Key Issues > High Risk > Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland
High Risk Medallion

Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland

This information appears as published in the 2015 High Risk Report.

View the 2015 Report

  1. Share with Facebook 
  2. Share with Twitter 
  3. Share with LinkedIn 
  4. Share with mail 

The government faces significant challenges in analyzing and disseminating terrorism-related information in a timely, accurate, and useful manner. Since designating this issue as high risk in 2005, we have monitored federal efforts to implement the Information Sharing Environment (Environment)—an overarching approach to strengthening the sharing of intelligence, terrorism, homeland security, law enforcement, and other information among federal, state, local, tribal, international, and private sector partners.[1],[2] Continued progress toward improved information sharing is critical, in order to reduce the risks of threats to the homeland—such as the Boston Marathon bombings in 2013—and to respond to the changing nature of domestic threats. The Program Manager for the Information Sharing Environment (Program Manager), the individual responsible for planning, overseeing and managing the Environment, along with the key departments—the Departments of Homeland Security, Justice, State, and Defense, and the Office of the Director of National Intelligence (ODNI)—are critical to developing and implementing the Environment.[3]

[1]The Information Sharing Environment was established in accordance with section 1016 of the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), as amended. See Pub. L. No. 108-458, § 1016, 118 Stat. 3638, 3664-70 (2004) (codified as amended at 6 U.S.C. § 485). See also 6 U.S.C. § 482 (requiring the establishment of procedures for the sharing of homeland security information).

[2]Intelligence, terrorism, homeland security, law enforcement, and other information is collectively referred to as terrorism-related information in the context of this section.

[3]The Office of the Program Manager for the Environment is situated within and funded through amounts appropriated to ODNI. Additional agencies and departments also participate in the Environment, including Air Force Intelligence, Central Intelligence Agency, Department of Commerce, Department of Energy, Department of Health and Human Services, Department of Interior, Department of Transportation, Department of Treasury, National Counterterrorism Center, National Geospatial Intelligence Agency, and National Reconnaissance Office.

Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland

The federal government has made significant progress in promoting the sharing of information on terrorist threats, in meeting our criteria for leadership commitment and capacity, and in partially meeting the remaining criteria for this high-risk area. The government has made significant progress by developing a more structured approach to achieving the Environment and by defining the highest priority initiatives to accomplish. In our 2013 high-risk update, we reported that the federal government had demonstrated leadership commitment by establishing and sustaining an interagency policy committee and by defining the vision for the Environment. In 2013, the Program Manager released the Strategic Implementation Plan for the National Strategy for Information Sharing and Safeguarding (Implementation Plan).[1]The Implementation Plan provides detailed guidance for the 16 priority objectives that are fundamental to creating the standards, technologies, and cooperation necessary to advance information sharing. However, additional actions could help ensure that the government also measures the extent to which these initiatives have improved information sharing, by demonstrating progress—such as meeting key milestones and time frames described in the Implementation Plan—and by monitoring results (including evolving metrics).

The federal government made progress in this high-risk area largely by developing the Implementation Plan, which identifies 16 priority objectives that are critical to implementing the Environment. Each priority objective is housed within a governance entity (e.g., a department, agency, subcommittee, or working group) and is assigned a steward. The steward is responsible for ensuring that participating agencies communicate and collaborate to complete the objective, while also raising to senior management any issues that might hinder progress. Stewards are to communicate these issues via the Information Sharing and Access Interagency Policy Committee (Policy Committee)—located within the Executive Office of the President—which is responsible for resolving these barriers.[2]The Implementation Plan also outlines specific milestones and time frames for each priority objective, which is to allow the Policy Committee and key departments to measure progress towards achieving Environment initiatives.

Program officials from each of the five key departments noted that the Implementation Plan has been useful in providing a structure in which numerous departments leverage capabilities and services that advance the Environment, and work collaboratively to protect against terrorist threats. Additionally, shifts in how key departments approach funding to implement Environment priorities, combined with recently released enterprise architecture guidance, have also helped move the Environment forward.[3]

In our 2011 report on the Environment, we recommended that key departments better define incremental costs for information sharing activities, so as to plan and budget for these costs.[4] Additionally, we recommended establishing an enterprise architecture management plan to improve collaboration and coordination of departments’ activities, as a management plan also would drive the management of operational and technological capabilities and services for the Environment nationwide.[5]In our 2013 high-risk update, we included defining incremental costs as a key action item for successful implementation of the Environment.

In 2014, officials from each of the five key departments said that information sharing activities are a daily activity that go hand in hand with the mission of the agency and related budgets, and are not separate mandates to fund. Therefore, there is no need to separately identify incremental costs since information sharing activities and costs are embedded within the agency’s mission operations. Further, the 2013 Implementation Plan includes actions for developing aspects of an architecture for the Environment. In addition, the Program Manager has issued the Information Interoperability Framework (I2F), which begins to describe key elements intended to help link systems across departments to enable information sharing (i.e. interoperability). For example, the I2F calls for a common profile for achieving interoperability among systems, which provides (among other things) an approach for identifying core sets of standards and specifications across organizations. Maritime partners have used this framework to enhance interoperability among themselves and to increase their shared awareness of anything associated with the global maritime environment that could adversely affect the security, safety, economy, or environment of the United States.

To mitigate remaining potential risks, the Program Manager and key departments have several additional actions to complete. Such actions include demonstrating that (1) concepts outlined in the Enterprise Architecture framework are executed as planned, (2) metrics have evolved to the point that they measure the extent to which initiatives have improved sharing and achieved homeland security results, in addition to measuring activities completed, and (3) a process exists to ensure that identified time frames and milestones for completing priority objectives are met.

In our 2013 high-risk update, we listed nine action items that were critical for moving the Environment forward. In that report, we determined that two of those action items—demonstrating that the leadership structure has the needed authority to leverage participating departments and updating the vision for the Environment—had been completed. Since then, the Program Manager and key departments have achieved four of the seven remaining action items and have made progress on the remaining three actions. Achieving all nine actions would—in effect—address our high-risk criteria. Table 8 summarizes the Program Manager’s and key departments’ progress in achieving the action items.

Table 8: Status of Action Items

Action Items

Action Item Status

High Risk Category

Demonstrate that the Information Sharing and Access Interagency Policy Committee has needed authority, is leveraging participating departments, and is producing results.


Leadership Commitment

Update the vision for the Environment—the information sharing capabilities and procedures that need to be in place to help ensure terrorism-related information is accessible and identifiable to relevant federal, state, local, private, and foreign partners.


Leadership Commitment

Demonstrate that departments are defining incremental costs and funding needed to complete the responsibilities and activities which substantially achieve the Environment.


Capacity to resolve risk

Continue to identify technological capabilities and services that can be shared collaboratively within and across the Environment, consistent with a federated architecture approach.


Capacity to resolve risk

Demonstrate that initiatives within individual departments are, or will be, leveraged to benefit all relevant federal, state, local, and private security stakeholders participating in the Environment.


Plans that provide corrective measures

Establish an enterprise architecture management capability and demonstrate that it will be used to guide selection of projects for substantially achieving the Environment.

Partially Met

Plans that provide corrective measures

Demonstrate that stakeholders generally agree with the strategy, plans, time frames, their responsibilities, and their activities for substantially achieving the Environment.


Plans that provide corrective measures

Demonstrate that the federal government can show the extent to which sharing has improved under the Environment, or can show it has actions underway to more fully develop a set of metrics and processes to measure results achieved, both from individual projects and activities, as well as from the overall Environment.

Partially Met

Monitor and validate the effectiveness of corrective measures

Demonstrate that established milestones and time frames are being used as baselines to track and monitor progress on individual projects and in substantially achieving the overall Environment.

 Partially Met

Demonstrated Progress

Source: GAO. | GAO-15-290.

aIn our 2013 high-risk report we determined that these actions had been completed.


Leadership Commitment: In our 2013 high-risk update, we reported that the federal government had fundamentally met this high-risk criterion—primarily because the government had put into place the Policy Committee and defined the vision for the Environment. Since then, the government has issued the Implementation Plan and I2F, among other actions which demonstrate continued leadership commitment. Key departments have also played an increased leadership role by serving as stewards for the priority objectives in the Implementation Plan. Additionally, key departments have taken various actions to govern their own information sharing activities and to coordinate with the Environment. For example, as we reported in 2012, the Department of Homeland Security (DHS) has established a governance board to serve as the decision-making body for DHS information sharing issues.[6]This board has identified information-sharing gaps and has developed a list of key initiatives to help address those gaps. Many of these initiatives—such as those related to information safeguarding—are consistent with established priorities for the Environment.

Capacity to Resolve Risk: The government has met this high-risk criterion by changing its approach to funding information-sharing activities: funding is now a part of mission activities and operations. Additionally, the Implementation Plan defines the fundamental technological capabilities and services for advancing the Environment. The Program Manager and key departments also continue to make progress in identifying and establishing technological services consistent with a federated architecture approach.[7]

Specifically, regarding the government’s approach to funding, senior officials in each key department explained that any incremental costs related to implementing the Environment are now embedded within each department’s mission activities and operations and do not require separate funding. The Program Manager and department officials also noted that the Implementation Plan assigns priority objectives to those departments whose mission most aligns to the initiatives under each objective, thereby helping to ensure that the activities receive funding.

The Program Manager and key departments have also made progress in continuing to define and establish technological capabilities and services which improve information sharing and the safeguarding of data. For example, a key initiative to develop capacity for the Environment is the Federal Identity Credential and Access Management (FICAM) program, which is also identified as a priority objective in the Implementation Plan. FICAM’s goal is to control access to sensitive information on computer networks while also providing authorized users the information they need. FICAM comprises (among other things) the technologies and services used to create trusted digital credentials that can be used to verify and provide authorized access to an agency’s information. This is useful for ensuring that information can be shared without the threat of security breaches. The 2014 Environment Performance Assessment Questionnaire noted that 8 out of 11 agencies in the Environment had made progress implementing FICAM standards in the sensitive but unclassified information domain.[8]Having agencies adopt these standards represents an important step in federal capabilities that will allow agencies to establish individual accountability and facilitate the appropriate level of information access.

An additional capacity-related priority objective in the Implementation Plan involves the discovery and access of information—the ability to identify the existence of information and retrieve it. According to the results of the 2014 questionnaire, over 80 percent of agencies reported improvement in their ability to discover, access, and retrieve information necessary to accomplish their mission. In addition, the intelligence community is moving its data to a cloud-computing environment—a system that uses on-demand access to shared computing resources to centralize data storage, among other things—which could allow agencies to share information and services much more easily. The Implementation Plan also has an objective dedicated to standards-based acquisition, which seeks to ensure that future products and services are interoperable. The goal of this objective is to develop common technical standards that are available to all departments and agencies as a guide when making acquisition decisions. Continued focus on implementing standards—through the annual questionnaire and the Policy Committee’s monitoring of progress on the implementation plan—will help to ensure that agencies strive for more comprehensive adoption of these standards.-The Implementation Plan also identifies capacity-related activities consistent with a federated architecture approach, such as identifying technological capabilities and services to be used across communities of interest. For example, Environment stakeholders are to develop a plan in fiscal year 2015 that includes development and maintenance of a repository of capabilities and services. According to officials from the office of the Program Manager, the office has already developed a web-based collection of tools, best practices, and frameworks for improving information interoperability which is an example of such a repository. Another initiative identified in the Implementation Plan is the use of an Environment capability roadmap to select priority pilots. Although not specifically defined by the Implementation Plan, such a roadmap might help define the capabilities needed by the Environment over time and the steps needed to achieve those capabilities—including the establishment of priority pilot projects. Officials from the Program Manager’s office cited the Maritime Domain Awareness initiative, which aims to help improve information sharing at sea and on other waterways, as one example of such a pilot. Since information-sharing services are shared across the government, rather than being funded and controlled by an individual agency, the Implementation Plan also states that the Federal Chief Information Officers Council’s Shared Services Sub Committee will determine a mechanism for resolving budget, appropriation, and procurement issues associated with federal-wide shared services.[9]

Action Planning: The government has made progress in meeting this high-risk criterion by developing the Implementation Plan. The government achieved additional progress by leveraging information-sharing initiatives across the government and by issuing guidance to improve enterprise architecture management—both actions that we recommended in our 2011 report on the Environment.[10] The development of the Implementation Plan was an important step for the Environment and, as we have reported, is one of the characteristics that can enhance the usefulness of national strategies.[11] However, the Program Manager has not yet demonstrated that key departments are implementing the approach and interoperability concepts described by the I2F across the Environment.

In addition to identifying key initiatives—such as those intended to control information access, safeguard information, increase a user’s ability to search for relevant information, and increase interoperability among data systems—the Implementation Plan seeks to address gaps in information sharing that Environment stakeholders identified and that we highlighted in our 2013 high-risk report. For example, the plan establishes a priority objective dedicated to information sharing with the private sector. This objective seeks to ensure that processes and procedures are in place for identifying threats, including those related to cybersecurity and to critical infrastructure—such as financial institutions, commercial facilities, and energy production and transmission facilities, among others.

Additionally, in the 2013 high-risk report, we noted that the Environment could benefit from leveraging individual departments’ information sharing initiatives and that the Program Manager—in consultation with the Policy Committee and key departments—should determine potential ways to realize such benefits government-wide. The 2013 Annual Report to Congress identified several instances where key agencies were incorporating other agencies’ initiatives.[12]For example, the Federal Bureau of Investigation’s (FBI) eGuardian system allows law enforcement agencies to submit suspicious activity reports into a single system that is accessible by thousands of law enforcement personnel. In the 2013 annual report, 11 of 15 agencies that participate in the Environment indicated that they use the FBI’s eGuardian system. In the 2014 Performance Assessment Questionnaire, numerous agencies also mentioned fusion center information sharing as an initiative that they were leveraging.[13]Specifically, all agencies that answered the 2014 question related to fusion center progress reported satisfaction with improvements made in the last year to enhance the capabilities and performance of the national network of fusion centers. This included improving the sharing of threat and encounter information between the federal government and state, local, and private partners. In November 2014, we reported on federal efforts to improve fusion center capabilities and results.[14] Additionally, we have reported on the work of fusion centers in the past. For example, in April 2013 we reported that fusion centers, along with other field-based information sharing entities, provided a variety of analytical activities which resulted in benefits, such as intelligence products.[15]

The Program Manager has also made progress by issuing guidance to improve the Environment’s enterprise architecture management. For example, the Implementation Plan includes tasks and time frames associated with establishing aspects of the Environment architecture. Such tasks and time frames include improving interoperability by developing the Information Interoperability Framework (I2F), defining needed capabilities and services, and developing a plan for a repository of these capabilities and services. This plan will help ensure that the information-sharing community is aware of the available capabilities and services. The Program Manager has issued an initial version of I2F to guide the implementation of information-sharing capabilities. I2F begins to describe key information sharing elements, including how different departments might be able to align their enterprise architectures with interoperability concepts described in I2F. In addition, this framework outlines (among other things) an approach for establishing core sets of standards and specifications across organizations. For example, officials from the office of the Program Manager stated that the framework helped provide technical specifications for a Maritime Information Sharing Environment, including specifications to publish and search for information about a ship’s location.

However, the Program Manager has not yet demonstrated that key departments are implementing over time the approach and interoperability concepts described by I2F. Additionally, the Program Manager has not yet demonstrated how he will hold key departments and entities accountable over time for executing key architecture-related tasks described in the Implementation Plan and for achieving associated outcomes. We will continue to monitor these enterprise architecture activities in this high-risk area to ensure that they are sustained over time.

Monitoring: The Program Manager has made progress in meeting this high-risk criterion by continuing to devise and implement ways to measure the impact the Environment is having on the sharing of information to address terrorist and other threats to the homeland. However, the Program Manager should continue developing metrics that measure the performance and results achieved by the overall Environment, in addition to measuring department participation in key initiatives.

The Program Manager and key departments have created a performance management framework to measure the performance of key departments in completing Environment initiatives, many of which are included in the Implementation Plan. This framework consists of several measures, including the Performance Assessment Questionnaire and homeland security scenarios that define information-sharing capabilities agencies are to achieve over time. Additionally, the Program Manager has used this information to support the 2014 Annual Report to Congress and has supplemented its website with additional performance data not included in the annual report.

The performance management framework is intended to assess the maturity of the nation’s ability to detect and respond to terrorism. All five of the key departments—in addition to other Environment stakeholders—participated in the 2014 Performance Assessment Questionnaire, which is designed to allow the Program Manager to assess department performance against national strategy goals and is a main component of the framework. For example, through the annual questionnaire, the Program Manager measures results from key Environment initiatives, such as the extent that information gathered from international partners is integrated into the process the government uses to screen individuals for potential terrorist threats. As such, it will be important for the annual questionnaire to continue to incorporate measures that demonstrate results and benefits achieved from information sharing, rather than counting departmental activities accomplished—such as the number of agencies with information-sharing governance boards.

Officials from the Office of the Program Manager also developed a set of homeland security scenarios in 2011 to assist key departments in planning for and executing the Environment’s initiatives. The scenarios are designed to demonstrate information-sharing capabilities relevant to an agency’s mission as well as to allow the Program Manager and departments to determine if the Environment is achieving desired capabilities. For example, one scenario describes how departments need to mature their capabilities over the next 7 years such that an analyst does not have to manually check numerous databases to find information related to a suspicious activity, but rather can conduct one search of linked databases from a single point of entry. However, key departments are not using these scenarios to assess performance. For example, Department of Justice officials noted that the scenarios needed to be more real-world and law-enforcement specific for them to be useful. Given that the annual questionnaire is still evolving into an outcome-based document and departments have not adopted the scenarios, we will continue to monitor this issue.

Demonstrated progress: The Program Manager and the key departments have identified time frames and milestones for meeting each priority objective listed in the Implementation Plan, among other things. However, it will be critical for all involved in the Environment to make sure that these time frames and milestones are being met. There are differing opinions among the key departments about the accountability for achieving these time frames. For example, a State department official noted that the time frames for that agency’s objectives are flexible and can be pushed back to accommodate needs. On the other hand, DHS program officials—who are responsible for a majority of the priority objectives—noted that they have not needed to shift any time frames or milestones and have developed many detailed plans to meet the time frames. Additionally, the Implementation Plan assigns stewards to each priority objective—in most cases, a senior official within a key department—who have primary responsibility for coordinating, integrating, and synchronizing activities to achieve the priority objectives within the time frames established. Stewards for the key departments all noted that the Implementation Plan is useful for clarifying and guiding the activities of the Environment. However, concerns have been raised about the staff resources and administrative burdens associated with implementing 16 priority objectives. For example, FBI officials have noted that the same individuals are responsible for ensuring that multiple objectives are achieved and, therefore, a conversation around the structure and approach of the Environment might be useful. As of October 2014, the Program Manager and key departments were discussing the potential for prioritizing or streamlining aspects of the Implementation Plan or Environment structure. We will continue to monitor any potential changes to the Environment to determine how they might affect stated time frames and milestones.

While the Implementation Plan contains specific objectives and milestones, the Program Manager stated that he has no ability to direct the actions of the agencies in the Environment. Rather, he noted that he serves to coordinate agency activity, but that the agencies have the central role in managing their participation. The Program Manager does have some ability to indirectly influence the process by, for example, publicly accounting for the progress in meeting the national strategy objectives in the annual reports that he submits to Congress. The Policy Committee also provides a forum for updates on the status of achieving time frames and allows the co-chairs to monitor overall progress.

Due to the relatively recent introduction of the Implementation Plan, the Program Manager, Policy Committee, and key departments should continue to closely monitor stakeholders’ progress and make any necessary adjustments to ensure that stakeholders are meeting milestones. The Implementation Plan denotes critical milestones through fiscal year 2018. As a result, we will continue to monitor the progress of stakeholders in meeting these time frames and milestones.

[1] In December 2012, the President signed the National Strategy for Information Sharing and Safeguarding (National Strategy) which provides guidance on the implementation of policies, standards and technologies that promote secure and responsible national security information sharing. This document builds on the 2010 National Security Strategy and the 2007 National Strategy for Information Sharing. The National Strategy identifies priority objectives, which have been incorporated into the Environment Implementation Plan.

[2] The Policy Committee is the national decision-making body for high-level, cross-cutting information sharing and safeguarding policy matters. The Policy Committee is co-chaired by the Program Manager for the Information Sharing Environment and a member of the National Security Council Staff. Membership of the committee includes representatives for each of the five key departments.

[3] An enterprise architecture, or modernization blueprint, is intended to provide a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of the enterprise’s current and target operational and technological environments, and contains a road map for transitioning from the current to the target environment.

[4] GAO, Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments, GAO‑11‑455 (Washington, D.C.: July 21, 2011).

[6] GAO, Information Sharing: DHS Has Demonstrated Leadership and Progress, but Additional Actions Could Help Sustain and Strengthen Efforts, GAO‑12‑809 (Washington, D.C.: September 18, 2012).

[7] Under a federated approach, the architecture consists of a family of coherent but distinct member architectures that conform to an overarching corporate or parent architecture approach. As such, member architectures (e.g., component, subordinate, or subsidiary architectures) are substantially autonomous, but they also inherit certain rules, policies, procedures, and services from the parent architectures.

[8] The annual Environment Performance Assessment Questionnaire (PAQ) surveys the federal agencies involved in the Environment to gain an understanding of the overall state of information sharing among and between federal agencies.

[9] The federal Chief Information Officer Council is the principal interagency forum to improve agency practices on such matters as the design, modernization, use, sharing, and performance of agency information resources.

[11] GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, GAO‑04‑408T (Washington, D.C.: Feb. 3, 2004).

[12] The Information Sharing Environment Annual Report to Congress examines the extent to which the mandate in the Intelligence Reform and Terrorism Prevention Act of 2004, as amended, to establish an information sharing environment, and for the sharing of terrorism-related information in general, is being implemented. See 6 U.S.C. § 485(h).

[13] In general, fusion centers serve as the focal point within the state and local environment for the receipt, analysis, gathering, and sharing of threat-related information between the federal government and state, local, tribal, territorial and private sector partners.

[14] GAO, Information Sharing: DHS Is Assessing Fusion Center Capabilities and Results, but Needs to More Accurately Account For Federal Funding Provided to Centers, GAO‑15‑155 (Washington, D.C.: Nov. 4, 2014).

[15] GAO, Information Sharing: Agencies Could Better Coordinate to Reduce Overlap in Field-Based Activities, GAO‑13‑471 (Washington, D.C.: April 4, 2013).

Going forward, in addition to maintaining leadership commitment and capacity, the Program Manager and key departments will need to continue working to address remaining action items informed by our five high-risk criteria, thereby helping to reduce risks and enhance the sharing and management of terrorism-related information.

Action Planning

The program manager, in coordination with the Policy Committee and key departments, should demonstrate over time that Environment participants are implementing the approach and concepts described by the March 2014 I2F across the Environment. The Program Manager should also demonstrate that departments and entities are executing key architecture-related tasks described in the Implementation Plan and are achieving related outcomes.


The Program Manager, in coordination with the Policy Committee and key departments, should continue developing metrics that measure not only actions accomplished, but tangible results achieved, such as improved decisions based on information sharing plans and investments. These metrics should cover both department participation in key information sharing initiatives as well as the overall Environment.

Demonstrated Progress

The Program Manager, in coordination with the Policy Committee and key departments, should demonstrate that established time frames and milestones are being used to track progress of the objectives in the Implementation Plan. Achieving these objectives is critical for advancing the overall goals of the Environment. If time frames or milestones begin to slip, it will be important for the Policy Committee to provide the leadership to ensure that initiatives are able to get back on track. As key milestones come due in future fiscal years, it will be important for departments to demonstrate they are meeting these milestones so that the work of the Environment can move forward.

  • portrait of David C. Maurer
    • David C. Maurer
    • Director, Homeland Security and Justice
    • (202) 512-9627