The attacks on 9/11 underscored the federal government's need to facilitate terrorism-related information sharing among government, private sector, and foreign stakeholders. In response, the Intelligence Reform and Terrorism Prevention Act of 2004 mandated the creation of the Information Sharing Environment (ISE), which is described as an approach for the sharing of terrorism-related information. A presidentially appointed Program Manager oversees ISE development with assistance from the Information Sharing Council (ISC), a forum for 16 information sharing officials from federal agencies and departments. GAO was asked to report on (1) what actions have been taken to guide the design and implementation of the ISE and (2) what efforts have been made to report on progress in implementing the ISE. To perform this work, GAO reviewed related laws, directives, guidance, and ISE planning and reporting documents and interviewed officials from the Program Manager's office and key agencies who serve on the ISC.

To guide ISE design and implementation, the Program Manager has issued an implementation plan, completed a number of tasks therein, and included other information sharing initiatives in the ISE, but the plan does not include some important elements to implement the ISE. The plan provides an initial structure and approach for ISE design and implementation. For example, the plan includes steps toward protecting information privacy and describes a two-phased approach for implementing the ISE by June 2009 consisting of 89 action items. Completed activities include, among others, development of proposed common terrorism information sharing standards. In addition, other federal, state, and local initiatives to enhance information sharing across the government are being incorporated in the ISE. These initiatives include partnering with state and local area fusion centers--created primarily to improve information sharing within a state or local area--to develop a national network of these centers. Nevertheless, Office of the Program Manager officials said that the 89 action items do not address all the activities that must be completed to implement the ISE. Work remains, including defining and communicating the ISE's scope, such as determining all terrorism-related information that should be part of the ISE, and communicating that information to stakeholders involved in the development of the ISE. In addition, the desired results to be achieved by the ISE, that is, how information sharing is to be improved, the specific milestones, and the individual projects--or initiatives--to achieve these results have not yet been determined. Defining the scope of a program, desired results, milestones, and projects are essential in providing a road map to effectively implement a program. Without such a road map, the Program Manager and stakeholders risk not being able to effectively manage implementation of the ISE. To report on progress in implementing the ISE, the Program Manager issued an annual report in September 2007, which highlighted individual accomplishments and included several annual performance goals, and has since begun to develop performance measures, but neither effort provides for an assessment of overall progress in ISE implementation and of how much work remains. Some individual accomplishments contributing to the ISE occurred under the implementation plan; others, prior to and separate from ISE creation efforts. In keeping with federal guidance, GAO's work, and the work of others in strategic planning, performance measurement, and program management, the implementation plan contained six strategic goals and the annual report four performance goals for 2008. Also, the Program Manager has begun to develop some performance measures, but they focus on counting activities accomplished rather than results achieved. For example, the measures include the number of ISE organizations with a procedure in place for suspicious activity reports, but not how the reports are used and what difference they are making in sharing to help prevent terrorist attacks. GAO acknowledges that creating such measures is difficult, particularly since the program is still being designed, but until these measures are refined, future attempts to measure and report on progress will be hampered.