Chemical, Biological, Radiological, and Nuclear Risk Assessments:
DHS Should Establish More Specific Guidance for Their Use
GAO-12-272: Published: Jan 25, 2012. Publicly Released: Jan 25, 2012.
What GAO Found
Since 2004, DHSs use of its CBRN risk assessments to inform its CBRN response plans has varied, from directly influencing information in the plans to not being used at all. DHS guidance states that response planning and resource decisions should be informed by risk information. GAOs analysis showed that DHS used its CBRN risk assessments to directly inform 2 of 12 CBRN response plans GAO identified because planners considered the risk assessments to be more accurate than earlier DHS planning assumptions. For another 7 of the 12 plans, DHS officials said that the assessments indirectly informed the plans by providing background information prior to plan development. However, GAO could not independently verify this because DHS officials could not document how the risk assessments influenced the information contained in the plans. GAOs analysis found general consistency between the risk assessments and the plans. For the remaining 3 plans, DHS officials did not use the risk assessments to inform the plans; for 2 of the 3 plans DHS officials told GAO they were not aware of the assessments. DHS officials also noted that there was no departmental guidance on when or how the CBRN risk assessments should be used when developing such plans.
Since 2004, DHSs use of its CBRN risk assessments to inform its CBRN-specific capabilities has varied, from directly impacting its capabilities to not being used at all. Of the 7 capabilities GAO reviewed, one was directly informed by the risk assessments; DHS used its biological agent risk assessments to confirm that its BioWatch program could generally detect the biological agents posing the greatest risk. For 5 of the 7 capabilities, DHS officials said they used the risk assessments along with other information sources to partially inform these capabilities. For example, DHS used its chemical agent risk assessments to determine whether its chemical detectors and the risk assessments were generally aligned for the highest risk agents. For 3 of these 5 capabilities, GAO could not independently verify that they were partially informed by the risk assessments because DHS officials could not document how the risk assessments influenced the capabilities. DHS did not use its CBRN risk assessments to inform the remaining CBRN capability because the assessments were not needed to meet the capabilitys mission.
DHS and its components do not have written procedures to institutionalize their use of DHSs CBRN risk assessments for CBRN response planning and capability investment decisions. Standards for internal control in the federal government call for written procedures to better ensure managements directives are enforced. DHS does not have procedures that stipulate when and how DHS officials should use the departments CBRN risk assessments to inform CBRN response planning and capability investment decisions, and GAO found variation in the extent to which they were used. DHS officials agree with GAO that without written procedures, the consistent use of the departments CBRN risk assessments by DHS officials may not be ensured beyond the tenure of any given agency official. DHS could better help to ensure that its CBRN response plans and capabilities are consistently informed by the departments CBRN risk assessments by establishing written procedures detailing when and how DHS officials should consider using the risk assessments to inform their activities.
Why GAO Did This Study
The 2001 anthrax attacks in the United States highlighted the need to develop response plans and capabilities to protect U.S. citizens from chemical, biological, radiological, and nuclear (CBRN) agents. Since 2004, the Department of Homeland Security (DHS) has spent at least $70 million developing more than 20 CBRN risk assessments. GAO was requested to assess, from fiscal year 2004 to the present, the extent to which DHS has used its CBRN risk assessments to inform CBRN response plans and CBRN capabilities, and has institutionalized their use. GAO examined relevant laws, Homeland Security Presidential Directives, an Executive Order, DHS guidance, and all 12 relevant interagency CBRN response plans developed by DHS. Based on a review of a United States governmentwide CBRN database and DHS interviews, among other things, GAO selected a nongeneralizable set of seven DHS capabilities used specifically for detecting or responding to CBRN incidents to identify examples of DHSs use of its CBRN risk assessments. GAO also interviewed relevant DHS officials. This is a public version of a classified report that GAO issued in October 2011. Information DHS deemed sensitive or classified has been redacted.
What GAO Recommends
GAO recommends that DHS develop more specific guidance, including written procedures, that details when and how DHS components should consider using the departments CBRN risk assessments to inform related response planning efforts and capability investment decision making. DHS agreed with the recommendation.
For more information, contact William O. Jenkins, Jr. at (202) 512-8777 or firstname.lastname@example.org.
Recommendation for Executive Action
Comments: On February 24, 2014, officials from the DHS Science & Technology Directorate (S&T) stated that S&T's Homeland Security Advanced Research Projects Agency (HSARPA) is currently working to draft a policy statement for the department that will include the following: (1) summary of the purpose of, and methodology used for developing, the DHS Integrated Terrorism Risk Assessment (ITRA), which is based upon analyses contained in the department's various biological, chemical, and radiological/nuclear terrorism risk assessments; (2) summary of the benefits that can be achieved by incorporating the ITRA and related risk analyses into DHS's program planning activities; (3) summary of the limitations associated with such risk analyses; and (4) an outline of a process that DHS components can follow in order to incorporate the results from the ITRA and related risk analyses in their program planning activities. According to S&T officials, upon completion of HSARPA's internal review of the draft policy statement--targeted to occur during March 2015--the policy will be submitted to the DHS Office of Policy for department-wide review by April 3, 2015. Upon completion of this latter review, the final draft policy will be submitted to S&T senior leadership and DHS's Joint Requirements Council (JRC)--which identifies common capability needs and challenges across DHS components--for consideration for formal adoption. We will review the policy statement for its consistency with our recommendation upon its finalization and adoption by the department. The envisioned policy statement may address our recommendation if (1) the department ensures that the finalized policy is adopted by the department as department-wide guidance, and (2) the policy details when and how DHS components should consider using the department's CBRN risk assessments to inform related response plan and capability investment decision making.
Recommendation: To better ensure the consistent use of DHS's CBRN risk assessments at the department's components and agencies, the Secretary of Homeland Security should establish more specific guidance, including written procedures, that details when and how DHS components should consider using the department's CBRN risk assessments to inform related response plan and capability investment decision making.
Agency Affected: Department of Homeland Security