Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland
GAO designated terrorism-related information sharing as high risk in 2005 because the government faces significant challenges in analyzing and disseminating this information in a timely, accurate, and useful manner. GAO has since monitored federal efforts to implement the Information Sharing Environment (Environment)an approach that is intended to serve as an overarching solution to strengthening the sharing of intelligence, terrorism, law enforcement, and other information among federal, state, local, tribal, international, and private sector partners. Recent homeland security incidents and the changing nature of domestic threats make continued progress in improving information sharing critical to reducing the risks of threats to the homeland.
 See 6 U.S.C. § 485(a)(3), (b).
The Office of the Program Manager for the Environment (Program Manager) is situated within and funded through amounts appropriated to the Office of the Director of National Intelligence (ODNI). GAO has reported that the Program Manager, as well as key departmentsthe Departments of Homeland Security (DHS), Justice, State, and Defense, as well as ODNIare critical to developing and implementing the Environment and have taken steps to address the five criteria that GAO uses to determine whether an area should be removed from the high risk list. The Program Manager and departments have also taken steps to address action items that GAO identified in a June 2011 letter to the Program Manager that need to be addressed to resolve the high-risk designation. GAO has found that the federal governments leadership structure is committed to enhancing the sharing and management of terrorism-related information and has made significant progress defining a governance structure to implement the Environment. However, the federal government has not yet estimated and planned for the resources needed to resolve risks or fill gaps in the planning they have undertaken to implement the Environment. Also, the Program Manager and key departments need to more fully develop and implement some actions they have underway, such as continuing to mature a performance measurement system that focuses on results achieved in terms of improved sharing and overall homeland security. The Program Manager and key departments will also need to work collaboratively to ensure that departments terrorism-related information sharing initiatives, such as departments efforts to identify important terrorism-related data, are being appropriately leveraged to reduce gaps in sharing throughout the Environment. As a result, this issue remains high risk.
Within the context of addressing GAOs high-risk designation, the Program Manager and key departments will also need to address actions GAO identified in its June 2011 letter to the Program Manager. As shown in table 5, the Program Manager and key departments have fundamentally met two action items, made progress in addressing six of the action items, and made no substantial progress in addressing one action item. Table 6 contains the action items as well as the current status of each action item.
Table 6: Status of Action Items
Action item status
Demonstrate that the Information Sharing and Access Interagency Policy Committee has needed authority, is leveraging participating departments, and is producing results.
Update the vision for the Environmentthe information sharing capabilities and procedures that need to be in place to help ensure terrorism-related information is accessible and identifiable to relevant federal, state, local, private, and foreign partners.
Demonstrate that departments are defining incremental costs they will need to fund in order to complete their responsibilities and activities to substantially achieve the Environment.
Continue to identify technological capabilities and services that can be shared collaboratively within and across the Environment, consistent with a federated architecture approach.
Demonstrate that initiatives within individual departments are, or will be, leveraged to benefit all relevant federal, state, local, and private security stakeholders participating in the Environment.
Establish an enterprise architecture management capability and demonstrate that it will be used to guide selection of projects for substantially achieving the Environment.
No substantial progress
Demonstrate that stakeholders generally agree with the strategy, plans, time frames, and their responsibilities and activities for substantially achieving the Environment.
Demonstrate that the federal government can show the extent to which sharing has improved under the Environment, or has actions underway to more fully develop a set of metrics and processes to measure results achieved, both from individual projects and activities, as well as from the overall Environment.
Demonstrate that established milestones and time frames are being used as baselines to track and monitor progress on individual projects and in substantially achieving the overall Environment.
Leadership commitment. The federal government has a sustainable leadership structure for information sharing in place consistent with law and executive policy. In accordance with section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), as amended, the President created the Environment. Pursuant to this provision, the President designated a Program Manager to, among other things, plan for, oversee the implementation of, and manage the Environment. Also, in July 2009, the administration established the Information Sharing and Access Interagency Policy Committee (Policy Committee)composed of senior department officialsto develop policies, procedures, guidelines, roles, and standards necessary to establish, implement, and maintain the Environment. The Program Manager and the National Security Staff Senior Director for Information Sharing and Security co-chair the Policy Committee, and the five key departments participate in the committee. As co-chair, the Program Manager has influenced the departments information sharing priorities, which has helped to ensure that the leadership structure has sufficient authority to direct departments participation in the Environment.
In addition, in October 2011in response to concerns about securing data after the Wikileaks breachthe President issued an executive order that established the Senior Information Sharing and Safeguarding Steering Committee (Steering Committee). The Steering Committee is intended to exercise overall responsibility and ensure senior-level accountability for the coordinated interagency development and implementation of policies and standards regarding the sharing and safeguarding of classified information on computer networks. According to department officials, both committees collaborated on the National Information Sharing and Safeguarding Strategy to reflect this dual focus. As the leadership structure continues to evolve, it will be important to ensure that stakeholders, including executives from the key departments, continue to work together to implement Environment priorities.
Further, in 2008, GAO reported that the Program Manager had yet to determine the desired results to be achieved by the Environment and recommended that the Program Manager work with stakeholders to define the Environments vision. The Program Manager generally agreed and has since defined the Environments vision and overall mission and included it in the Information Sharing Environment 2012 Annual Report to Congress, providing stakeholders with a high-level understanding of what the Environment is intended to achieve. All five key departments concurred with the 2012 report, including the Environments vision and overall mission.
Capacity to resolve risks. In a constrained budget environment, departments are facing challenges in funding information sharing priorities. In 2011, GAO recommended that the Program Managerin coordination with the Policy Committee and the Office of Management and Budget (OMB)task the key departments to define the incremental costs needed to help ensure successful implementation of the Environment. The Office of the Program Manager generally agreed with the recommendation. Departments are submitting estimates of some related costs to OMB, such as those related to planned technology investments. However, the Program Manager and key departments have not yet identified other incremental costs they will realize in designing and implementing specific Environment initiatives, such as program management and training activities. Also, while the Office of the Program Manager can provide small amounts of startup funds for information sharing initiatives, agencies are ultimately responsible for funding most of these initiatives, and funding constraints have delayed some department efforts. For example, at least one key department has faced funding shortfalls that have delayed information sharing initiatives. DHS officials explained that information sharing initiatives are considered integral to, and not separate from, the departments fundamental mission activities and are to be funded through the DHS components respective budgets. However, in September 2012, GAO reported that five of DHSs top eight priority information sharing initiatives faced funding shortfalls, and DHS had to delay or scale back at least four of them. Thus, according to the DHS component officials, in a constrained budget environment, the departments components were faced with difficult decisions regarding how to spread funding among information sharing and other mission activities. Until the Program Manager and the key departments define the incremental costs for building out the Environment, and plan for these costs in future budget cycles or otherwise determine how initiatives will be funded or how budget shortfalls will be mitigated, it will be difficult for them to ensure that they have the needed funding capacity to implement the Environment.
The Program Manager and key departments have also taken steps to define and develop technological capabilities and services to improve information sharing and safeguarding. For example, the Office of the Program Manager is participating in efforts to develop an automated means to determine who is authorized to access data and establish a shared service for verifying user identities. The Program Manager is also promoting the adoption of standards to improve information sharing and enable improved interoperability among systems and networks. It will be important for the Program Manager and key departments to continue to develop and refine these capabilities and services, as needed.
Plans that provide corrective measures. The Program Manager and key departments have made progress in developing plans to correct shortcomings that pose risks to information sharing, but have not ensured that all department information sharing initiatives are being leveraged to benefit sharing throughout the government, or established an enterprise architecture management plan for the Environment. Specifically, they have defined projects and activities to guide Environment planning effortsincluding an implementation roadmap and related guidanceas well as department priorities and responsibilities to address known information sharing gaps. For example, the implementation roadmap calls for the development and implementation of a fusion center performance framework to guide resource allocation. Further, the Program Manager works with OMB to identify annual information sharing priorities to guide department planning efforts. OMB communicates higher-level priorities through its annual programmatic guidance, then the Program Manager issues corresponding guidancedeveloped in collaboration with the five key departmentsto provide specific actions for implementing information sharing priorities. The Program Manager has acknowledged gaps in the plans, however, including how the government will improve sharing with private sector owners and operators of critical infrastructure. In addition, according to the 2012 annual report to Congress, about half of the agencies that participate in the Environment have not implemented plans for interconnecting certain information networks that carry sensitive information for use in assessing threats. GAO recognizes that the Program Manager and key departments will need to continue developing plans and guidance as new priorities emerge. For example, the National Strategy for Information Sharing and Safeguarding (Strategy) was published in December 2012 and identified a number of priority objectives, including the top five priorities, which are intended to guide stakeholders as they work to develop corresponding implementation plans.
In its 2011 report, GAO found that the Environment could benefit from leveraging individual departments information sharing initiatives and recommended that the Program Managerin consultation with the Policy Committee and key departmentsdetermine to what extent the Environment could better leverage such initiatives to realize benefits government-wide. The Program Manager generally agreed with the recommendation and initiated an effort to catalogue departments high value terrorism-related data. More specifically, the Program Manager asked departments to identify their high value terrorism-related information and datasets to determine the extent to which they could be shared and leveraged with Environment partners. One of the key departments, however, did not participate in this effort. Until all key departments are participating in key Environment initiatives, stakeholders cannot ensure that the departments have comprehensively defined and are implementing the corrective actions needed to reduce risks from gaps in sharing terrorism-related information.
The Program Manager and key departments also have not yet developed an enterprise architecture management plan for the Environment. In 2011, GAO recommended that the Program Managerin consultation with appropriate stakeholdersestablish such a plan that, among other things, reflects time frames for improving enterprise architecture management practices and defines accountability mechanisms to help ensure that this plan is implemented. The Program Manager generally agreed, and officials from the Office of the Program Manager have since noted that they expect to issue a plan to address this recommendation by the end of fiscal year 2013. Establishing this plan is critical to improving collaboration and coordination of departments activities, and driving the planning and management of operational and technological capabilities and services for the nationwide Environment. These capabilities and services include a federated search capabilitythe ability for users to effectively and efficiently query and search for terrorism-related information across multiple departments databases.
Monitor and validate effectiveness of corrective measures. The Program Manager established a framework in 2011 to measure the performance of key departments in completing corrective measures included in the Environment implementation plan, which is aligned with the Executive Office of the Presidents priorities for information sharing. Although departments, to some extent, have their own measures to assess the performance of individual initiatives they are implementing, the Program Manager has established a performance framework that is intended to provide a collective measurement of the impacts that the overall Environment is having on the sharing of terrorism-related information. All five of the key departmentsin addition to other Environment stakeholdersparticipated in the 2012 Performance Assessment Questionnaire, which is designed to allow the Program Manager to assess department performance across several priorities. For example, through the annual questionnaire, the Program Manager measures participation in key Environment initiatives, such as the Nationwide Suspicious Activity Reporting Initiative. As the Environment matures, it will be important for the Program Manager and key departments to continue to develop outcome-based metrics that evolve from counting the number of departments that participate in Environment initiatives to measuring the information sharing results achieved from these initiatives. Information on results can help to inform future funding and program decisions.
More recently, officials from the Office of the Program Manager and departments have developed a set of homeland security scenarios to help define what effective information sharing capabilities look like and target levels of capabilities departments should have in place over set time frames, thereby providing a way to monitor the effectiveness of corrective measures. For example, one scenario describes how departments need to mature their capabilities over the next 7 years from the situation where an analyst has to manually check numerous databases to see if there is information related to a suspicious activity to the situation where the analyst has a single point of entry and can conduct one, federated search of linked databases. GAO found, however, that some key departments are not yet using these scenarios, which were established in the fall of 2011, to assess performance. It will be important to monitor the extent to which the scenarios provide a useful means to hold departments accountable for improved capabilities and result in improved sharing.
Demonstrate progress implementing corrective measures. The Program Manager, OMB, and departments use a mix of methodssuch as programmatic and implementation guidance with time frames and goals for specific department initiatives and the annual performance questionnaire, among other thingsto track progress in implementing corrective measures. The Program Manager publicly accounts for this progress in the annual reports the Program Manager submits to Congress. The report is evolving from a catalogue of information sharing activities to an account of progress against goals, objectives, and baselines that can help to inform future decisions. However, the Program Manager and departments have not yet fully developed an integrated way to measure and demonstrate progress in implementing corrective actions and key initiatives. More specifically, all of the plans and corrective actions that GAO has called for, such as the enterprise architecture management plan, as well as emerging priorities, such as those published in the December 2012 National Strategy for Information Sharing and Safeguarding, have yet to be fully defined. The Program Manager, Policy Committee, Steering Committee, and key departments will then need to define corresponding implementation plans and ways to demonstrate progress against those plans. It will be important to monitor how well the Program Manager, OMB, the Policy and Steering committees, and the departments can measure and demonstrate progress against the new Strategy, plans, and priorities.
 GAO letter to the Program Manager for the Information Sharing Environment (Washington, D.C.: June 29, 2011).
 See Pub. L. No. 108-458, § 1016, 118 Stat. 3638, 3664-70 (2004) (codified as amended at 6 U.S.C. § 485). See also 6 U.S.C. § 482 (requiring the establishment of procedures for the sharing of homeland security information).
 See Exec. Order No. 13,587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, 76 Fed. Reg. 63,811(Oct. 13, 2011).
 GAO, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, GAO-08-492 (Washington, D.C.: June 25, 2008).
 GAO, Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments, GAO-11-455 (Washington, D.C.: July 21, 2011).
 OMB Circular A-11, Preparation, Submission, and Execution of the Budget (July 2010).
 GAO, Information Sharing: DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts, GAO-12-809 (Washington, D.C.: Sept. 18, 2012).
 An enterprise architecture, or modernization blueprint, provides a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of the enterprises current and target operational and technological environments and contains a road map for transitioning from the current to the target environment. An enterprise architecture program management plan would, among other things, (1) reflect Environment enterprise architecture program work activities, events, and time frames for improving Environment enterprise architecture management practices and addressing needed architecture content and (2) define accountability mechanisms to help ensure that the plan is implemented.
 A fusion center is as a collaborative effort of two or more federal, state, local, or tribal government agencies that combines resources, expertise, or information with the goal of maximizing the ability of such agencies to detect, prevent, investigate, apprehend, and respond to criminal or terrorist activity.
 Although the Program Manager issues milestones and time frames that the departments agree to, officials at the Office of the Program Manager explained that the Program Manager does not have the authority to hold departments accountable for these activities.
 The Nationwide Suspicious Activity Reporting Initiative is to establish a national capacity for gathering, documenting, processing, analyzing, and sharing reports of suspicious activity that is potentially terrorism-related.
 See 6 U.S.C. § 485(h).
Going forward, the Program Manager and key departments, with OMB oversight and support, need to continue working to address remaining action items informed by GAOs five high-risk criteria, thereby helping to reduce risks and enhance the sharing and management of terrorism-related information:
- Capacity to resolve risks.
- The Program Manager and Policy Committee should demonstrate that departments are defining incremental costs they will need to fund in order to complete their responsibilities and activities to substantially achieve the Environment, consistent with the Intelligence Reform Act, as amended. In addition, the Program Manager, in coordination with the key departments, should define the strategies being taken to mitigate the risks that potential funding shortfalls could have on key Environment initiatives and information sharing priorities.
- The Program Manager and key departments, in coordination with OMB, should continue to identify technological capabilities and services that can be shared collaboratively within and across the Environment, consistent with the Environment enterprise architecture approach that the office of the Program Manager expects to issue in fiscal year 2013.
- Plans that provide corrective measures.
- The Policy Committee should develop methods to help ensure that important sharing initiatives within individual departments are, or will be, leveraged to benefit all relevant federal, state, local, private sector, and international stakeholders participating in the Environment. In addition, the Program Manager, along with key departments, should work to identify and address remaining gaps in sharing information, including gaps in sharing information with private sector owners and operators of critical infrastructure.
- The Program Manager, along with the Policy Committee and OMB, should issue an Environment enterprise architecture program management plan that (1) reflects Environment enterprise architecture program work activities, events, and time frames for improving enterprise architecture management practices and addressing missing architecture content and (2) defines accountability mechanisms to help ensure that this program management plan is implemented.
- Monitor and validate effectiveness of corrective measures.
- The Program Manager, in coordination with the Policy Committee and key departments, should continue to develop the Environments performance framework by developing metrics that measure the performance of, and results achieved by, the overall Environment and individual departments projects and activities. More specifically, the performance metrics used by the Program Manager will need to evolve from measuring department participation in key initiatives to the results achieved by key initiatives.
- Demonstrate progress implementing corrective measures.
- The Program Manager, in conjunction with the Policy and Steering committees, should demonstrate how the new Strategy, plans, guidance, and priorities are linked and integrated in a way that provides the means to track, monitor, and publicly account for progress on individual projects and in substantially achieving the overall Environment, including setting baselines, milestones, and time frames.
 See, e.g., 6 U.S.C. § 485(e)(3).