, and information delivery), which represent the functional groupings of information processes necessary to realize the target information sharing environment. 32 GAO-11-455. In this report, we made ISE recommendations at the national level to the Program Manager for the ISE and did not make any recommendations to the individual key agencies, including DHS, that support the ISE. Page 19 GAO-12-809 DHS Information Sharing DHS has also taken actions to identify and define its key business and information requirements, an initial important step in building an effective architecture to determine technology solutions it will need to achieve its information-sharing goals. According to guidance issued by the Program Manager for the ISE, agencies should create an inventory of assets to effectively share terrorism-related information. 33 According to the executive director of the DHS Information Sharing Environment Office, DHS has completed an inventory of the data assets (e.g., databases containing terrorism-related information) that each of the components across the department owns, such as border-crossing records. More specifically, DHS has cataloged more than 800 data assets across the department and identified the basic information available in each asset. Also according to the executive director, the Information Sharing Environment Coordination Activity will then determine with what other stakeholders DHS needs to share these data assets. DHS has determined that 80 of the data assets contain information with potential value in counterterrorism efforts. Of those 80, DHS identified the top 20 most valuable data assets and included them in the CHISE initiative, which is to organize these data assets into searchable indices to facilitate fast information retrieval. Since 2008, we have reported on the importance of agencies taking an inventory of what information they own as the first step to then determining who needs to have this information and how agencies will share it with key partners. 34 DHS’s inventory efforts should help it to more systematically determine where it has gaps in sharing or additional opportunities to use the information it owns to protect the homeland. DHS has also developed a conceptual solution architecture, which, according to the guidance issued by the Program Manager for the ISE, is to provide an integrated view of the combined systems, services, and technology for the target ISE, as well as the interfaces between them. This conceptual solution architecture provides an integrated view of 33 Program Manager for the ISE, Information Sharing Environment Profile and Architecture Implementation Strategy version 2.0, June 2009. 34 GAO, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, GAO-08-492 (Washington, D.C.: June 25, 2008). Page 20 GAO-12-809 DHS Information Sharing systems, such as Homeland Secure Data Network, 35 and services, such as Enterprise Service Bus message services, 36 which allow information to flow among disparate applications across multiple hardware and software platforms. This is important since it defines specific technology resources for implementing DHS’s information sharing environment. In addition, DHS officials stated the department is using its shared space to share terrorism-related information with other agencies. 37 For example, the officials stated DHS plans to use its Suspicious Activity Reporting (SAR) shared space to share SAR data with the Department of Justice. 38 DHS has made important progress, but issues remain to effectively implement its information-sharing architecture. According to the guidance issued by the Program Manager for the ISE, agencies should align data assets with the ISE business mission processes. DHS stated that it has aligned its data assets with the ISE SAR business process and made progress in aligning data assets with the ISE Terrorist Watchlist mission business process. 39 However, it has not aligned data assets with the ISE Alerts, Warnings, and Notifications (AWN) mission business process. 40 DHS stated that it will document the AWN data assets’ alignment after the 35 Homeland Secure Data Network is a classified wide-area network for DHS that serves as a consolidated backbone that brings together multiple, legacy secret-level classified networks across DHS and provides interconnections to intelligence community and federal law enforcement resources. 36 Enterprise Service Bus is an integration technology that provides the capability to bridge disparate information technology networks and platforms. 37 Shared spaces are repositories used to make standardized terrorism-related information, applications, and services accessible to all ISE agencies and other relevant entities. 38 The Nationwide Suspicious Activity Reporting Initiative is to establish a national capacity for gathering, documenting, processing, analyzing, and sharing reports of suspicious activity that is potentially terrorism-related. 39 The ISE Terrorist Watchlist mission business process is a component of the identification and screening mission process and encompasses the receiving and sharing of reported information and the nomination, export, screening, encounter, redress, and updates to the Terrorist Screening Database. The FBI’s Terrorist Screening Center maintains this database of known or suspected terrorists, which is used during security- related and other screening processes. 40 Alerts, Warnings, and Notifications refers to an ISE mission business process that supports the preparation of and ensures timely dissemination and handling of terrorism alerts and warnings among ISE participants, at appropriate security levels. Page 21 GAO-12-809 DHS Information Sharing Program Manager for the ISE issues a national-level standard that describes business context and information exchanges for AWN. According to the Deputy Program Manager for the ISE, the Office of the Program Manager plans to work with DHS and other agencies on the development of standard information exchanges for AWN in fiscal year 2013. The alignment of DHS data assets with the ISE mission business processes is important because it would support better discovery and sharing of relevant terrorism-related information. In addition, while DHS has developed a conceptual solution architecture, it has not yet determined how well its current systems and technology environment support target business and information requirements. According to guidance from the Program Manager for the ISE, ISE agencies should assess the systems and technology environment for alignment with business and information requirements. According to DHS officials, from April through July 2012, the DHS Information Sharing Environment Coordination Activity conducted an initial baseline assessment of major programs to determine whether current systems and technologies can satisfy target architecture requirements, such as business and data requirements. Also according to DHS, it will review other segment architectures (e.g., screening) being developed to assess alignment with information-sharing capabilities described in the information-sharing architecture. By taking these actions, DHS could achieve cost avoidance and cost savings in implementing the DHS information sharing environment. 41 Upcoming Information DHS’s activities to assess gaps, select initiatives, and ensure that Sharing Strategy and information-sharing programs have the capabilities needed to promote Implementation Plan Will sharing are in the early development and implementation phases. As a result, DHS is taking steps to institutionalize some of its policies and Be Important in Managing practices, including developing key strategies and plans, that will be Information-Sharing important in planning and managing its information-sharing efforts. In our Efforts September 2010 letter to DHS, we stated that DHS should develop a strategy and commensurate plans to achieve its information-sharing mission, among other things. According to DHS officials, the department is taking steps to update and develop other strategies and related plans in 41 Additional information on the status of the Information Sharing Environment Coordination Activity’s efforts is discussed later in this report. Page 22 GAO-12-809 DHS Information Sharing addition to its list of key information-sharing initiatives that could address steps we have identified for DHS to take in information sharing. For example, as discussed earlier in this report, DHS is working to update the DHS Information Sharing Strategy, in part to be consistent with governmentwide efforts to update the related National Strategy. DHS officials stated that they expect to issue the updated strategy after the National Strategy is released, although the date of this latter action is uncertain. In deliberating on the updates, DHS is working to ensure that the DHS strategy outlines its information-sharing vision and mission, and addresses important components, such as goals and objectives on sharing and safeguarding information, methods it plans to achieve key outcomes as well as manage any potential risks, and steps it plans to take to ensure efforts receive the resources they need. Subsequent to releasing its strategy, DHS plans to release the Information Sharing and Safeguarding Implementation Plan within 90 days that is to describe in more detail how DHS will implement its strategy and include related milestones for the efforts described in the plan. We will continue to monitor implementation of these strategies and plans for taking corrective actions to improve information sharing. DHS is tracking the progress key information-sharing initiatives are DHS Has Taken Steps making toward interim milestones but the department generally does not to Track Information- track when the initiatives will be completed, so as to make course corrections if completion dates are delayed, or assess what impact they Sharing Efforts, but are having on achieving needed sharing. DHS also has taken several Has Not Yet Fully steps to implement the information-sharing capabilities it needs to share Assessed How They information but has not yet defined the level of capabilities that initiatives and other programs must have in place to help it achieve the Have Improved department’s information-sharing vision. Customer feedback can help Sharing assess information sharing by indicating how useful customers find the products DHS disseminates; DHS has taken steps to survey its customers to determine their satisfaction as well as assess their needs. DHS has not yet developed measures that determine the impact of sharing on its homeland security efforts, but plans to develop more meaningful ways to assess information-sharing results and progress toward achieving its vision. Page 23 GAO-12-809 DHS Information Sharing DHS Is Tracking Progress Our work has shown that being able to track the progress of initiatives of Key Initiatives but Does that address program barriers as well as assess the effectiveness of Not Track Completion initiatives, or the results they achieve, can help agencies minimize the risks in key programs such as information sharing. 42 DHS is tracking the Dates or Assess Impacts implementation progress of key information-sharing initiatives, but the on Information Sharing department does not track how close the initiatives are to completion and could better assess how the initiatives are improving information sharing or helping DHS achieve its 2015 vision, which includes ensuring that the right information gets to the right people at the right time. DHS has developed a tool to track implementation of key information- sharing initiatives, referred to as Roadmap Quad Charts, but it does not include information on how close the initiatives are to completion. According to I&A documents, the purpose of the charts is to report an initiative’s implementation progress to the board. Components are responsible for providing the information tracked in the charts and submitting monthly updates to I&A. The tool contains an overall health indicator, key milestones, risks, and other data, as shown in figure 4. 42 GAO-01-159SP. Page 24 GAO-12-809 DHS Information Sharing Figure 4: Generic Quad Chart for Key Information-Sharing Initiatives The left quadrants of the chart define interim activities and milestones, and track progress toward both. Components categorize the health of each initiative as having no impediments (green), or that its progress has slowed (yellow) or stopped (red). The right quadrants contain narrative information, including issues facing the initiative—such as inadequate funding or technological or legal difficulties encountered—and risks to Page 25 GAO-12-809 DHS Information Sharing progress, such as the impact of an initiative’s inability to meet time frames. 43 The board reviews the Quad Charts on a quarterly basis to track and oversee progress, and can question components on the initiatives and the status of milestones. For example, one initiative (Common Operating Picture/User-Defined Operating Picture Integrated Project Team) experienced challenges in setting milestones, which was reflected in its chart. Subsequently, the board pushed the relevant components to set more aggressive milestones, and, as a result, DHS expects to begin transitioning components from over 20 different common operating pictures to about 5 common operating pictures in March 2013, which, according to DHS officials, is earlier than would have been possible without the board’s involvement. When the transition has been completed, DHS will have streamlined the applications that collect, share, and display the information components need to plan for and respond to threats and hazards, which will increase efficiencies, according to DHS officials. The Quad Charts track progress that initiatives are making toward interim activities and milestones, but do not include information regarding completion dates or what difference the initiatives are making in improving information sharing. For example, a LEISI program official said that LEISI identifies milestones for the charts that can be accomplished each year, but the LEISI chart does not show how much closer that year’s targets will advance the initiative toward completing its information- sharing functions. Including completion dates in the charts could help the board better understand the overall progress initiatives made, make more informed decisions on which initiatives it will advocate should receive additional funding, and generally provide better oversight by holding components accountable for these completion dates. In addition, the charts do not provide information on how effective initiatives have been. For example, the charts do not provide a sense of any improvements in how ICE shares law enforcement information with key stakeholders as a 43 The charts only track progress on the information-sharing portions of component programs and not the overall programs. For example, CBP and ICE are updating the system they use to track and manage cases involving decisions about whether individuals planning to enter the United States are admissible or pose a security threat (TECS Modernization). While CBP and ICE are responsible for managing the overall program, the board uses the Quad Chart to track progress on efforts to share information from the system with internal and external customers. Page 26 GAO-12-809 DHS Information Sharing result of implementing LEISI, such as how many more data sets are available to share or the increase in the number of users with access to these data sets. Including such information in the Quad Chart could help the board assess how initiatives improve DHS information sharing, including the impact of any risks identified in the chart. According to DHS officials, the lower left quadrant of the chart is intended to show longer- term activities and milestones leading toward completion, but our review shows that 15 of the 18 initiatives did not have completion milestones as of June 2012. DHS officials stated that it will not be possible to identify completion dates for some initiatives, such as for CHISE, because they are in the early planning stages and responsible components cannot yet estimate their completion. Moreover, other initiatives, such as the Nationwide Suspicious Activity Reporting Initiative, are secretarial priorities that DHS will not remove from the list of key initiatives because they are ongoing initiatives with no date for completion. DHS officials recognize they need to better track the progress of key initiatives and assess how they affect sharing with customers, but related efforts are just beginning and DHS did not have further details on what changes they will make. Program management practices note the importance of establishing a timeline for program milestones and deliverables, including when a program is complete, which helps lay the groundwork for the program and position it for successful execution. These practices also note that it is important to track intermediate and final results of a program as well as the benefits a program delivers, which helps ensure the organization will realize and sustain the benefits from its investment. 44 We recognize that completion dates cannot be provided in each case. However, determining and documenting initiative completion dates and assessing how initiatives affect sharing, where feasible, would help the board better track progress in implementing the initiatives, make any necessary course corrections if completion dates are delayed, and demonstrate how initiatives enhance information sharing and homeland security. 44 Project Management Institute, The Standard for Program Management®. Page 27 GAO-12-809 DHS Information Sharing DHS Is Assessing In addition to identifying and tracking key information-sharing initiatives it Technology and Fusion needs to implement, DHS has also taken several steps to assess the Center Capabilities capabilities that programs need so that key partners can access and share information the department owns. First, DHS has begun to assess Needed to Share the extent to which its technology programs have implemented critical Information, but Could information-sharing capabilities. DHS officials stated that from April Better Determine How through July 2012, the Information Sharing Environment Coordination Technology Capabilities Activity conducted initial baseline assessments of approximately 160 Are Helping Achieve 2015 technology programs, systems, and initiatives—which include the key Vision information-sharing initiatives—to determine the extent to which they have critical information-sharing capabilities in place. Capabilities include, for example, ways to determine that a user who is trying to access DHS information is authorized to access it and the ability to subsequently audit or track who has accessed this information. 45 DHS officials noted that the Office of the CIO and board plan to track the progress that individual information-sharing programs and initiatives achieve in implementing these capabilities, as applicable, and develop a mechanism to provide DHS better visibility over the capabilities that programs have implemented and still need to implement. DHS officials stated that they plan to introduce this capability-tracking mechanism in early 2013. DHS’s planned capability-tracking mechanism may not include an important step to help DHS determine its progress toward its 2015 information-sharing vision. The Information Sharing Segment Architecture Transition Plan discusses major milestones and time frames for implementing the critical capabilities in order for DHS to achieve its information-sharing vision by 2015. However, this plan does not detail— and DHS officials said that they have not determined—the specific capabilities each particular program must implement for DHS to conclude that it has improved information sharing enough to achieve the 2015 information-sharing vision. For example, the transition plan notes that DHS is to have begun developing the framework for establishing how to 45 The seven critical capabilities are (1) information sharing environment governance and implementation; (2) service-oriented architecture, which is to help the department move away from manual data exchanges and more quickly exchange information; (3) identity, credential, and access management; (4) electronic directory services, which allow users to find the location of people, organizations, and data across security domains within DHS and with partners; (5) discovery service, which provides a repository for information- sharing agreements, among other things; (6) delivery service; and (7) user presentation/interface. According to DHS officials, not all programs will need to implement all of the capabilities. Page 28 GAO-12-809 DHS Information Sharing authorize user access by the end of fiscal year 2012, but it does not include which programs this capability is relevant for, and how many of them must implement this capability for DHS to be able to conclude that it has made meaningful progress in that capability by 2015. DHS officials recognize the importance of measuring progress toward the 2015 vision, but the department’s efforts to define critical capabilities are new and it has not yet taken this step. Including this step in the department’s efforts to develop its capability-tracking mechanism would help DHS better understand which programs to prioritize to improve information sharing. Our past work and the experience of leading organizations have demonstrated that measuring performance allows organizations to track progress they are making toward intended results—including goals, objectives, and targets they expect to achieve—and gives managers critical information on which to base decisions for improving their programs. 46 The Information Sharing Environment Coordination Activity charter also notes that this group is to provide the board with the ability to prioritize and oversee steps DHS is taking to achieve its information- sharing vision. Determining the specific capabilities certain programs must implement in order for DHS to achieve its 2015 vision and subsequently tracking annual progress could help DHS prioritize programs and track and assess progress toward ensuring that the right information is getting to the right people at the right time to meet their homeland security responsibilities. Second, in addition to tracking the capabilities of its own programs, DHS, in conjunction with the Department of Justice, is collecting information on the extent to which fusion centers are putting in place certain capabilities that the two agencies and other federal interagency partners have determined are critical for ensuring these centers can effectively operate in a national information-sharing network. States and major urban areas originally created fusion centers to provide information about threats within the centers’ jurisdictions. The federal government, particularly through DHS, has been leveraging such centers to further disseminate federal information on threats and to collect information on threats and pass it on to federal agencies, among other things. I&A collaborated with the fusion center directors and their interagency partners to design and 46 For example, see GAO-05-927, and Program Evaluation: Studies Helped Agencies Measure or Explain Program Performance, GAO/GGD-00-204 (Washington, D.C.: Sept. 29, 2000). Page 29 GAO-12-809 DHS Information Sharing implement the 2011 Fusion Center Assessment, which is to help DHS track the progress of fusion centers in achieving key capabilities. These include the capability to receive, analyze, and further disseminate information on terrorist threats and crimes that can be precursors to terrorism. DHS completed its initial assessment in October 2011 and issued a report on its results in June 2012. 47 The assessment found that overall capability scores for the 72 fusion centers that participated ranged from 29 to 97 out of 100, with an average score of 77. The report stated that the national network is a long-term investment and made recommendations on how DHS and its federal interagency partners can help fusion centers fill gaps over the next 4 years. DHS officials said that they will look at trends in individual fusion center scores to identify what capability gaps exist across the National Network of Fusion Centers and work with centers to focus any federal resources they receive on filling these gaps. DHS plans to monitor the improvements that centers make over time in filling capability gaps as an indicator of the effectiveness of fusion centers. Third, as part of its continued efforts to integrate the various components that were folded into DHS when it was created, I&A led an effort to review all of the legacy information-sharing agreements that different components had in place to help ensure components had the capability to share information seamlessly with each other. To track the progress of this effort, DHS developed a performance measure on the percentage of existing external information-sharing and access agreements that allow for sharing of information with all DHS components that have an authorized purpose for that information. 48 For example, if ICE had an agreement with a foreign country to share law enforcement information, other DHS components that have an authorized purpose for that information would also have access to that information. DHS increased the percentage of agreements that provided for sharing across all of DHS from less than 3 percent in fiscal year 2009 to 97 percent in fiscal year 2012, which exceeded the fiscal year 2012 target of 85 percent. As a result, DHS officials stated that the department plans to retire this performance measure and replace it with one that measures the 47 DHS, 2011 National Network of Fusion Centers: Final Report (Washington D.C.: May 2012). 48 Information-sharing and access agreements are vehicles used by DHS to exchange, receive, and share information from external (non-DHS) parties. Page 30 GAO-12-809 DHS Information Sharing outcomes of executing these agreements. Specifically, DHS plans to assess customer satisfaction of the recipients of multiple data sets received through these agreements beginning in October 2012. Customer Feedback Can DHS’s key initiatives and capabilities should help to increase the Provide Perspectives on department’s ability to make components’ information available to the Usefulness of important customers, and to disseminate components’ products and reports created for these customers. 49 However, determining whether the Information Shared right people have the right information at the right time requires obtaining views from customers about the accuracy, usefulness, and timeliness of information provided and shared. DHS components are in the process of implementing customer feedback mechanisms that should help to provide customers’ perspectives of how well DHS is meeting its 2015 vision. Information and Intelligence DHS has taken steps to survey customers to measure how satisfied they Products are with the information and intelligence products that DHS components disseminate, such as homeland security assessments and homeland information notes. 50 Such customer satisfaction data are important measures that help to gauge the usefulness of the information provided. DHS recognizes that there is a potential for bias in survey results, but DHS is taking steps to obtain feedback in additional ways, such as meeting with its customers to assess their needs, as a means to improve intelligence products. DHS measures customer satisfaction by attaching surveys to information and intelligence products or sending surveys separately to customers following the dissemination of a product. I&A and TSA have developed and implemented surveys that gauge customer satisfaction with the usefulness of information in these products and other DHS intelligence 49 For the purposes of this report, DHS customers are entities that consume DHS intelligence products. These entities include federal, state, local, tribal, territorial, and private sector partners. In addition, DHS components consume intelligence products developed and distributed by other DHS components, such as I&A. 50 Homeland security assessments provide in-depth analysis based on detailed research. Homeland security notes provide information or analysis on a recent or current event or development of interest to DHS customers. Page 31 GAO-12-809 DHS Information Sharing components are following suit. 51 Component surveys include a common question that asks customers to rate satisfaction on a five-point scale— very satisfied, somewhat satisfied, neither satisfied nor dissatisfied, somewhat dissatisfied, or very dissatisfied—and DHS customer satisfaction performance measures report the percentage of intelligence products rated somewhat satisfied or very satisfied. DHS plans to aggregate survey results on this question from across the DHS Intelligence Enterprise components, use the data as a gauge on how the information provided contributed to success in achieving goals for missions areas—such as preventing terrorist attacks—and publish the results in the department’s Annual Performance Report as performance measures, beginning in 2013. For example, TSA disseminated about 11,000 incident reports that pertain to preventing terrorist attacks during the first two quarters of 2012 and received about 5,800 responses. Over the same time period, I&A distributed 41 reports pertaining to preventing terrorist attacks and received over 700 responses. 52 These data show that customers who responded to the surveys said that they were generally satisfied with the reports they reviewed during that time frame. I&A data for fiscal year 2011 also show that customers said they were generally satisfied with products disseminated that year. These customer feedback mechanisms should help to provide customers’ perspectives of how well DHS is meeting its 2015 vision. However, I&A recognizes that the survey results may not be representative of the entire population of customers that received those products because customers voluntarily choose whether or not to provide feedback. In internal documents and external reports on customer feedback, such as the I&A annual report to Congress, I&A cautions readers that survey results are subject to bias that prevents the organization from drawing conclusions about the entire I&A customer 51 As of June 2012, U.S. Citizenship and Immigration Services—the agency responsible for overseeing lawful immigration to the United States—and ICE have also implemented a survey but have not received any feedback to support the associated performance measures. Ultimately, the survey will also be used by the Coast Guard and CBP. 52 According to DHS officials, it is not possible to calculate a response rate because they do not know how many customers have read the reports. Page 32 GAO-12-809 DHS Information Sharing population. 53 For example, a bias is created by the requirement that a customer read a product in order to take the survey—meaning that the feedback of those who read the product and chose to provide feedback may not be representative of those customers that decided not to read an I&A product. Given this potential for bias in I&A data, any performance measures drawn from that data will carry that bias, providing DHS, Congress, and taxpayers with a potentially incomplete account of progress made in improving information sharing. According to DHS officials, because of technological limitations in tracking the dissemination of products, I&A does not know the number of recipients or readers of each product, which prevents I&A from knowing the full impact of this bias. I&A has taken a number of steps to obtain feedback in other ways and help ensure it provides customers with the right information at the right time. For example, according to I&A officials, I&A has initiated a core customer study designed to establish a common definition of core customers, allowing I&A to identify and directly survey representative samples of customers from across each segment on their satisfaction with I&A’s intelligence support. However, the study is in the beginning phases; thus I&A has not yet established a completion date and it is too early to evaluate the results. In addition, I&A has established a Customer Feedback Working Group to analyze feedback-related issues and devise ways to improve products. For example, on the basis of feedback that I&A products did not contain enough relevant local content, the group has begun a project to improve the regional content in intelligence products, according to I&A officials. Further, I&A conducts targeted surveys on high-interest topical issues to assess its performance on sharing terrorism-related intelligence and information. Our discussions with various DHS customers indicate varying levels of satisfaction with terrorism-related information from DHS and its components, including I&A and TSA. According to DHS officials, the department has prioritized its customers, and the department funds 53 See I&A, Voluntary Feedback from State, Local, Tribal, and Private Sector Consumers, 2010 Report to Congress (November 8, 2010). Pursuant to the Homeland Security Act of 2002, as amended, the Secretary of DHS is to submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives an annual report describing consumer feedback it obtains and, if applicable, how DHS adjusts its production of intelligence products in response to such consumer feedback. See 6 U.S.C. § 124h(g). Page 33 GAO-12-809 DHS Information Sharing information-sharing initiatives according to these priorities. This, in turn, can affect how relevant some of the customers find DHS and its components’ information to their mission. For example, fusion centers are higher-priority customers than customers in the intelligence community, such as the FBI, according to the I&A Strategic Plan. As a result, DHS officials stated that the department focuses more of its funding and initiatives on fusion centers. We interviewed senior officials from 10 state and major urban area fusion centers, ICE, ODNI, and the FBI. 54 We supplemented our discussions with additional information, such as the results of a 2012 fusion center survey about counterterrorism intelligence and our prior survey on TSA customers. 55 The results of our analysis are summarized below. • Fusion centers: Directors and other senior officials in 8 of 10 fusion centers we spoke with generally found I&A information to be useful. 56 For example, officials at 1 fusion center reported that I&A products keep officials up to date on national and global terrorism trends that may have an impact on their region. In addition, officials at another fusion center stated that reports, such as the Joint Intelligence Briefing from DHS and the FBI on the 10th anniversary of 9/11, and special assessments of security at sporting events, have helped the fusion center provide guidance to state and local law enforcement. Further, in response to an I&A report on radicalization of prison inmates, 1 fusion center’s detectives met with corrections department staff to enhance their awareness of prison radicalization and held trainings on suspicious activities and radicalization indicators. Moreover, officials at this center noted that the timely dissemination of reports has improved, that reports are more specific to regional needs than in the past, and that I&A has responded to fusion center feedback. However, officials at 2 other fusion centers we met with stated that I&A information was not always timely. These officials 54 Because we selected a nonprobability sample of customers to contact, the information we obtained may not be generalized to all customers. We discussed with these entities their satisfaction with information from DHS components, and I&A specifically, but not all entities provided responses for each of these sources of information, and others provided satisfaction with the department as a whole. 55 GAO, Transportation Security Information Sharing: Stakeholders Generally Satisfied but TSA Could Improve Analysis, Awareness, and Accountability, GAO-12-44 (Washington, D.C.: Nov. 21, 2011). 56 Two fusion centers did not directly answer the question. Page 34 GAO-12-809 DHS Information Sharing reported that sometimes, I&A information is already available through media outlets or other information sources. According to one official, although this practice can be considered a method to verify the recent news media information, the volume of information tends to flood the network and can lead to reduced attention being paid to I&A products. In addition, officials at 2 fusion centers we met with reported that I&A distributes too many reports that are not specific to their region. Further, results from a 2012 Homeland Security Policy Institute survey that asked fusion center staff to order their most important sources of information suggest that DHS may have opportunities to better meet customer needs. 57 On the basis of the fusion center officials who responded—which, according to survey authors come from traditional law enforcement backgrounds that may influence their rankings—DHS ranked sixth after sources such as law enforcement and Joint Terrorism Task Forces. Other sources, such as the National Counterterrorism Center and other fusion centers, ranked lower than DHS. 58 • TSA customers: We previously reported on the extent to which TSA customers are satisfied with the security-related information products they receive and found that they were generally satisfied. 59 Specifically, TSA has developed a series of products to share security-related information with transportation stakeholders, such as annual modal threat assessments that provide an overview of threats to each transportation mode—including aviation, rail, and highway— and related infrastructure. Fifty-seven percent of the customers we surveyed (155 of 275 who answered this question) indicated that they were satisfied with the products they receive. • ICE: ICE directors and analysts in the Homeland Security Intelligence Office did not comment on the information contained in I&A reports, but noted that they were generally dissatisfied with I&A reports primarily because they found it difficult to determine which reports are most relevant to their needs. For example, the officials stated that I&A is not proactive in informing ICE about the products it completes and 57 The George Washington University Homeland Security Policy Institute, Counterterrorism Intelligence: Fusion Center Perspectives (Washington D.C.: June 2012). 58 The survey results are based on a nonprobability sample. Although these results are not generalizable, they indicate variability in satisfaction among DHS’s customer base. 59 GAO-12-44. Page 35 GAO-12-809 DHS Information Sharing would find useful. ICE officials stated that connectivity and access to I&A products have improved since 2010, but the ease of finding these products and understanding what is relevant to ICE remains problematic. • ODNI: ODNI officials stated that they were generally satisfied with the department’s responsiveness to information needs and that collaboration with DHS has improved since 2010. For example, if circumstances necessitate ODNI obtaining passenger manifest data, DHS provides such information more quickly than in the past. In addition, ODNI has successfully used DHS data to counter potential terrorist threats. For example, by cross-checking refugee application data from DHS with other data, ODNI has facilitated numerous arrests and removed over 500 people who posed a potential threat from the refugee stream prior to their arrival in the United States. However, ODNI officials stated that some DHS intelligence reports are not timely enough for their needs. Further, DHS’s finished intelligence products are generally not as valuable to the intelligence community because they are generally written for state and local customers. 60 • FBI: Two FBI headquarters divisions responsible for sharing terrorism- related information reported on their satisfaction with information from DHS. Specifically, officials from one of the two FBI divisions reported that, overall, the division was neither satisfied nor dissatisfied with I&A information, and officials from the other division reported their division was somewhat satisfied. These same officials also reported that they were very satisfied with the information received from CBP, ICE, and TSA. For example, the FBI officials reported that its Counterterrorism Division and ICE have enhanced the consistency with which information is shared and have worked toward a transparent and coordinated effort for developing, sharing, and distributing terrorism- related information. The FBI reported that DHS intelligence products are generally not produced for the FBI’s use specifically, and that the FBI collaborates with DHS to develop reports on a variety of topics, such as potential terrorist attacks. Reports Responding to DHS also monitors the extent to which I&A finished intelligence products Customer Needs address issues that state, local, and tribal customers deemed as most 60 Finished intelligence has been reviewed and correlated with data from other available sources. Page 36 GAO-12-809 DHS Information Sharing critical to their needs, which could increase customer satisfaction with products. Customers articulate their critical needs based on 10 threat- based categories, such as Terrorism and Illicit Drug Operations. 61 I&A tags its intelligence products and information reports with relevant “standing information needs” prior to distribution, which enables I&A to monitor the extent to which I&A is distributing products and reports that match customers’ needs. 62 The 2011 annual performance report shows that I&A determined that 85 percent of finished intelligence products were directly responsive to its state, local, and tribal customers’ information needs, which met the performance target for this measure. I&A data show that the department reached similar conclusions during the first two quarters of 2012. 63 According to DHS officials, additional components are beginning to tag their information reports and intelligence products with relevant standing information needs, which will enable DHS to assess departmentwide contributions to addressing crucial customer needs. Requests for Information I&A also provides customers with information based on specific requests and collects data on the extent to which I&A is timely in its responses and customers are satisfied with those responses. Customer satisfaction is based on three factors: quality of communication, the accuracy of the information provided, and satisfaction with the process. Specifically, customers request certain information from I&A—such as background information for a person of interest—and I&A officials are to respond to that request by an agreed-upon time frame. 64 The 2011 annual performance report shows that I&A answered 85 percent of requests 61 According to an I&A official, going forward, DHS will not report this measure externally because management decided the measure does not broadly apply to the department. However, I&A plans to continue to track the measure and use it for decision making. 62 I&A defines these critical needs as “any subject, general or specific, for which there is a continuing need for intelligence, which will establish a foundation for guiding intelligence collection efforts and reporting activities.” Examples include the need for information on individuals or groups that are capable of attacking critical infrastructure and key resources, and emerging cross-border connections between transnational criminal organizations or gangs. 63 First quarter 2012 data show that 87 percent of DHS reports were directly responsive to its customers’ information needs, while second quarter results were 85 percent. 64 DHS also collects customer satisfaction data on requests customers send to the National Operations Center. This entity collects and fuses information from more than 35 federal, state, territorial, tribal, local, and private sector agencies. The National Operations Center coordinates information sharing to help deter, detect, and prevent terrorist acts and to manage domestic incidents. Page 37 GAO-12-809 DHS Information Sharing within the time frame I&A and the customer agreed upon to the customer’s satisfaction. Since I&A is currently updating this measure to include other DHS entities, 2012 is a baseline year that the department plans to use to evaluate the extent to which timeliness and satisfaction of information requests are improving over time. Therefore, this measure should help DHS determine to what extent customers are getting the right information at the right time. Carrying Through on Plans DHS has plans that could help it better assess the impact of the to Develop More department’s information sharing on homeland security. After DHS Meaningful Ways to Assess releases its new Information Sharing and Safeguarding Strategy, the department plans to develop and implement a new DHS sharing and the Impacts of safeguarding performance management program that is to include the Information-Sharing development of performance measures that determine the outcomes its Efforts Will Be Important information sharing is to achieve. Our work has shown that DHS is evolving from utilizing process measures that are relatively easy to implement—for example, counting the number of issued reports—to more meaningful measures that determine customer satisfaction with the usefulness of the information provided. 65 Demonstrating results is a standard practice in performance measurement. DHS continues to recognize that it must develop measures that demonstrate the results of its efforts, and department officials noted that such measures will be a crucial part of the Information Sharing and Safeguarding Implementation Plan the department is to develop. Specifically, the department’s draft planning documents note that the board is to develop information-sharing outcome measures to determine whether federal and nonfederal customers receive DHS information that is timely, accurate, trusted, and useful; meets their needs; and contributes to securing the homeland. For example, DHS could enhance its customer satisfaction performance measures by asking customers what difference the product they reviewed 65 See, for example, GAO, Information Sharing: DHS Could Better Define How it Plans to Meet Its State and Local Mission and Improve Performance Accountability, GAO-11-223 (Washington D.C.: Dec. 16, 2010); Aviation Security: A National Strategy and Other Actions Would Strengthen TSA’s Efforts to Secure Commercial Airport Perimeters and Access Controls, GAO-09-399 (Washington, D.C.: Sept. 30, 2009); and Department of Homeland Security: Progress Report on Implementation of Mission and Management Functions, GAO-07-454 (Washington, D.C.: Aug. 17, 2007). Performance measures can be categorized as (1) output measures, which describe the direct products or services delivered by a program or activity; (2) process measures, which address the type or level of program activities conducted, such as timeliness or quality; or (3) outcome measures, which describe the results of carrying out a program or activity. Page 38 GAO-12-809 DHS Information Sharing made on their ability to ensure a safe and secure homeland. The board is also to develop measures that assess the impact of information sharing on preventing terrorism and enhancing security, as well as other missions. Further, the board is to develop measures that assess the degree of budget and outcome alignment, and calculate the cost of achieving information-sharing outcomes and target levels of performance. 66 We will continue to monitor DHS’s efforts to assess the results and impact of its sharing efforts. Our work has shown that having the ability to monitor progress and demonstrate results helps to lower the risks posed from implementing programs critical to the nation, such as the sharing of information on terrorist threats. Executing its plans to develop better measures should help DHS assess the progress in sharing information and monitor the extent to which the department is achieving its 2015 vision to provide the right information to the right people at the right time. Ensuring that terrorism-related information is shared in an efficient Conclusions manner with stakeholders across all levels of government, the private sector, and foreign countries is a challenging and critical task. DHS has demonstrated a strong commitment to advance information-sharing efforts; its key information-sharing initiatives have made progress, and most have met interim milestones. The department has also taken steps to track its information-sharing efforts and developed information-sharing performance measures that monitor the effectiveness of some information-sharing efforts. However, additional steps could help DHS sustain these efforts. For example, in its Roadmap Implementation Guide or other policies and procedures, documenting processes for identifying information-sharing gaps and the results; documenting and implementing a process for analyzing the root causes of those gaps; and establishing and documenting a process for potential future use for identifying, assessing, and mitigating the risk of removing an incomplete initiative from the list would provide DHS with an institutional record to better replicate, and therefore sustain, its information-sharing efforts. Moreover, defining the milestones that initiatives must achieve in order to be 66 According to DHS officials, these plans are tied to the forthcoming DHS Information Sharing and Safeguarding Strategy and its associated implementation plan. As noted earlier in this report, DHS officials stated that they are waiting to release this strategy until after the new National Information Sharing and Safeguarding Strategy is released. Page 39 GAO-12-809 DHS Information Sharing considered complete and determining what difference the initiatives are making in information sharing could help the board better track progress in implementing the initiatives, make any necessary course corrections, and make future investment decisions. Further, determining the specific capabilities certain programs must implement in order for DHS to achieve its 2015 vision and subsequently tracking annual progress toward achieving these capabilities could help DHS prioritize programs and investments, and track and assess progress toward meeting homeland security responsibilities. We recommend that the Secretary of Homeland Security take the Recommendations for following five actions. Executive Action • To address information-sharing gaps and risks, direct the Information Sharing and Safeguarding Governance Board to, in either its Roadmap Implementation Guide or other related policies and procedures, • document its processes for identifying information-sharing gaps and the results; • document and implement a process for analyzing the root causes of those gaps; and • establish and document processes for identifying and assessing risks of removing initiatives from the list, as well as determining whether other initiatives or alternative solutions are needed to mitigate any significant risks related to the relevant information- sharing gap. • To improve DHS’s ability to track and assess key information-sharing initiatives, • direct the Information Sharing and Safeguarding Governance Board to incorporate into the board’s existing tracking process milestones with time frames that initiatives must achieve to be considered complete, where feasible, and information to show the impact initiatives are having on information sharing, and • direct the Information Sharing and Safeguarding Governance Board and the Office of the CIO to include in the mechanism the board is developing to track programs’ achievement of key capabilities the specific capabilities certain programs must implement in order to achieve the department’s 2015 information- sharing vision. Page 40 GAO-12-809 DHS Information Sharing We provided a draft of this report to DHS, ODNI, and the FBI on August Agency Comments 14, 2012, for review and comment. On September 5, 2012, DHS provided and Our Evaluation written comments, which are reprinted in appendix II. In commenting on the report, DHS stated that it concurred with all five recommendations and identified actions taken or planned to implement them. DHS concurred with the first recommendation, to direct the Information Sharing and Safeguarding Governance Board to document its processes for identifying information-sharing gaps and the results. DHS stated that the department, through the board, has recently initiated an effort to draft a DHS-wide Information Sharing and Safeguarding Implementation Plan. The implementation plan is to ensure that DHS’s sharing and safeguarding activities align with the forthcoming Fiscal Year 2012–2017 DHS Information Sharing and Safeguarding Strategy. DHS stated that the templates that the department will use to develop the implementation plan will identify information-sharing and -safeguarding gaps and the anticipated results. DHS also plans to update its Roadmap Implementation Guide to provide the department with an institutional record to better replicate, and therefore sustain, ongoing and future implementation efforts to improve information-sharing and -safeguarding. DHS also concurred with the second recommendation, to direct the Information Sharing and Safeguarding Governance Board to document and implement a process for analyzing the root causes of those gaps. DHS stated that the templates that the department will use to develop the implementation plan will identify the specific root causes of information- sharing and -safeguarding gaps for the initiatives contained in the implementation plan. DHS also plans to update its Roadmap Implementation Guide to document the processes by which it identifies the root causes of the gaps. DHS stated that this effort will better ensure that the department invests in the correct information-sharing solutions and effectively reduces risks. DHS concurred with the third recommendation, to direct the Information Sharing and Safeguarding Governance Board to establish and document processes for identifying and assessing risks of removing initiatives from the list, as well as determining whether other initiatives or alternative solutions are needed to mitigate any significant risks related to the relevant information-sharing gap. DHS stated that it plans to establish and document such processes, and also plans to update its Roadmap Implementation Guide to document the processes by which it identifies and assesses risks. DHS stated that preliminary planning to address this recommendation has begun. DHS concurred with the fourth recommendation, to direct the Information Sharing and Safeguarding Governance Board to incorporate into the Page 41 GAO-12-809 DHS Information Sharing board’s existing tracking process milestones with time frames that initiatives must achieve to be considered complete, where feasible, and information to show the impact initiatives are having on information sharing. DHS stated that the board will incorporate the recommended changes into its tracking process, and that preliminary planning to address this recommendation has begun. DHS also concurred with the fifth recommendation, to direct the Information Sharing and Safeguarding Governance Board and the Office of the CIO to include in the mechanism the board is developing to track programs’ achievement of key capabilities the specific capabilities certain programs must implement in order to achieve the department’s 2015 information-sharing vision. DHS stated that the board and the Office of the CIO will include the recommended changes in the mechanism, and stated that preliminary planning to address this recommendation has begun. If fully implemented, DHS’s planned efforts will address the intent of the five recommendations. DHS and the FBI also provided us with technical comments, which we considered and incorporated in the report where appropriate. ODNI did not have comments on the draft report. We are sending copies of this report to the Secretary of Homeland Security, the Director of National Intelligence, the Attorney General, and appropriate congressional committees. This report is also available at no charge on GAO’s web site at http://www.gao.gov. If you or your staff have any questions, please contact me at (202) 512- 6510 or email@example.com. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Staff acknowledgments are provided in appendix III. Eileen R. Larence Director Homeland Security and Justice Issues Page 42 GAO-12-809 DHS Information Sharing List of Requesters The Honorable Joseph I. Lieberman Chairman The Honorable Susan Collins Ranking Member Committee on Homeland Security and Governmental Affairs United States Senate The Honorable Peter T. King Chairman The Honorable Bennie G. Thompson Ranking Member Committee on Homeland Security House of Representatives The Honorable Patrick Meehan Chairman The Honorable Brian Higgins Ranking Member Subcommittee on Counterterrorism and Intelligence Committee on Homeland Security House of Representatives Page 43 GAO-12-809 DHS Information Sharing Appendix I: Objectives, Scope, and Appendix I: Objectives, Scope, and Methodology Methodology Our reporting objectives were to review the extent to which the Department of Homeland Security (DHS) (1) has made progress since 2010 in achieving its information-sharing mission, and what related challenges exist, if any, and (2) tracks and assesses information-sharing improvements. 1 To determine the extent to which DHS has made progress in achieving its information-sharing mission, we analyzed relevant strategic planning documents, such as DHS’s January 2011 Integrated Strategy for High Risk Management, the DHS Information Sharing Strategy, the 2007 National Strategy for Information Sharing, and the Office of Intelligence & Analysis (I&A) Strategic Plan 2011-2018. 2 In addition, to determine the extent of DHS leadership’s demonstrated commitment to information sharing, we analyzed documents related to DHS’s governance structure for information sharing, including charters that are current as of September 2012 and meeting minutes for relevant governing bodies from January 2011 through April 2012. To determine the extent to which DHS has developed information-sharing plans and identified key efforts, we analyzed documents related to DHS’s plans and initiatives for sharing, such as DHS’s list of key information- sharing initiatives, and analyzed documents from one initiative—the Law Enforcement Information Sharing Initiative (LEISI)—which is led by DHS’s U.S. Immigration and Customs Enforcement (ICE). We selected this initiative as an example case study of DHS’s actions related to information-sharing initiatives because it is a priority initiative and an established program. 3 To determine the extent to which DHS’s other key information-sharing initiatives have made progress, we analyzed DHS documents tracking those initiatives. To determine the extent to which DHS has the resources needed to achieve its information-sharing mission, we analyzed documents related to DHS’s budget, including the DHS fiscal year 2013 Budget in Brief, and the funding status of key information-sharing initiatives. To determine the extent to which DHS has the technology needed for information sharing, we analyzed documents related to DHS’s technology framework for information sharing, such as 1 Although the high-risk area focuses on sharing terrorism-related information, many of the programs and efforts discussed in this report relate to DHS’s efforts to share types of information beyond terrorism-related information. 2 While DHS has made recent efforts to also improve the safeguarding of information, this was outside the scope of our review and is therefore not addressed in this report. 3 LEISI was 1 of DHS’s 18 key information-sharing initiatives as of September 2012. Page 44 GAO-12-809 DHS Information Sharing Appendix I: Objectives, Scope, and Methodology the Information Sharing Segment Architecture Transition Plan, among other things. In addition, we interviewed program officials within DHS’s I&A to obtain information on the department’s information-sharing mission, goals, programs, activities, and funding; the Segment Architecture; efforts to improve terrorism-related information sharing; and related challenges. We interviewed ICE officials about LEISI’s progress and their experiences working with I&A on improving DHS’s information sharing. To determine the progress DHS has made on the technology framework for information sharing and on the funding of information-sharing programs, we interviewed officials from DHS’s Office of the Chief Information Officer (CIO). We assessed DHS’s plans and efforts against Standards for Internal Control in the Federal Government and criteria that we use in assessing high-risk issues. 4 We also reviewed DHS’s efforts related to its Segment Architecture against our prior report and federal guidance on defining architecture content. 5 To determine the extent to which DHS tracks and assesses information- sharing improvements, we analyzed relevant strategic planning documents, such as the I&A Strategic Plan for fiscal years 2011-2018 and the February 2010 Quadrennial Homeland Security Review (QHSR). Furthermore, to determine how DHS tracks progress and results in its information-sharing initiatives, we analyzed documentation and examples of DHS’s tracking mechanisms for its information-sharing efforts. We analyzed documentation and data on DHS’s performance measures for fiscal years 2011 and 2012 to determine the extent to which DHS is monitoring the effectiveness of information sharing. We also used these DHS performance measurement data to determine if DHS could demonstrate progress in information sharing by analyzing data for customer feedback and customer information needs, among other areas. To assess the reliability of the data obtained from DHS, we analyzed performance measurement documentation and interviewed officials knowledgeable about the controls over the integrity of the data. On the basis of our assessments, we determined that the performance measurement data were sufficiently reliable for the purposes of this 4 See GAO/AIMD-00-21.3.1 and GAO-01-159SP. 5 See GAO-11-455. See also Federal Segment Architecture Working Group, Federal Segment Architecture Methodology Version 1.0, December 2008. Page 45 GAO-12-809 DHS Information Sharing Appendix I: Objectives, Scope, and Methodology report. In addition, we interviewed program officials within I&A and from DHS’s Office of the CIO on I&A’s and DHS’s progress in sharing terrorism-related information, and on mechanisms they use to monitor effectiveness. To supplement the steps we took to assess how DHS tracks and assesses information-sharing improvements, we also obtained information from various customers of DHS’s information sharing on the usefulness of I&A and other DHS components’ products. Specifically, we obtained information from 10 of 77 fusion center customers, 1 of 7 DHS operational components who participate in the DHS Intelligence Enterprise, and 2 of DHS’s 16 intelligence community customers. 6 We interviewed or received written input from directors and other senior officials from 10 fusion centers—where states and major urban areas collaborate with federal agencies to improve information sharing— including the President of the National Fusion Center Association. The national network of fusion centers is the hub of much of the two-way intelligence and information flow between the federal government and state, local, tribal and territorial partners, making fusion centers key customers of I&A’s intelligence reports. Because we selected a nonprobability sample of fusion centers to contact, the information we obtained from these locations may not be generalized to all fusion centers nationwide. However, because we selected these centers based on, among other things, geographic dispersion and variation in risk based on the Department of Justice’s (DOJ) 25 Cities Project, the information we gathered from these locations provided us with an understanding of similarities and differences in fusion centers’ satisfaction with DHS’s information sharing across different centers. 7 We interviewed ICE officials 6 According to the Under Secretary for Intelligence and Analysis, departmental intelligence programs, projects, activities, and personnel—including the intelligence elements of key operational components, as well as I&A—make up the DHS Intelligence Enterprise. 7 The 25 Cities Project refers to the High-Risk Metropolitan Area Interoperability Assistance Project, a DOJ Wireless Management Office grant program that identified the top 25 metropolitan areas that were considered likely targets for terrorist attack and provided communication solutions to federal and local authorities such as fire, police, and emergency medical services. Projects differ from city to city. Page 46 GAO-12-809 DHS Information Sharing Appendix I: Objectives, Scope, and Methodology from the Homeland Security Investigations and Intelligence office 8 and officials from the Office of the Director of National Intelligence’s (ODNI) National Counterterrorism Center (NCTC). 9 Further, we received written input from two headquarters divisions of the Federal Bureau of Investigation (FBI) that are responsible for sharing terrorism-related information. We selected ICE, ODNI, and the FBI because they are key customers of DHS’s intelligence products or partner with I&A to create these products. ICE is a DHS component that shares terrorism-related information and leads two of DHS’s key information-sharing initiatives. ODNI and the FBI are federal agencies that have key roles in analyzing terrorism threats to the United States and jointly issue products with DHS. The FBI also has the primary role in carrying out investigations within the United States of threats to national security. The views of ICE, ODNI, and the FBI are not generalizable to all of DHS’s federal customers, but they provided us with a general understanding of the perspectives about DHS’s information sharing held by different customer types nationwide. To supplement these views, we reviewed our prior work on DHS customer satisfaction and analyzed a report from a survey on information sharing conducted by the George Washington University Homeland Security Policy Institute and discussed the report with a representative who conducted the survey. 10 In January and February 2012, the institute administered a 78 question self-completion survey to individuals working in 72 state and major urban area fusion centers, and 71 individuals voluntarily took the survey. On average, 48 to 49 individuals answered each question. Our analysis included reviewing the methodology and assumptions of the study, and discussing the study’s scope and conclusions with the George Washington University Homeland Security 8 ICE’s Homeland Security Investigations directorate is responsible for investigating a wide range of domestic and international activities arising from the illegal movement of people and goods into, within, and out of the United States. The Homeland Security Investigations Intelligence Office is an intelligence force that supports the enforcement needs of ICE’s executive leadership and operational field units. 9 NCTC serves as the primary organization in the federal government for integrating and analyzing intelligence pertaining to counterterrorism, except for information pertaining exclusively to domestic terrorism. NCTC integrates foreign and domestic analysis from across the intelligence community and produces a wide range of detailed assessments designed to support senior policymakers and other members of the policy, intelligence, law enforcement, defense, homeland security, and foreign affairs communities. 10 See GAO-12-44 and the George Washington University Homeland Security Policy Institute, Counterterrorism Intelligence: Fusion Center Perspectives. Page 47 GAO-12-809 DHS Information Sharing Appendix I: Objectives, Scope, and Methodology Policy Institute. 11 As a result of our review and analysis, we determined that the study and its results were appropriate for use in our report. We assessed DHS’s mechanisms to track and assess information-sharing improvements against criteria for practices in program management. 12 We conducted this performance audit from November 2011 through September 2012 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 11 Founded in 2003, the George Washington University Homeland Security Policy Institute is a nonpartisan think tank whose mission is to build bridges between theory and practice to advance homeland security through an interdisciplinary approach. 12 For example, see Project Management Institute, The Standard for Program Management®; GAO-05-927; and GAO/GGD-00-204. Page 48 GAO-12-809 DHS Information Sharing Appendix II: Comments from the Department Appendix II: Comments from the Department of Homeland Security of Homeland Security Page 49 GAO-12-809 DHS Information Sharing Appendix II: Comments from the Department of Homeland Security Page 50 GAO-12-809 DHS Information Sharing Appendix II: Comments from the Department of Homeland Security Page 51 GAO-12-809 DHS Information Sharing Appendix III: GAO Contact and Staff Appendix III: GAO Contact and Staff Acknowledgments Acknowledgments Eileen R. Larence, (202) 512-6510 or firstname.lastname@example.org GAO Contact In addition to the contact named above, David A. Powner (Director), Eric Staff Erdman (Assistant Director), Anh Le (Assistant Director), Paul A. Hobart, Acknowledgments Karl W. Seifert, Rebecca Kuhlmann Taylor, and Ashley D. Vaughan made significant contributions to the report. Also contributing to this report were Virginia A. Chanley, Tracy J. Harris, Eric D. Hauswirth, Kevin J. Heinz, Lisa Humphrey, Jeff R. Jensen, Justine C. Lazaro, Thomas Lombardi, Jan B. Montgomery, Jessica S. Orr, Anthony K. Pordes, and William M. Reinsberg. (441021) Page 52 GAO-12-809 DHS Information Sharing GAO’s Mission The Government Accountability Office, the audit, evaluation, and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO’s commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no Obtaining Copies of cost is through GAO’s website (http://www.gao.gov). Each weekday GAO Reports and afternoon, GAO posts on its website newly released reports, testimony, and correspondence. To have GAO e-mail you a list of newly posted Testimony products, go to http://www.gao.gov and select “E-mail Updates.” Order by Phone The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s website, http://www.gao.gov/ordering.htm. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. Connect with GAO on Facebook, Flickr, Twitter, and YouTube. Connect with GAO Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts. Visit GAO on the web at www.gao.gov. Contact: To Report Fraud, Waste, and Abuse in Website: http://www.gao.gov/fraudnet/fraudnet.htm E-mail: email@example.com Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Katherine Siggerud, Managing Director, firstname.lastname@example.org, (202) 512- Congressional 4400, U.S. Government Accountability Office, 441 G Street NW, Room Relations 7125, Washington, DC 20548 Chuck Young, Managing Director, email@example.com, (202) 512-4800 Public Affairs U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, DC 20548 Please Print on Recycled Paper.
Information Sharing: DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts
Published by the Government Accountability Office on 2012-09-18.
Below is a raw (and likely hideous) rendition of the original report. (PDF)