Chemical, Biological, Radiological, and Nuclear Risk Assessments:
DHS Should Establish More Specific Guidance for Their Use
GAO-12-272: Published: Jan 25, 2012. Publicly Released: Jan 25, 2012.
What GAO Found
Since 2004, DHSs use of its CBRN risk assessments to inform its CBRN response plans has varied, from directly influencing information in the plans to not being used at all. DHS guidance states that response planning and resource decisions should be informed by risk information. GAOs analysis showed that DHS used its CBRN risk assessments to directly inform 2 of 12 CBRN response plans GAO identified because planners considered the risk assessments to be more accurate than earlier DHS planning assumptions. For another 7 of the 12 plans, DHS officials said that the assessments indirectly informed the plans by providing background information prior to plan development. However, GAO could not independently verify this because DHS officials could not document how the risk assessments influenced the information contained in the plans. GAOs analysis found general consistency between the risk assessments and the plans. For the remaining 3 plans, DHS officials did not use the risk assessments to inform the plans; for 2 of the 3 plans DHS officials told GAO they were not aware of the assessments. DHS officials also noted that there was no departmental guidance on when or how the CBRN risk assessments should be used when developing such plans.
Since 2004, DHSs use of its CBRN risk assessments to inform its CBRN-specific capabilities has varied, from directly impacting its capabilities to not being used at all. Of the 7 capabilities GAO reviewed, one was directly informed by the risk assessments; DHS used its biological agent risk assessments to confirm that its BioWatch program could generally detect the biological agents posing the greatest risk. For 5 of the 7 capabilities, DHS officials said they used the risk assessments along with other information sources to partially inform these capabilities. For example, DHS used its chemical agent risk assessments to determine whether its chemical detectors and the risk assessments were generally aligned for the highest risk agents. For 3 of these 5 capabilities, GAO could not independently verify that they were partially informed by the risk assessments because DHS officials could not document how the risk assessments influenced the capabilities. DHS did not use its CBRN risk assessments to inform the remaining CBRN capability because the assessments were not needed to meet the capabilitys mission.
DHS and its components do not have written procedures to institutionalize their use of DHSs CBRN risk assessments for CBRN response planning and capability investment decisions. Standards for internal control in the federal government call for written procedures to better ensure managements directives are enforced. DHS does not have procedures that stipulate when and how DHS officials should use the departments CBRN risk assessments to inform CBRN response planning and capability investment decisions, and GAO found variation in the extent to which they were used. DHS officials agree with GAO that without written procedures, the consistent use of the departments CBRN risk assessments by DHS officials may not be ensured beyond the tenure of any given agency official. DHS could better help to ensure that its CBRN response plans and capabilities are consistently informed by the departments CBRN risk assessments by establishing written procedures detailing when and how DHS officials should consider using the risk assessments to inform their activities.
Why GAO Did This Study
The 2001 anthrax attacks in the United States highlighted the need to develop response plans and capabilities to protect U.S. citizens from chemical, biological, radiological, and nuclear (CBRN) agents. Since 2004, the Department of Homeland Security (DHS) has spent at least $70 million developing more than 20 CBRN risk assessments. GAO was requested to assess, from fiscal year 2004 to the present, the extent to which DHS has used its CBRN risk assessments to inform CBRN response plans and CBRN capabilities, and has institutionalized their use. GAO examined relevant laws, Homeland Security Presidential Directives, an Executive Order, DHS guidance, and all 12 relevant interagency CBRN response plans developed by DHS. Based on a review of a United States governmentwide CBRN database and DHS interviews, among other things, GAO selected a nongeneralizable set of seven DHS capabilities used specifically for detecting or responding to CBRN incidents to identify examples of DHSs use of its CBRN risk assessments. GAO also interviewed relevant DHS officials. This is a public version of a classified report that GAO issued in October 2011. Information DHS deemed sensitive or classified has been redacted.
What GAO Recommends
GAO recommends that DHS develop more specific guidance, including written procedures, that details when and how DHS components should consider using the departments CBRN risk assessments to inform related response planning efforts and capability investment decision making. DHS agreed with the recommendation.
For more information, contact William O. Jenkins, Jr. at (202) 512-8777 or firstname.lastname@example.org.
Recommendation for Executive Action
Status: Closed - Not Implemented
Comments: On April 12, 2016, officials from the DHS Science & Technology Directorate (S&T) stated that the department has placed an indefinite hold on developing a written policy and associated procedures to address our recommendation that the department establish more specific guidance that details when and how DHS components should consider using the department's CBRN risk assessments to inform related response plan and capability investment decision making. S&T officials explained that the department is in the process of considering and potentially developing additional analytics and tools for practical decision-support application of the CBRN risk assessments. According to officials, this project, referred to as the DHS CBRN Mitigation Optimization and Net Assessment (MONA), identified 102 DHS programs that have some ability to influence national CBRN terrorism risk. S&T officials are working to estimate the amount of CBRN terrorism risk that each program could potentially "buy down" if implemented fully. Officials stated that the goal of MONA is to create decision support tools for CBRN terrorism risk and performance management at the department. For example, one goal of the program is for DHS officials to be able to estimate an optimized CBRN program portfolio based in part on the cumulative CBRN terrorism risk buy-down metric. As of April 2016, S&T officials stated that they were in the early stages of producing these new analyses and tools and that any potential related policies and procedures on the use of the CBRN risk assessments would not be developed until these new analyses and tools are developed and socialized among DHS component officials responsible for CBRN related activities. As it is unclear if or when DHS will develop the guidance called for in our recommendation, we are closing this recommendation as unimplemented.
Recommendation: To better ensure the consistent use of DHS's CBRN risk assessments at the department's components and agencies, the Secretary of Homeland Security should establish more specific guidance, including written procedures, that details when and how DHS components should consider using the department's CBRN risk assessments to inform related response plan and capability investment decision making.
Agency Affected: Department of Homeland Security