This page lists the most recent reports and testimonies related to homeland security issued since April 1997. http://www.gao.gov/docsearch/featured/homelandsecurity.html Sun, 22 Nov 2009 21:39:36 -0500 GAO http://www.gao.gov/images/title_object.jpg http://www.gao.gov/ Feed provided by GAO. Click to visit. http://www.gao.gov/new.items/d1013.pdf The Department of Homeland Security's (DHS) U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) program stores and processes biometric and biographic information to, among other things, control and monitor the entry and exit of foreign visitors. Currently, an entry capability is operating at almost 300 U.S. ports of entry, but an exit capability is not. The Government Accountability Office (GAO) has previously reported on limitations in DHS's efforts to plan and execute its efforts to deliver US-VISIT exit, and made recommendations to improve these areas. GAO was asked to determine (1) the status of DHS's efforts to deliver a comprehensive exit solution and (2) to what extent DHS is applying an integrated approach to managing its comprehensive exit solution. To accomplish this, GAO assessed US-VISIT exit project plans, schedules, and other management documentation against relevant criteria, and it observed exit pilots. DHS has established a Comprehensive Exit project within its US-VISIT program that consists of six components that are at varying stages of completion. To DHS's credit, the US-VISIT program office has established integrated project management plans for, and has adopted an integrated approach to, interacting with and involving stakeholders in its Comprehensive Exit project. However, it has not adopted an integrated approach to scheduling, executing, and tracking the work that needs to be accomplished to deliver a comprehensive exit solution. Rather, it is relying on several separate and distinct schedules to manage individual components and the US-VISIT prime contractor's work that supports these components. Moreover, neither of the two component schedules that GAO reviewed are reliable because they have not been derived in accordance with relevant guidance. Specifically, both the Air Exit Pilots schedule and the Temporary Worker Visa Exit Pilot schedule only fully meet one of nine key schedule estimating practices, and either partially, minimally, or do not meet the remaining eight. In contrast, the prime contractor's schedule is largely reliable, as it fully or substantially meets all nine practices. Without a master schedule for the Comprehensive Exit project that is integrated and derived in accordance with relevant guidance, DHS cannot reliably commit to when and how the work will be accomplished to deliver a comprehensive exit solution to its almost 300 ports of entry, and it cannot adequately monitor and manage its progress toward this end. Thu, 19 Nov 2009 00:00:00 -0500 http://www.gao.gov/new.items/d10236t.pdf The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal facilities under the control and custody of the General Services Administration (GSA). In 2004 GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector, which included allocation of resources using risk management, strategic management of human capital, leveraging of technology, information sharing and coordination, and performance measurement and testing. This testimony is based on past reports and testimonies and discusses (1) limitations FPS faces in protecting GSA buildings and resulting vulnerabilities; and (2) actions FPS is taking. To perform this work, GAO used its key practices as criteria, visited a number of GSA buildings, surveyed tenant agencies, analyzed pertinent laws and DHS and GSA documents, conducted covert testing at 10 judgmentally selected high-security buildings in four cities, and interviewed officials from DHS, GSA, and tenant agencies, and contractors and guards. FPS's approach to securing GSA buildings reflects some aspects of key protection practices; however, GAO found limitations in each area and identified vulnerabilities. More specifically: (1) FPS faces obstacles in allocating resources using risk management. FPS uses an outdated risk assessment tool and a subjective, time-consuming process to assess risk. In addition, resource allocation decisions are the responsibility of GSA and tenant agencies. This leads to uncertainty about whether risks are being mitigated. Also, FPS continues to struggle with funding challenges that impede its ability to allocate resources effectively. (2) FPS does not have a strategic human capital management plan to guide its current and future workforce planning efforts, making it difficult to discern how effective its transition to an inspector-based workforce will be. Furthermore, because contract guards were not properly trained and did not comply with post orders, GAO investigators concealing components for an improvised explosive device passed undetected by FPS guards at 10 of 10 high-security facilities in four major cities. (3) FPS lacks a systematic approach for leveraging technology, and inspectors do not provide tenant agencies with an analysis of alternative technologies, their cost, and the associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives, and tenant agencies must make resource allocation decisions without key information. (4) FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. (5) FPS lacks a reliable data management system for accurately tracking performance measurement and testing. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate resources, or make informed risk management decisions. FPS is taking actions to better protect GSA buildings, in part as a result of GAO's recommendations. For example, FPS is developing a new risk assessment program and has recently focused on improving oversight of its contract guard program. Additionally, GAO has recommended that FPS implement specific actions to make greater use of key practices and otherwise improve security. However, FPS has not completed many related corrective actions and FPS faces implementation challenges as well. Nonetheless, adhering to key practices and implementing GAO's recommendations in specific areas would enhance FPS's chances for future success, and could position FPS to become a leader and benchmark agency for facility protection in the federal government. Wed, 18 Nov 2009 00:00:00 -0500 http://www.gao.gov/new.items/d10252t.pdf The Department of Homeland Security's (DHS) Domestic Nuclear Detection Office (DNDO) is responsible for addressing the threat of nuclear smuggling. Radiation detection portal monitors are key elements in the nation's defenses against such threats. DHS has sponsored testing to develop new monitors, known as advanced spectroscopic portal (ASP) monitors, to replace radiation detection equipment being used at ports of entry. DNDO expects that ASPs may offer improvements over current-generation portal monitors, particularly the potential to identify as well as detect radioactive material and thereby to reduce both the risk of missed threats and the rate of innocent alarms, which DNDO considers to be key limitations of radiation detection equipment currently used by Customs and Border Protection (CBP) at U.S. ports of entry. However, ASPs cost significantly more than current generation portal monitors. Due to concerns about ASPs' cost and performance, Congress has required that the Secretary of Homeland Security certify that ASPs provide a significant increase in operational effectiveness before obligating funds for full-scale ASP procurement. In May 2009, GAO issued a report (GAO-09-655) on the status of the ongoing ASP testing round. This testimony (1) discusses the principal findings and recommendations from GAO's May report on ASP testing and (2) updates those findings based on information from DNDO and CBP officials on the results of testing conducted since the report's issuance. DHS, DNDO, and CBP's oral comments on GAO's new findings were included as appropriate. GAO's May 2009 report on ASP testing found that DHS increased the rigor in comparison with previous tests and thereby added credibility to the test results. However, GAO's report also questioned whether the benefits of the ASPs justify its high cost. In particular, the DHS criteria for a significant increase in operational effectiveness require only a marginal improvement in the detection of certain weapons-usable nuclear materials, which DNDO considers a key limitation of current-generation portal monitors. The marginal improvement required of ASPs is particularly notable given that DNDO has not completed efforts to fine-tune current-generation equipment to provide greater sensitivity. Moreover, the test results showed that ASPs performed better than current-generation portal monitors in detection of such materials concealed by light shielding approximating the threat guidance for setting detection thresholds, but that differences in sensitivity were less notable when shielding was slightly below or above that level. Finally, DNDO had not yet updated its cost-benefit analysis to take into account the results of ASP testing and did not plan to complete computer simulations that could provide additional insight into ASP capabilities and limitations prior to certification even though test delays have allowed more time to conduct the simulations. DNDO officials believed the other tests were sufficient for ASPs to demonstrate a significant increase in operational effectiveness. GAO recommended that DHS assess ASPs against the full potential of current-generation equipment and revise the program schedule to allow time to conduct computer simulations and to uncover and resolve problems with ASPs before full-scale deployment. DHS agreed to a phased deployment that should allow time to uncover ASP problems but disagreed with the other recommendations, which GAO believes remain valid. The results of DNDO's most recent round of field testing raise continuing issues. In July 2009, DNDO resumed the field testing of ASPs that it initiated in January 2009 but suspended because of serious performance problems. However, the July tests also revealed critical performance deficiencies. For example, the ASP had a high number of false positive alarms for the detection of certain nuclear materials. According to CBP, these false alarms are very disruptive in a port environment because any alarm for this type of nuclear material causes CBP to take enhanced security precautions. To address these false alarms, DNDO plans to modify the ASP to make these monitors less sensitive to these nuclear materials and thereby diminishing the ASPs' capability. As GAO reported earlier this year, previous testing results demonstrated that the ASPs represented a marginal improvement in detecting these materials. By reducing the sensitivity to nuclear materials even further, it is uncertain exactly what improvement in detecting these materials the ASPs are providing or whether DNDO might be able to achieve a similar level of performance as the modified ASPs by improving the current-generation portal monitors that are already in place. In addition, the July 2009 testing also identified a critical equipment failure, including an alert malfunction, which DNDO is taking steps to resolve for future testing. Tue, 17 Nov 2009 00:00:00 -0500 http://www.gao.gov/new.items/d1064.pdf The Department of Homeland Security, through the Federal Emergency Management Agency (FEMA), awards grants to fire departments and other organizations for equipment, staffing, and other needs. As of July 2009, FEMA had received about 25,000 and 22,000 applications for its fiscal years 2007 and 2008 fire grant programs, respectively, and had awarded more than 5,000 grants in both years. GAO was congressionally directed to review the application and award process for these grants. This report addresses the (1) extent to which FEMA has met statutory and program requirements for distributing the grant funds; (2) actions FEMA has taken to provide assistance to grant applicants and involve the fire service community in the grant process; and (3) extent to which FEMA has ensured that its grant process is accessible, clear, and consistent with requirements, including its grant guidance. GAO analyzed relevant laws and interviewed 36 randomly selected grant applicants to obtain their views, but the results are not generalizable. FEMA met seven of eight statutory requirements and two of three FEMA established program requirements for distributing fiscal years 2007 and 2008 grant funds. (GAO used fiscal year 2007 data for two requirements because not all fiscal year 2008 funds had been awarded by July 2009.) For example, FEMA met the statutory requirement that volunteer and combination fire departments (which have both paid and volunteer firefighters) collectively receive at least a minimum of 55 percent of fiscal year 2008 grant funds, and also met the program requirement that volunteer departments receive at least 22 percent. GAO was unable to determine whether FEMA met the statutory requirement that at least 3.5 percent of fiscal year 2008 grant funds be awarded for EMS. FEMA reported that its system is not designed to separately track grants awarded to fire departments for EMS purposes and, therefore, it could not determine if it met this requirement. FEMA reported that while it conducted research to determine that it met this requirement for 1 year, doing so was laborious. Establishing procedures to track awards for EMS purposes would allow FEMA to readily determine if it met statutory requirements. FEMA assists grant applicants by sponsoring workshops and involves representatives of the fire service community in establishing criteria and reviewing applications. Each year, FEMA convenes leaders of nine major fire service organizations to conduct a criteria development meeting to develop the program's criteria and funding priorities. FEMA's peer review process--in which members of the fire service organizations assess grant applications--also helps ensure that the fire service community is involved in the grant process. FEMA officials stated that they strive to provide an even chance for as many fire departments and other organizations as possible to serve on peer review panels. They also stated that they are considering conducting outreach efforts to expand peer review participation, such as announcing opportunities to serve on an upcoming peer review panel at workshops. FEMA has taken actions to ensure that its fire grants award process is accessible and clear to grant applicants--28 of 36 applicants GAO interviewed found the guidance to be clear--but GAO also identified inconsistencies between the stated grant application priorities and the application questions and scoring values. For example, the fiscal year 2008 guidance for the grant that funds the recruitment and retention of firefighters states that continuity--maintaining recruitment and retention efforts beyond the life of the grant--was a priority for grant awards. However, no grant application question addressed this priority and the scoring values did not include it. Thus, it is difficult for FEMA to ensure that grant funds are awarded in accordance with the agency's funding priorities. Further, four of the nine major fire service organizations voiced concerns about feedback FEMA provided to rejected applicants, and 22 of the 36 applicants stated that the feedback was helpful to little or no extent. FEMA officials stated that they could strengthen efforts to improve feedback. Providing specific feedback to rejected applicants could help FEMA strengthen future grant application processes. Fri, 30 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d10142.pdf There is ongoing concern about the security of federal buildings and their occupants. The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal buildings under the control and custody of the General Services Administration (GSA). In 2004, GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector that included: allocating resources using risk management, leveraging technology, and information sharing and coordination. As requested, GAO determined whether FPS's security efforts for GSA buildings reflected key practices. To meet this objective, GAO used its key practices as criteria, visited five sites to gain firsthand knowledge, analyzed pertinent DHS and GSA documents, and interviewed DHS, GSA, and tenant agency officials. FPS's approach to securing GSA buildings reflects some aspects of key protection practices, and FPS has several improvements underway such as a new risk assessment program and a countermeasure acquisition program. While FPS's protection activities exhibit some aspects of the key practices, GAO found limitations in each of the areas. FPS assesses risk and recommends countermeasures to GSA and tenant agencies; however, FPS's ability to influence the allocation of resources using risk management is limited because resource allocation decisions are the responsibility of GSA and tenant agencies, which may be unwilling to fund FPS's countermeasure recommendations. Moreover, FPS uses an outdated risk assessment tool and a subjective, time-consuming process. As a result, GSA and tenant agencies are uncertain whether risks are being mitigated. Concerned with the quality and timeliness of FPS's risk assessment services, GSA and tenant agencies are pursuing some of these activities on their own. Although FPS is developing a new risk management program, full implementation is not planned until the end of fiscal year 2011 and has already experienced delays. With regard to leveraging technology, FPS inspectors have considerable latitude for selecting technologies and countermeasures that tenant agencies fund, but FPS provides inspectors with little training and guidance for making cost-effective choices. Additionally, FPS does not provide tenant agencies with an analysis of alternative technologies, their cost, and associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives and tenant agencies must make resource allocation decisions without key information. Although FPS is developing a program to standardize security equipment and contracting, the program has run behind schedule and lacks an evaluative component for assessing the cost-effectiveness of competing technologies and countermeasures. FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. Lack of coordination through regular contact can lead to communication breakdowns. For example, during a construction project at one location, the surveillance equipment that FPS was responsible for maintaining was removed from the site during 2007. FPS and tenant agency representatives disagree over whether FPS was notified of this action. Furthermore, FPS and GSA disagree over what building risk assessment information can be shared. FPS maintains that the sensitive information contained in the assessments is not needed for GSA to carry out its mission. However, GSA maintains that restricted access to the risk assessments constrains its ability to protect buildings and occupants. Fri, 23 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d10128.pdf Since fiscal year 2002, the Transportation Security Administration (TSA) and the Department of Homeland Security (DHS) have invested over $795 million in technologies to screen passengers at airport checkpoints. The DHS Science and Technology Directorate (S&T) is responsible, with TSA, for researching and developing technologies, and TSA deploys them. GAO was asked to evaluate the extent to which (1) TSA used a risk-based strategy to prioritize technology investments; (2) DHS researched, developed, and deployed new technologies, and why deployment of the explosives trace portal (ETP) was halted; and (3) DHS coordinated research and development efforts with key stakeholders. To address these objectives, GAO analyzed DHS and TSA plans and documents, conducted site visits to research laboratories and nine airports, and interviewed agency officials, airport operators, and technology vendors. TSA completed a strategic plan to guide research, development, and deployment of passenger checkpoint screening technologies; however, the plan is not risk-based. According to TSA officials, the strategic plan and its underlying strategy for the Passenger Screening Program were developed using risk information, such as threat information. However, the strategic plan and its underlying strategy do not reflect some of the key risk management principles set forth in DHS's National Infrastructure Protection Plan (NIPP), such as conducting a risk assessment based on the three elements of risk--threat, vulnerability, and consequence--and developing a cost-benefit analysis and performance measures. TSA officials stated that, as of September 2009, a draft risk assessment for all of commercial aviation, the Aviation Domain Risk Assessment, was being reviewed internally. However, completion of this risk assessment has been repeatedly delayed, and TSA could not identify the extent to which it will address all three elements of risk. TSA officials also stated that they expect to develop a cost-benefit analysis and establish performance measures, but officials could not provide timeframes for their completion. Without adhering to all key risk management principles as required in the NIPP, TSA lacks assurance that its investments in screening technologies address the highest priority security needs at airport passenger checkpoints. Since TSA's creation, 10 passenger screening technologies have been in various phases of research, development, test and evaluation, procurement, and deployment, but TSA has not deployed any of these technologies to airports nationwide. The ETP, the first new technology deployment initiated by TSA, was halted in June 2006 because of performance problems and high installation costs. Deployment has been initiated for four technologies--the ETP in January 2006, and the advanced technology systems, a cast and prosthesis scanner, and a bottled liquids scanner in 2008. TSA's acquisition guidance and leading commercial firms recommend testing the operational effectiveness and suitability of technologies or products prior to deploying them. However, in the case of the ETP, although TSA tested earlier models, the models ultimately chosen were not operationally tested before they were deployed to ensure they demonstrated effective performance in an operational environment. Without operationally testing technologies prior to deployment, TSA does not have reasonable assurance that technologies will perform as intended. DHS coordinated with stakeholders to research, develop, and deploy checkpoint screening technologies, but coordination challenges remain. Through several mechanisms, DHS is taking steps to strengthen coordination within the department and with airport operators and technology vendors. Wed, 07 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d10105t.pdf By preparing their families and property before an event, individuals can reduce a disaster's impact on them and their need for first responder assistance, particularly in the first 72 hours following a disaster. By law, the Federal Emergency Management Agency (FEMA), located in the Department of Homeland Security (DHS), is to develop a national preparedness system (NPS)--FEMA includes community preparedness programs as part of the NPS. FEMA's budget to operate these programs made up less than one half of 1 percent of its $7.9 billion budget for fiscal year 2009. These programs include the Citizen Corps program and its partner programs, such as Fire Corps, and rely on volunteers to coordinate efforts and assist first responders in local communities. DHS's Ready Campaign promotes preparedness through mass media. This testimony provides preliminary observations on (1) challenges FEMA faces in measuring the performance of Citizen Corps, its partner programs, and the Ready Campaign and (2) actions FEMA has taken to develop a strategy to encompass how Citizen Corps, its partner programs, and the Ready Campaign operate within the context of the NPS. This testimony is based on work conducted from February 2008 to October 2009. GAO analyzed documents, such as FEMA's strategic plan, and compared reported performance data with observations from 12 site visits, selected primarily based on the frequency of natural disasters. The results are not projectable, but provide local insights. FEMA faces challenges measuring performance for Citizen Corps, partner programs, and the Ready Campaign because it does not have a process to verify that data for its principal performance measure--the registered number of established volunteer organizations across the country--are accurate and the Ready Campaign is not positioned to control the distribution of its message or measure whether its message is changing individuals' behavior. FEMA faces challenges ensuring that the information needed to measure the number of established, active volunteer units is accurate. For example, officials representing 17 councils GAO contacted during its site visits stated that 12 were active and 5 were not. FEMA officials said that the new online registration process FEMA plans to adopt in 2010 will result in some programs being removed from FEMA's registries. They said that FEMA expects to use the new process to collect more comprehensive data on membership and council activities. FEMA counts requests for literature, Web site hits, and the number of television or radio announcements made to gauge performance for the Ready Campaign, but FEMA does not control when its message is viewed because it relies on donated media, such as air time for television and radio announcements. Because changes in behavior can result from a variety of factors, including other campaigns, it is difficult to measure the campaign's effect on changes in individuals' behavior. FEMA's challenges measuring the performance of community preparedness programs is compounded by the fact that it has not developed a strategy to encompass how Citizen Corps, its partner programs, and the Ready Campaign are to operate within the context of the NPS. In April 2009, GAO reported that FEMA's National Preparedness Directorate (NPD), which is responsible for community preparedness, had not developed a strategic plan. GAO reported that instead of a strategic plan, NPD officials stated that they used a draft annual operating plan and Post-Katrina Act provisions to guide NPD's efforts. However, the plan's objectives do not include key elements of a strategy, such as how NPD will measure its progress meeting goals and objectives or the potential costs and types of resources and investments needed. GAO recommended that NPD develop a strategic plan to implement the NPS that contains these key elements. FEMA concurred with GAO's recommendation and told GAO that it is taking actions to strengthen strategic planning. FEMA officials stated that they are reviewing implementation plans and policy documents, such as the National Preparedness Guidelines, and that community preparedness is a key element being considered in this process. FEMA has not set a date for completion of the National Preparedness System strategy, and the extent to which Citizen Corps, its partner programs, or the Ready Campaign will be included in the final strategy is not clear. GAO will continue to assess FEMA's efforts related to community preparedness programs as part of its ongoing work. FEMA provided technical comments on a draft of this testimony, which GAO incorporated as appropriate. Thu, 01 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d091044t.pdf A comprehensive system to alert the American people in times of hazard allows people to take action to save lives. The Federal Emergency Management Agency (FEMA) is the agency within the Department of Homeland Security (DHS) responsible for the current Emergency Alert System (EAS) and the development of the new Integrated Public Alert and Warning System (IPAWS). In this testimony, based on its report released today, GAO discusses (1) the current status of EAS, (2) the progress made by FEMA in implementing an integrated alert and warning system, and (3) coordination issues involved in implementing an integrated alert and warning system. GAO conducted a survey of states, reviewed FEMA and other documentation, and interviewed industry stakeholders and officials from federal agencies responsible for public alerting. As the primary national-level public warning system, EAS is an important alert tool but it exhibits longstanding weaknesses that limit its effectiveness. In particular, the reliability of the national-level relay system--which would be critical if the President were to issue a national-level alert--remains questionable due to a lack of redundancy; gaps in coverage; a lack of testing and training; and limitations in how alerts are disseminated to the public. Further, EAS provides little capability to alert specific geographic areas. FEMA has projects under way to address some of these weaknesses. However, to date, little progress has been made and EAS remains largely unchanged since GAO's previous review, completed in March 2007. As a result, EAS does not fulfill the need for a reliable, comprehensive alert system. Initiated in 2004, FEMA's IPAWS program has made little progress. IPAWS is intended to integrate new and existing alert capabilities, including EAS, into a comprehensive "system of systems." However, national-level alert capabilities have remained unchanged and new technologies have not been adopted. IPAWS efforts have been affected by shifting program goals, lack of continuity in planning, staff turnover, and poorly organized program information from which to make management decisions. The vision of IPAWS has changed twice over the course of the program and strategic goals and milestones are not clearly defined, as IPAWS has operated without an implementation plan from early 2007 through June 2009. Consequently, as state and local governments are forging ahead with their own alert systems, IPAWS program implementation has stalled and many of the functional goals of IPAWS, such as geo-targeting of messages and dissemination through redundant pathways to multiple devices, have yet to reach operational capacity. FEMA conducted a series of pilot projects without systematically assessing outcomes or lessons learned and without substantially advancing alert and warning systems. FEMA does not periodically report on IPAWS progress, therefore, program transparency and accountability are lacking. FEMA faces coordination issues in developing and implementing IPAWS. Effective public warning depends on the expertise, efforts, and cooperation of diverse stakeholders, such as state and local emergency managers and the telecommunications industry. However, many stakeholders GAO contacted know little about IPAWS and expressed the need for better coordination with FEMA. A GAO survey indicated that the majority of state emergency management directors had little communication with FEMA regarding IPAWS. FEMA has taken steps to improve its coordination efforts by planning to participate in emergency management conferences and building improved relationships between the IPAWS program and FEMA regional offices. However, despite stating its plans to create a stakeholder subcommittee and state advisory committees, FEMA has established neither group and has no current plans to do so. Wed, 30 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09883.pdf The U.S. government considers the Kingdom of Saudi Arabia a vital partner in combating terrorism. The strong diplomatic relationship between the United States and Saudi Arabia, founded more than 70 years ago, was strained by the Al Qaeda attacks of September 11, 2001, that were carried out in large part by Saudi nationals and killed thousands of U.S. citizens. GAO was asked to report on (1) the U.S. government strategy to collaborate with and assist the Kingdom of Saudi Arabia to counter terrorism and terrorism financing, and (2) U.S. government agencies' assessment of and the Saudi government's views on progress toward the goals of this strategy. GAO analyzed relevant U.S. and Saudi strategy, planning, and evaluation documents related to efforts since 2005, and discussed these efforts with subject matter experts and U.S. and Saudi officials in Washington, D.C., and Riyadh and Jeddah, Saudi Arabia. GAO submitted a copy of this report to intelligence agencies, the National Security Council, and the Departments of Defense, Energy, Homeland Security, Justice, State, and Treasury for their review and comment. The U.S. government strategy to collaborate with Saudi Arabia on counterterrorism utilizes existing diplomatic and security-related efforts to create an active antiterrorism coalition by enhancing the Saudi government's ability to combat terrorists and prevent financial support to extremists. These objectives are contained in Department of State's (State) Mission Strategic Plans (MSP) for Saudi Arabia for fiscal years 2006 through 2009, and also reflected in a January 2008 report from State to the Congress on its strategy for Saudi Arabia. The MSPs include performance targets to measure progress on efforts to combat terrorism and its financing, such as providing security training to the Saudi government, strengthening Saudi financial institutions, and implementation of relevant Saudi regulations. U.S. and Saudi officials report progress on countering terrorism and its financing within Saudi Arabia, but noted challenges, particularly in preventing alleged funding for terrorism and violent extremism outside of Saudi Arabia. In April 2009, State assessed progress related to its goal of building an active U.S.-Saudi antiterrorist coalition as "on target." U.S. and Saudi officials report progress in enhancing the Saudi government's ability to combat terrorists, and note the Saudi government's efforts have disrupted Al Qaeda's terrorist network within Saudi Arabia. However, these officials noted Saudi Arabia's neighbor, Yemen, is emerging as a base from which Al Qaeda terrorists can launch attacks against U.S. and Saudi interests. U.S. and Saudi officials also report progress on efforts to prevent financial support to extremists, citing, for example, the Saudi government's regulations on sending charitable contributions overseas, and the arrest and prosecution of individuals providing support for terrorism. However, U.S. officials remain concerned about the ability of Saudi individuals and charitable organizations to support terrorism outside of Saudi Arabia, and noted limited Saudi enforcement capacity and terrorists' use of cash couriers as challenges. Despite these concerns, some performance targets related to countering terrorism financing were removed from State's current MSP. According to State officials, these changes were made either because a specific target was no longer considered feasible or because progress was made toward the target. Thu, 24 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09794.pdf In 2004, Congress combined preexisting and newly created units to form the Office of Terrorism and Financial Intelligence (TFI) within the Department of the Treasury (Treasury). TFI's mission is to integrate intelligence and enforcement functions to (1) safeguard the financial system against illicit use and (2) combat rogue nations, terrorist facilitators, and other national security threats. In the 5 years since TFI's creation, questioned have been raised about how TFI is managed and allocates its resources. As a result, GAO was asked to analyze how TFI (1) implements its functions, particularly in collaboration with interagency partners, (2) conducts strategic resource planning, and (3) measures its performance. To conduct this analysis, GAO reviewed Treasury and TFI planning documents, performance reports, and workforce data, and interviewed officials from Treasury and its key interagency partners. TFI undertakes five functions, each implemented by a TFI component, in order to achieve its mission. TFI officials cite the analysis of financial intelligence as a critical part of TFI's efforts because it underlies TFI's ability to utilize many of its tools. They said that the creation of OIA was critical to Treasury's ability to effectively identify illicit financial networks. To achieve its mission, TFI's five components often work with each other, other U.S. government agencies, the private sector, or foreign governments. Officials from TFI and its interagency partners cited strong collaboration in many areas, such as effective information sharing between FinCEN and the Justice Department (Justice). Officials differed, however, about the quality of interagency collaboration involving international forums. Treasury officials who led this collaboration stated that it runs smoothly and that they were unaware of any significant concerns, while Justice and State officials reported declining collaboration and unclear mechanisms to enhance or sustain it. While TFI and some of its components have conducted selected strategic resource planning activities, TFI as a unit has not fully adopted key practices that enhance such efforts. For example, TFI and its components have produced multiple strategic planning documents in recent years, but the objectives in some of these documents are not clearly aligned with resources needed to achieve them. As a result, it may be unclear whether TFI has sufficient resources to address its objectives. Also, though TFI has undertaken some workforce planning activities, it lacks a process for performing comprehensive strategic workforce planning. Thus, it is unclear whether TFI is able to effectively address persistent workforce challenges. Also, TFI has not yet developed appropriate performance measures, changing their number and substance each year. Though TFI's current measures fully address many attributes of effective performance measures, they do not cover all TFI core program activities. TFI officials acknowledge the need for improvement and have worked since 2007 to develop one overall performance measure to assess TFI. Yet questions remain about when TFI will implement its new measure and whether it will effectively gauge TFI's performance. Thu, 24 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d091047t.pdf To accomplish its mission of protecting federal facilities, the Federal Protective Services (FPS), within the Department of Homeland Security (DHS), currently has a budget of about $1 billion, about 1,200 full-time employees, and about 15,000 contract security guards. This testimony is based on completed and ongoing work for this Subcommittee and discusses: (1) challenges FPS faces in protecting federal facilities and (2) how FPS's actions address these challenges. To perform this work, GAO visited FPS's 11 regions, analyzed FPS data, and interviewed FPS officials, guards, and contractors. GAO also conducted covert testing at 10 judgmentally selected level IV facilities in four cities. Because of the sensitivity of some of the information, GAO cannot identify the specific locations of incidents discussed. A level IV facility has over 450 employees and a high volume of public contact. FPS faces challenges that hamper its ability to protect government employees and members of the public who work in and visit federal facilities. First, as we reported in our June 2008 report, FPS does not have a risk management framework that links threats and vulnerabilities to resource requirements. Without such a framework, FPS has little assurance that its programs will be prioritized and resources will be allocated to address changing conditions. Second, as discussed in our July 2009 report, FPS lacks a strategic human capital plan to guide its current and future workforce planning efforts. FPS does not collect data on its workforce's knowledge, skills, and abilities and therefore cannot determine its optimal staffing levels or identify gaps in its workforce and determine how to fill these gaps. Third, as we testified at a July 2009 congressional hearing, FPS's ability to protect federal facilities is hampered by weaknesses in its contract security guard program. GAO found that many FPS guards do not have the training and certifications required to stand post at federal facilities in some regions. For example, in one region, FPS has not provided the required 8 hours of X-ray or magnetometer training to its 1,500 guards since 2004. GAO also found that FPS does not have a fully reliable system for monitoring and verifying whether guards have the training and certifications required to stand post at federal facilities. In addition, FPS has limited assurance that guards perform assigned responsibilities (post orders). Because guards were not properly trained and did not comply with post orders, GAO investigators with the components for an improvised explosive device concealed on their persons, passed undetected through access points controlled by FPS guards at 10 of 10 level IV facilities in four major cities where GAO conducted covert tests. FPS has taken some actions to better protect federal facilities, but it is difficult to determine the extent to which these actions address these challenges because many of the actions are recent and have not been fully implemented. Furthermore, FPS has not fully implemented several recommendations that GAO has made over the last couple of years to address FPS's operational and funding challenges, despite the Department of Homeland Security's concurrence with the recommendations. In addition, most of FPS's actions focus on improving oversight of the contract guard program and do not address the need to develop a risk management framework or a human capital plan. To enhance oversight of its contract guard program FPS is requiring its regions to conduct more guard inspections at level IV facilities and provide more x-ray and magnetometer training to inspectors and guards. However, several factors make these actions difficult to implement and sustain. For example, FPS does not have a reliable system to track whether its 11 regions are completing these new requirements. Thus, FPS cannot say with certainty that the requirements are being implemented. FPS is also developing a new information system to help it better protect federal facilities. However, FPS plans to transfer data from several of its legacy systems, which GAO found were not fully reliable or accurate, into the new system. Wed, 23 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09828.pdf A successful terrorist attack on a facility containing nuclear weapons could have devastating consequences. GAO was asked to compare the Department of Defense's (DOD) and Department of Energy's (DOE) efforts to protect the nation's nuclear weapons where they are stored, maintained, or transported. This report (1) compares the nuclear weapons security policies and procedures at DOD and DOE, and the extent to which cost-benefit analyses are required; (2) compares DOD and DOE efforts to assess threats to nuclear weapons; and (3) identifies total current and projected funding requirements for securing nuclear weapons, including military construction costs. GAO analyzed DOD and DOE nuclear weapons security policies and procedures; visited sites that store, maintain, or transport nuclear weapons; and analyzed funding data for fiscal years 2006 through 2013. This report is an unclassified version of a classified report issued in May 2009. DOD and DOE nuclear weapons security policies and guidance are similar in that both establish minimum security standards for nuclear weapons. However, DOD's guidance does not emphasize or require a cost-benefit analysis when considering alternative security measures, and therefore the full costs of alternatives may not be considered in a comprehensive manner when choosing among security measures. For example, the Navy plans to spend about $1.1 billion on security improvements to protect ballistic missile submarines while in transit, but selected one alternative without considering the full life cycle costs of the available alternatives. In contrast, DOE's policy for nuclear weapons security provides local officials greater flexibility than DOD's in determining how to meet security standards, and has a greater emphasis on cost-benefit analysis as a part of the decision-making process. Although DOD and DOE assess threats to nuclear assets as part of their nuclear weapons security programs, DOD has not provided adequate guidance or capabilities to fully develop local threat assessments where nuclear weapons are stored, maintained, or transported. DOD policies require installation commanders to develop threat assessments using a national assessment as a starting point and tailor that assessment to their installations. However, GAO identified instances where the local threat assessment generally reflected all threats contained in the national assessment, with only minimal adjustments to reflect the local environment. Further, the individuals developing the local assessments had limited guidance, were not trained as intelligence analysts and often used different methodologies. Without clear guidance and necessary threat assessment capabilities, the military services may not be fully leveraging local, regional, and national threat information in preparing local assessments. In contrast, DOE provides guidance and, at the time of GAO's review, was developing an approach to incorporate all available threat information more fully into its assessments, though GAO did not assess its effectiveness because this new approach had not been fully implemented. DOD and DOE have estimated the funds required to protect nuclear weapons to be approximately $11 billion for fiscal years 2006 through 2013, but GAO identified shortfalls in the Air Force's ability to centrally manage and track funding that limits the visibility of Air Force requirements. The Air Force and Navy make up over $8 billion of the total estimated requirement for securing nuclear weapons. The remaining $3 billion is incurred by the two DOE organizations that handle nuclear weapons. Across all four organizations, over half the $11 billion is devoted to funding security forces. Although accountability over funding data is critical to enabling decision makers to address nuclear weapons security funding requirements, GAO found that the Air Force lacked a consistent method to identify requirements specifically related to nuclear weapons security because of the decentralized method through which it manages this funding. Without a method to track these costs, the visibility of these requirements is limited, and the Air Force may not be able to effectively manage its nuclear weapons security funding. Fri, 18 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d091013t.pdf This testimony discusses the implementation of the Department of Homeland Security's (DHS) Secure Border Initiative (SBI) program--a multiyear, multibillion dollar program aimed at securing U.S. borders and reducing illegal immigration. Securing the nation's borders from illegal entry of aliens and contraband, including terrorists and weapons of mass destruction, continues to be a major challenge. In November 2005, DHS announced the launch of SBI to help address this challenge. The U.S. Customs and Border Protection (CBP) supports this initiative by providing agents and officers to patrol the borders, secure the ports of entry, and enforce immigration laws. In addition, CBP's SBI program is responsible for developing a comprehensive border protection system using technology, known as SBInet, and tactical infrastructure--fencing, roads, and lighting--along the southwest border to deter smugglers and aliens attempting illegal entry. Since fiscal year 2005, SBI has received funding amounting to over $3.7 billion. Approximately $1.1 billion has been allocated to SBInet and $2.4 billion to tactical infrastructure. SBInet surveillance technologies are to include sensors, cameras, and radars. The command, control, communications, and intelligence (C3I) technologies are to include software and hardware to produce a Common Operating Picture (COP)--a uniform presentation of activities within specific areas along the border. SBInet technology is to be initially deployed in two geographic areas --designated as Tucson-1 and Ajo-1--within the Tucson sector. In September 2006, CBP awarded a prime contract for SBInet development to the Boeing Company for 3 years, with three additional 1-year options. As of July 8, 2009, CBP had awarded 13 task orders to Boeing for a total amount of approximately $1.1 billion. In addition to deploying technology across the southwest border, DHS planned to deploy 370 miles of single-layer pedestrian fencing and 300 miles of vehicle fencing by December 31, 2008. Pedestrian fencing is designed to prevent people on foot from crossing the border and vehicle fencing consists of physical barriers meant to stop the entry of vehicles. In September 2008, DHS revised its goal, committing instead to having 661 miles either built, under construction, or under contract by December 31, 2008, but did not set a goal for the number of miles it planned to build by December 31, 2008. Although some tactical infrastructure exists in all the southwest border sectors, most of what has been built through the SBI program is located in the San Diego, Yuma, Tucson, El Paso, and Rio Grande Valley sectors. This testimony is based on a report we are publicly releasing today that is the fourth in a series of interim reports on SBI implementation. testimony will discuss the following key issues in our report: (1) the extent to which CBP has implemented the SBInet technology program and the impact of any delays that have occurred, and (2) the extent to which CBP has deployed the SBI tactical infrastructure program and assessed its results. Our full report also provides a status of SBI program office staffing and the progress the office reports in achieving its human capital goals. SBInet technology capabilities have not yet been deployed and delays require the Border Patrol to rely on existing technology for securing the border, rather than using newer technology planned to overcome the existing technology's limitations. As a result of the delays, Border Patrol agents continue to use existing technology that has limitations, such as performance shortfalls and maintenance issues. For example, on the southwest border, the Border Patrol relies on existing equipment such as cameras mounted on towers that have intermittent problems, including signal loss. The Border Patrol has procured and delivered some new technology to fill gaps or augment existing equipment. However, incorporating SBInet technology as soon as it is operationally available should better position CBP to identify and implement operational changes needed for securing the border. Thu, 17 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d091002t.pdf The Department of Homeland Security (DHS) invested more than $6 billion in 2009 on large-scale, information technology (IT) systems to help it achieve mission outcomes and transform departmentwide operations. For DHS to effectively leverage these systems as mission enablers and transformation tools, it needs to employ a number of institutional acquisition and IT management controls and capabilities, such as using an operational and technological blueprint to guide and constrain system investments (enterprise architecture) and following institutional policies, practices, and structures for acquiring and investing in these systems. Other institutional controls and capabilities include employing rigorous and disciplined system life cycle management processes and having capable acquisition and IT management workforces. As GAO has reported, it is critical for the department to implement these controls and capabilities on each of its system acquisition programs. GAO has issued a series of reports on DHS institutional controls for acquiring and managing IT systems, and its implementation of these controls on large-scale systems. GAO was asked to testify on how far the department has come on both of these fronts, including its implementation of GAO's recommendations. To do this, GAO drew from its issued reports on institutional IT controls and IT systems, as well as our recurring work to follow up on the status of our open recommendations. Since its inception, DHS has made uneven progress in its efforts to institutionalize a framework of interrelated management controls and capabilities associated with effectively and efficiently acquiring large-scale IT systems. To its credit, it has continued to issue annual updates to its enterprise architecture that have added previously missing scope and depth, and further improvements are planned to incorporate the level of content, referred to as segment architectures, needed to effectively introduce new systems and modify existing ones. Also, it has redefined its acquisition and investment management policies, practices, and structures, including establishing a system life cycle management methodology, and it has increased its acquisition workforce. Nevertheless, challenges remain relative to, for example, implementing the department's plan for strengthening its IT human capital, and fully defining key system investment and acquisition management policies and procedures. Moreover, the extent to which DHS has actually implemented these investment and acquisition management policies and practices on major programs has been at best inconsistent, and in many cases, quite limited. For example, recent reviews by GAO show that major acquisition programs have not been subjected to executive level acquisition and investment management reviews at key milestones and have not, among other things, employed reliable cost and schedule estimating practices, effective requirements development and test management practices, meaningful performance measurement, strategic workforce management, proactive identification and mitigation of program risks, and effective contract tracking and oversight, among other things. Because of these weaknesses, major IT programs aimed at delivering important mission capabilities have not lived up to expectations. For example, full deployment of the Rescue 21 "search and rescue" system had to be extended from 2006 to 2017; development and deployment of an "exit" capability under the US-VISIT program has yet to occur; and the timing and scope of an SBInet "virtual border fence" initial operating capability has been delayed and reduced from the entire southwest border to 28 miles of the border. To assist the department in addressing its institutional and system-specific challenges, GAO has made a range of recommendations. While DHS and its components have acted on many of these recommendations, and as a result have arguably made progress and improved the prospects for success on ongoing and future programs, more needs to be done by DHS's new leadership team before the department can ensure that all system acquisitions are managed with the rigor and discipline needed to consistently deliver promised capabilities and benefits on time and on budget. Tue, 15 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09996t.pdf A terrorist's use of a radiological dispersal device (RDD) or improvised nuclear device (IND) to release radioactive materials into the environment could have devastating consequences. The timely cleanup of contaminated areas, however, could speed the restoration of normal operations, thus reducing the adverse consequences from an incident. This testimony examines (1) the extent to which federal agencies are planning to fulfill their responsibilities to assist cities and their states in cleaning up areas contaminated with radioactive materials from RDD and IND incidents; (2) what is known about the federal government's capability to effectively cleanup areas contaminated with radioactive materials from RDD and IND incidents, and (3) suggestions from government emergency management officials on ways to improve federal preparedness to provide assistance to recover from RDD and IND incidents. We also discuss recovery activities in the United Kingdom. This testimony is based on our ongoing review of recovery preparedness issues for which we examined applicable federal laws and guidance; interviewed officials from the Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA), Department of Energy (DOE), and Environmental Protection Agency (EPA); and surveyed emergency management officials from 13 large cities and their states, as well as FEMA and EPA regional office officials. DHS, through FEMA, is responsible for developing a comprehensive emergency management system to respond to and recover from natural disasters and terrorists attacks, including RDD and IND attacks. The response phase would involve evacuations and providing medical treatment to those who were injured; the recovery phase would include cleaning up the radioactive contamination from an attack in order to permit people to return to their homes and businesses. To date, much federal attention has been given to developing a response framework, with less attention to recovery. Our survey found that almost all cities and states would be so overwhelmed by an RDD or IND incident that they would rely on the federal government to conduct almost all analysis and cleanup activities that are essential first steps towards recovery. However, we found that the federal government has not sufficiently planned to undertake these activities. For example, FEMA has not issued a national disaster recovery strategy or plans for RDD and IND incidents as required by law. Existing federal guidance provides only limited direction for federal agencies to develop their own recovery plans and conduct exercises to test preparedness. Out of over 70 RDD and IND exercises conducted in the last 5 years, only three have included interagency recovery discussions following a response exercise. Although DOE and EPA have experience in the cleanup of small-scale radiation-contaminated areas, their lack of knowledge and capability to apply approaches to address the magnitude of an RDD or an IND incident could increase recovery costs and delay completion. According to anexpert at Idaho National Laboratory, experience has shown that not selecting the appropriate decontamination technologies can generate waste types that are more difficult to remove than the original material and can create more debris requiring disposal--leading to increased costs. Limitations in laboratory capacity to rapidly test thousands of material samples during cleanup, and uncertainty regarding where to dispose of radioactive debris could also slow the recovery process. At least two-thirds of the city, state, and federal respondents expressed concern about federal capability to provide the necessary analysis and cleanup actions to promote recovery after these incidents. Nearly all survey respondents had suggestions to improve federal recovery preparedness for RDD and IND incidents. For example, almost all the cities and states identified the need for a national disaster recovery strategy to address gaps and overlaps in federal guidance. All but three cities wanted additional guidance, for example, on monitoring radioactivity levels, cleanup standards, and management of radioactive waste. Most cities wanted more interaction with federal agencies and joint exercising to test recovery preparedness. Finally, our review of the United Kingdom's preparedness to recover from radiological terrorism showed that that country has already taken actions similar to those suggested by our survey respondents, such as issuing national recovery guidance, conducting a full-scale recovery exercise, and publishing a national handbook for radiation incidents. Mon, 14 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09896.pdf Securing the nation's borders from illegal entry of aliens and contraband, including terrorists and weapons of mass destruction, continues to be a major challenge. In November 2005, the Department of Homeland Security (DHS) announced the launch of the Secure Border Initiative (SBI), a multiyear, multibillion dollar program aimed at securing U.S. borders and reducing illegal immigration. Within DHS, U.S. Custom and Border Protection's (CBP) SBI program is responsible for developing a comprehensive border protection system using technology, known as SBInet, and tactical infrastructure--fencing, roads, and lighting. GAO was asked to provide periodic updates on the status of the program. This report addresses (1) the extent to which CBP has implemented SBInet and the impact of delays that have occurred, and (2) the extent to which CBP has deployed tactical infrastructure and assessed its results. To do this work, GAO reviewed program schedules, status reports, and previous GAO work; interviewed DHS and CBP officials, among others; and visited three SBI sites where initial technology or fencing had been deployed at the time of GAO's review. SBInet technology capabilities have not yet been deployed and delays require Border Patrol, a CBP component, to rely on existing technology for securing the border, rather than using newer technology planned to overcome the existing technology's limitations. Flaws found in testing and concerns about the impact of placing towers and access roads in environmentally sensitive locations caused delays. As of September 2006, SBInet technology deployment for the southwest border was planned to be complete by early fiscal year 2009. When last reported in February 2009, the completion date had slipped to 2016. As a result of such delays, Border Patrol agents continue to use existing technology that has limitations, such as performance shortfalls and maintenance issues. For example, on the southwest border, Border Patrol relies on existing equipment such as cameras mounted on towers that have intermittent problems, including signal loss. Border Patrol has procured and delivered some new technology to fill gaps or augment existing equipment. However, incorporating SBInet technology as soon as it is operationally available should better position CBP to identify and implement operational changes needed for securing the border. Tactical infrastructure deployments are almost complete, but their impact on border security has not been measured. As of June 2009, CBP had completed 633 of the 661 miles of fencing it committed to deploy along the southwest border. However, delays continue due mainly to challenges in acquiring the necessary property rights from landowners. While fencing costs increased over the course of construction, because all construction contracts have been awarded, costs are less likely to change. CBP plans to use $110 million in fiscal year 2009 funds to build 10 more miles of fencing, and fiscal year 2010 and 2011 funds for supporting infrastructure. CBP reported that tactical infrastructure, coupled with additional trained agents, had increased the miles of the southwest border under control, but despite a $2.4 billion investment, it cannot account separately for the impact of tactical infrastructure. CBP measures miles of tactical infrastructure constructed and has completed analyses intended to show where fencing is more appropriate than other alternatives, such as more personnel, but these analyses were based primarily on the judgment of senior Border Patrol agents. Leading practices suggest that a program evaluation would complement those efforts. Until CBP determines the contribution of tactical infrastructure to border security, it is not positioned to address the impact of this investment. Wed, 09 Sep 2009 00:00:00 -0400 This is a supplemtary report to GAO-09-834. It presents selected results of GAO's Web-based survey of emergency management directors in all 50 states and the District of Columbia. We conducted this survey to collect information on state and local alert capabilities, including the extent of compatibility standards usage; state and local participation in the Federal Emergency Management Agency's (FEMA) Integrated Public Alert and Warning System (IPAWS) pilot projects; state and local communication and coordination with FEMA regarding the IPAWS program; and challenges, from the state and local perspective, to developing and implementing an integrated alert and warning system. A copy of the survey and selected results can be viewed by clicking on the table of contents at the bottom right of this document. We received completed questionnaires from 46 states and the District of Columbia for a response rate of 92 percent. This document presents results from all closed-entry survey questions but does not include narrative responses that we received. Wed, 09 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09834.pdf A comprehensive system to alert the American people in times of hazard allows people to take action to save lives. The Federal Emergency Management Agency (FEMA) is responsible for the current Emergency Alert System (EAS) and the development of the new Integrated Public Alert and Warning System (IPAWS). In this requested report, GAO examined (1) the current status of EAS, (2) the progress made by FEMA in implementing an integrated alert and warning system, and (3) the challenges involved in implementing an integrated alert and warning system. GAO conducted a survey of states, reviewed FEMA and other documentation, and interviewed industry stakeholders and officials from federal agencies responsible for public alerting. As the primary national-level public warning system, EAS is an important alert tool, but it exhibits longstanding weaknesses that limit its effectiveness. EAS allows state and local officials limited ability to produce public alerts via television and radio. Weaknesses with EAS include lack of reliability of the message distribution system; gaps in coverage; insufficient testing; and inadequate training of personnel. Further, EAS provides little capability to alert specific geographic areas. EAS does not ensure message delivery for individuals with hearing and vision disabilities, and non-English speakers. FEMA has projects under way to address some of these weaknesses with EAS. However, to date, little progress has been made and EAS remains largely unchanged since GAO's previous review, completed in March 2007. As a result, EAS does not fulfill the need for a reliable, comprehensive alert system. Initiated in 2004, FEMA's IPAWS program is intended to integrate new and existing alert capabilities, including EAS, into a comprehensive "system of systems." However, national-level alert capabilities have remained unchanged and new technologies have not been adopted. IPAWS efforts have been affected by shifting program goals, lack of continuity in planning, staff turnover, and poorly organized program information from which to make management decisions. The vision of IPAWS has changed twice over the course of the program and strategic goals and milestones are not clearly defined, as IPAWS operated without an implementation plan from early 2007 through June 2009. Consequently, as state and local governments are forging ahead with their own alert systems, IPAWS program implementation has stalled and many of the functional goals of IPAWS, such as geo-targeting of messages and dissemination through redundant pathways to multiple devices, have yet to reach operational capacity. FEMA conducted a series of pilot projects without systematically assessing outcomes or lessons learned and without substantially advancing alert and warning systems. FEMA does not periodically report on IPAWS progress, therefore, program transparency and accountability are lacking. FEMA faces coordination issues and technical challenges in developing and implementing IPAWS. Effective public warning depends on the cooperation of stakeholders, such as emergency managers and the telecommunications industry, yet many stakeholders GAO contacted knew little about IPAWS and expressed the need for better coordination with FEMA. FEMA has taken steps to improve its coordination efforts, but the scope of stakeholder involvement is limited. FEMA also faces technical challenges related to systems integration, standards development, the development of geo-targeted and multilingual alerts, and alerts for individuals with disabilities. For example, the standard intended to facilitate integration of systems is still under development and is not widely used. As a result of these coordination and technical hurdles, integration with state and local systems will likely be a significant challenge due to potential incompatibility, and FEMA does not yet have logistical plans to integrate these systems. Wed, 09 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09824.pdf The U.S. Border Patrol, part of the Department of Homeland Security's Customs and Border Protection (CBP), operates checkpoints on U.S. roads, mainly in the southwest border states where most illegal entries occur. As part of a three-tiered strategy to maximize detection and apprehension of illegal aliens, Border Patrol agents at checkpoints screen vehicles for illegal aliens and contraband. GAO was asked to assess (1) checkpoint performance and factors affecting performance, (2) checkpoint performance measures, (3) community impacts considered in checkpoint placement and design, and (4) the impact of checkpoint operations on nearby communities. GAO work included a review of Border Patrol data and guidance; visits to checkpoints and communities in five Border Patrol sectors across four southwest border states, selected on the basis of size, type, and volume, among other factors; and discussions with community members and Border Patrol officials in headquarters and field locations. Checkpoints have contributed to the Border Patrol's ability to seize illegal drugs, apprehend illegal aliens, and screen potential terrorists; however, several factors have impeded higher levels of performance. Checkpoint contributions included over one-third of the Border Patrol's total drug seizures, according to Border Patrol data. Despite these and other contributions, Border Patrol officials said that additional staff, canine teams, and inspection technology were needed to increase checkpoint effectiveness. Border Patrol officials said they plan to increase these resources. The Border Patrol established three performance measures to report the results of checkpoint operations, and while they provide some insight into checkpoint activity, they do not indicate if checkpoints are operating efficiently and effectively. In addition, GAO found that a lack of management oversight and unclear checkpoint data collection guidance resulted in the overstatement of checkpoint performance results in fiscal year 2007 and 2008 agency performance reports, as well as inconsistent data collection practices at checkpoints. These factors hindered management's ability to monitor the need for program improvement. Internal control standards require that agencies accurately record and report data necessary to demonstrate agency performance, and that they provide proper oversight of these activities. The Border Patrol generally followed its guidelines for considering community safety and convenience in four recent checkpoint placement and design decisions, including the proposed permanent checkpoint on Interstate 19 in Arizona. Current and projected traffic volume was a key factor in the design of the proposed Interstate 19 checkpoint, but was not considered when determining the number of inspection lanes for three recently completed checkpoints in Texas due to a lack of guidance. Having explicit guidance on using current and projected traffic volumes could help ensure that future checkpoints are appropriately sized. Individuals GAO contacted who live near checkpoints generally supported their operations but expressed concerns regarding property damage that occurs when illegal aliens and smugglers circumvent checkpoints to avoid apprehension. The Border Patrol is not yet using performance measures it has developed to examine the extent that checkpoint operations affect quality of life in surrounding communities. The Border Patrol uses patrols and technology to detect and respond to circumventions, but officials said that other priorities sometimes precluded positioning more than a minimum number of agents on checkpoint circumvention routes. The Border Patrol has not documented the number of agents needed to address circumventions at the proposed I-19 checkpoint. Given the concerns of nearby residents regarding circumventions, conducting a workforce planning needs assessment at the checkpoint design stage could help ensure that resources needed for addressing such activity are planned for and deployed. Mon, 31 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09822.pdf Government functions and effective disaster response and management rely on the ability of national security and emergency preparedness (NS/EP) personnel to communicate. The Department of Homeland Security's (DHS) National Communications System (NCS), is responsible for ensuring continuity of NS/EP communications when network congestion or damage occurs. As requested, GAO assessed the (1) priority communication programs NCS provides, how it enlists subscribers, and to what extent NCS controls access to these programs; (2) challenges that can affect delivery of these programs; and (3) extent to which NCS plans for and evaluates its services. GAO reviewed NCS program documents, such as annual reports and access control procedures and data on program subscribers. GAO also interviewed officials from NCS and select state and local government entities. GAO compared NCS performance measures to federal best practices. NCS has two programs to provide NS/EP personnel with priority calling service when telephone networks are congested or damaged--the Government Emergency Telecommunications Service (GETS) and the Wireless Priority Service (WPS). NCS has undertaken several efforts, such as outreach at industry conferences, to increase participation in and control access to these programs. According to NCS, though outreach efforts have helped to increase overall enrollment, it is working to further address possible cost barriers to participation in WPS, such as discussing options with wireless carriers to help defray costs. In addition, NCS has implemented policies and procedures to ensure that access to its priority programs are limited to authorized users. GAO's review of select GETS and WPS subscriber data revealed that, of the 85 records we examined, NCS generally followed its policies and procedures to limit GETS and WPS access to authorized subscribers. NCS is taking steps to address inherent challenges in the communications environment--such as network congestion. For example, NCS initiated a satellite pilot program to allow NS/EP officials to circumvent severely damaged or congested traditional telephone networks. However, methods for implementation and evaluation of the pilot were unclear and NCS subsequently terminated the pilot. NCS is also working to provide priority voice and data NS/EP communications as part of the evolving telecommunications networks, but it has not finalized an acquisition approach based on available technologies, costs, or plans to mitigate technological and other challenges to deliver such capabilities. The lack of this information has led to congressional restrictions on NCS's funding. As NCS attempts to ensure that GETS and WPS services can operate in these evolving networks, an acquisition approach that includes this information will provide NCS officials and Congress with essential information to most effectively allocate resources and guide decision making. Although DHS agreed with GAO's June 2008 recommendation to complete the NCS strategic plan, NCS has not finalized its strategic plan which has been under development since 2007. Furthermore, existing performance measures do not cover all of its core responsibilities, as suggested by best practices, and certain performance measures could be strengthened. For example, NCS does not have a measure to gauge its performance in two of its key federal roles--critical infrastructure protection for communications under DHS's National Infrastructure Protection Plan as well as coordinating communications issues under the National Response Framework. Furthermore, NCS does not use prior years' enrollment levels to help determine increases, if any, to be made to future year's goals for user enrollment. Fully and accurately measuring performance is critical to ensuring the agency and key stakeholders--such as Congress--base program and resource decisions on actual performance. Fri, 28 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09983.pdf The September 11 terrorist attacks have heightened concerns about the security of the nation's icons and parks, which millions of people visit every year. The National Park Service (Park Service) within the Department of the Interior (Interior) is responsible for securing nearly 400 park units that include icons and other parks. In 2004, GAO identified a set of key protection practices that include: allocating resources using risk management, leveraging technology, information sharing and coordination, performance measurement and testing, and strategic management of human capital. As requested, GAO determined whether the Park Service's security efforts for national icons and parks reflected key practices. To meet this objective, GAO used its key practices as criteria, reviewed five icons and parks to gain firsthand knowledge, analyzed Interior documents, and interviewed Interior officials. The Park Service has implemented a range of security improvements since the September 11 terrorist attacks and has worked to integrate security into its primary mission to preserve national icons and parks for the public's enjoyment. For example, it has established a senior-level security manager position and taken steps to strengthen security at the icons, and is developing a risk management program for small parks. These efforts exhibit some aspects of the key protection practices, but GAO found limitations in each of the areas. The Park Service does not allocate resources using risk management servicewide or cost-effectively leverage technology. While the Park Service, with assistance from Interior, has conducted risk assessments and implemented countermeasures to enhance security at the icons, some critical vulnerabilities remain. Moreover, the Park Service has not advanced this risk management approach for icons to the rest of its national parks. Without a servicewide risk management approach, the Park Service lacks assurance that security efforts are focused where they are needed. Furthermore, while icons and parks may use a variety of security technologies and other countermeasures, they do not have guidance for evaluating the cost-effectiveness of these investments, thus limiting assurances of efficiency and cost-effectiveness. Additionally, the Park Service faces limitations with sharing and coordinating information internally and lacks a servicewide approach for routine performance measurement and testing. Although the Park Service collaborates with external organizations, it lacks comparable arrangements for internal security communications and, as a result, parks are not equipped to share information with one another on common security problems and solutions. Furthermore, the Park Service has not established security performance measures and lacks an analysis tool that could be used to evaluate program effectiveness and inform an overall risk management strategy. Thus, icons and parks have little information on the status and performance of security that they can use to manage daily activities or that Park Service management can use to manage security throughout the organization. Finally, strategic human capital management is an area of concern because of the Park Service's lack of clearly defined security roles and a security training curriculum. For example, staff that are assigned security duties are generally not required to meet qualifications or undergo specialized training. Absent a security training curriculum, there is less assurance that staff are well-equipped to effectively identify and mitigate risks at national icons and parks. Fri, 28 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09455.pdf Since 2004, private insurance companies participating in the Federal Emergency Management Agency's (FEMA) Write-Your-Own (WYO) program have collected an average of $2.3 billion in premiums annually and, of this amount, have been paid or allowed to retain an average of $1 billion per year. Questions have been raised about FEMA's oversight of the program in light of the debts FEMA has incurred since the 2005 hurricanes. GAO placed NFIP on its high-risk list and issued several reports addressing the challenges the program faces. This report addresses the methods FEMA uses for determining the rates at which WYOs are paid, its marketing bonus system for WYOs, its adherence to financial control requirements for the WYO program, and alternatives to the current system. To do this work, we reviewed and analyzed FEMA's data and policies and procedures and obtained the views of select WYOs and flood insurance experts. FEMA does not systematically consider actual flood insurance expense information when it determines the amount it pays the WYO for selling and servicing flood insurance policies and adjusting claims. Rather, since the inception of the WYO program, FEMA has used various proxies for determining the rates at which it pays the WYOs. Consequently, FEMA does not have the information it needs to determine (1) whether its payments are reasonable and (2) the amount of profit to the WYOs that are included in its payments. When GAO compared expense payments FEMA made to six WYOs to the WYOs' actual expenses for calendar years 2005 through 2007, we found that the payments exceeded actual expenses by $327.1 million, or 16.5 percent of total payments made. Considering actual expense information would provide transparency and accountability over payments to the WYOs. FEMA has not aligned its bonus structure with its long-term goals for the program. The WYOs generally offered flood insurance when requested but did not strategically market the product as a primary insurance line. FEMA has not set explicit marketing goals beyond a 5 percent goal of increasing policy growth each year, and the WYO program primarily rewards companies that are new to NFIP for sales increases that may result from external factors, including flood events. The Government Performance and Results Act states that when results could be influenced by external factors, agencies can use intermediate goals to measure contributions to specific goals. Paying bonuses based on such intermediate targeted goals could bring the bonus structure more in line with FEMA's goals for the NFIP program. FEMA has explicit financial control requirements and procedures for the WYO program but has not implemented all aspects of its Control Plan. FEMA provides guidance for WYOs that is intended to ensure compliance with the statutory requirements for the NFIP and contains checks and balances to help ensure that taxpayer funds are spent appropriately. FEMA did most of the required biennial audits and underwriting and claims reviews but did not do most of the required audits for cause; state insurance department audits; and marketing, litigation, and customer service operational reviews. In addition, FEMA did not systematically track the outcomes of the various audits, inspections, and reviews that it performed for the 10 WYOs included in this review of FEMA's oversight of the program. Because FEMA does not implement all aspects of the Control Plan, it cannot ensure that the WYOs are fully complying with program requirements. Three alternative administrative structures could replace NFIP's payment arrangement with a competitively awarded contract that could lower costs for selling and servicing flood insurance policies and administering claims: (1) contracting with one or more insurance companies, (2) contracting with a single vendor, or (3) contracting with multiple vendors and maintaining the WYO network. Each alternative involves trade-offs in terms of the impact on the program's basic operations that would have to be considered. Fri, 21 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09676.pdf Since 1997, periodic GAO surveys indicate that overall, federal managers have more performance information available but have not made any greater use of this information for decision making. Based on GAO's most recent survey in 2007, GAO was asked to (1) identify agencies with relatively low use of performance information and the factors that contribute to this condition; and (2) examine practices in an agency with indications of improvement in use of performance information. GAO analyzed results from its surveys of federal managers across 29 agencies, reviewed key agency documents related to using performance information--such as Performance and Accountability Reports--and interviewed agency and selected subunit managers about their management practices. GAO also compared management practices, at selected agencies with those GAO has identified as promoting the use of performance information for decision making. According to GAO's 2007 survey of federal managers on their use of performance information for decision making, the Federal Emergency Management Agency (FEMA) and the Department of the Interior (Interior), ranked 27 and 28 out of 29 agencies. Several factors contributed to this relatively low use. At both FEMA and Interior, the demonstrated commitment of agency leaders to using performance information--a key management practice--was inconsistent. While some FEMA programs and regions encouraged use of performance information to plan for and respond to unpredictable events, others expressed uncertainty as to how they could use performance information in the face of uncontrollable external factors. FEMA managers were also hampered by weak alignment among agency, program, and individual goals, as well as limited analytic capacity to make use of performance information. At Interior and the National Park Service (NPS), managers reported a proliferation of measures, including some that, while meaningful for department-level accountability, were not relevant to their day-to-day management. Managers at NPS and the Bureau of Reclamation also said that poorly integrated performance and management information systemscontributed to an environment where the costs of performance reporting--in terms of time and resources--outweighed what they described as minimal benefits. While both FEMA and Interior have taken some promising steps to make their performance information both useful and used, these initiatives have thus far been limited. The experience of the Centers for Medicare & Medicaid Services (CMS) highlights the role that strengthened management practices can play. According to GAO's 2000 and 2007 survey results, the percentage of managers at CMS reporting use of performance information for various management decisions increased by nearly 21 percentage points--one of the largest improvements among agencies over that period. CMS officials attributed this change to a combination of key management practices they had employed, including, but not limited to: leadership commitment to using performance information; alignment of strategic and performance goals; improving the usefulness of performance information; and building the analytic capacity to collect and use performance information. Mon, 17 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09811.pdf In the wake of the 2005 Gulf Coast Hurricanes, coordination and collaboration challenges created obstacles during the government's response and recovery efforts. Because of the many stakeholders involved in recovery, including all levels of government, it is critical to build collaborative relationships. Building on GAO's September 2008 report which provided several key recovery practices from past catastrophic disasters, this report presents examples of how federal, state, and local governments have effectively collaborated in the past. GAO reviewed five catastrophic disasters--the Loma Prieta earthquake (California, 1989), Hurricane Andrew (Florida, 1992), the Northridge earthquake (California, 1994), the Kobe earthquake (Japan, 1995), and the Grand Forks/Red River flood (North Dakota and Minnesota, 1997)--to identify recovery lessons. GAO interviewed officials involved in the recovery from these disasters and experts on disaster recovery. GAO also reviewed relevant legislation, policies, and the disaster recovery literature. Effective collaboration among stakeholders can play a key role in facilitating long-term recovery after a catastrophic event. Toward that end, GAO has identified four collaborative practices that may help communities rebuild from the Gulf Coast hurricanes as well as future catastrophic events: (1) Develop and communicate common goals to guide recovery. Defining common recovery goals can enhance collaboration by helping stakeholders overcome differences in missions and cultures. After the Grand Forks/Red River flood, federally-funded consultants convened various stakeholders to develop recovery goals and priorities for the city of Grand Forks. The city used these goals as a basis to create a detailed recovery action plan that helped it to implement its recovery goals. (2) Leverage resources to facilitate recovery. Collaborating groups bring different resources and capacities to the task at hand. After the Northridge earthquake, officials from the Federal Highway Administration and California's state transportation agency worked together to review highway rebuilding contracts, discuss changes, and then approve projects all in one location. This co-located, collaborative approach enabled the awarding of rebuilding contracts in 3 to 5 days--instead of the 26 to 40 weeks it could take using normal contracting procedures. This helped to restore damaged highways within a few months of the earthquake. (3) Use recovery plans to agree on roles and responsibilities. Organizations can collectively agree on who will do what by identifying roles and responsibilities in recovery plans developed either before or after a disaster takes place. Learning from its experiences from the Loma Prieta earthquake, San Francisco Bay Area officials created a plan that clearly identifies roles for all participants in order to facilitate regional recovery in the event of a future disaster. (4) Monitor, evaluate, and report on progress made toward recovery. After the 1995 earthquake, the city of Kobe and the surrounding region established processes to assess and report on recovery progress. These jurisdictions required periodic external reviews over 10 years on the progress made toward achieving recovery goals. As a result of one of these reviews, the city of Kobe gained insight into unintended consequences of how it relocated elderly earthquake victims, which subsequently led to a change in policy. Past recovery experiences--including practices that promote effective collaboration--offer potentially valuable lessons for future catastrophic events. FEMA has taken some steps to facilitate the sharing of such experiences among communities involved in disaster recovery. However, the agency can do more to build on and systematize the sharing of this information so that recovery lessons are better captured and disseminated for use in the future. Fri, 31 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09749.pdf The Federal Protective Service (FPS), as part of the Department of Homeland Security (DHS) is responsible for providing security services to about 9,000 federal facilities. In recent years, FPS downsized its workforce from 1,400 to about 1,000 full-time employees. In 2008, GAO expressed concerns about the impact that downsizing had on FPS's mission, and in fiscal years 2008 and 2009 Congress mandated FPS maintain no fewer than 1,200 employees. GAO was asked to determine the extent to which (1) FPS has hired and trained new staff to address its mandated staffing levels, (2) FPS has developed a strategic human capital plan to manage its current and future workforce needs, and (3) FPS's customers are satisfied with the services it provides. To address these objectives, we reviewed relevant laws and documents, interviewed officials from FPS and other federal agencies, and conducted a generalizable survey of FPS's customers. FPS did not meet its fiscal year 2008 mandated deadline of increasing its staffing level to no fewer than 1,200 full-time employees by July 31, 2008. This same mandate relating to FPS's staffing was included in DHS's fiscal year 2009 appropriations act. Although FPS currently has over 1,200 employees on board, it did not meet this mandate until April 2009, because of challenges in shifting its priorities from downsizing its workforce to increasing it, inexperience working with DHS's hiring processes, and delays in the candidate screening process. Also, not all of FPS's new law enforcement security officers have completed all required training. According to FPS officials, it expects to have all new hires fully trained by September 2009. FPS does not have a strategic human capital plan to guide its current and future workforce planning efforts, including effective processes for training, retention, and staff development. Instead, FPS has developed a short-term hiring plan that does not include key human capital principles, such as determining an agency's optimum staffing needs. The lack of a human capital plan has contributed to inconsistent approaches in how FPS regions and headquarters are managing human capital activities. For example, FPS officials in some of the regions GAO visited said they implement their own procedures for managing their workforce, including processes for performance feedback, training, and mentoring. Additionally, FPS does not collect data on its workforce's knowledge, skills, and abilities. These elements are necessary for successful workforce planning activities, such as identifying and filling skill gaps and succession planning. FPS is working on developing and implementing a data management system that will provide it with these data, but this system has experienced significant delays and will not be available for use until 2011 at the earliest. On the basis of GAO's generalizable survey of FPS customers, customers had mixed views about some of the services they pay FPS to provide. Survey results showed that 58 percent were satisfied, 7 percent were dissatisfied, 18 percent were neutral, and 17 percent were not able to comment on FPS's overall services. The survey also showed that many of FPS's customers did not rely on FPS for services. For example, in emergency situations, about 82 percent of FPS's customers primarily rely on other agencies such as local law enforcement, while 18 percent rely on FPS. The survey also suggests that the roles and responsibilities of FPS and its customers are unclear, primarily because on average about one-third of FPS's customers, i.e., tenant agencies, could not comment on how satisfied or dissatisfied they were with FPS's level of communication on its services, partly because they had little to no interaction with FPS officers. Although FPS plans to implement education and outreach initiatives to improve customer service, it will face challenges because of its lack of complete and accurate contact data. Complete and accurate contact information for its customers is critical for information sharing and an essential component of any customer service initiative. Thu, 30 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09747.pdf Foot-and-mouth disease (FMD) is the most highly infectious animal disease known: nearly 100 percent of exposed animals become infected with it. Although the United States has not had an outbreak of FMD since 1929, a single outbreak of FMD virus as a result of an accidental or intentional release from a laboratory on the U.S. mainland could have significant consequences for U.S. agriculture. The traditional approach to the disease, once infection is confirmed, is to depopulate infected and potentially infected livestock herds to eradicate the disease. The value of U.S. livestock sales was $140 billion in 2007; about 10 percent of this figure, or approximately $13 billion, was accounted for by export markets. The Plum Island Animal Disease Center (PIADC), on a federally owned island off the northern tip of Long Island, New York, is the only facility in the United States that studies the live FMD virus. The U.S. Department of Agriculture (USDA) was responsible for the PIADC from its opening in the 1950s until June 2003, when USDA transferred responsibility for it to the U.S. Department of Homeland Security (DHS), as required by the Homeland Security Act of 2002. The act specified that USDA would continue to have access to Plum Island to conduct diagnostic and research work on foreign animal diseases, and it authorized the president to transfer funds from USDA to DHS to operate the PIADC. Also, under Homeland Security Presidential Directive 9 (HSPD-9), the secretary of Agriculture and the secretary of Homeland Security are to develop a plan to provide safe, secure, and state-of-the-art agricultural biocontainment laboratories for researching and developing diagnostic capabilities for foreign animal and zoonotic diseases. On January 19, 2006, DHS announced that to meet its obligations under HSPD-9, it would construct and operate a new facility--the National Bio- and Agro-Defense Facility (NBAF)--containing several biosafety level 3 (BSL-3) laboratories, BSL-3 agricultural (BSL-3-Ag) laboratories, and biosafety level 4 (BSL-4) laboratories. FMD research is to be performed in a BSL-3-Ag laboratory. When fully operational, the NBAF is meant to replace the PIADC. The primary research and diagnostic focus at the PIADC is foreign or exotic diseases, including FMD virus, that could affect livestock, including cattle, pigs, and sheep. DHS stated that the PIADC was "nearing the end of its life cycle" and was lacking critical capabilities to continue as the primary facility for such work. Another reason DHS cited was the need to be close to research facilities. According to DHS, although the PIADC coordinates with many academic institutes throughout the northeast, its isolated island location means that few academic institutes are within a reasonable commuting distance; DHS believes that these are needed to provide research support and collaboration required for the anticipated NBAF program. We are doing this work to respond to the statutory mandate in the fiscal year 2009 appropriations act for DHS (Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009 (Public Law 110-329)). The act restricted DHS's obligation of funds for constructing the NBAF on the mainland until DHS completed a risk assessment on whether FMD work can be done safely on the U.S. mainland and we reviewed DHS's risk assessment. In our review, we specifically assessed the evidence DHS used to conclude that work with FMD can be conducted as safely on the U.S. mainland as on Plum Island, New York. DHS developed a threat and risk analysis independent of the environmental impact statement (EIS) that identified and evaluated potential security risks--threats, vulnerabilities, and consequences--that might be encountered in operating the NBAF. They included crimes against people and property and threats from compromised or disgruntled employees. The objectives of this analysis were to present the risks and effective mitigation strategies for ensuring the NBAF's secure operation and to help DHS select the site with the fewest unique security threats. DHS concluded that the EIS and threat and risk analysis showed very little differentiation across the six sites and considered that the safety and security risks that had been identified at all sites were acceptable, with or without mitigation. Specifically, for all sites the risk was zero to low for all accident scenarios, except for an overpressure fire--an explosion from the buildup of a large amount of gas or flammable chemical in an enclosed area. The risk of an overpressure fire accident was moderate for all sites For all sites--except Plum Island--the overall risk rank was moderate, based on the potential for infection and opportunity for disease to spread through livestock or wildlife. The Plum Island site's overall risk rank was low, because the likelihood of any disease spreading beyond the island was small, since animals do not live in the vicinity and the potential for infection is less. The threat and risk assessment concluded that the insider threat would be the biggest threat to the NBAF and would be independent of the site. Thu, 30 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09903t.pdf By deploying armed air marshals onboard selected flights, the Federal Air Marshal Service (FAMS), a component of the Transportation Security Administration (TSA), plays a key role in helping to protect approximately 29,000 domestic and international flights operated daily by U.S. air carriers. This testimony discusses (1) FAMS's operational approach or "concept of operations" for covering flights, (2) an independent evaluation of the operational approach, and (3) FAMS's processes and initiatives for addressing workforce-related issues. Also, this testimony provides a list of possible oversight issues related to FAMS. This testimony is based on GAO's January 2009 report (GAO-09-273), with selected updates in July 2009. For its 2009 report, GAO analyzed policies and procedures regarding FAMS's operational approach and a July 2006 classified assessment of that approach. Also, GAO analyzed employee working group reports and related FAMS's initiatives for addressing workforce-related issues, and interviewed FAMS headquarters officials and 67 air marshals (selected to reflect a range in levels of experience). Because the number of air marshals is less than the number of daily flights, FAMS's operational approach is to assign air marshals to selected flights it deems high risk--such as the nonstop, long-distance flights targeted on September 11, 2001. In assigning air marshals, FAMS seeks to maximize coverage of flights in 10 targeted high-risk categories, which are based on consideration of threats, vulnerabilities, and consequences. In July 2006, the Homeland Security Institute, a federally funded research and development center, independently assessed FAMS's operational approach and found it to be reasonable. However, the institute noted that certain types of flights were covered less often than others. The institute recommended that FAMS increase randomness or unpredictability in selecting flights and otherwise diversify the coverage of flights within the various risk categories. In its January 2009 report, GAO noted that the Homeland Security Institute's evaluation methodology was reasonable and that FAMS had taken actions (or had ongoing efforts) to implement the institute's recommendations. To address workforce-related issues, FAMS's previous Director, who served until June 2008, established a number of processes and initiatives, such as working groups, listening sessions, and an internal Web site for agency personnel to provide anonymous feedback to management. These efforts have produced some positive results. For example, FAMS revised its policy for airport check-in and aircraft boarding procedures to help protect the anonymity of air marshals in mission status, and FAMS modified its mission scheduling processes and implemented a voluntary lateral transfer program to address certain quality-of-life issues. The air marshals GAO interviewed expressed satisfaction with FAMS's efforts to address workforce-related issues. The current FAMS Director has expressed a commitment to continue applicable processes and initiatives. Also, FAMS has plans to conduct a workforce satisfaction survey of all employees every 2 years, building upon an initial survey conducted in fiscal year 2007. GAO's review found that the potential usefulness of future surveys could be enhanced by ensuring that the survey questions and the answer options are clearly structured and unambiguous and that additional efforts are considered for obtaining the highest possible response rates. To its credit, FAMS has made progress in addressing various operational and quality-of-life issues that affect the ability of air marshals to perform their aviation security mission. However, sustaining progress will require ongoing consideration by FAMS management--and continued oversight by congressional stakeholders--of key questions, such as how to foster career sustainability for air marshals given that maintaining an effective operational tempo can at times be incompatible with supporting a work-life balance. Thu, 23 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09497.pdf As part of its more than $24 billion Deepwater program to replace aging vessels and aircraft with new or upgraded assets, the Coast Guard is preparing the National Security Cutter (NSC) for service. GAO previously reported on Deepwater assets' deployment delays and the Coast Guard's management of the Deepwater program. GAO was legislatively directed to continue its oversight of the Deepwater program. As a result, this report addresses: (1) the operational effects, if any, of delays in the delivery of the NSC and its support assets of unmanned aircraft and small boats; (2) Coast Guard plans for mitigating any operational effects and any associated costs of these plans; and (3) the extent to which the Coast Guard has plans, to include cost estimates, for phasing in logistics support of the NSC while phasing out support for the High Endurance Cutter (HEC) it is replacing. GAO's work is based on analyses of the (1) operational capabilities and maintenance plans of the NSC and its support assets and (2) data on the HECs' condition; comparison of an NSC and HEC; and, interviews with Coast Guard officials. Delays in the delivery of the NSC and the support assets of unmanned aircraft and small boats have created operational gaps for the Coast Guard that include the projected loss of thousands of days in NSC availability for conducting missions until 2018. Enhancements to the NSC's capabilities following the 9/11 terrorist attacks and the effects of Hurricane Katrina were factors that contributed to these delays. Given the delivery delays, the Coast Guard must continue to rely on HECs that are becoming increasingly unreliable. Coast Guard officials said that the first NSC's capabilities will be greater than those of an HEC; however, the Coast Guard cannot determine the extent to which the NSC's capabilities will exceed those of the HECs until the NSC's support assets are operational, which will take several years. To mitigate these operational gaps, the Coast Guard plans to upgrade its HECs and use existing aircraft and small boats until unmanned aircraft and new small boats are operational, but because the mitigation plans are not yet finalized, the costs are largely unknown. Also, the Coast Guard has not yet completed operational requirements for the unmanned aircraft or new small boats. As a result, the Coast Guard has not determined the cost of the HEC upgrade plan or the operational gap created by the delay in fielding new support assets for the NSC. The Coast Guard's logistics support plans for its transition to the NSC from the HEC are not finalized, and it has not yet fully determined transition costs. The contractor developed the initial NSC logistics plans, but Coast Guard officials said the plans lacked needed details, such as how the contractor would support the NSC after it becomes fully operational, and so, in 2007, the Coast Guard took over logistics planning. Coast Guard acquisition guidance states that an Integrated Logistics Support Plan should be completed by the time production of an asset is started. Although the first NSC has already been delivered, the Coast Guard has not yet finalized this plan, but expects to do so by October 2009. While the Coast Guard has developed an interim plan, it did not commit to including required logistics support documents to be used or time frames for completing them in the Integrated Logistics Support Plan because it is in the process of determining how to finalize the plan. Ensuring the plan includes these documents and time frames would better prepare the Coast Guard to support the NSC and aid it in making operational decisions given that the Coast Guard has not yet developed a deployment plan or completed cost estimates of the logistics transition from the HEC to the NSC. Fri, 17 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09682.pdf The Deepwater Program includes efforts to build or modernize ships and aircraft and to procure other capabilities. In 2002, the Coast Guard contracted with Integrated Coast Guard Systems (ICGS) to manage the acquisition as systems integrator. After a series of project failures, the Coast Guard announced in April 2007 that it would take over the lead role, with future work on individual assets bid competitively, and a program baseline of $24.2 billion was set. In June 2008, GAO reported on the Coast Guard's progress and made several recommendations, which the Coast Guard and the Department of Homeland Security (DHS) have addressed. In response to a Senate report accompanying the DHS Appropriations Bill, 2009, GAO addressed (1) efforts to manage Deepwater, (2) changes in cost and schedule of the assets, and (3) efforts to build an acquisition workforce. GAO reviewed Coast Guard and DHS documents and interviewed officials. The Coast Guard has assumed the role of systems integrator for the overall Deepwater Program by reducing the scope of the work on contract with ICGS and assigning these functions to Coast Guard stakeholders. As part of its systems integration responsibilities, the Coast Guard has undertaken a fundamental reassessment of the capabilities, number, and mix of assets it needs and expects to complete this analysis by the summer of 2009. At the individual Deepwater asset level, the Coast Guard has improved and begun to apply the disciplined management process contained in its Major Systems Acquisition Manual (MSAM), but did not meet its goal of complete adherence to this process for all Deepwater assets by the end of March 2009. For example, key acquisition management activities--such as operational requirements documents and test plans--are not in place for assets with contracts or orders recently awarded (such as the Fast Response Cutter and C4ISR) or in production, placing the Coast Guard at risk of cost growth or schedule slips. In addition, the MSAM does not appear to be consistent with recent DHS policy that requires entities responsible for operational testing to be independent of the system's users. Due in part to the Coast Guard's increased insight into what it is buying, the anticipated cost, schedules, and capabilities of many Deepwater assets have changed since the $24.2 billion baseline was established in 2007. Coast Guard officials have stated that this baseline reflected not a traditional cost estimate, but rather the anticipated contract costs as determined by ICGS. As the Coast Guard has developed its own cost baselines for some assets, it has become apparent that some of these assets it is procuring will likely cost more than anticipated--up to $2.7 billion more based on information to date. This represents approximately 39 percent cost growth for the assets with revised cost estimates. As more cost baselines are developed and approved, further cost growth is likely. Updated baselines also indicate that schedules have slipped for several of the assets. In addition, the current structure of the Coast Guard's budget submission to Congress does not include details at the asset level, such as estimates of total costs and total numbers to be procured, as do those of the Department of Defense, which acquires similar systems. One reason the Coast Guard hired a contractor as a systems integrator was because it recognized that it lacked the experience and depth in workforce to manage the acquisition internally. The Coast Guard acknowledges that it still faces challenges in hiring and retaining qualified acquisition personnel and that this situation poses a risk to the successful execution of its acquisition programs. According to human capital officials in the acquisition directorate, as of April 2009, the acquisition branch had 16 percent of positions unfilled, including key jobs such as contracting officers and systems engineers. Even as it attempts to fill its current vacancies, the Coast Guard plans to increase the size of its acquisition workforce significantly; the fiscal year 2010 budget request includes funding for 100 new acquisition workforce positions. In the meantime, the Coast Guard has been increasing its use of support contractors. Tue, 14 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09561.pdf As a result of the unprecedented damage caused by Hurricanes Katrina and Rita in 2005, the federal government, for the first time, funded several disaster case management programs. These programs help victims access services for disaster-related needs. GAO was asked to review (1) steps the federal government took to support disaster case management programs after the hurricanes, (2) the extent to which federal agencies oversaw the implementation of these programs, (3) challenges case management agencies experienced in delivering disaster case management services, and (4) how these programs will inform the development of a federal case management program for future disasters. GAO reviewed relevant laws and guidance, obtained data from two programs, conducted site visits to Louisiana and Mississippi, and interviewed case management providers and officials from federal and state agencies involved in disaster case management. Federal agencies provided more than$209 million for disaster case management services to help thousands of households cope with the devastation caused by Hurricanes Katrina and Rita, but breaks in federal funding adversely affected services to some hurricane victims. The Federal Emergency Management Agency (FEMA) awarded a grant of $66 million for initial case management services provided by Katrina Aid Today (KAT) shortly after the hurricanes made landfall. When this program ended in March 2008, FEMA provided funds for additional programs to continue services. As a result of ongoing budget negotiations between FEMA and Mississippi, the state-managed Disaster Case Management Pilot (DCM-P) program in Mississippi did not begin until August 2008, approximately 2 months after it was scheduled to, and FEMA's DCM-P program in Louisiana was never implemented. Consequently, some victims most in need may not have received case management services. FEMA and the Department of Housing and Urban Development (HUD) provided some oversight of disaster case management programs, but monitoring of KAT was limited and coordination challenges may provide lessons for future disasters. As recovery continued, FEMA and HUD provided additional monitoring of subsequent programs. Coordination challenges contributed to implementation difficulties, such as a lack of timely information sharing. For example, client information provided by FEMA to the Mississippi state agency implementing the DCM-P program was invalid or out-of-date for nearly 20 percent of eligible clients. As a result of incompatible databases and inconsistent outreach efforts, some victims may have received services from multiple agencies while others may not have been reached. Case management agencies experienced challenges in delivering federally-funded disaster case management services due to large caseloads, limited community resources, and federal funding rules. Some case management agencies experienced high turnover, and some case managers had caseloads of more than 100 clients, making it difficult to meet client needs. KAT and HUD data indicated that the most frequently occurring needs among clients included housing and employment, but these resources were limited following the hurricanes. Further, case management agencies saw the ability to provide direct financial assistance for items such as home repair, clothing, or furniture as key to helping victims, yet only one federally funded program allowed case management agencies to use federal funds for direct assistance. FEMA and other agencies are evaluating disaster case management pilot programs to inform the development of a federal disaster case management program for future disasters, but some of the evaluations have limitations. For example, some evaluations will not assess program outcomes, such as whether clients' needs were met. In addition, FEMA did not include stakeholder input in designing its evaluation of multiple pilot programs. According to FEMA officials, the agency does not have a time line for developing the federal disaster case management program. Wed, 08 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09859t.pdf To accomplish its mission of protecting about 9,000 federal facilities, the Federal Protective Service (FPS) currently has a budget of about $1 billion, about 1,200 full time employees, and about 13,000 contract security guards. This testimony discusses GAO's preliminary findings on (1) the extent to which FPS ensures that its guards have the required training and certifications before being deployed to a federal facility, (2) the extent to which FPS ensures that its guards comply with their assigned responsibilities (post orders) once they are deployed at federal facilities, and (3) security vulnerabilities GAO recently identified related to FPS's guard program. To address these objectives, GAO conducted site visits at 6 of FPS's 11 regions, interviewed numerous FPS officials, guards, contractors, and analyzed FPS's policies and data. GAO also conducted covert testing at 10 judgmentally selected level IV facilities in four cities. A level IV facility has over 450 employees and a high volume of public contact. FPS does not fully ensure that its contract security guards have the training and certifications required to be deployed to a federal facility. FPS requires that all prospective guards complete about 128 hours of training including 8 hours of x-ray and magnetometer training. However, in one region, FPS has not provided the x-ray or magnetometer training to its 1,500 guards since 2004. Nonetheless, these guards are assigned to posts at federal facilities. X-ray training is critical because guards control access points at facilities. Insufficient x-ray and magnetometer training may have contributed to several incidents where guards were negligent in carrying out their responsibilities. For example, at a level IV facility, an infant in a carrier was sent through an x-ray machine due to a guard's negligence. Moreover, GAO found that FPS does not have a fully reliable system for monitoring and verifying guard training and certification requirements. GAO reviewed 663 randomly selected guard records and found that 62 percent of the guards had at least one expired certification including a declaration that guards have not been convicted of domestic violence, which make them ineligible to carry firearms. FPS has limited assurance that its guards are complying with post orders. FPS does not have specific national guidance on when and how guard inspections should be performed. FPS's inspections of guard posts at federal facilities are inconsistent and the quality varied in the six regions GAO visited. GAO also found that guard inspections are typically completed by FPS during regular business hours and in locations where FPS has a field office; and seldom on nights and on weekends. However, on an occasion when FPS did conduct a post inspection at night it found a guard asleep at his post after taking the pain killer prescription drug Percocet. FPS also found other incidents at level IV facilities where guards neglected or inadequately performed their assigned responsibilities. For example, a guard failed to recognize or did not properly x-ray a box containing handguns at the loading dock at a facility. FPS became aware of the situation because the handguns were delivered to FPS. GAO identified substantial security vulnerabilities related to FPS's guard program. GAO investigators carrying the components for an improvised explosive device successfully passed undetected through security checkpoints monitored by FPS's guards at each of the 10 level IV federal facilities where GAO conducted covert testing. Of the 10 level IV facilities GAO penetrated, 8 were government owned, 2 were leased, and included offices of a U.S. Senator and U.S. Representative, as well as agencies such as the Departments of Homeland Security, State, and Justice. Once GAO investigators passed the control access points, they assembled the explosive device and walked freely around several of floors of these level IV facilities with the device in a briefcase. In response to GAO's briefing on these findings, FPS has recently taken some actions including increasing the frequency of intrusion testing and guard inspections. However, implementing these changes may be challenging, according to FPS. Wed, 08 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09810t.pdf The U.S. Coast Guard, a component of the Department of Homeland Security (DHS), conducts 11 statutory missions that range from marine safety to defense readiness. To enhance mission performance, the Coast Guard is implementing a modernization program to update its command structure, support systems, and business practices, while continuing the Deepwater program--the acquisition program to replace or upgrade its fleet of vessels and aircraft. This testimony discusses the Coast Guard's (1) fiscal year 2010 budget, (2) mission performance in fiscal year 2008, the most recent year for which statistics are available; and (3) challenges in managing its modernization and acquisition programs and workforce planning. This testimony is based on GAO products issued in 2009 (including GAO-09-530R and GAO-09-620T) and other GAO products issued over the past 11 years--with selected updates in June 2009--and ongoing GAO work regarding the Coast Guard's newest vessel, the National Security Cutter. Also, GAO analyzed budget and mission-performance documents and interviewed Coast Guard officials. The Coast Guard's fiscal year 2010 budget request totals $9.7 billion, an increase of 4.2 percent over its fiscal year 2009 enacted budget. Of the total requested, about $6.6 billion (or 67 percent) is for operating expenses--the primary appropriation account that finances Coast Guard activities, including operating and maintaining multipurpose vessels, aircraft, and shore units. This account, in comparing the 2010 budget request to the 2009 enacted budget, reflects an increase of $361 million (about 6 percent). The next two largest accounts in the 2010 budget request, at about $1.4 billion each, are (1) acquisition, construction, and improvements and (2) retired pay--with each representing about 14 percent of the Coast Guard's total request. The retired pay account--with an increase of about $125 million in the 2010 budget request compared to the 2009 enacted budget--is second only to the operating expenses account in reference to absolute amount increases, but retired pay reflects the highest percentage increase (about 10 percent) of all accounts. Regarding performance of its 11 statutory missions in fiscal year 2008, the Coast Guard reported that it fully met goals for 5 missions, partially met goals for 3 missions, and did not meet goals for 3 missions. One of the fully met goals involved drug interdiction. Specifically, for cocaine being shipped to the United States via non-commercial means, the Coast Guard reported achieving a removal rate of about 34 percent compared to the goal of at least 28 percent. Search and rescue was a mission with partially met goals. The Coast Guard reported that it met one goal (saving at least 76 percent of people from imminent danger in the maritime environment) but narrowly missed a related goal (saving at least 87 percent of mariners in imminent danger) by achieving a success rate of about 84 percent. For missions with unmet goals, the Coast Guard reported falling substantially short of performance targets for only one mission--defense readiness. The Coast Guard reported meeting designated combat readiness levels 56 percent of the time compared to the goal of 100 percent. The Coast Guard continues to face several management challenges. For example, GAO reported in June 2009 that although the Coast Guard has taken steps to monitor the progress of the modernization program, development of performance measures remains in the early stages with no time frame specified for completion. Also, as GAO reported in April 2009, although the Coast Guard has assumed the lead role for managing the Deepwater acquisition program, it has not always adhered to procurement processes, and its budget submissions to Congress do not include detailed cost estimates. GAO also reported that the Coast Guard faces challenges in workforce planning, including difficulties in hiring and retaining qualified acquisition personnel. Further, GAO's ongoing work has noted that delays associated with the Coast Guard's newest vessel, the National Security Cutter, are projected to result in the loss of thousands of cutter operational days for conducting missions through 2017. The Coast Guard is working to manage this operational challenge using various mitigation strategies. Tue, 07 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09651.pdf From fiscal year 2003 through fiscal year 2009, the Department of Homeland Security (DHS) allocated about $5 billion for the Urban Area Security Initiative (UASI) grant program to enhance regional preparedness capabilities in the nation's highest risk urban areas (UASI regions). The Federal Emergency Management Agency (FEMA) administers this program. The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) required FEMA to change the size of the geographical areas used to assess UASI regions' risk. The conference report accompanying the Consolidated Appropriations Act for fiscal year 2008 directed GAO to assess FEMA's efforts to build regional preparedness through the UASI program, and determine how the 9/11 Act change affected UASI regions. This report addresses (1) the extent to which FEMA assesses how UASI regions' collaborative efforts build preparedness capabilities, and (2) how UASI officials described their collaboration efforts and changes resulting from the 9/11 Act. GAO surveyed all 49 UASI regions that received funding prior to the 9/11 Act change, and visited 6 regions selected based on factors such as length of participation. GAO also reviewed FEMA's grant guidance and monitoring systems. Although FEMA has gathered and summarized data on UASI regions' funding for specific projects and related preparedness priorities and capabilities, it does not have measures to assess how UASI regions' collaborative efforts have built preparedness capabilities. An executive directive, Departmental policy, and agency guidance all require that preparedness priorities and capabilities be measurable so that FEMA can determine current capabilities, gaps, and assess national resource needs. To report on the performance of the UASI program, FEMA has gathered data on UASI regions' funding for projects and the goals and objectives those projects support, including the National Priority to Expand Regional Collaboration. However, FEMA's assessments do not provide a means to measure the effect UASI regions' projects have on building regional preparedness capabilities--the goal of the UASI program. FEMA acknowledged a lack of specific measures that define how or whether national priorities--including expanding regional collaboration--are achieved. In the absence of measures, FEMA directed states to describe their collaborative activities. However, these state activities do not provide a means to assess how regional collaboration activities help build preparedness capabilities. FEMA has an effort underway to establish a comprehensive assessment system to appraise the nation's preparedness capabilities. FEMA could build upon its current efforts to assess overall preparedness by developing and including measures related to the collaboration efforts of UASI regions and their effect on building regional preparedness. This could provide FEMA with more meaningful information on the return on investment of the $5 billion it has allocated to the UASI program to date. UASI officials described program activities that they said greatly or somewhat helped support regional collaboration, reflecting factors GAO identified that can enhance and sustain collaboration, and also described a variety of actions taken in response to the 9/11 Act change to assess risk. Regarding program activities that support regional collaboration, of the 49 UASI regions GAO surveyed, 46 said they have active mutual aid agreements in part to share resources among jurisdictions, and 44 described training and exercises as activities they use to build regional preparedness capabilities. Some UASI regions reported changes in membership in response to FEMA's change in the size of the geographical areas used to assess UASI regions' risk. For example, of the 49 regions GAO surveyed, 27 reported that additional jurisdictions were included within the geographical area FEMA used to assess risk that were not included in the region's membership. However, 17 of these regions reported that they had assessed and evaluated the need to include these new jurisdictions in their membership and 3 UASI regions said they plans to do this, while 7 UASI regions said they had no plans to do this. Thu, 02 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09654r.pdf In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure, such as oil platforms, pipelines, and refineries; water mains; electric power lines; and cellular phone towers. The infrastructure damage and resulting chaos disrupted government and business functions alike, producing cascading effects far beyond the physical location of the storm. Threats against critical infrastructure are not limited to natural disasters. For example, in 2005, suicide bombers struck London's public transportation system, disrupting the city's transportation and mobile telecommunications infrastructure. In March 2007, we reported that our nation's critical infrastructures and key resources (CIKR)--systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters--continue to be vulnerable to a wide variety of threats. According to DHS, because the private sector owns approximately 85 percent of the nation's CIKR--banking and financial institutions, telecommunications networks, and energy production and transmission facilities, among others--it is vital that the public and private sectors work together to protect these assets. The Homeland Security Act of 2002 created DHS and gave the department wide-ranging responsibilities for, among other things, leading and coordinating the overall national critical infrastructure protection effort. For example, the act required DHS to (1) develop a comprehensive national plan for securing the nation's CIKR and (2) recommend measures to protect CIKR in coordination with other agencies of the federal government and in cooperation with state and local government agencies and authorities, the private sector, and other entities. Homeland Security Presidential Directive 7 (HSPD-7) further defined critical infrastructure protection responsibilities for DHS and those federal agencies--known as sector-specific agencies (SSA)--responsible for particular industry sectors, such as transportation, energy, and communications. HSPD-7 directed DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across CIKR sectors. The Conference Report accompanying the Department of Homeland Security Appropriations Act, 2005, directed DHS to complete an analysis on whether the department should require private sector entities to provide DHS with existing information about their security measures and vulnerabilities in order to improve the department's ability to evaluate critical infrastructure protection nationwide. This direction was consistent with concerns raised by the House Appropriations Committee about DHS's progress conducting vulnerability assessments for critical infrastructure facilities generally, and security measures at chemical facilities in particular. DHS used two contractors to complete the cost-benefit report at a cost of about $3.4 million. In August 2005, the first contractor developed a draft proposal that discussed the scope of the information required to complete the report and the security and vulnerability information currently available to DHS. It also proposed surveying the public and private sectors to collect information on the costs anbenefits of providing vulnerability assessment and security information to DHS. DHofficials said that DHS rejected this approach because DHS was involved in developing a public-private partnership structure and officials believed that doingsurvey on possible regulatory costs would have adversely affected the partnershipbuilding process. DHS officials also said that the Paperwork Reduction Act (PRA)--which requires agency requests for information to undergo internal and OffManagement and Budget review and approval and includes, among other requirements, public comment periods for the proposed information-gathering method--could have resulted in some delays in gathering data for the report, but it was not the primary reason for rejecting the proposed survey approach. DHS subsequently tasked the second contractor to complete the report using a different methodology, and according to DHS, this contractor produced a draft report in December 2005. This contractor compiled publicly available information on the costs and benefits to the public and private sectors of requiring vulnerability and security information be provided to DHS. Although the second contractor's report discussed potential public and private sector costs and benefits, it did not articulate which of these costs and benefits were most important, nor did it conclude whether the costs exceeded the benefits, or vice a versa, with regard to potential requirements for the private sector to provide information on vulnerabilities and existing security measures. DHS took receipt of the second contractor's report and, according to DHS officials, continued to revise it throughout the following year to incorporate information from the final NIPP and it's supporting sector specific plans. In addition to a discussion of potential costs and benefits, DHS's final report, dated June 2007, includes a general discussion of critical infrastructure risk management and associated information needs, an overview of the existing regulatory environment for each of the CIKR sectors, and the availability of security information and its utility to security partners, such as CIKR owners and operators. DHS officials told us that they believe the final report was useful because it provided insights on different regulatory approaches across sectors and used appendixes to present more detailed regulatory overviews of three sectors--the chemical sector, the electricity sub sector of the energy sector, and the food and agriculture sector. They added that some sectors used this information to help write sector specific plans (SSPs) that are to augment the NIPP and detail the application of the NIPP framework to each CIKR sector. Nonetheless, DHS officials said that they believe that the report is outdated because DHS's CIKR program has evolved and matured since the report was originally completed, including DHS's efforts to promote and achieve voluntary information sharing between DHS and the private sector. Regarding the latter, DHS officials stated that they believe that the type of report directed by the Conference Report--that DHS analyze whether private sector entities should be required to provide information to the department--conflicts with the partnering/voluntary information-sharing approach DHS was already mandated to pursue under the Homeland Security Act. Fri, 26 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09804t.pdf The Department of Homeland Security's (DHS) Domestic Nuclear Detection Office (DNDO) is responsible for addressing the threat of nuclear smuggling. Radiation detection portal monitors are key elements in the nation's defenses against such threats. DHS has sponsored testing to develop new monitors, known as advanced spectroscopic portal (ASP) monitors, to replace radiation detection equipment being used at ports of entry. DNDO expects that ASPs may offer improvements over current-generation portal monitors, particularly the potential to identify as well as detect radioactive material and thereby to reduce both the risk of missed threats and the rate of innocent alarms, which DNDO considers to be key limitations of radiation detection equipment currently used by Customs and Border Protection (CBP) at U.S. ports of entry. However, ASPs cost significantly more than current generation portal monitors. Due to concerns about ASPs' cost and performance, Congress has required that the Secretary of Homeland Security certify that ASPs provide a significant increase in operational effectiveness before obligating funds for full-scale ASP procurement. This testimony addresses (1) GAO findings on DNDO's latest round of ASP testing, and (2) lessons from ASP testing that can be applied to other DHS technology investments. These findings are based on GAO's May 2009 report GAO-09-655 and other related reports. GAO's report on the latest round of ASP testing found that DHS increased the rigor in comparison with previous tests and thereby added credibility to the test results. However, GAO's report also questioned whether the benefits of the ASPs justify the high cost. In particular, the DHS criteria for a significant increase in operational effectiveness require only a marginal improvement in the detection of certain weapons-usable nuclear materials, which DNDO considers a key limitation of current-generation portal monitors. The marginal improvement required of ASPs is particularly notable given that DNDO has not completed efforts to fine-tune current-generation equipment to provide greater sensitivity. Moreover, the preliminary test results show that ASPs performed better than current-generation portal monitors in detection of such materials concealed by light shielding approximating the threat guidance for setting detection thresholds, but that differences in sensitivity were less notable when shielding was slightly below or above that level. Finally, DNDO has not yet updated its cost-benefit analysis to take into account the results of the latest round of ASP testing and does not plan to complete computer simulations that could provide additional insight into ASP capabilities and limitations prior to certification even though test delays have allowed more time to conduct the simulations. DNDO officials believe the other tests are sufficient for ASPs to demonstrate a significant increase in operational effectiveness. GAO recommended that DHS assess ASPs against the full potential of current-generation equipment and revise the program schedule to allow time to conduct computer simulations and to uncover and resolve problems with ASPs before full-scale deployment. DHS agreed to a phased deployment that should allow time to uncover ASP problems but disagreed with the other recommendations, which GAO believes remain valid. The challenges DNDO has faced in developing and testing ASPs illustrate the importance of following best practices for investments in complex homeland security acquisitions and for testing of new technologies. GAO recently found that many major DHS investments, including DNDO's ASP program, had not met the department's requirements for basic acquisition documents necessary to inform the investment review process, which has adopted many acquisition best practices. As a result, DHS had not consistently provided the oversight needed to identify and address cost, schedule, and performance problems in its major investments. A primary lesson to be learned regarding testing is that the push to replace existing equipment with the new portal monitors led to an ASP testing program that until recently lacked the necessary rigor. Even for the most recent round of testing, DNDO's schedule consistently underestimated the time required to conduct tests and resolve problems uncovered during testing. In contrast, GAO has previously found that testing programs designed to validate a product's performance against increasing standards for different stages in product development are a best practice for acquisition strategies for new technologies. Aspects that improved the latest round of ASP testing could also, if properly implemented, provide rigor to DHS's testing of other advanced technologies. Thu, 25 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09530r.pdf The U.S. Coast Guard is currently undertaking a major effort to update its command structure, support systems, and business practices. This effort, referred to as the modernization program, is intended to better position the service to fulfill not only traditional missions--such as ensuring the safety and security of commercial shipping, safeguarding U.S. fisheries, interdicting the smuggling of illicit drugs, and conducting search and rescue operations--but also homeland security responsibilities that expanded after September 11, 2001 (9/11). The modernization program is specifically focused on modifying the Coast Guard's command and control structure--including the establishment of four new organizational entities--as well as updating mission support systems, such as maintenance, logistics, financial management, human resources, acquisitions, and information technology. The proposed changes will have a major impact on a variety of functions servicewide, including management of Deepwater--the long-term, multibillion-dollar program to upgrade the Coast Guard's aging fleet of water vessels and aircraft. The conceptual framework for the modernization program is reflected in 10 Commandant Intent Action Orders, which were issued by the Commandant of the Coast Guard in 2006. Subsequently, congressional direction accompanying the Coast Guard's fiscal year 2008 appropriations required the Coast Guard to submit a report describing and assessing each of the 10 action orders. In August 2008, the Coast Guard submitted its report on the modernization program to the Senate and House Appropriations Committees. In accordance with the congressional direction and as discussed with Congressional offices, this report assesses the Coast Guard's modernization program. Specifically this report answers the following primary research questions: (1) What is the genesis for the Coast Guard's modernization program? (2) To what extent has the Coast Guard conducted efforts to monitor the progress of its modernization program and evaluate the results? The Coast Guard's modernization program--while inherently reflecting the judgment and prerogatives of the service's leadership--derives from multiple sources that collectively encompass a time frame from the mid-1980s to the present. These sources include internal and external studies or reports that identified deficiencies in the Coast Guard's command and control structure, the acquisition and logistics systems, and other aspects of the service's operations and capabilities, including the financial management system. Coast Guard officials also cited lessons learned from emergencies, such as the terrorist attacks of 9/11, and major natural disasters, such as Hurricane Katrina. According to officials, these events highlighted the need for greater standardization of policies and procedures, which the new command structure is intended to address. As an overarching cause for action, Coast Guard officials also stressed a need for positioning the service to be more responsive to 21st century demands and challenges by eliminating existing geographic command boundaries and establishing a more functionally based organizational structure. The Coast Guard has several efforts under way or planned for monitoring the progress of the modernization program and identifying needed improvements; however, development of applicable performance measures to evaluate results remains in the early stages. Consistent with project management principles and our previous work on organizational transformation, the Coast Guard has established implementation timelines to help guide the overall modernization program, which include key actions and milestones. The Coast Guard has reported that all interim key actions have been completed on schedule, including the implementation of several new organizational components. However, the Coast Guard has requested additional statutory authorities designed to fully establish the new command structure and associated senior leadership positions, currently envisioned to be in place in June 2009. For some of the organizational components established to date, the Coast Guard has also developed business plans that further identify key goals, activities, and specific milestones. In addition, the Coast Guard has initiated efforts to conduct external and internal assessments of various aspects of the modernization program. For example, the Coast Guard engaged the National Academy of Public Administration (NAPA) to conduct a third-party, independent review of the Coast Guard's overall modernization efforts. This review--which began in April 2008 and was completed in April 2009--was conducted to identify the strengths, weaknesses, opportunities, and risks involved in the current modernization approach and make recommendations for improvements and risk mitigation. Internally, the Coast Guard is conducting a series of process reviews intended to identify the key internal activities and outputs required for mission execution within the new structure. These process reviews--currently scheduled for completion during the summer of 2009--are also intended to generate inputs folonger-term effort to identify and develop applicable performance metrics for assessing the results of the modernization program. As the new organizational components and command elements are further implemented, the development of relevant performance metrics will become increasingly important to help ensure that the purported benefits from modernization are realized. Wed, 24 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09542r.pdf The U.S. Border Patrol, a component within the Department of Homeland Security's (DHS) U.S. Customs and Border Protection (CBP), is responsible for patrolling 8,000 miles of the land and coastal borders of the United States to detect and prevent the illegal entry of aliens and contraband, including terrorists and weapons of mass destruction. To strengthen control of the U.S. borders, CBP increased the number of Border Patrol agents from about 12,300 in September 2006 to 18,875 in April 2009, an unprecedented 53 percent increase in about 2.5 years. The Border Patrol plans to add additional agents during the remaining months of fiscal year 2009, increasing its onboard strength to about 19,700 agents by the end of September 2009. To support the President's yearly budget request for funding for additional Border Patrol agents, Customs and Border Protection (CBP) first identifies a list of cost items associated with the recruiting, hiring, training, equipping, and deploying of a new Border Patrol agent. These cost items include, for example, recruiting functions: background checks and medical exams to determine an applicant's fitness for the Border Patrol; salary and benefits; training at the Border Patrol's training academy in Artesia, NM; and equipment such as night-vision goggles, mobile radios, and uniforms. All of these cost items are then added together to arrive at what CBP refers to as the Position Cost Model (PCM), the incremental dollar amount needed to recruit, hire, train, equip, and deploy one additional Border Patrol agent. CBP then multiplies the PCM amount by the number of additional Border Patrol agents CBP expects to hire in a particular fiscal year to estimate the funding needed for these additional agents. This budget estimate is then incorporated into the President's overall budget request for CBP. In total, the PCM used to support the President's 2009 budget request for additional Border Patrol agents contained 93 individual cost items totaling $159,642; that is, CBP estimated it would need $159,642 for each additional agent hired in fiscal year 2009 (see enc. I for a list of all 93 cost items). As a result, for fiscal year 2009 the President requested an additional $362.5 million over the Border Patrol's fiscal year 2008 funding level to increase the Border Patrol agent workforce by 2,200 agents. Of this amount, $351.2 million was generated by the PCM estimate ($159,642 x 2,200) and the remaining $11.3 million was for additional support staff, vehicles, and equipment not included in the PCM estimate. The accuracy of estimates for the individual cost items that constitute the PCM is crucial to CBP developing a reliable budget request for new agents. To assist the Congress in reviewing the Border Patrol's funding for new agents, you asked that we assess the reliability of the estimates generated by the PCM. In prior work we identified best practices for agencies to use in developing cost estimates, which are to be comprehensive (e.g., they are reasonably complete, cover pertinent costs in sufficient detail, and ensure that key cost items are neither omitted nor double-counted), accurate (e.g., calculations are correct; there are few, if any, minor mistakes; estimates are not overly conservative or optimistic; and are adjusted properly for inflation), and well-documented (e.g., all calculations are provided, the assumptions are justified, and supporting sources of data are provided). We have also issued standards for internal control in the federal government that outline requirements for effective management control over program operations. This report addresses the extent to which CBP used best practices and internal controls when developing the PCM cost estimates for the President's fiscal year 2009 CBP budget request. CBP's PCM for the President's fiscal year 2009 budget request was comprehensive and met cost estimating best practice guidelines for developing 16 of the 28 cost items, but did not meet best practice guidelines for developing 12 other cost items, and CBP also did not provide program guidance as required by internal control standards. Specifically, consistent with cost estimating best practices, the fiscal year 2009 PCM was comprehensive in that it reasonably complete, covering 93 pertinent cost items related to recruiting, hiring, training, equipping, and deploying a new Border Patrol agent, and contained both large and small dollar cost items. In addition, the PCM contained cost items both directly related to the hiring of a new agent, such as the agent's salary, and indirectly related, such as the additional rent and utility costs associated with hiring new agents. For 16 of the 28 cost items (which accounted for 49 percent of the total fiscal year 2009 PCM dollar amount), CBP used relevant historical cost data, applied approved ratios and inflation factors to help ensure that specific cost item estimates were accurate and retained appropriate documentation, consistent with best practices. We validated the PCM cost estimate for these 16 items using the documentation and formulas CBP provided, arriving at the same amount or within $20 of the PCM amount. However, for 12 of the 28 cost items, CBP did not meet one or more best practices or follow internal control standards. Best practices state that cost estimates are considered valid if they are well documented so they can be easily replicated or updated and can be traced to original sources through auditing. Similarly, internal control standards require that all transactions and other significant events be clearly documented and the documentation should be readily available for examination. However, we could not replicate the fiscal year 2009 PCM estimate based upon the documentation CBP provided for four of the cost items, CBP could not provide documentation for five other cost items, and CBP did not use relevant cost data that would have provided a more precise cost estimate, document the assumptions used, or apply inflation factors for three cost items. As a result, we could not determine the reliability of these 12 cost items, which accounted for 43 percent ($152 million) of CBP's $351.2 million budget estimate for recruiting, hiring, training, equipping, and deploying an additional 2,200 Border Patrol agents in fiscal year 2009. These deficiencies occurred, in part, because CBP did not provide detailed guidance to CBP offices involved in developing PCM cost item estimates on, for example, who is responsible for developing the various cost items, how PCM estimates are to be calculated, and what documentation requirements are to be applied. CBP's Office of Budget Formulation recognizes that additional rigor needs to be incorporated into the estimating process to improve the reliability of the PCM estimate. Standards for internal control require that agencies document policies and procedures for enforcing management directives, such as developing the PCM, and best practices state that agencies should provide guidance on how cost items are to be calculated and supported. With such guidance, CBP could strengthen its position to help ensure that management's directives for the PCM development process are carried out as intended and consistently result in a reliable cost estimate. Mon, 15 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09489.pdf The United States Coast Guard's Administrative Law Judge (ALJ) program is designed to, among other things, promote safety at sea while protecting mariners' rights and is composed of judges whose duties include presiding over cases involving mariners' credentials. If a mariner does not meet certain requirements related to safety and security at sea, Coast Guard investigative officers are to serve the mariner with a complaint that lists the allegation(s) and initiate proceedings that can result in the mariner's credential being suspended or revoked. GAO was asked to review elements of the ALJ program and this report addresses (1) the extent to which the ALJ program contains elements designed to foster the decisional independence of ALJs, (2) the extent to which the ALJ program includes protections for mariners and whether complaints and decisions include elements required by program regulations, and (3) the outcome of mariner suspension and revocation cases in recent years. To conduct this study, GAO analyzed the laws, regulations, and policies governing the ALJ program. GAO also reviewed all suspension and revocation cases opened and closed from November 10, 2005, through September 30, 2008, to determine outcomes, and further reviewed a representative sample of these cases to determine whether complaints and decisions included the required elements. GAO supplemented these case reviews with interviews of Coast Guard ALJ program officials. The Coast Guard's ALJ program contains elements designed to foster the decisional independence of its judges by following Office of Personnel Management regulations governing the ALJs' hiring and employment. These regulations are designed to ensure that the ALJs are not subject to undue influence from Coast Guard officials. For example, personnel actions against a judge, such as the removal of an ALJ, may only be taken through an independent agency, the Merit Systems Protection Board. The Coast Guard's ALJ program contains protections for mariners--such as the right to a hearing and representation--and complaints filed by the Coast Guard and decisions issued by ALJs that we reviewed generally included the required elements. In particular, GAO reviewed cases opened and closed from November 10, 2005, through September 30, 2008, and determined that (1) regulations governing complaints, which are intended to notify mariners of the allegations against them; and (2) regulations requiring ALJs' decisions to contain certain elements, such as finding of fact, were being followed. Based on GAO's review of the 1,675 suspension and revocation cases opened and closed from November 10, 2005, through September 30, 2008, the majority (62 percent) resulted in settlement agreements; for example, a mariner may give up his or her credential while completing safety training. In these cases, the outcomes were determined through negotiations between the mariners and the Coast Guard. In contrast, 3 percent of the cases resulted in a hearing before an ALJ that ended with a decision and order--a decision presents the ALJ's findings, while an order states the sanction, if any, imposed on the mariner. The remaining 36 percent of cases had a variety of outcomes. The disposition of all cases reviewed is shown below. In commenting on a draft of this report, the Coast Guard generally concurred with the findings and believes that the report is both complete and accurate. Fri, 12 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09491.pdf From fiscal years 2006 through 2008, the Department of Homeland Security (DHS) has allocated about $755 million dollars to transit agencies through its Transit Security Grant Program (TSGP) to protect transit systems and the public from terrorist attacks. GAO was asked to evaluate the extent to which (1) TSGP funds are allocated and awarded based on risk; (2) DHS has allocated, awarded, and distributed TSGP grants in accordance with statutory deadlines and leading practices for collaborating agencies; and (3) DHS has evaluated the effectiveness of the TSGP and its investments. To address these objectives, GAO reviewed the TSGP risk model, fund allocation methodology and program documents, such as TSGP guidance, and interviewed DHS and transit officials, among other steps. DHS has used a risk analysis model to allocate TSGP funding and award grants to higher-risk transit agencies, although transit agency officials have expressed concerns about changes that have occurred since the TSGP's inception, such as revised priorities. The TSGP risk model includes all three elements of risk--threat, vulnerability, and consequence--but can be strengthened by measuring variations in vulnerability. DHS has held vulnerability constant, which limits the model's overall ability to assess risk and more precisely allocate funds. Although the Transportation Security Administration (TSA) allocated about 90 percent of funding to the highest-risk agencies, lower-risk agency awards were based on other factors in addition to risk. In addition, TSA has revised the TSGP's approach, methodology and funding priorities each year since 2006. These changes have raised predictability and flexibility concerns among transit agencies because they make engaging in long-term planning difficult. DHS met the statutory timeline requirements for allocating and awarding grants, but the two agencies that manage the TSGP--TSA and Federal Emergency Management Agency (FEMA)--lack defined roles and responsibilities, and only 3 percent of the funds awarded for fiscal years 2006 through 2008 have been spent as of February 2009. There is no documentation articulating the roles and responsibilities of the agencies, and grant information has not been passed between the two agencies which affected TSA's ability to share grant status information with transit agencies. DHS met statutory deadlines for releasing grant guidance and acting upon applications, but management and resource issues have resulted in delays in approving projects and making funds available, including (1) lengthy project negotiations between transit agencies and TSA; (2) a backlog of required environmental reviews; and (3) a reported lack of personnel to conduct required reviews. As a result, according to FEMA records, as of February 2009, transit agencies have spent about $21 million of the $755 million that has been awarded for fiscal years 2006 through 2008. This spending rate is, in part, caused by agencies receiving authorization to spend grant dollars late in the grant period. Despite concerns over delays, FEMA has not communicated time frames for providing funding. In April 2004, GAO reported that timely grant awards are imperative to provide intended benefits. DHS has reported taking some actions to address delays, including shortening project approval times and hiring staff, but the effectiveness of these efforts is unknown. Although FEMA has taken initial efforts to develop measures to assess the effectiveness of its grant programs, TSA and FEMA lack a plan and related milestones for developing measures specifically for the TSGP, and thus DHS does not have the capability to measure the effectiveness of the program or its investments. Without such a plan, it will be difficult for TSA and FEMA to provide reasonable assurance that measures are being developed to assess the effectiveness of the program as intended. While FEMA is responsible for the financial controls and audits of the TSGP, it does not have a mechanism to systematically collect data and track grant projects throughout the grant process. As a result, FEMA cannot assess whether awards are timely or funds are being used effectively to reduce risk and increase transit system security Mon, 08 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09125r.pdf This report formally transmits a briefing in response to a Congressional request. Specifically, Congress requested that GAO update our January 2005 report entitled, Gun Control and Terrorism: FBI Could Better Manage Firearm-Related Background Checks Involving Terrorist Watch List Records, GAO-05-127 (Washington, D.C.: Jan. 19, 2005). Under the Brady Handgun Violence Prevention Act and implementing regulations, the Federal Bureau of Investigation (FBI) and designated state and local criminal justice agencies use the FBI's National Instant Criminal Background Check System (NICS) to conduct checks on individuals before federal firearms licensees (gun dealers) may transfer any firearm to an unlicensed individual. Also, to assist the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the FBI conducts NICS background checks on individuals seeking to obtain a federal explosives license or permit. Under current law, there is no basis to automatically prohibit a person from possessing firearms or explosives because they appear on the terrorist watch list. Rather, there must be a disqualifying factor (i.e., prohibiting information) pursuant to federal or state law, such as a felony conviction or illegal immigration status. In response to the request, this report addresses (1) the number of NICS background checks involving terrorist watch list records, the related results, and the FBI's current procedures for handling these checks and (2) the extent to which the FBI has taken action to collect information from NICS background checks involving terrorist watch list records and share this information with counterterrorism officials to support investigations and other counterterrorism activities. In summary, from February 2004 through February 2009, FBI data show that 963 NICS background checks resulted in valid matches with terrorist watch list records; of these matches, approximately 90 percent were allowed to proceed because the checks revealed no prohibiting information and about 10 percent were denied. Regarding FBI procedures for handling these checks, in response to a recommendation in our January 2005 report, the FBI began conducting all NICS background checks involving terrorist watch list records in July 2005--including those generated via state operations--to ensure consistency in handling. Moreover, in April 2005, the FBI issued guidance to its field offices on the availability and use of information collected as a result of NICS background checks involving terrorist watch list records to help support investigations and other counterterrorism efforts. In April 2007, the Department of Justice (DOJ) provided legislative language to Congress that would give the Attorney General discretionary authority to deny the transfer of firearms or the issuance of a firearm or explosives license or permit when a NICS background check reveals that the purchaser is a known or suspected terrorist and the Attorney General reasonably believes that the person may use a firearm or explosives in connection with terrorism. A related bill was introduced in the 111th Congress and is currently pending (H.R. 2159). Neither DOJ's proposed legislative language nor the related bill include provisions for the development of guidelines further delineating the circumstances under which the Attorney General could exercise this authority. In October 2007, we reported that agencies that use terrorist watch list records to screen for potential terrorists use applicable laws or other guidelines as a basis for determining what related actions to take, if any, such as the criteria that are used for determining which subjects of watch list records should be precluded from boarding an aircraft. Further, Homeland Security Presidential Directive 11 requires that terrorist watch list records be used in a manner that safeguards legal rights, including freedoms, civil liberties, and information privacy guaranteed by federal law. Guidelines delineating how the Attorney General could use any new authority would help DOJ and its component agencies (1) provide accountability and a basis for monitoring to ensure that the intended goals for, and expected results of, the screening are being achieved and (2) ensure that terrorist watch list records are used in accordance with requirements outlined in the Presidential directive. In response to our questions, DOJ was noncommittal on whether it would develop guidelines if legislation providing the Attorney General with discretionary authority to deny firearms or explosives transactions involving subjects of terrorist watch list records was enacted. Thu, 21 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09655.pdf The Department of Homeland Security's (DHS) Domestic Nuclear Detection Office (DNDO) is testing new advanced spectroscopic portal (ASP) radiation detection monitors. DNDO expects ASPs to reduce both the risk of missed threats and the rate of innocent alarms, which DNDO considers to be key limitations of radiation detection equipment currently used by Customs and Border Protection (CBP) at U.S. ports of entry. Congress has required that the Secretary of DHS certify that ASPs provide a significant increase in operational effectiveness before obligating funds for full-scale procurement. GAO was asked to review (1) the degree to which DHS's criteria for a significant increase in operational effectiveness address the limitations of existing radiation detection equipment, (2) the rigor of ASP testing and preliminary test results, and (3) the ASP test schedule. GAO reviewed the DHS criteria, analyzed test plans, and interviewed DHS officials. The DHS criteria for a significant increase in operational effectiveness require a minimal improvement in the detection of threats and a large reduction in innocent alarms. Specifically, the criteria require a marginal improvement in the detection of certain weapons-usable nuclear materials, considered to be a key limitation of current-generation portal monitors. The criteria require improved performance over the current detection threshold, which for certain nuclear materials is based on the equipment's limited sensitivity to anything more than lightly shielded materials, but do not specify a level of shielding that smugglers could realistically use. In addition, DNDO has not completed efforts to improve current-generation portal monitors' performance. As a result, the criteria do not take the current equipment's full potential into account. With regard to innocent alarms, the other key limitation of current equipment, meeting the criteria could result in hundreds fewer innocent alarms per day, thereby reducing CBP's workload and delays to commerce. DHS increased the rigor of ASP testing in comparison with previous tests. For example, DNDO mitigated the potential for bias in performance testing (a concern GAO raised about prior testing) by stipulating that there would be no ASP contractor involvement in test execution. Such improvements added credibility to the test results. However, the testing still had limitations, such as a limited set of scenarios used in performance testing to conceal test objects from detection. Moreover, the preliminary results are mixed. The results show that the new portal monitors have a limited ability to detect certain nuclear materials at anything more than light shielding levels: ASPs performed better than current-generation portal monitors in detection of such materials concealed by light shielding approximating the threat guidance for setting detection thresholds, but differences in sensitivity were less notable when shielding was slightly below or above that level. Testing also uncovered multiple problems in ASPs meeting the requirements for successful integration into operations at ports of entry. CBP officials anticipate that, if ASPs are certified, new problems will appear during the first few years of deployment in the field. While DNDO's schedule underestimated the time needed for ASP testing, test delays have allowed more time for review and analysis of results. DNDO's original schedule anticipated completion in September 2008. Problems uncovered during testing of ASPs' readiness to be integrated into operations at U.S. ports of entry caused the greatest delays to this schedule. DHS's most recent schedule anticipated a decision on ASP certification as early as May 2009, but DHS recently suspended field validation due to ASP performance problems and has not updated its schedule for testing and certification. In any case, DNDO does not plan to complete computer simulations that could provide additional insight into ASP capabilities and limitations prior to certification even though delays have allowed more time to conduct the simulations. DNDO officials believe the other tests are sufficient for ASPs to demonstrate a significant increase in operational effectiveness. Thu, 21 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09274r.pdf This letter formally transmits the summary of an oral briefing we gave in response to a mandate in the Consolidated Security, Disaster Assistance, and Continuing Appropriations Act, 2009, and subsequent agency comments. This mandate required the Department of Homeland Security (DHS) to prepare an expenditure plan that satisfied 12 specified conditions, and for the plan to be submitted to and approved by the House and Senate Appropriations Committees before the agency could obligate $400 million of the approximately $775 million appropriated for U.S. Customs and Border Protection (CBP) fencing, infrastructure, and technology. In response to this requirement, DHS submitted a plan on March 4, 2009, titled "U.S. Customs and Border Protection: Secure Border Initiative Border Security, Fencing, Infrastructure and Technology (BSFIT) Fiscal Year 2009 Expenditure Plan." As required by the act, we reviewed the plan and on March 12 and March 13, 2009, briefed staff of the Senate and House Appropriations Subcommittees, respectively, on the analysis of whether the plan satisfied the 12 specified legislative conditions. In summary, we found that the expenditure plan did not fully satisfy all of the conditions set out by law. Specifically, three of the conditions were satisfied and nine were partially satisfied. Based on the results of our review, we are not making any recommendations for congressional consideration or agency action. In commenting on a draft of this report, DHS stated that it disagreed with our assessment of partially satisfied for three legislative conditions. Specifically, DHS said that we had not considered additional information not included in the plan that it provided that would support an assessment of these legislative conditions as satisfied. Because the legislative requirement required that the expenditure plan (emphasis added) contain information to address the legislative conditions, we limited our assessment to the information in the expenditure plan. Nevertheless, the additional information program officials provided during the course of our review added context, but would not have changed our assessments of these legislative conditions. In response to DHS's comments, we clarified our definitions of satisfied, partially satisfied and not satisfied to make it clear that we relied only on the expenditure plan in making our assessments. Thu, 30 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09369.pdf Hurricane Katrina was the most destructive disaster in our nation's history and it highlighted gaps in preparedness for a catastrophic disaster. The Federal Emergency Management Agency (FEMA), a component within the Department of Homeland Security (DHS), is the lead federal agency responsible for developing a national preparedness system. The system includes policies and plans as well as exercises and assessments of capabilities across many public and private entities. GAO was asked to assess the extent to which FEMA has (1) developed policies and plans that define roles and responsibilities; (2) implemented the National Exercise Program, a key tool for examining preparedness; (3) developed a national capabilities assessment; and (4) developed a strategic plan that integrates these elements of the preparedness system. GAO analyzed program documents, such as after-action reports, and visited six states located in disaster regions. While the results of these visits are not generalizable, they show how select states carry out their efforts. While most policies (41 of 50) that define roles and responsibilities have been completed, such as the National Response Framework, 68 percent (49 of 72) of the plans to implement these policies, including several for catastrophic incidents, are not yet complete. As a result, the roles and responsibilities of key officials involved in responding to a catastrophe have not been fully defined and, thus, cannot be tested in exercises. The lack of clarity in response roles and responsibilities among the diverse set of responders contributed to the disjointed response to Hurricane Katrina and highlighted the need for clear, integrated disaster preparedness and response policies and plans. Although best practices for program management call for a plan that includes key tasks and their target completion dates, FEMA does not have such a plan. With such a plan, FEMA would be better positioned to ensure that the policies and plans are completed and integrated with each other as intended as well as with other elements of the preparedness system. Since 2007, FEMA has taken actions to implement the National Exercise Program at the federal and state levels by developing, among other things, program guidance and systems to track corrective actions; however, FEMA faces challenges in ensuring that the exercises are carried out consistent with program guidance. For example, the Homeland Security Council (an interagency entity responsible for coordinating homeland security policy) and state participants did not systematically track whether corrective actions had been taken to address deficiencies identified by exercises as called for by program guidance. As a result, FEMA lacks reasonable assurance that entities have taken actions aimed at improving preparedness. FEMA has made progress in developing a system for assessing national preparedness capabilities by, among other things, establishing reporting guidance for state preparedness, but it faces challenges in completing the system and required reports to assess preparedness. While FEMA has developed a project management plan for the new system, the plan does not fully identify milestones and program risks for developing quantifiable metrics necessary for measuring preparedness capabilities. A more complete project plan that identifies milestones and program risks would provide FEMA with greater assurance that it can produce a system to assess capabilities and inform decisions related to improving national preparedness. FEMA's strategic plan for fiscal years 2008-2013 recognizes that each of its components need to develop its own strategic plans that integrate the elements of national preparedness. FEMA's National Preparedness Directorate has yet to develop its strategic plan, but instead plans to use a draft annual operating plan to guide its efforts. This plan does not include all elements of a strategic plan, such as how the directorate will integrate the various elements of the system over time to improve national preparedness. Having a strategic plan would provide FEMA with a roadmap for addressing the complex task of guiding and building a national preparedness system. Thu, 30 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09527r.pdf The detonation of a nuclear weapon or radiological dispersal device (RDD) in the United States or elsewhere would cause decision makers to immediately demand information on the nature of the device--including its design, the materials used to build it, and the materials' source--as well as the identification of the perpetrators. Technical nuclear forensics--the analysis of nuclear or radiological materials that are intercepted or the radioactive debris and prompt output signals (such as gamma rays) produced by a nuclear event--can contribute to the identification of the sources of these materials and the processes used to create them. Analytical techniques developed to determine the nature of nuclear tests can be used if terrorists were to detonate a nuclear device or RDD and radioactive debris samples were recovered (known as "postdetonation" nuclear forensics). Nuclear forensic techniques also could potentially be used to determine the origin of nuclear or radiological materials or devices seized prior to their use in a weapon (known as "predetonation" nuclear forensics). The U.S. government's predetonation nuclear forensics capabilities have been demonstrated in investigations on seized nuclear material from illicit smuggling operations. In addition, it is important to note that nuclear forensics represents a key piece of the overall effort to identify specific perpetrators of a nuclear event, in a process known as attribution. The combination of nuclear forensics conclusions, law enforcement findings (e.g., traditional forensics, such as fingerprint analysis), and intelligence information can be used to attribute an event to specific perpetrators. The departments of Defense (DOD), Energy (DOE), Homeland Security (DHS), and State (State), as well as the Federal Bureau of Investigation (FBI) and the intelligence community, would play key roles in a nuclear forensics investigation. The specific roles these agencies would play were established in August 2007 through a presidential decision directive. This directive also formally established the National Technical Nuclear Forensics Center (NTNFC) within DHS's Domestic Nuclear Detection Office to coordinate planning, integration, assessment, and stewardship of the U.S. government's nuclear forensics capabilities. NTNFC has chartered a number of interagency groups to guide policy making for the National Technical Nuclear Forensics (NTNF) program and has led the development of key interagency documents such as the NTNF strategic plan. In this context, Congress asked GAO to assess the (1) challenges the U.S. government faces in developing and maintaining a comprehensive nuclear forensics capability and (2) current and future costs associated with the U.S. government's nuclear forensics efforts. Agencies implementing the NTNF program face challenges in reducing the time needed to arrive at nuclear forensics conclusions and addressing human capital shortages in key disciplines--such as radiochemistry--needed for nuclear forensics. Agencies are working to significantly reduce the time needed to collect, transport, and analyze nuclear forensics samples after an event. For example, DOD has supported a variety of research and development efforts to make sample collection more efficient. In addition, DOE national laboratories are engaged in research and development initiatives to automate laboratory techniques used to analyze radioactive samples and to modernize aging equipment. With regard to human capital challenges, agencies lack a comprehensive interagency plan to guide their efforts. DHS has led interagency efforts to promote the development of trained nuclear forensics experts, including funding summer schools and internships. However, the agency has not fully assessed the demand for these specialists from competing areas outside the NTNF program, such as private industry. In addition, DHS-led efforts to promote radiochemistry have not been well coordinated with similar programs at DOE and NRC. To address the human capital challenges facing the program, we are recommending that DHS work with other agencies to develop a comprehensive interagency plan. According to DHS, agencies implementing the NTNF program planned to spend about $60 million and $59 million in fiscal years 2008 and 2009, respectively, but the future budgetary needs to support the program are unknown. Regarding current program costs, the projected spending total DHS provided underestimates the program's true costs because it does not include costs associated with many DOD, DOE, and State programs that are critical to supporting nuclear forensics. The long-term future budget for the NTNF program is undetermined, in part, because agencies have not developed a plan to mitigate any possible reductions in the funding streams for activities that currently pay for the infrastructure, equipment, and personnel upon which the nation's nuclear forensics capabilities depend. GAO is recommending that agencies more fully account for the amounts spent on other DOD, DOE, and State efforts that the NTNF program relies upon and take steps to mitigate potential effects of budget reductions for these efforts. Thu, 30 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09612t.pdf This testimony discusses GAO's recently issued report on the North American Aerospace Defense Command's (NORAD) and the Department of Defense's (DOD) air sovereignty alert (ASA) operations. According to the National Strategy for Aviation Security, issued in March 2007, and officials from U.S. intelligence agencies with whom we met, air attacks are still a threat to the United States and its people. To address this threat, NORAD and DOD have fully fueled, fully armed aircraft and trained personnel on alert 24 hours a day, 365 days a year, at 18 ASA sites across the United States. Of the 18 sites, 16 are maintained by Air National Guard (ANG) units and 2 are maintained by active duty Air Force units. If warranted, NORAD can increase personnel, aircraft, and the number of ASA sites based on changes in threat conditions. The Air Force provides NORAD with personnel and equipment, including F-15 and F-16 aircraft, for these operations. ASA units are tasked to conduct and train for both expeditionary missions (e.g., military operations in Iraq) and ASA operations. This testimony will discuss whether (1) NORAD routinely conducts risk assessments to determine the appropriate operational requirements; (2) the Air Force has implemented ASA operations as a steady-state mission, which would require programming funding and measuring readiness, in accordance with NORAD, DOD, and Air Force guidance; and (3) the Air Force has developed a plan to address the recapitalization challenges to sustaining ASA operations for the future. Although NORAD had performed some risk assessments in response to individual DOD leadership inquiries about ASA operations, it had not done routine risk assessments as part of a risk-based management approach to determine ASA operational requirements. Moreover, NORAD has not conducted similar assessments since 2006. Although its units are conducting ASA operations, the Air Force had not implemented these operations as a steady-state mission in accordance with NORAD, DOD, and Air Force directives and guidance. For example, in response to a December 2002 NORAD declaration of a steady-state air defense mission, the Air Force issued a directive assigning specific functions and responsibilities to support the mission. According to the directive, the Air Force was to take 140 actions to implement ASA as a steady-state mission. NORAD partially assessed readiness through inspections; however, the Air Force, which as the force provider is responsible for measuring readiness for its missions by evaluating personnel, training, and the quantity and quality of equipment needed, has not done so for ASA operations. Air Force officials said they do not perform such assessments because the service has not formally assigned the mission to the units. Specifically, the Air Force issues mission Designed Operational Capability statements that identify the unit's mission(s) and related requirements (e.g., type anumber of personnel). Because the Air Force did not implement ASA operations as a steady-state mission in accordance with NORAD, DOD, and Air Force guidance, at the time of our review ASA units were experiencing a number of difficulties that challenged their ability to perform both their expeditionary missions and ASA operations. The unit commanders we interviewed identified funding, personnel, and dual tasking of responsibilities as the top three factors affecting ASA operations. Wed, 22 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09620t.pdf The Deepwater Program is intended to recapitalize the Coast Guard's fleet and includes efforts to build or modernize five classes each of ships and aircraft, and procure other key capabilities. In 2002, the Coast Guard contracted with Integrated Coast Guard Systems (ICGS) to manage the acquisition as systems integrator. After the program experienced a series of failures, the Coast Guard announced in April 2007 that it would take over the lead role, with future work on individual assets to be potentially bid competitively outside of the existing contract. A program baseline of $24.2 billion was set as well. In June 2008, GAO reported on the new approach and concluded that while these steps were beneficial, continued oversight and improvement was necessary. The Coast Guard has taken actions to address the recommendations in that report. This testimony updates key issues from prior work: (1) Coast Guard program management at the overall Deepwater Program and asset levels; (2) how cost, schedules, and capabilities have changed from the 2007 baseline and how well costs are communicated to Congress; and (3) Coast Guard efforts to manage and build its acquisition workforce. GAO reviewed Coast Guard acquisition program baselines, human capital plans and other documents, and interviewed officials. For information not previously reported, GAO obtained Coast Guard views. The Coast Guard generally concurred with the findings. The Coast Guard has assumed the role of systems integrator for the overall Deepwater Program by reducing the scope of work on contract with ICGS and assigning these functions to Coast Guard stakeholders. As part of its systems integration responsibilities, the Coast Guard has undertaken a fundamental reassessment of the capabilities, number, and mix of assets it needs; according to an official, it expects to complete this analysis by the summer of 2009. At the individual Deepwater asset level, the Coast Guard has improved and begun to apply the disciplined management process found in its Major Systems Acquisition Manual, but did not meet its goal of complete adherence to this process for all Deepwater assets by the second quarter of fiscal year 2009. For example, key acquisition management activities--such as operational requirements documents and test plans--are not in place for assets with contracts recently awarded or in production, placing the Coast Guard at risk of cost overruns or schedule slips. Due in part to the Coast Guard's increased insight into what it is buying, the anticipated cost, schedules, and capabilities of many of the Deepwater assets have changed since the establishment of the $24.2 billion baseline in 2007. Coast Guard officials have stated that this baseline reflected not a traditional cost estimate but rather the anticipated contract costs as determined by ICGS. As the Coast Guard has developed its own cost baselines for some assets, it has become apparent that some of the assets it is procuring will likely cost more than anticipated. Information to date shows that the total cost of the program may grow by $2.1 billion. As more cost baselines are developed and approved, further cost growth may become apparent. In addition, while the Coast Guard plans to update its annual budget requests with asset-based cost information, the current structure of its budget submission to Congress does not include certain details at the asset level, such as estimates of total costs and total numbers to be procured. The Coast Guard's reevaluation of baselines has also changed its understanding of the delivery schedules and capabilities of Deepwater assets. One reason the Coast Guard sought a systems integrator from outside the Coast Guard was because it recognized that it lacked the experience and depth in workforce to manage the acquisition internally. The Coast Guard acknowledges that it still faces challenges in hiring and retaining qualified acquisition personnel and that this situation poses a risk to the successful execution of its acquisition programs. According to human capital officials in the acquisition directorate, as of April 2009, the acquisition branch had 16 percent of positions unfilled, including key jobs such as contracting officers and systems engineers. Even as it attempts to fill its current vacancies, the Coast Guard plans to increase the size of its acquisition workforce significantly by the end of fiscal year 2011. While the Coast Guard may be hard-pressed to fill these positions, it has made progress in identifying the broader challenges it faces and is working to mitigate them. In the meantime, the Coast Guard has been increasing its use of support contractors. Wed, 22 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09411r.pdf In November 2005, the President issued an executive order establishing the Office of the Federal Coordinator for Gulf Coast Rebuilding (OFC) with the broad mission of supporting recovery efforts following Hurricanes Katrina and Rita. Given their vast size and impact, these storms presented unprecedented rebuilding challenges to federal, state, and local officials which, combined with concerns about the lack of coordination in government's initial response to the disaster, precipitated the creation of the Office of the Federal Coordinator. To assist in Congress' ongoing oversight responsibilities of the recovery of the Gulf Coast, Congress asked us to: (1) describe the functions the Coordinator has performed, (2) obtain stakeholder perspectives regarding the office's operation, and (3) provide observations on issues to be considered for moving forward. We provided Congressional staff with summaries of our findings this past February to answer these questions as well as our observations, including extending the term of OFC. We have since updated some of the information in our briefing, using information that has subsequently become available including the President's decision to extend the operations of OFC through September 30, 2009. Fri, 10 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d0963.pdf Given the global context of the war on drugs--coupled with growing recognition since September 11, 2001 (9/11), of the nexus between drug trafficking and terrorism--the mission of the Drug Enforcement Administration (DEA) and efforts to forge effective interagency partnerships and coordination are increasingly important. GAO was asked to examine, in the context of the post-9/11 environment, DEA's (1) priorities, (2) interagency partnerships and coordination mechanisms, and (3) strategic plan and performance measures. GAO reviewed DEA policy, planning, and budget documents and visited 7 of DEA's 21 domestic field offices and 3 of its 7 regional offices abroad-- sites selected to reflect diverse drug-trafficking threats, among other factors. GAO also contacted other relevant federal agencies-- including U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP)--and various state and local partner agencies. Since 9/11, while continuing its primary mission of enforcing U.S. controlled substances laws, DEA has supported U.S. counterterrorism efforts by prioritizing narcoterrorism cases--drug-trafficking cases linked to terrorism-- and by implementing other policies and actions, such as collecting terrorismrelated intelligence from confidential informants and foreign partners. Also, DEA is using a new enforcement authority to pursue and arrest narcoterrorists--even those who operate outside the United States. Because most of the nation's illegal drug supply is distributed by Mexican drug organizations, DEA's partnerships and coordination with Department of Homeland Security (DHS) agencies that have border-related missions-ICE and CBP--are important. However, an outdated interagency agreement-and long-standing disputes involving ICE's drug enforcement role and DEA's oversight of that role--have led to conflicts and the potential for duplicative investigative efforts. Another interagency agreement, predating CBP's formation under DHS, has led to operational inefficiencies, as reflected in a bifurcated process for handling illegal drugs seized at the nation's borders. That is, drugs seized by CBP between ports of entry are to be referred to DEA, but drugs seized at ports of entry are to be referred to ICE. According to CBP, an updated agreement that specifies a standardized process would be more efficient and less confusing. Further, in conducting the war on drugs, an important interagency coordination mechanism is the Special Operations Division, a DEA-led intelligence center that targets the command and control capabilities of major drug-trafficking organizations. Another coordination mechanism is the Organized Crime Drug Enforcement Task Force (OCDETF) Fusion Center, which collects and analyzes drug-trafficking and related financial information and disseminates investigative leads. However, ICE is providing limited information to the Special Operations Division and is not participating in the OCDETF Fusion Center. As a result, according to DEA, these coordination entities are not as effective as they could be. Resolution of these interagency issues necessitates involvement by both the Attorney General and the Secretary of Homeland Security, given that their respective departments' component agencies have been unable to reach mutually acceptable agreements. Notably, because of links between drug trafficking and terrorism, DEA has established new partnerships with the Department of Defense (DOD), especially in Afghanistan, where they share intelligence and DOD provides airlift and other support for DEA operations. DEA's strategic plan has not been updated since 2003; also, DEA's annual performance plans do not provide results-focused measures for assessing the agency's post-9/11 activities, such as counterterrorism efforts. A current and comprehensive strategic planning and performance measurement framework would help to ensure accountability by providing crucial information to DEA's senior leadership for making management decisions and to the Congress and the administration for assessing program effectiveness. In February 2009, DOJ reported that it was reviewing DEA's updated strategic plan. Fri, 20 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09422t.pdf The Implementing Recommendations of the 9/11 Commission Act of 2007 mandates the Department of Homeland Security (DHS) to establish a system to physically screen 50 percent of cargo transported on passenger aircraft by February 2009 and 100 percent of such cargo by August 2010. This testimony provides preliminary observations on the Transportation Security Administration's (TSA) progress in meeting the mandate to screen cargo on passenger aircraft and the challenges TSA and industry stakeholders may face in screening such cargo. GAO's testimony is based on products issued from October 2005 through August 2008, and its ongoing review of air cargo security. GAO reviewed TSA's air cargo security programs, interviewed program officials and industry representatives, and visited two large U.S. airports. TSA has made progress in meeting the air cargo screening mandate as it applies to domestic cargo. TSA has taken steps that will allow screening responsibilities to be shared across the air cargo supply chain--including TSA, air carriers, freight forwarders (which consolidate cargo from shippers and take it to air carriers for transport), and shippers--although air carriers have the ultimate responsibility for ensuring that they transport cargo screened at the requisite levels. TSA has taken several key steps to meet the mandate, including establishing a new requirement for 100 percent screening of cargo transported on narrow-body aircraft; revising or eliminating most screening exemptions for domestic cargo; creating the Certified Cargo Screening Program (CCSP) to allow screening to take place at various points in the air cargo supply chain; and establishing a screening technology pilot. Although TSA estimates that it achieved the mandated 50 percent screening level by February 2009 as it applies to domestic cargo, the agency cannot yet verify that the requisite levels of cargo are being screened. It is working to establish a system to do so by April 2009. Also, TSA's screening approach could result in variable percentages of screened cargo on passenger flights. TSA and industry stakeholders may face a number of challenges in meeting the screening mandate, including attracting participants to the CCSP, and technology, oversight, and inbound cargo challenges. TSA's approach relies on the voluntary participation of shippers and freight forwarders, but it is unclear whether the facilities needed to meet TSA's screening estimates will join the CCSP. In addition, TSA has taken some steps to develop and test technologies for screening air cargo, but the agency has not yet completed assessments of these technologies and cannot be assured that they are effective in the cargo environment. TSA's limited inspection resources may also hamper its ability to oversee the thousands of additional entities that it expects to participate in the CCSP. Finally, TSA does not expect to meet the mandated 100 percent screening deadline as it applies to inbound air cargo, in part due to existing inbound screening exemptions and challenges it faces in harmonizing security standards with other nations. Wed, 18 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09433t.pdf Hurricane Katrina severely tested disaster management at the federal, state, and local levels and revealed weaknesses in the basic elements--leadership, capabilities, and accountability--of preparing for, responding to, and recovering from disasters. In its 2006 work on the response to Hurricane Katrina, GAO noted that these elements needed to be strengthened. In October 2006, Congress enacted the Post-Katrina Act to address issues identified in the response to Hurricane Katrina. GAO reported in November 2008 that the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) had at least preliminary efforts under way to address most of the provisions, but also identified a number of areas that required further action. This statement discusses select issues within the basic elements related to (1) findings from the response to Hurricane Katrina, (2) provisions of the Post-Katrina Act, and (3) specific actions DHS and FEMA have taken to implement these provisions. GAO's comments are based on GAO products issued from February 2006 through November 2008, and selected updates in March 2009. To obtain updated information, GAO consulted program officials. GAO reported in September 2006 that the experience of Hurricane Katrina showed the need to improve leadership at all levels of government to respond to catastrophic disasters. For example, GAO reported that, in the response to Hurricane Katrina, there was confusion over roles and responsibilities under the National Response Plan, including the roles of the DHS Secretary, the FEMA Administrator, the Principal Federal Official (PFO), and the Federal Coordinating Officer (FCO). The Post-Katrina Act clarified FEMA's mission within DHS and set forth the role and responsibilities of the FEMA Administrator. The act also required that the FEMA Administrator provide a clear chain of command that accounts for these roles. In revising the National Response Plan--now called the National Response Framework--FEMA articulated specific roles for the PFO and FCO, which are described in GAO's November 2008 report. GAO reported in September 2006 that various congressional reports and GAO's own work on FEMA's performance before, during, and after Hurricane Katrina suggested that FEMA's capabilities were insufficient to meet the challenges posed by the degree of damage and the number of hurricane victims. The capabilities issues GAO identified related to, among others, (1) emergency communications, (2) evacuations, (3) logistics, (4) mass care, (5) planning and training, and (6) human capital. The Post-Katrina Act included a variety of provisions that related to these issues. For example, related to emergency communications, the act established an Office of Emergency Communications (OEC) within DHS. GAO reported in November 2008 that, in response to specific responsibilities outlined in its authorizing provision, OEC has been working with Urban Area Working Groups and states to assess gaps in communications infrastructure and to determine technical requirements to enhance interoperable communications systems. GAO reported in February 2006 that accountability mechanisms--specifically, internal controls--were lacking or nonexistent in processing applications for individual and household assistance following Hurricane Katrina, which left the government vulnerable to fraud and abuse. For example, GAO estimated that through February 2006, FEMA made about 16 percent ($1 billion) in improper and potentially fraudulent payments to applicants who used invalid information to apply for disaster assistance. The Post-Katrina Act required the development of a system, including an electronic database, to counter improper payments. GAO reported in November 2008 that FEMA established a process to identify and collect duplicative payments by, among other things, enabling its disaster assistance database to check automatically for duplicate applications. Tue, 17 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09337.pdf U.S. ports, waterways, and coastal approaches are part of a system handling more than $700 billion in merchandise annually. With the many possible threats--including transportation and detonation of weapons of mass destruction, suicide attacks against vessels, and others--in the maritime domain, awareness of such threats could give the Coast Guard advance notice to help detect, deter, interdict, and defeat them and protect the U.S. homeland and economy. GAO was asked to review the Coast Guard's efforts to achieve awareness about activity in the maritime domain. This report addresses: the extent to which the Coast Guard (1) has vessel tracking systems in place, (2) can use these systems to track vessels that may be threats, and (3) has coordinated the development and implementation of these systems. To answer these questions, GAO analyzed relevant statutes, regulations, and plans for vessel tracking systems, compared the roles of the planned systems, and interviewed appropriate officials. At sea or in U.S. coastal areas, inland waterways, and ports, the Coast Guard is currently relying on a diverse array of vessel tracking systems operated by various entities, but its attempts to develop systems to track vessels at sea are facing delays. For tracking vessels at sea, the Coast Guard uses existing national technical means--classified methods of tracking vessels--and plans to obtain vessel identification and tracking information from two more sources, long-range identification and tracking system (LRIT), and commercially provided long-range automatic identification system (AIS). However, one source of this information has just become available and the other has been delayed due to technical and operational difficulties. International LRIT requirements generally came into effect on January 1, 2009. The Coast Guard estimates that commercially provided long-range AIS will be operational in 2014. For tracking vessels in U.S. coastal areas, inland waterways, and ports, the Coast Guard operates a land-based AIS, and also either operates, or has access to, radar and cameras in some ports. The existing and planned sources of vessel tracking information may allow the Coast Guard to track larger vessels at sea, but systems and other equipment that track smaller and noncommercial vessels in coastal areas, inland waterways, and ports may prove ineffective in thwarting an attack without advance knowledge. The means of tracking vessels at sea--national technical means, LRIT, and commercially provided long-range AIS--are potentially effective, but each has features that could impede its effectiveness. The systems used in U.S. coastal areas, inland waterways, and ports--AIS, radar, and video cameras--have more difficulty tracking smaller and noncommercial vessels because they are not required to carry AIS equipment and because of the technical limitations of radar and cameras. In studies GAO reviewed and discussions with maritime stakeholders, there was widespread agreement that vessel tracking systems and equipment will be challenged to provide a warning if a small vessel is moving in a threatening manner. The Coast Guard has not coordinated its plans for obtaining vessel tracking information at sea, and is planning on obtaining potentially duplicative information, but in coastal areas, inland waterways, and ports, the various tracking methods complement each other. Once operational, the two new planned means for tracking vessels at sea--LRIT and commercially provided long-range AIS--will both provide vessel identification and position information for almost all the same vessels. Commercially provided long-range AIS provides additional information about each vessel and its voyage, but almost all of that information is available through reports filed by vessel operators. The primary need cited by the Coast Guard to develop both systems--to detect anomalies--can be met by the national technical means already operational, combined with information from the reports filed by vessel operators and LRIT. Furthermore, the Coast Guard has not coordinated or analyzed the information each source can provide and the need for information from both. Tue, 17 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09447.pdf A genuine U.S. passport is a vital document, permitting its owner to travel freely in and out of the United States, prove U.S. citizenship, obtain further identification documents, and set up bank accounts, among other things. Unfortunately, a terrorist or other criminal could take advantage of these benefits by fraudulently obtaining a genuine U.S. passport from the Department of State (State). There are many ways that malicious individuals could fraudulently obtain a genuine U.S. passport, including stealing an American citizen's identity and counterfeiting or fraudulently obtaining identification or citizenship documents to meet State requirements. GAO was asked to proactively test the effectiveness of State's passport issuance process to determine whether the process is vulnerable to fraud. To do so, GAO designed four test scenarios that simulated the actions of a malicious individual who had access to an American citizen's personal identity information. GAO created counterfeit documents for four fictitious or deceased individuals using off-the-shelf, commercially available hardware, software, and materials. An undercover GAO investigator then applied for passports at three United States Postal Service (USPS) locations and a State-run passport office. GAO's investigation shows that terrorists or criminals could steal an American citizen's identity, use basic counterfeiting skills to create fraudulent documentation for that identity, and obtain a genuine U.S. passport from State. GAO conducted four tests simulating this approach and was successful in obtaining a genuine U.S. passport in each case. In the most egregious case, an undercover GAO investigator obtained a passport using counterfeit documents and the Social Security Number (SSN) of a man who died in 1965. In another case, the investigator obtained a passport using counterfeit documents and the genuine SSN of a fictitious 5-year-old child GAO created for a previous investigation--even though the investigator's counterfeit documents and application indicated he was 53 years old. All four passports were issued to the same GAO investigator, under four different names. In all four tests, GAO used counterfeit and/or fraudulently obtained documents. State and USPS employees did not identify GAO's documents as counterfeit. GAO's investigator later purchased an airline ticket under the name used on one of the four fraudulently obtained U.S. passports, and then used that passport as proof of identity to check in to his flight, get a boarding pass, and pass through the security checkpoint at a major metropolitan-area airport. At a briefing on the results of GAO's investigation, State officials agreed with GAO that the investigation exposes a major vulnerability in State's passport issuance process. According to State officials, State's fraud detection efforts are hampered by limitations to its information sharing and data access with other federal and state agencies. After GAO's briefing, State officials notified GAO that they identified and revoked GAO's four fraudulently obtained U.S. passports, and were studying the matter to determine the appropriate steps for improving State's passport issuance process. Fri, 13 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09381t.pdf This testimony discusses the Department of Homeland Security's (DHS) U.S. Immigration and Customs Enforcement's (ICE) management of the 287(g) program. Recent reports indicate that the total population of unauthorized aliens residing in the United States is about 12 million. Some of these aliens have committed one or more crimes, although the exact number of aliens that have committed crimes is unknown. Some crimes are serious and pose a threat to the security and safety of communities. ICE does not have the agents or the detention space that would be required to address all criminal activity committed by unauthorized aliens. Thus, state and local law enforcement officers play a critical role in protecting our homeland because, during the course of their daily duties, they may encounter foreign-national criminals and immigration violators who pose a threat to national security or public safety. On September 30, 1996, the Illegal Immigration Reform and Immigrant Responsibility Act was enacted and added section 287(g) to the Immigration and Nationality Act. This section authorizes the federal government to enter into agreements with state and local law enforcement agencies, and to train selected state and local officers to perform certain functions of an immigration officer--under the supervision of ICE officers--including searching selected federal databases and conducting interviews to assist in the identification of those individuals in the country illegally. The first such agreement under the statute was signed in 2002, and as of February 2009, 67 state and local agencies were participating in this program. The testimony today is based on our January 30, 2009, report regarding the program including selected updates made in February 2009. Like the report, this statement addresses (1) the extent to which Immigration and Customs Enforcement has designed controls to govern 287(g) program implementation and (2) how program resources are being used and the activities, benefits, and concerns reported by participating agencies. To do this work, we interviewed officials from both ICE and participating agencies regarding program implementation, resources, and results. We also reviewed memorandums of agreement (MOA) between ICE and the 29 law enforcement agencies participating in the program as of September 1, 2007, that are intended to outline the activities, resources, authorities, and reports expected of each agency. We also compared the controls ICE designed to govern implementation of the 287(g) program with criteria in GAO's Standards for Internal Control in the Federal Government, the Government Performance and Results Act (GPRA), and the Project Management Institute's Standard for Program Management. More detailed information on our scope and methodology appears in the January 30, 2009 report. In February 2009, we also obtained updated information from ICE regarding the number of law enforcement agencies participating in the 287(g) program as well as the number of additional law enforcement agencies being considered for participation in the program. We conducted our work in accordance with generally accepted government auditing standards. In summary, ICE has designed some management controls, such as MOAs with participating agencies and background checks of officers applying to participate in the program, to govern 287(g) program implementation. However, the program lacks other key internal controls. Specifically, program objectives have not been documented in any program-related materials, guidance on how and when to use program authority is inconsistent, guidance on how ICE officials are to supervise officers from participating agencies has not been developed, data that participating agencies are to track and report to ICE has not been defined, and performance measures to track and evaluate progress toward meeting program objectives have not been developed. Taken together, the lack of internal controls makes it difficult for ICE to ensure that the program is operating as intended. ICE and participating agencies used program resources mainly for personnel, training, and equipment, and participating agencies reported activities and benefits, such as a reduction in crime and the removal of repeat offenders. However, officials from more than half of the 29 state and local law enforcement agencies we reviewed reported concerns members of their communities expressed about the use of 287(g) authority for minor violations and/or about racial profiling. We made several recommendations to strengthen internal controls for the 287(g) program to help ensure that the program operates as intended. DHS concurred with our recommendations and reported plans and steps taken to address them. Wed, 04 Mar 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09437t.pdf Recovery from major disasters is a complex undertaking that involves the combined efforts of federal, state, and local government in order to succeed. While the federal government provides a significant amount of financial and technical assistance for recovery, state and local jurisdictions work closely with federal agencies to secure and make use of those resources. This testimony describes lessons and insights that GAO has identified from review of past disasters, which may be useful to inform recovery efforts in the wake of Hurricanes Ike and Gustav, as well as disasters yet to come. These lessons come from two reports GAO recently released last fall on disaster recovery. The first draws on the experiences of communities that have recovered from previous major disasters in order to help inform recovery efforts in the wake of Hurricanes Ike and Gustav as well as the 2008 Midwest floods. The second examines the implementation of the Federal Emergency Management Agency's (FEMA) Public Assistance grant program and identifies several actions that the Department of Homeland Security can take to improve operations of that program. These include improving information sharing and enhancing continuity and communication. Commenting on a draft of that report, the department generally agreed with our recommendations. In doing this work, GAO interviewed federal, state, and local officials involved in recovery and reviewed relevant documents, data, and laws. Lessons from past disasters provide a potentially valuable source of information for all levels of government as they seek to meet the many challenges of recovering from a major disaster. For affected state and local jurisdictions, good practices to consider include the following: (1) Creating a clear, implementable, and timely recovery plan can provide communities with a road map for the recovery process. Just 2 months after the 1995 Kobe earthquake in Japan, the city created a recovery plan with these elements. (2) Providing financial and technical capacity facilitates jurisdictions' ability to implement federal disaster programs. For example, loans and technical assistance provided after past disasters helped communities better navigate the wide range of federal disaster programs. (3) Implementing business recovery strategies to minimize business relocations helps small businesses adapt to postdisaster market conditions. For example, to encourage businesses to remain in the city Grand Forks after the 1997 flood, the city forgave loans for businesses that stayed in the city. (4) Adopting a comprehensive approach toward combating fraud, waste, and abuse protects both disaster victims from contractor fraud and public funds from fraudulent applicants. Controls to combat such activities before, during, and after a disaster can deter such activities, including instances of contractor fraud. On the federal level, experiences with FEMA's Public Assistance grant program after the 2005 Gulf Coast hurricanes illustrated a variety of challenges in the day-to-day operation of the program that could be faced again by Gulf Coast states recoveringfrom Hurricanes Ike and Gustav or other disasters in the future. These include the following: (1) Challenges using program flexibilities to respond to the postdisaster needs of grant applicants and determining project scope. For example, applicants reported needing additional flexibility when rebuilding to address significant population changes after the storm. (2) Challenges in sharing information among federal, state, and local officials during project development that at times slowed the process. For example, some applicants in Louisiana told us of the need to repeatedly resubmit key project documents because of the lack of an effective system to share such documentation. Opportunities exist for the federal government to further refine FEMA's Public Assistance grant program to better address these and other challenges as recovery continues on the Gulf Coast and in advance of future disasters. Tue, 03 Mar 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09401t.pdf Immigration and Customs Enforcement (ICE) was created in March 2003 as part of the Department of Homeland Security (DHS). From fiscal year 2003 through fiscal year 2007, the average daily population of detainees in ICE custody increased by about 40 percent, with the most growth occurring since fiscal year 2005. In fiscal year 2007, ICE held over 311,000 detainees at more than 500 detention facilities. Most of these were Intergovernmental Service Agreement (IGSA) facilities--state and local jails under contract with ICE to hold detainees. Some ICE detainees received health care services from IGSA staff, IGSA contractors, or community medical providers, and other ICE detainees received health care provided or arranged by the Division of Immigration Health Services (DIHS). DIHS is mainly composed of contract employees and officers from the U.S. Public Health Service (PHS) Commissioned Corps--a uniformed service of public health professionals who are part of the Department of Health and Human Services (HHS) and who provide services in different settings, including ICE detention facilities. In light of questions about the health care provided to detainees in ICE custody, Congress requested information about ICE's organizational structure and its health care resources for detainees. Our report provides (1) a description of ICE's organizational structure for providing health care services to detainees, which includes our review of the relevant agreements between DHS and HHS regarding DIHS; (2) information about ICE's annual spending and staffing resources devoted to the provision of health care for detainees, and the number of services provided; and (3) an assessment of whether ICE's mortality rate can be compared with the mortality rates of the Federal Bureau of Prisons (BOP) and the U.S. Marshals Service (USMS)--two entities that are responsible for holding certain persons, such as criminals. In summary, we found that ICE's organizational structure for providing health care to detainees is not uniform across facilities. In fiscal year 2007, 21 DIHS-staffed facilities provided or arranged for health care for about 53 percent of the average daily population of detainees, while 508 IGSA facilities provided or arranged for health care for the remaining detainees--about 47 percent of the population. Before October 1, 2007, DHS and HHS maintained annual interagency agreements through which DIHS--a component of HHS's Health Resources and Services Administration (HRSA)--provided health care for ICE detainees. As of that date, the last annual interagency agreement was terminated, and DIHS no longer is a component of HRSA. DHS officials told us that this termination--along with a 2007 Memorandum of Agreement between HHS and DHS that placed PHS officers on detail to DHS on an open-ended basis and that allowed for additional PHS officers to be detailed to DHS in the future--affected 565 direct health care providers and administrative staff. According to DHS officials, ICE now has a component known as DIHS which provides health care services to detainees. We also found that although ICE's health care data are not complete, the available data on health care spending, staffing, and services provided generally showed growth in all three areas. For instance, from fiscal year 2003 through fiscal year 2007, reported expenditures for medical claims and program operations increased by 47 percent, while the average daily population of detainees increased by about 40 percent. However, ICE facilities do not use standardized record keeping, and are not required to routinely report data to DHS on the health care services provided to detainees. Furthermore, data were not available on the detainee health expenditures that are incurred by IGSAs. In addition, we determined that ICE's mortality rate cannot be directly compared with BOP's or USMS's mortality rate. This is due to differences in the three agencies' health care goals and scopes of services, as well as to demographic differences among the ICE, BOP, and USMS detainee populations. Based on our work, we have identified a number of issues that may merit further assessment in the $2 million external study that ICE was directed to fund. These include: (1) ICE's ability to access detainee population data that measure unique individuals in ICE custody, rather than the average number of beds used; (2) Reporting relationships between DIHS and ICE; (3) IGSA reporting requirements--including the frequency of reporting on health care services provided to detainees and the format in which health records are maintained; (4) ICE's ability to routinely ensure the transfer of medical records when detainees are transferred between facilities; (5) ICE's ability to identify and report the detainee health care costs incurred by IGSAs; and (6) ICE's ability to identify and report medical claims expenditures by facility type--such as for all IGSAs. Tue, 03 Mar 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0985.pdf Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives. TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA's threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials' associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments. Fri, 27 Feb 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09308r.pdf Recent events have drawn attention to the health care provided to detainees held by U.S. Immigration and Customs Enforcement (ICE), a component of the Department of Homeland Security (DHS). For fiscal year 2004 through fiscal year 2007, ICE reported that 69 detainees died while in ICE custody, and during 2008, national news organizations investigated and published reports of the circumstances surrounding several detainee deaths. Other reports have also outlined concerns about the health care provided to detainees. For example, in 2007, the DHS Office of the Inspector General (OIG) found problems with adherence to ICE's medical standards at two ICE facilities it reviewed where detainee deaths had occurred. Additionally, members of Congress, the media, and advocacy groups have raised questions about the health care provided to detainees in ICE custody. An explanatory statement accompanying the fiscal year 2009 DHS appropriations act directed ICE to fund an independent, comprehensive review of the medical care provided to persons detained by DHS and identified $2 million for that purpose. ICE was created in March 2003 as part of DHS. From fiscal year 2003 through fiscal year 2007, the average daily population of detainees in ICE custody increased by about 40 percent, with the most growth occurring since fiscal year 2005. In fiscal year 2007, ICE held over 311,000 detainees at more than 500 detention facilities. Most of these were Intergovernmental Service Agreement (IGSA) facilities--state and local jails under contract with ICE to hold detainees. Some ICE detainees received health care services from IGSA staff, IGSA contractors, or community medical providers, and other ICE detainees received health care provided or arranged by the Division of Immigration Health Services (DIHS). DIHS is mainly comprised of contract employees and officers from the U.S. Public Health Service (PHS) Commissioned Corps--a uniformed service of public health professionals who are part of the Department of Health and Human Services (HHS) and who provide services in different settings, including ICE detention facilities. In light of questions about the health care provided to detainees in ICE custody, Congress requested information about ICE's organizational structure and its health care resources for detainees. This report provides (1) a description of ICE's organizational structure for providing health care services to detainees, which includes our review of the relevant agreements between DHS and HHS regarding DIHS; (2) information about ICE's annual spending and staffing resources devoted to the provision of health care for detainees, and the number of services provided; and (3) an assessment of whether ICE's mortality rate can be compared with the mortality rates of the Federal Bureau of Prisons (BOP) and the U.S. Marshals Service (USMS)--two entities that are responsible for holding certain persons, such as criminals. ICE's organizational structure for providing health care to detainees is not uniform across facilities. In fiscal year 2007, 21 DIHS-staffed facilities provided or arranged for health care for about 53 percent of the average daily population of detainees, while 508 IGSA facilities provided or arranged for health care for the remaining detainees--about 47 percent of the population. In addition, recent agreements with HHS reassigned medical personnel to DHS. DHS officials told us that a total of 565 direct health care providers and administrative staff were affected by these agreements. Although ICE's health care data are not complete, the available data on health care spending, staffing, and services provided generally showed growth in all three areas. For instance, from fiscal year 2003 through fiscal year 2007, reported expenditures for medical claims and program operations increased by 47 percent, while the average daily population of detainees increased by about 40 percent. ICE's mortality rate cannot be directly compared with BOP's or USMS's mortality rate. This is due to differences in the three agencies' health care goals and scopes of services, as well as to demographic differences among the ICE, BOP, and USMS detainee populations. Mon, 23 Feb 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09123r.pdf This report was written in response to House Report 110-181, accompanying H.R. 2638, the Department of Homeland Security Appropriations Bill, 2008. In accordance with direction in that report, we are reporting on the operation of the transportation security inspector (TSI) program since it has been located at the Transportation Security Administration (TSA) within the Department of Homeland Security, including the size of the TSI workforce, the roles and responsibilities of TSIs, and the extent to which TSA has a reasonable basis for determining the size of the workforce needed to achieve inspection goals. Fri, 06 Feb 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09244r.pdf Much of the United States' 6,000 miles of international borders with Canada and Mexico remains vulnerable to illegal entry of aliens, criminals, and cargo. The Department of Homeland Security (DHS) apprehends hundreds of thousands of people and seizes large volumes of cargo entering the country illegally each year; however, several hundreds of thousands of individuals and an unknown volume of contraband also enter the United States illegally and undetected. DHS's U.S. Customs and Border Protection (CBP) is the agency responsible for securing the nation's borders along and between ports of entry. In November 2005, DHS announced the launch of the Secure Border Initiative (SBI), a multiyear, multibillion-dollar program aimed at securing U.S. borders and reducing illegal immigration. CBP's SBI program office is responsible for managing the SBI program and for developing a comprehensive border protection system. This system has two main components: SBInet, which employs radars, sensors, and cameras to detect, identify, and classify the threat level associated with an illegal entry into the United States between the ports of entry, and SBI tactical infrastructure (TI), fencing, roads, and lighting intended to enhance U.S. Border Patrol agents' ability to respond to the area of the illegal entry and bring the situation to a law enforcement resolution (i.e., arrest). The current focus of the SBI program is on the southwest border areas between ports of entry that CBP has designated as having the highest need for enhanced border security because of serious vulnerabilities. The Consolidated Appropriations Act, 2008, required DHS to complete construction by December 31, 2008, of either 370 miles or other mileage determined by the Secretary, of reinforced fencing along the southwest border wherever the Secretary determines it would be most practical and effective in deterring smugglers and aliens attempting illegal entry. DHS set a goal to complete approximately 670 miles of fencing by December 31, 2008. In September 2008, we testified that SBI fencing project costs were increasing and land acquisition issues posed a challenge to DHS in meeting its goal to have about 670 miles of fencing completed by December 31, 2008. Also in September 2008, DHS revised its goal such that it planned to have these miles either built, under construction, or under contract by December 31, 2008. In December 2008, DHS reported that it planned to complete all but one of the fence projects by March 2009. As directed by the Explanatory Statement accompanying the fiscal year 2008 Consolidated Appropriations Act, we examined the costs of constructing fencing along the southern border of the United States. This report addresses the following questions: (1) What were the construction costs of primary pedestrian and vehicle fencing miles completed under the SBI program as of September 30, 2007, and October 31, 2008? (2) What were the construction costs of secondary pedestrian fencing completed along existing primary fencing as of October 31, 2008? (3) If appropriated SBI funds from fiscal years 2007 and 2008 that were allocated for SBInet had been used to construct fencing, how many additional miles of pedestrian or vehicle fencing could have been constructed? CBP had completed about 73 miles of primary SBI fencing costing approximately $198 million as of September 30, 2007, and about 215 miles of fencing costing about $625 million as of October 31, 2008. Seventy-one of the miles completed as of September 30, 2007, were pedestrian fencing completed at costs ranging from $400,000 to $4.8 million per mile and averaging $2.8 million per mile. CBP had also finished about 2 miles of vehicle fencing at a cost of $2.8 million. Pedestrian fencing accounted for 140 of the miles that CBP had completed as of October 31, 2008, with costs ranging from $400,000 to $15.1 million per mile for an average of $3.9 million per mile. Seventy-five of the miles were vehicle fencing and costs ranged from $200,000 to $1.8 million per mile, averaging $1.0 million per mile. The per mile costs to build the fencing varied considerably because of the type of fencing, topography, materials used, land acquisition costs, and labor costs, among other things. As of October 31, 2008, CBP reported that approximately 32 miles of secondary fence existed along the southwest border and about 18 of those miles had an average construction cost of $2 million per mile. CBP officials said that they do not have cost information for the remaining miles because they were constructed by the International Boundary and Water Commission. In addition, CBP had obligated $58 million of fiscal year 2008 funding on a 3.5-mile secondary fencing project in the San Diego sector that is scheduled to be completed in calendar year 2009. If the approximately $393 million in appropriated SBI funds from fiscal years 2007 and 2008 that were allocated for SBInet had been used to construct fencing, depending on the operational needs of the Border Patrol and a number of assumptions that were discussed above, we estimate that CBP could have built about 73 miles of additional pedestrian fencing or about 232 miles of additional vehicle fencing. Alternatively, depending on the operational needs of the Border Patrol, CBP could have constructed a mix of additional pedestrian and vehicle fencing. For example, if the additional funding had been divided equally between pedestrian and vehicle fencing in fiscal years 2007 and 2008, CBP could have constructed 36 miles of pedestrian and 116 miles of vehicle fencing. However, these estimates are approximate, and depending on actual costs at the time, more or less fencing could have been built, particularly taking into account the complexities of fence construction, specifically, increased material costs, a short supply of labor, and a compressed schedule to complete fence construction projects. Thu, 29 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09257.pdf In April 2005, the Domestic Nuclear Detection Office (DNDO) was established within the Department of Homeland Security (DHS) to enhance and coordinate federal, state, and local efforts to combat nuclear smuggling domestically and overseas. DNDO was directed to develop, in coordination with the departments of Defense (DOD), Energy (DOE), and State (State), a global strategy for nuclear detection--a system of radiation detection equipment and interdiction activities domestically and abroad. GAO was asked to examine (1) DNDO's progress in developing programs to address critical gaps in preventing nuclear smuggling domestically, (2) DNDO's role in supporting other agencies' efforts to combat nuclear smuggling overseas, and (3) the amount budgeted by DHS, DOD, DOE, and State for programs that constitute the global nuclear detection strategy. To do so, GAO analyzed agency documents; interviewed agency, state, and local officials; and visited select pilot program locations. DNDO has made some progress in strengthening radiation detection capabilities to address critical gaps and vulnerabilities in combating nuclear smuggling, which include the land border area between ports of entry into the United States, aviation, and small maritime vessels. However, DNDO is still in the early stages of program development, and has not clearly developed long term plans, with costs and time frames, for achieving its goal of closing these gaps by expanding radiological and nuclear detection capabilities. For example, DNDO and Customs and Border Protection have been collaborating on radiological and nuclear detection options to better secure the land borders between ports of entry. However, DNDO-sponsored field evaluations to test radiation detection equipment are still not complete and DNDO and CBP may not have all radiation detection equipment in place until 2012. In addition, DNDO is in the first year of a 3-year maritime pilot program, working with the Coast Guard and local law enforcement agencies in the Puget Sound, Washington, area to field test equipment and to develop radiological and nuclear screening procedures. However, DNDO has made little progress in (1) developing criteria for assessing the success of the pilot to help determine whether it should be expanded to other locations, and (2) resolving some of the challenges it faces in the pilot program, such as technological limitations of the detection equipment and sustaining current detection efforts. Although DNDO has no authority over other federal agencies' programs to combat radiological and nuclear smuggling overseas, it has worked with DOD, DOE, and State to provide subject matter expertise and exchange lessons learned on radiological and nuclear detection. However, most of DNDO's efforts are modest in scope, reflecting the fact that these agencies have well-established programs to combat nuclear smuggling. For example, DNDO has been working with State's Global Initiative to Combat Nuclear Terrorism to develop model guidelines that other nations can use to establish their own nuclear detection programs. According to DNDO, approximately $2.8 billion was budgeted by DHS, DOD, DOE, and State in fiscal year 2007 for programs included in the global strategy for nuclear detection. Of this amount, approximately $1.1 billion was budgeted for programs to combat nuclear smuggling overseas, $1.1 billion was budgeted for nuclear detection programs at the U.S. border and within the United States, and approximately $577 million was budgeted to fund cross-cutting activities, such as providing technical support to users of the radiation detection equipment. DNDO collected budget data and published them in the Joint Annual Interagency Review, an annual report required by Congress. DOD, DOE, and State officials told GAO that this information is used primarily as a status report of individual programs to combat nuclear smuggling. It is not used as a tool to help plan for or inform the future direction of the strategy or to help establish current or future priorities. Thu, 29 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09184.pdf According to U.S. intelligence, the threat to U.S airspace remains. The North American Aerospace Defense Command (NORAD) is to defend U.S. air space and the U.S. Air Force has 18 sites in the United States that conduct air sovereignty alert (ASA) operations. ASA operations support fighter aircraft in conducting homeland air defense operations. GAO examined the extent to which (1) NORAD has adopted a risk-based management approach to determine ASA operational requirements; (2) the Air Force has implemented ASA operations as a steady-state mission in accordance with Department of Defense (DOD), NORAD, and Air Force directives and guidance; (3) the Air Force assesses the readiness of units conducting ASA operations; and (4) the Air Force faces challenges in sustaining ASA operations for the future and what plans, if any, it has to address such challenges. GAO reviewed relevant ASA guidance, directives, and planning documents; and interviewed DOD officials, including the commanders of all 18 ASA sites. Responding to individual requests from DOD, NORAD has done some assessments to determine ASA operational requirements. NORAD has not adopted a risk-based approach to determining ASA requirements, including routine risk assessments. Although GAO previously reported on the benefits to organizations that routinely do risk assessments to determine program requirements, NORAD does not conduct such assessments because DOD does not require NORAD to do so. However, such assessments could enhance NORAD's ability to determine and apply the appropriate levels and types of units, personnel, and aircraft for the ASA mission. The Air Force has not implemented ASA operations in accordance with DOD, NORAD, and Air Force directives and guidance, which instruct the Air Force to establish ASA as a steady-state (ongoing and indefinite) mission. The Air Force has not implemented the 140 actions it identified to establish ASA as a steady-state mission, which included integrating ASA operations into the Air Force's planning, programming, and funding cycle. The Air Force has instead been focused on other priorities, such as overseas military operations. While implementing ASA as a steady-state mission would not solve all of the challenges the units must address, it would help them mitigate some of the challenges associated with conducting both their ASA and warfighting missions. NORAD has partially assessed the readiness of ASA units; however the Air Force has not evaluated personnel, training, and quantity and quality of equipment. Readiness measures are designed to ensure that DOD forces are properly trained, equipped, and prepared to conduct their assigned missions. For example, while NORAD evaluated the extent to which aircraft were maintained for ASA operations and the units' ability to respond to an alert and to locate and intercept aircraft, it did not evaluate training. Because the Air Force has not implemented ASA as a steady-state mission or formally assigned the mission to the units, it does not assess ASA readiness. By assessing the readiness of units that consistently conduct ASA operations, DOD would be better assured that these units are organized, trained, and equipped to perform ASA operations. The Air Force faces two challenges to sustaining its ASA capabilities over the long term--(1) replacing or extending the service life of aging fighter aircraft and (2) replacing ASA units with equipment and trained personnel when they deploy. For example, if aircraft are not replaced by 2020, 11 of the 18 current air sovereignty alert sites could be without aircraft. The Air Force has not developed plans to mitigate these challenges because it has been focused on other priorities. Plans would provide the Air Force information that could assist it in ensuring the long-term sustainability of ASA operations and the capability of ASA units to protect U.S. airspace. Tue, 27 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0970.pdf The Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) is responsible for granting or denying immigration benefits to individuals. USCIS charges fees for the millions of immigration applications it receives each year to fund the cost of processing and adjudicating them. In February 2007, USCIS completed a study to determine the full costs of its operations and the level at which application fees should be set to recover those costs. USCIS's new fee schedule increased application fees by a weighted average of 86 percent. Almost 96 percent of USCIS's fiscal year 2008 budget of $2.6 billion was expected to have come from fees. GAO was asked to review the methodology USCIS used in its fee review and controls in place over collection and use of fees. In this report, GAO addresses the consistency of the methodology with federal accounting standards and principles and other guidance, including whether key assumptions and methods were sufficiently justified and documented. The report also addresses internal controls USCIS has in place over the collection and use of fees. In 2007, USCIS completed a fee review in which USCIS estimated the costs of its immigration application processing and adjudication services and, in accordance with management's objective, set the fees at a level to recover those costs. The methodology USCIS used in its review, however, did not consistently adhere to federal accounting standards and principles and other guidance. While federal accounting standards allow flexibility for agencies to develop managerial cost accounting practices that are suited to their needs, they also provide certain specific guidance based on sound cost accounting concepts. USCIS's methodology, for example, did not include the costs paid by other federal entities on behalf of USCIS. Federal standards and guidance also call for documentation that is sufficient to allow an understanding of and provide justification for the cost assignment processes and data used. USCIS did not adequately document the detailed processes used or sufficiently justify assumptions used in allocating costs to various activities on a prorated basis. As a result, USCIS could not show that its methods provided a reasonable distribution of the costs to the various types of applications. For instance, USCIS allocated $732 million of overhead costs (or 31 percent of total costs)--including information technology operations and maintenance--to offices based on the number of staff full-time equivalents (FTE) in each office. However, USCIS's documentation did not sufficiently justify (1) why cost allocation was used instead of other possible methods or (2) why it did not include about 6,100 contract workers and used only approximately 7,900 FTEs of the total federal FTEs of about 10,400 as the basis for allocation. USCIS also did not adequately justify the equal assignment of activity costs representing 51 percent of total costs to each application type. While such pro rata assignment of costs may be a reasonable method in some circumstances, USCIS did not document its justification for the assumptions made when deciding which costs to allocate on a prorated basis and how those costs should be allocated. Because of these inconsistencies with federal accounting standards and principles and other guidance, USCIS cannot support the reasonableness of cost assignments to the various application types. USCIS has implemented accountability mechanisms to track the use of both regular application fees as well as premium processing fees intended for specific projects. USCIS plans to use its premium processing fee collections to fund its transformation program to make long-term improvements to its business processes and technology. Through its monitoring of fee collection procedures, USCIS has identified some weaknesses at one of its service centers. It has taken actions to strengthen service center controls in the short term, and it is moving all fee receipt functions and the application processing done in preparation for adjudication to lockbox facilities to further strengthen control over collections. Fri, 23 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09180.pdf U.S. Citizenship and Immigration Services (USCIS) announced an increase to its immigration and naturalization application fees by an average of 86 percent, effective July 2007, contributing to a surge in application volume that challenged the agency's pre-adjudicative operations. In July 2007, the incoming application volume increased an unprecedented 100 percent over the prior month and the processing of 1.47 million applications was delayed. GAO was asked to review USCIS's current fee design and compare it to the principles in GAO's user-fee design guide and USCIS's management of operations affected by the new fees, specifically in projecting application volumes and contracting for application processing services. To do so, GAO reviewed legislation and agency documentation; compared the fee design to GAO's principles of effective user-fee design (equity, efficiency, revenue adequacy, and administrative burden); visited processing centers; and interviewed agency officials at these locations and in headquarters. USCIS's 2007 fee design reflects choices and trade-offs consistent with several of GAO's four user-fee design dimensions--efficiency, equity, revenue adequacy, and administrative burden. For example, in three areas the fee design reflects policy choices related to equity and administrative burden considerations: (1) the structure of fee exemptions and waivers, (2) limitations on certain fee increases for a population deemed unlikely to be able to pay, and (3) decisions about how costs were assigned among users. However, USCIS did not conduct the analyses necessary to fully inform congressional decision-making or internal deliberations on some key areas, such as the cost of activities funded by fees whose rates are set in statute. Notably, the $1,000 fee for USCIS's premium-processing service for employment-based applications, which was the fifth largest single generator of funds for USCIS in fiscal year 2007, will be used for business process and technology improvements. As such, the additional costs of premium processing services are funded by nonpremium processing fee-paying applicants, raising equity concerns. Since USCIS has not identified the total costs of these services, the actual dollar amount being subsidized is unknown. The new fee design also does not allow for an appropriate "reserve" or carryover balance, to ensure the continuity of operations and cover fixed costs in the event of a decrease in applications, nor does it consider the costs associated with certain fee collection operations. According to USCIS's schedule, if the next review identifies a needed fee adjustment, it would occur in September 2009. However, USCIS did not provide documentation that would allow us to determine whether the 2009 fee review would address identified shortcomings in the 2007 fee review or whether the remaining time frames for key milestones, such as refining data and the proposed rulemaking schedule, are reasonable. Absent timely reviews, it is more likely that fees and costs will become misaligned, leading to costly challenges. Projections of USCIS application volume have historically been developed and used as budget tools but do not effectively inform workload management efforts. Specifically, the projections do not identify monthly variations in application volume, despite variations that regularly exceed 20 percent and the serious operational challenges associated with application surges. USCIS's contractors do not receive workload projection information, despite requirements that processing centers shall maintain the capacity to accommodate "spikes" in receipt volumes that are anticipated at least 45 to 90 calendar days in advance. Further, USCIS projection documents do not consistently record critical information such as factors that drive application volume, inhibiting analysis that could improve projections over time. Service-center contractors process USCIS mail and are paid according to a fixed unit price per piece. Contractors count up to 90 percent of incoming mail, but USCIS has not developed an agencywide standard operating procedure for validating the contractors' counts. As a result, USCIS is limited in its ability to verify that USCIS is receiving the service that it is paying for. Fri, 23 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09273.pdf By deploying armed air marshals onboard selected flights, the Federal Air Marshal Service (FAMS), a component of the Transportation Security Administration (TSA), plays a key role in helping to protect approximately 29,000 domestic and international flights operated daily by U.S. air carriers. GAO was asked to examine (1) FAMS's operational approach or "concept of operations" for covering flights, (2) to what extent this operational approach has been independently evaluated, and (3) the processes and initiatives FAMS established to address workforce-related issues. GAO analyzed documented policies and procedures regarding FAMS's operational approach and a July 2006 classified report based on an independent evaluation of that approach. Also, GAO analyzed employee working group reports and other documentation of FAMS's processes and initiatives for addressing workforce-related issues, and interviewed the FAMS Director, other senior officials, and 67 air marshals (selected to reflect a range in levels of experience). This report is the public version of a restricted report (GAO-09-53SU) issued in December 2008. Because the number of air marshals is less than the number of daily flights, FAMS's operational approach is to assign air marshals to selected flights it deems high risk--such as the nonstop, long-distance flights targeted on September 11, 2001. In assigning air marshals, FAMS seeks to maximize coverage of flights in 10 targeted high-risk categories, which are based on consideration of threats, vulnerabilities, and consequences. In July 2006, the Homeland Security Institute, a federally funded research and development center, independently assessed FAMS's operational approach and found it to be reasonable. However, the institute noted that certain types of flights were covered less often than others. The institute recommended that FAMS increase randomness or unpredictability in selecting flights and otherwise diversify the coverage of flights within the various risk categories. As of October 2008, FAMS had taken actions (or had ongoing efforts) to implement the Homeland Security Institute's recommendations. GAO found the institute's evaluation methodology to be reasonable. To address workforce-related issues, FAMS's previous director, who served until June 2008, established a number of processes and initiatives--such as working groups, listening sessions, and an internal Web site--for agency personnel to provide anonymous feedback to management on any topic. These efforts have produced some positive results. For example, FAMS revised its policy for airport check-in and aircraft boarding procedures to help protect the anonymity of air marshals in mission status, and FAMS adjusted its flight scheduling process for air marshals to support a better work-life balance. The air marshals GAO interviewed expressed satisfaction with FAMS efforts to address workforce-related issues. Further, the current FAMS Director, after being designated in June 2008 to head the agency, issued a broadcast message to all employees, expressing a commitment to continue applicable processes and initiatives. Also, FAMS has plans to conduct a workforce satisfaction survey of all employees every 2 years, building upon an initial survey conducted in fiscal year 2007. Although the 2007 survey indicated positive changes since the prior year, it was answered by 46 percent of the workforce, well short of the 80-percent response rate that the Office of Management and Budget (OMB) encourages for ensuring that results reflect the views of the target population. OMB guidance gives steps, such as extending the cut-off date for responding, that could improve the response rate of future surveys. Also, several of the 2007 survey questions were ambiguous, and response options were limited. Addressing these design considerations could enhance future survey results. Wed, 14 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0927r.pdf This report formally responds to Congress' request that GAO review the Transportation Security Administration's (TSA) Screening Partnership Program (SPP). In accordance with the Aviation and Transportation Security Act, TSA created the SPP to allow commercial airports an opportunity to apply to TSA to use private sector screeners through qualified private-screening contractors approved by TSA. In February 2008, TSA issued a report on its study comparing the cost and performance of screening services at SPP and non-SPP airports. Our briefing addresses the following questions: (1) To what extent did the design of TSA's study of the cost and performance of passenger and checked baggage screening services at selected SPP and non-SPP airports affect the usefulness of the study? (2) To what extent has TSA taken actions to identify and eliminate any unnecessary overhead/supervisory redundancies at SPP airports between TSA and contractor personnel? (3) What factors do airport operators cite as having contributed to airports' decisions about whether to participate in the SPP? We are recommending that if TSA plans to rely on its comparison of costs and performance of SPP and non-SPP airports for future decision making, the agency update its study to address the limitations we identified, for example, by including various cost elements that were excluded and conducting statistical tests to determine the level of confidence in any observed differences in screening performance. TSA generally agreed with our findings and recommendation. Fri, 09 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09168r.pdf This report formally transmits the briefing in response to P.L. 110-329, the Consolidated Security, Disaster Assistance and Continuing Appropriations Act, that required GAO for the fourth year to review the methodology the Department of Homeland Security (DHS) and the Federal Emergency Management Agency (FEMA) use to allocate Homeland Security Grant Program (HSGP) grants, including the risk assessment methodology they use to determine which urban areas are eligible to apply for grants. HSGP includes the State Homeland Security Program (SHSP) and Urban Areas Security Initiative (UASI) grants. Our objective was to identify any changes in the methodology for risk assessment and grant allocation for 2009 and to assess the reasonableness of the methodology. We analyzed DHS and FEMA documents including the fiscal year 2008 and 2009 risk analysis models and grant guidance and interviewed DHS and FEMA officials about the changes in the 2009 model. We did our work between October and December 2008 in accordance with generally accepted government auditing standards. We briefed the mandated reporting committees with two briefings in November 2008 and December 2008 on the results of our analysis. DHS has adopted a process of continuing improvement in its methods for assessing risk and measuring grant applicants' effective use of resources. SHSP and UASI grant allocations continue to be based on a three-step process: (1) risk assessments to determine areas eligible to apply for grants, (2) effectiveness assessments of the grant applicants' investment justifications, and (3) final grant allocations. The methodology is described in detail in our 2008 report. There were minor changes in the risk assessment for 2009 and no changes in the process used for the effectiveness assessment and final grant allocations. Generally, we found that DHS has constructed a reasonable methodology to assess risk and allocate funds. DHS uses empirical risk analysis and policy judgments to select the urban areas eligible for grants (all SHSP grantees are guaranteed a specified minimum percentage of available grant funds) and to allocate SHSP and UASI funds. DHS continued to include three basic variables in its risk assessment--threat, vulnerability, and consequences. For fiscal year 2009, DHS changed some elements of the inputs used for the threat, economic, and national security indexes used in the model. The value of each of these indices is given a specific weight in the risk assessment (for example, the threat index is weighted at 20 percent and the population index at 40 percent of the final risk score). DHS continued to consider all areas of the nation equally vulnerable to a successful terrorist attack and assigned every state and urban area a vulnerability score of 1.0 in the risk analysis model. Thus, as a practical matter, the final risk scores are determined by the threat and consequences scores. The result of the UASI risk assessment is a list of UASI jurisdictions eligible for grants. A total of 62 urban areas were eligible for grants in 2009 (60 were eligible in 2008). In response to grantee feedback, in 2009, DHS for the first time provided each eligible State and UASI area its estimated target grant allocation in the Fiscal Year 2009 Homeland Security Grant Program Guidance and Application Kit. FEMA believes this change will enable grantees to better target their investment justifications in their grant applications as the amounts requested should more closely match final actual allocations. Applicants may submit applications for up to 110 percent of their targeted allocation. Final 2009 allocations will be based on the targeted allocations as adjusted by applicants' effectiveness scores, up to a maximum of plus or minus 10 percent of their targeted allocation. As in 2008, the seven urban areas with the highest risk scores (Tier I) will be collectively allocated 55 percent of total available fiscal year 2009 funds and the remaining 55 urban areas (Tier II) will be collectively allocated 45 percent. Tue, 23 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d09129.pdf The devastation caused by the 2005 Gulf Coast hurricanes presented the nation with unprecedented rebuilding challenges. The Federal Emergency Management Agency's (FEMA) Public Assistance (PA) grant program is a key tool for providing funds to support recovery, including rebuilding public schools, roads, and utilities. GAO was asked to examine the amount of PA grants FEMA has provided for rebuilding the Gulf Coast; challenges in the day-to-day operation of the PA program; and human capital challenges; as well as actions taken to address them. Toward this end, GAO reviewed relevant laws, PA regulations and procedures, and analyzed data from FEMA's National Emergency Management Information System. GAO also interviewed federal officials from FEMA and the Department of Homeland Security's (DHS) Office of the Federal Coordinator for Gulf Coast Rebuilding as well as more than 60 officials from state government and eight localities in Louisiana and Mississippi. Funding for PA grants related to the 2005 Gulf Coast hurricanes is already more than $11 billion, surpassing that of any previous disaster, and will likely be higher than FEMA's total cost estimate of $13.2 billion. About 90 percent of these funds have gone to the states of Louisiana and Mississippi, about half of which have passed from the states to grant applicants to date. GAO identified challenges in the following broad areas, many of which contributed to slowing down rebuilding projects. (1) Project Development: Challenges in the development of PA projects included difficulties determining the amount of damage that was disaster-related, using PA program flexibilities to rebuild in a way that meets postdisaster needs, assessing project scope including whether to repair or replace damaged structures, estimating project costs, and having sufficient resources to initiate projects. For example, assessing the damage to New Orleans's water and sewer system was complicated by the difficulty distinguishing disaster-related from preexisting damage. Estimating the cost of PA projects presented special challenges because of unusual market conditions for labor and materials in the postdisaster economy. (2) Information Sharing and Tracking: GAO identified challenges in sharing information among federal, state, and local participants in the PA process as well as in tracking the status of projects. For example, in Louisiana, information sharing was made more difficult in the absence of an effective document-sharing system and because key FEMA and state officials who review PA applications are located in different cities. (3) Project Approvals and Appeals: FEMA's approval decisions on some projects were reversed after applicants had already moved ahead with construction. In addition, decisions on appeals were often not made within required time frames due to the large number of rebuilding projects. (4) Human Capital: Human capital challenges at all levels of government underlie many of the above challenges and also slowed rebuilding projects. Shortages of experienced and knowledgeable staff were particularly problematic during the initial stages of rebuilding. FEMA's early reliance on temporary rotating staff did not provide the level of continuity needed for the complex demands of Gulf Coast rebuilding. Among the actions DHS has taken to address these challenges are the finalization of a PA catastrophic disaster recovery concept plan that recognizes the need to more easily tailor projects to meet postdisaster conditions; the development of new management information systems to better track and manage projects and increase the transparency of PA funding; and the creation of a credentialing program for employees. Thu, 18 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0996.pdf The Department of Homeland Security (DHS) has established a program known as U.S. Visitor and Immigrant Status Indicator Technology (US-VISIT) to collect, maintain, and share information, including biometric identifiers, on certain foreign nationals who travel to and from the United States. By congressional mandate, DHS is to develop and submit an expenditure plan for US-VISIT that satisfies certain conditions, including being reviewed by GAO. GAO's objectives were to (1) determine if the plan satisfies the twelve legislative conditions and (2) provide observations about the plan and management of the program. To accomplish this, GAO assessed the plan and related DHS certification letters against each aspect of each legislative condition and assessed program documentation against federal guidelines and industry standards. The fiscal year 2008 US-VISIT expenditure plan does not fully satisfy any of the eleven conditions required of DHS by the Consolidated Appropriations Act, 2008, either because the plan does not address key aspects of the condition or because what it does address is not adequately supported or is otherwise not reflective of known program weaknesses. More specifically, of the eleven conditions, the plan partially satisfies eight. For example, while the plan includes a listing of GAO recommendations, it does not provide milestones for addressing these recommendations, as required by the act. Further, although the plan includes a certification by the DHS Chief Procurement Officer that the program has been reviewed and approved in accordance with the department's investment management process, and that this process fulfills all capital planning and investment control requirements and reviews established by the Office of Management and Budget, the certification is based on information that pertains to the fiscal year 2007 expenditure plan and fiscal year 2009 budget submission, rather than to the fiscal year 2008 expenditure plan. Moreover, even though the plan provides an accounting of operations and maintenance and program management costs, the plan does not separately identify the program's contractor services costs, as required by the act. With regard to the remaining three legislative conditions, the plan does not satisfy any of them. For example, the plan does not include a certification by the DHS Chief Human Capital Officer that the program's human capital needs are being strategically and proactively managed and that the program has sufficient human capital capacity to execute the expenditure plan. Further, the plan does not include a detailed schedule for implementing an exit capability or a certification that a biometric exit capability is not possible within 5 years. The twelfth legislative condition was satisfied by our review of the expenditure plan. Beyond the expenditure plan, GAO observed that other program planning and execution limitations and weaknesses also confront DHS in its quest to deliver US-VISIT capabilities and value in a timely and cost-effective manner. Concerning DHS's proposed biometric air and sea exit solution, for example, the reliability of the cost estimates used to justify the proposed solution is not clear, the proposed solution would provide less security and privacy than other alternatives, and public comments on the proposed solution raise additional concerns, including the impact the solution would have on the industry's efforts to improve passenger processing and travel. Moreover, the program's risk management database shows that key risks are not being managed. Finally, frequent rebaselining of one of the program's task orders has minimized the significance of schedule variances. Collectively, this means that additional management improvements are needed to effectively define, justify, and deliver a US-VISIT system solution that meets program goals, reflects stakeholder input, minimizes exposure to risk, and provides Congress with the means by which to oversee program execution. Until these steps are taken, US-VISIT program performance, transparency, and accountability will suffer. Fri, 12 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0939.pdf The Terrorism Risk Insurance Act of 2002 (TRIA) is credited with stabilizing insurance markets after the September 11, 2001, attacks by requiring insurers to offer terrorism coverage to commercial property owners (property/casualty insurance), and specifying that the federal government is liable for a large share of related losses. While TRIA covers attacks involving conventional weapons, insurers may use exceptions that may exclude coverage for attacks with nuclear, biological, chemical, or radiological (NBCR) weapons, which has raised concerns about the potential economic consequences of such attacks. TRIA's 2007 reauthorization directed GAO to review (1) the extent to which insurers offer NBCR coverage, (2) factors that contribute to the willingness of insurers to provide NBCR coverage, and (3) policy options for expanding coverage for NBCR risks. To do this work, GAO reviewed studies and reports and interviewed more than 100 industry participants about the availability of NBCR coverage in the market. GAO provided a draft of this report to the Department of the Treasury and the National Association of Insurance Commissioners (NAIC). Treasury and NAIC said that they found the report informative and useful. NAIC did express what it said was a philosophical difference of opinion with GAO's characterization of risk-based premiums for workers' compensation insurers. Consistent with the findings of a September 2006 GAO report on the market for NBCR terrorism insurance, property/casualty insurers still generally seek to exclude such coverage from their commercial policies. In doing so, insurers rely on long-standing standard exclusions for nuclear and pollution risks, although such exclusions may be subject to challenges in court because they were not specifically drafted to address terrorist attacks. Commercial property/casualty policyholders, including companies that own high-value properties in large cities, generally reported that they could not obtain NBCR coverage. Unlike commercial property/casualty insurers, insurers in workers' compensation, group life, and health lines reported generally providing NBCR coverage because states generally do not allow them to exclude these risks. Commercial property/casualty insurers generally remain unwilling to offer NBCR coverage because of uncertainties about the risk and the potential for catastrophic losses, according to industry participants. Insurers face challenges in reliably estimating the severity and frequency of NBCR attacks for several reasons, including accounting for the multitude of weapons and locations that could be involved (ranging from an anthrax attack on a single building to a nuclear explosion in a populated area) and the difficulty or perhaps impossibility of predicting terrorists' intentions. Without the capacity to reliably estimate the severity and frequency of NBCR attacks, which would be necessary to set appropriate premiums, insurers focus on determining worst-case scenarios (which with NBCR weapons can result in losses that would render insurers insolvent). For example, a nuclear detonation could destroy many insured properties throughout an entire metropolitan area. Workers' compensation, group life, and health insurers that generally cannot exclude NBCR coverage from their policies also face challenges in managing these risks. For example, workers' compensation insurers said they face challenges in setting premiums that they believe would cover the potential losses associated with an attack involving NBCR weapons. GAO reviewed two proposals that have been made to address the lack of NBCR coverage in the commercial property/casualty market. The first proposal, part of an early version of the bill to reauthorize TRIA in 2007, would have required insurers to offer NBCR coverage, with the federal government assuming a greater share of potential losses than it would for conventional attacks. Some industry participants supported this proposal because insurers otherwise would not offer NBCR coverage and because a substantial federal backstop was necessary to mitigate the associated risks. However, others said that some insurers might withdraw from the market if mandated to offer NBCR coverage, even with a substantial federal backstop. In a second proposal by some industry participants, the federal government would assume all potential NBCR risks through a separate insurance program and charge premiums for doing so. However, critics said the government might face substantial losses on such an NBCR insurance program because it might not be able to determine or charge appropriate premiums. Fri, 12 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0955.pdf Since September 11, 2001, a concern has been that terrorists or their supporters would seek to immigrate to the United States (i.e., seek lawful permanent residency (LPR)). The Department of Homeland Security's U.S. Citizenship and Immigration Services (USCIS) conducts background checks and the FBI conducts name checks for those applying for LPR. GAO was asked to review USCIS's processes for screening individuals applying for LPR. GAO assessed: (1) what available data show about the extent to which national security concerns were discovered during USCIS background checks for LPR applications, (2) what issues USCIS has encountered in its background check processes and what actions have been taken to resolve those issues, and (3) the extent to which USCIS has addressed fraud vulnerabilities in its adjudication procedures for LPR. To conduct this work, GAO analyzed USCIS background check and adjudication procedures, USCIS data on adjudications, and its assessments of fraud in applications for LPR, and interviewed USCIS and FBI officials. Available data show that of the approximately 917,000 applications for LPR USCIS received from January 1, 2006, through May 31, 2007, 516 (0.05 percent) were referred to USCIS's Office of Fraud Detection and National Security (FDNS) for national security concerns. According to FDNS, the cases referred to it involved individuals on a watch list which included names of known and suspected terrorists, or posed other national security concerns such as individuals who associated with suspected terrorists or engaged in espionage. While USCIS's application case management system was not designed to capture and routinely generate detailed statistics on those posing national security concerns, FDNS has developed a separate system to capture such data. USCIS had encountered delays in obtaining the results of FBI name checks--FBI checks of its investigative files--for LPR applicants and others, and had issues regarding the usefulness of these results, but USCIS and the FBI have taken a number of actions that have improved these checks. The FBI dedicated more staff to process name checks, and USCIS provided additional funding and training to FBI staff. As a result, the number of pending name checks has decreased 90 percent, from 329,000 in May 2007 to 32,000 as of September 30, 2008. The FBI plans on being able to complete all name checks within 90 days of receipt by June 2009. USCIS has taken some actions to address vulnerabilities identified in one of its assessments of fraud, called Benefit Fraud and Compliance Assessments (BFCA), but has yet to complete actions to address vulnerabilities identified in four other BFCAs. To conduct BFCAs, FDNS selected a sample of petitions to determine the extent of fraud and identify any systemic vulnerabilities in USCIS's adjudications processes. Internal control standards call for agency managers to promptly evaluate findings from audits and reviews, determine proper actions to take, and complete them within established time frames. Although FDNS completed all of these assessments between June 2006 and September 2007, USCIS has not established time frames for evaluating these findings and implementing any necessary corrective actions. Until USCIS takes corrective actions, vulnerabilities identified by these BFCAs will persist, increasing the risk that ineligible individuals will obtain LPR status. Lack of verification of the evidence submitted with petitions is one of the major vulnerabilities identified in these BFCAs. For example, FDNS staff found that individuals claiming to be married were not, employers did not exist, and aliens did not have the education or skills they claimed. USCIS procedures give its staff discretion on deciding whether to verify evidence submitted with petitions. The BFCAs have shown that adjudicators following these procedures have approved fraudulent petitions. Verifying all petitioner-submitted evidence is impossible. Procedures that require verifying certain evidence under certain circumstances would help adjudicators better detect fraud and help USCIS maintain the balance between fraud detection and USCIS's customer service and production-related objectives. Fri, 05 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0993.pdf Covering nearly 4,000 miles of land and water from Washington to Maine, the U.S.-Canadian border is the longest undefended border in the world. Various Department of Homeland Security (DHS) component agencies share responsibility for northern border security, primarily U.S. Customs and Border Protection (CBP), in collaboration with other federal, state, local, tribal, and Canadian entities. The Implementing Recommendations of the 9/11 Act of 2007 required the Secretary of Homeland Security to submit a report to Congress that addresses the vulnerabilities along the northern border, and provides recommendations and required resources to address them. The act also required GAO to review and comment on this report. In response to this mandate, GAO examined (1) the extent to which the DHS report to Congress is responsive to the legislative requirements and (2) actions that may be necessary to address northern border vulnerabilities in addition to the actions addressed in the report. To conduct this work, GAO reviewed DHS plans, reports, and other documents, and interviewed DHS officials. The DHS February 2008 report to Congress is not fully responsive to legislative requirements in providing information for improving northern border security. In particular, DHS provided a listing of northern border vulnerabilities and initiatives to address them, but did not include recommendations and additional resources that are needed to protect the northern border. DHS officials provided several reasons for the lack of specificity and gaps in reported information, including the fact that the component agencies' priorities for action and resources are reflected in the existing budget process, and that they had nothing further to recommend or request through this report. However, budget documents do not reflect the resources needed over time to achieve control of the northern border. The lack of this information makes it difficult for Congress to consider future actions and resources needed. DHS is developing northern border strategic plans and a risk-management process to help guide and prioritize action and resources, and fully implementing recommendations from past GAO evaluations would also provide benefit in addressing northern border security vulnerabilities. DHS is currently developing strategic plans that are intended to provide overall direction in addressing vulnerabilities in northern border security. DHS is also developing a risk-management process to assist in prioritizing efforts and resources that will provide greatest benefit to national security. DHS officials have said that the success of various pilot projects, such as DHS's testing of new technology, will likely change the level and mix of resources needed to protect the northern border. In the meantime, DHS could take action to reduce vulnerabilities by implementing recommendations made in past evaluations. DHS has implemented 11 GAO recommendations designed to improve border security, but 39 recommendations are yet to be fully addressed. Eighteen of these open recommendations were made within the last year. However, 21 recommendations for improving use of air and marine assets, improving screening processes at the ports of entry, and deploying nuclear detection equipment--which DHS and other agencies generally agreed to take action to implement--have remained open for at least 1 year and, in some cases, over 3 years. GAO believes these outstanding recommendations continue to have merit and should be implemented. Tue, 25 Nov 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0930.pdf The Department of Homeland Security (DHS) is one of the largest procurement spending agencies in the federal government. In fiscal year 2007, DHS obligated about $12 billion for a wide range of goods and services to meet complex mission needs. Like other federal agencies, DHS has faced challenges in building and sustaining a capable workforce to support its acquisitions. GAO was asked to identify and assess DHS's efforts to build and sustain an effective acquisition workforce and determine the extent to which DHS has planned strategically for the acquisition workforce. To conduct the work, GAO collected and reviewed data and interviewed officials from the Office of the Chief Procurement Officer (CPO), DHS's nine procurement offices, and nine program offices, and reviewed in detail workforce information and data for acquisition support contracts from selected offices. DHS has undertaken several initiatives, mostly focused on contract specialists, to begin addressing acquisition workforce challenges. Initiatives related to recruiting, hiring, and training have made progress. In January 2008, CPO implemented a contract specialist intern program, and 49 contract specialists were hired through this initiative as of September 2008. In addition, CPO developed DHS-specific training for program managers through a training program begun in spring 2008. However, most initiatives related to defining and identifying the acquisition workforce and assessing workforce needs have not yet produced results and in some cases are progressing more slowly than originally projected. CPO is considering expanding some of its recruiting and hiring initiatives to address identified shortages in acquisition-related positions other than contract specialists, but has not determined how it will implement such an expansion. Moreover, DHS generally lacks documented performance goals and implementation steps--such as actions to be taken, needed resources, and milestones--for its current initiatives. Without developing this foundation, DHS will not be in a position to effectively monitor and evaluate implementation of these initiatives. DHS has not developed a comprehensive strategic acquisition workforce plan to direct its future acquisition workforce efforts and generally lacks several elements key to developing such a plan: a coordinated planning process; a comprehensive acquisition workforce definition; and sufficient data on workforce size and skills, including the use of acquisition support contractors. DHS has not set an overall direction for acquisition workforce planning or fully involved key stakeholders, such as the Office of the Chief Human Capital Officer and component procurement and program offices. However, DHS has recently taken steps that may help to include program office stakeholders in workforce planning. The department's narrow acquisition workforce definition, which includes only a portion of the employees performing acquisition-related functions, further limits the scope of planning. While DHS recognizes the importance of expanding the definition, it has not yet established an interim definition that identifies which positions should be included. DHS also lacks sufficient data to fully assess its acquisition workforce needs, including gaps in the numbers of employees needed or the skills of those employees. Understanding such workforce gaps is key to developing effective strategies to address current and future workforce needs. Further, prior GAO work has found that agencies should develop workforce strategies that include contractors; however, DHS has limited insight into the numbers of contractors supporting its acquisition function or the types of tasks performed. While GAO has previously reported that strategic acquisition workforce planning is not an easy task and can take several years to accomplish, government agencies will not be in a sound position to ensure they have capable acquisition workforces without this planning. Wed, 19 Nov 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0929.pdf In fiscal year 2007, the Department of Homeland Security (DHS) obligated about $12 billion for acquisitions to support homeland security missions. DHS's major investments include Coast Guard ships and aircraft; border surveillance and screening equipment; nuclear detection equipment; and systems to track finances and human resources. In part to provide insight into the cost, schedule, and performance of these acquisitions, DHS established an investment review process in 2003. However, concerns have been raised about how well the process has been implemented--particularly for large investments. GAO was asked to (1) evaluate DHS's implementation of the investment review process, and (2) assess DHS's integration of the investment review and budget processes to ensure major investments fulfill mission needs. GAO reviewed relevant documents, including those for 57 DHS major investments (investments with a value of at least $50 million)--48 of which required department-level review through the second quarter of fiscal year 2008; and interviewed DHS headquarters and component officials. While DHS's investment review process calls for executive decision making at key points in an investment's life cycle--including program authorization--the process has not provided the oversight needed to identify and address cost, schedule, and performance problems in its major investments. Poor implementation of the process is evidenced by the number of investments that did not adhere to the department's investment review policy--of DHS's 48 major investments requiring milestone and annual reviews, 45 were not assessed in accordance with this policy. At least 14 of these investments have reported cost growth, schedule slips, or performance shortfalls. Poor implementation is largely the result of DHS's failure to ensure that its Investment Review Board (IRB) and Joint Requirements Council (JRC)--the department's major acquisition decision-making bodies--effectively carried out their oversight responsibilities and had the resources to do so. Regardless, when oversight boards met, DHS could not enforce IRB and JRC decisions because it did not track whether components took actions called for in these decisions. In addition, many major investments lacked basic acquisition documents necessary to inform the investment review process, such as program baselines, and two out of nine components--which manage a total of 8 major investments--do not have required component-level processes in place. DHS has begun several efforts to address these shortcomings, including issuing an interim directive, to improve the investment review process. The investment review framework also integrates the budget process; however, budget decisions have been made in the absence of required oversight reviews and, as a result, DHS cannot ensure that annual funding decisions for its major investments make the best use of resources and address mission needs. GAO found almost a third of DHS's major investments received funding without having validated mission needs and requirements--which confirm a need is justified--and two-thirds did not have required life- cycle cost estimates. At the same time, DHS has not conducted regular reviews of its investment portfolios--broad categories of investments that are linked by similar missions--to ensure effective performance and minimize unintended duplication of effort for investments. Without validated requirements, life-cycle cost estimates, and regular portfolio reviews, DHS cannot ensure that its investment decisions are appropriate and will ultimately address capability gaps. In July 2008, 15 of the 57 DHS major investments reviewed by GAO were designated by the Office of Management and Budget as poorly planned and by DHS as poorly performing. Tue, 18 Nov 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08979.pdf The Department of Homeland Security's (DHS) Domestic Nuclear Detection Office (DNDO) is responsible for addressing the threat of nuclear smuggling. Radiation detection portal monitors are part of the U.S. defense against such threats. In 2007, Congress required that funds for new advanced spectroscopic portal (ASP) monitors could not be spent until the Secretary of DHS certified that these machines represented a significant increase in operational effectiveness over currently deployed portal monitors. In addition to other tests, DNDO conducted the Phase 3 tests on ASPs to identify areas in which the ASPs needed improvement. GAO was asked to assess (1) the degree to which the Phase 3 test report accurately depicts the test results and (2) the appropriateness of using the Phase 3 test results to determine whether ASPs represent a significant improvement over current radiation detection equipment. GAO also agreed to provide its observations on special tests conducted by Sandia National Laboratories (SNL). Because the limitations of the Phase 3 test results are not appropriately stated in the Phase 3 test report, the report does not accurately depict the results from the tests and could potentially be misleading. In the Phase 3 tests, DNDO performed a limited number of test runs. Because of this, the test results provide little information about the actual performance capabilities of the ASPs. The report often presents each test result as a single value; but considering the limited number of test runs, the results would be more appropriately stated as a range of potential values. For example, the report narrative states in one instance that an ASP could identify a source material during a test 50 percent of the time. However, the narrative does not disclose that, given the limited number of test runs, DNDO can only estimate that the ASP would correctly identify the source from about 15 percent to about 85 percent of the time--a result that lacks the precision implied by DNDO's narrative. DNDO's reporting of the test results in this manner makes them appear more conclusive and precise than they really are. The purpose of the Phase 3 tests was to conduct a limited number of test runs in order to identify areas in which the ASP software needed improvement. While aspects of the Phase 3 report address this purpose, the preponderance of the report goes beyond the test's original purpose and makes comparisons of the performance of the ASPs with one another or with currently deployed portal monitors. In GAO's view, it is not appropriate to use the Phase 3 test report in determining whether the ASPs represent a significant improvement over currently deployed radiation equipment because the limited number of test runs do not support many of the comparisons of ASP performance made in the Phase 3 report. As the report shows, if an ASP can identify a source material every time during a test, but the test is run only five times, the only thing that can be inferred with a high level of statistical confidence is that the probability of identification is no less than about 60 percent. Although DNDO states in the Phase 3 test report that the results will be relevant to the Secretary's certification that the ASPs represent a significant increase in operational effectiveness, it does not clarify in what ways the results will be relevant. Furthermore, DNDO offers no explanation as to why it changed its view from the Phase 3 test plan, which states that these tests will not be used to support a certification decision. The goal of SNL's special tests was, among other things, to identify potential vulnerabilities in the ASPs by using different test scenarios from those that DNDO planned to use in other ASP tests. SNL concluded in its test report that the ASPs' software and hardware can be improved and that rigor could be added to DNDO's testing methods. Furthermore, the report acknowledges that (1) a specific objective of the testing at the Nevada Test Site was to refine and improve the ASP's performance and (2) the special tests were never intended to demonstrate conformity of the ASPs with specific performance requirements. In GAO's view, these statements appear to accurately describe the purpose, limitations, and results of the special tests. Tue, 30 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081170r.pdf The Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS) is responsible for granting or denying applications or petitions of foreign nationals seeking to become citizens of the United States or to study, work, or live in this country. In order to process the millions of applications and petitions that USCIS receives each year, USCIS uses contractors to perform various support services including SI International, Inc. and Stanley Associates for mail operations, fee collection, data collection, and file operations at its four service centers, in California, Nebraska, Vermont, and Texas. The contracts with these two firms are expiring, and USCIS has the option to extend the contracts for one year beginning in December 2008. We understand that USCIS may be planning to propose possible contract changes for the option year. Based on our ongoing work on USCIS user fees, we believe that improvements could be made to these contracts before the options to extend the contracts are exercised. The purpose of this report is to summarize our initial observations on performance standards and financial deductions to assist USCIS in obtaining the most value and highest level of performance from its contracts and contractors. In our forthcoming report we will address contract management issues. The service center contracts generally require that fees that accompany applications be deposited within 24 hours. The contracts provide for financial deductions for noncompliance. The contractors are expected to maintain the capability to accommodate surges in volume of receipts of up to 20 percent above the daily average receipt volume for the previous 20 business days, known as the rolling daily average; receipts in excess of 120-percent are not held to the 24-hour deposit standard and may be processed on the next business day without financial deduction. The contractor was responsible for meeting the 24-hour deposit standard for 6,098, plus 20 percent (1,220)--7,318 applications in total. The 24-hour timeliness standard did not apply for the additional 1,205 applications above the 120-percent threshold. Our analysis of USCIS's servicewide daily application receipts indicates that application volume regularly and predictably meets or exceeds this threshold. Specifically, application volume met or exceeded the surge threshold an average of nearly 65 percent, and as much as 74 percent of the Mondays or days after a holiday from January 1 through August 6, 2008. These surges were often large--at times more than 170 percent of the rolling daily average. Despite the known pattern of increased receipts on Mondays and the days after a holiday, the application surge threshold remains the same. As a result, the service centers regularly have large numbers--as many as 5,000 a day at a single center--of application fees averaging $438 each that are not deposited within 24 hours of receipt with no financial deduction assessed against the contractor. The 24-hour deposit requirement is consistent with Chapter 8000 of the Treasury Financial Manual. When fees are not deposited in accordance with this standard, additional control processes must be employed to secure inventory, such as tracking mechanisms and a secure and locked storage area for all unprocessed fees. USCIS levies financial deductions on its service center contractors when they do not meet certain performance standards associated with data and fee collection, but the effectiveness of these standards is limited by the lack of a tiered financial deduction system. Four of the five financial deductions are applied at the same rate regardless of the magnitude by which the contractor fails to meet performance standards. Two of the five financial deductions are applied at the same rate regardless of the number of times the contractor fails to meet the standards. USCIS may levy a financial deduction of $15,000 if a contractor fails to meet any of the data collection standards in a given month. However, this deduction is not modified based on the magnitude by which a contractor fails to meet the performance standards. For example, the contracts establish that a $15,000 financial deduction is to be levied if more than six labels are prepared or affixed incorrectly, but the contracts do not provide for any difference in the financial deduction whether the number of incorrectly prepared or affixed labels is a small or large number. This is also true for the two percentage-based data collection standards. Thu, 25 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08935.pdf Each year, tens of thousands of noncitizens apply in the United States for asylum, which provides refuge to those who have been persecuted or fear persecution. Asylum officers (AO) in the Department of Homeland Security's (DHS) U.S. Citizenship and Immigration Services (USCIS), and immigration judges (IJ) in the Department of Justice's (DOJ) Executive Office for Immigration Review (EOIR) assess applicants' credibility and eligibility. GAO was asked to evaluate aspects of the asylum system. This report addresses the extent to which quality assurance mechanisms have been designed to ensure adjudications' integrity, how key factors affect AOs' adjudications, and what key factors affect IJs' adjudications. To conduct this work, GAO reviewed agency documents, policies, and procedures; surveyed all AOs, supervisory AOs, and IJs; and visited three of the eight Asylum Offices. These offices varied in size and percentage of cases granted asylum. Results of these visits provided additional information but were not projectable. USCIS and EOIR have designed quality assurance mechanisms to help ensure the integrity of asylum adjudications, but some can be improved. While 75 percent of AO survey respondents reported that basic training prepared them at least moderately well to adjudicate cases, they also reported that despite weekly training, they needed additional training to help them detect fraud, conduct security checks, and assess the credibility of asylum seekers. The Asylum Division does not consistently solicit AOs' and supervisory AOs' input on a range of their training needs. Without this, the Asylum Division lacks key information for making training decisions. The Asylum Division has designed a quality review framework to ensure the quality and consistency of asylum decisions. Although supervisors review all cases and headquarters reviews certain cases, other local quality assurance reviews rarely took place in three of the eight Asylum Offices primarily due to competing priorities. By fully implementing its quality review framework, the Asylum Division would better identify deficiencies, examine their root causes, and take action. The majority of IJ survey respondents reported that training enhanced their ability to adjudicate asylum cases, although the majority also reported having additional training needs. EOIR expanded its training program in 2006, particularly for newly hired IJs, and annually solicits IJs' views on their training needs. Asylum officers reported challenges in identifying fraud and assessing applicants' credibility, as well as time constraints, as key factors affecting their adjudications. The majority of AO survey respondents reported it moderately or very difficult to identify various types of fraud, despite mechanisms designed to help identify fraud and assess credibility. Further, assistance from other federal entities to AOs in assessing the authenticity of asylum claims has been hindered in part by resource limitations and competing priorities. With respect to time constraints, 65 percent of AOs and 73 percent of supervisory AOs reported that AOs have insufficient time to thoroughly adjudicate cases--that is, in a manner consistent with procedures and training--while management's views were mixed. The Asylum Division set a productivity standard equating to 4 hours per case in 1999 without empirical data. Without empirical data on the time it takes to thoroughly adjudicate a case, the Asylum Division is not best positioned to know if its productivity standard reflects the time AOs need for thorough adjudications. Verifying fraud, assessing credibility, and time constraints are also key factors affecting IJs' adjudications. IJ survey respondents cited verifying fraud (88 percent) and assessing credibility (81 percent) as a moderately or very challenging aspect of asylum adjudications. Responding to 2006 Attorney General reforms, EOIR implemented a program to which IJs can refer instances of suspected fraud and receive information to aid in fraud detection. Eighty-two percent of IJs reported time limitations as moderately or very challenging aspects of their adjudications. EOIR has detailed IJs to courts with high caseloads and plans to hire additional staff, but it is too soon to know the extent to which additional staff will alleviate IJs' time challenges. Thu, 25 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081178t.pdf The Department of Homeland Security's (DHS) Domestic Nuclear Detection Office (DNDO) is responsible for addressing the threat of nuclear smuggling. Radiation detection portal monitors are key elements in our national defenses against such threats. DHS has sponsored testing to develop new monitors, known as advanced spectroscopic portal (ASP) monitors, to replace radiation detection equipment currently being used at ports of entry. ASPs may offer improvements over current generation portal monitors, particularly the potential to identify as well as detect radioactive material and thereby minimize both missed threats and false alarms. However, ASPs cost significantly more than current generation portal monitors, and testing of ASPs' capabilities needs to be more objective and rigorous. Due to concerns about ASPs' cost and performance, Congress has required that the Secretary of DHS certify that ASPs will provide a significant increase in operational effectiveness before obligating funds for full-scale ASP procurement. DHS is currently testing ASPs and anticipates a decision on certification in November 2008. This testimony addresses (1) the highlights of GAO's September 2008 report on the life cycle cost estimate to deploy ASPs (GAO-08-1108R), and (2) preliminary observations from ongoing work reviewing the current program of ASP testing. GAO's independent cost estimate suggested that from 2007 through 2017 the cost of DNDO's program to equip U.S. ports of entry with radiation detection equipment will likely be about $3.1 billion, but could range from $2.6 billion to $3.8 billion. GAO's estimate was based on the anticipated costs of DNDO implementing its 2006 project execution plan, the most recent official documentation of the program. DNDO's cost estimate of $2.1 billion to implement its project execution plan is unreliable because it omits major project costs, such as maintenance, and relies on a flawed methodology. For example, although the normal life expectancy of the standard cargo ASP is about 10 years, DNDO's estimate considers only 8 years. According to DNDO officials, the agency is now following a scaled-back ASP deployment strategy rather than the 2006 project execution plan, and a senior DNDO official told GAO the ASP deployment strategy could change dramatically depending on the outcome of ongoing testing. GAO's analysis indicated the cost to implement the scaled-back plans over the period 2008 through 2017 will be about $2 billion, but could range from $1.7 billion to $2.3 billion. However, frequent changes in DNDO's deployment strategy make it difficult to assess ASP program costs. GAO's recent report recommended that the Secretary of Homeland Security direct DNDO to update the project execution plan, revise its cost estimate, and communicate the revised estimate to the Congress so that it is fully apprised of the program's scope and funding requirements. DHS agreed with the recommendations. DNDO has made progress in addressing a number of problems GAO identified in previous rounds of ASP testing. However, GAO's ongoing review of the 2008 ASP testing program identified several potential areas of concern. First, the DHS criteria for "significant increase in operational effectiveness" appear to set a low bar for improvement--for example, by requiring ASPs to perform at least as well as current generation equipment when nuclear material is present in cargo but not specifying an actual improvement. GAO recently requested additional information from DNDO about the rationale behind these criteria, particularly in light of seemingly stricter criteria found in other documents. Second, the ASP certification schedule does not allow for completion of computer simulations that could provide additional data on ASP performance. While these computer simulations may have limitations, they also could provide useful data on ASP capabilities prior to the Secretary's decision on certification. Finally, the test schedule is highly compressed and is running at least 8 weeks behind, leaving limited time for analysis and review of test results. Assuming that DHS addresses these concerns, the 2008 round of testing could provide an objective basis for comparing ASPs with current generation equipment. However, GAO recommended in March 2006 that DHS analyze the benefits and costs of deploying ASPs to determine whether any additional detection capability provided by ASPs is worth the cost, and would still question the replacement of current generation equipment with ASPs until DNDO demonstrates that any additional increase in security would be worth the ASPs' much higher cost. Thu, 25 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081088.pdf When the Department of Homeland Security (DHS) was created in 2002, it was granted "other transaction" authority--a special authority used to meet mission needs. While the authority provides greater flexibility to attract and work with nontraditional contractors to research, develop, and test innovative technologies, other transactions carry the risk of reduced accountability and transparency--in part because they are exempt from certain federal acquisition regulations and cost accounting standards. In 2004, GAO reported on DHS's early use of this authority. This follow-up report determines the extent to which nontraditional contractors have been involved in DHS's other transactions, and assesses DHS's management of the acquisition process when using this authority to identify additional safeguards. To conduct its work, GAO reviewed relevant statutes, guidance, and prior GAO reports on other transactions, and interviewed contracting and program management officials, as well as contractors. GAO also reviewed 53 files for agreements entered into from fiscal years 2004 through 2008 and identified those involving nontraditional contractors. DHS's other transactions documentation indicates that nontraditional contractors played a significant role in over 80 percent of the Science and Technology directorate's other transaction agreements. GAO identified 50 nontraditional contractors who participated in 44 agreements--one-third of them were prime contractors and about half of them were small businesses. These contractors provided a variety of technologies and services that DHS described as critical--including technology designed to detect chemical warfare agents after a suspected or known chemical attack. The proportion of dollars obligated for nontraditional contractors on an agreement did not necessarily indicate the importance of their contributions. For example, only 1 percent of total agreement obligations were allocated to a nontraditional subcontractor that, according to the prime contractor, was specially qualified for developing tests for a hazardous substance detection system. While DHS has continued to develop policies and procedures for other transactions, including some to mitigate financial and program risks for prototype projects, the department faces challenges in systematically assessing its use of other transactions and maintaining a skilled contracting workforce. DHS issued guidance in 2008 and continued to provide training to contracting staff on the use of other transactions. However, DHS does not track information on the amount of funds paid to nontraditional contractors or the nature of the work they performed, which could help the department assess whether it is obtaining the full benefits of other transaction authority. DHS recently updated its procurement database to capture information on other transaction agreements, but the database does not include all of the data DHS would need to assess nontraditional contractor involvement. Further, DHS's ability to maintain a stable and capable contracting workforce remains uncertain due to high staff turnover and the lack of a staff planning method. Tue, 23 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081175t.pdf Voluntary organizations have traditionally played a major role in the nation's response to disasters, but the response to Hurricane Katrina raised concerns about their ability to handle large-scale disasters. This testimony examines (1) the roles of five voluntary organizations in providing mass care and other services, (2) the steps they have taken to improve service delivery, (3) their current capabilities for responding to mass care needs, and (4) the challenges they face in preparing for large-scale disasters. This testimony is based on GAO's previous report (GAO-08-823) that reviewed the American Red Cross, The Salvation Army, the Southern Baptist Convention, Catholic Charities USA, and United Way of America; interviewed officials from these organizations and the Federal Emergency Management Agency (FEMA); reviewed data and laws; and visited four high-risk metro areas--Los Angeles, Miami, New York, and Washington, D.C. The five voluntary organizations we reviewed are highly diverse in their focus and response structures. They also constitute a major source of the nation's mass care and related disaster services and are integrated into the 2008 National Response Framework. The Red Cross in particular--the only one whose core mission is disaster response--has a federally designated support role to government under the mass care provision of this Framework. While the Red Cross no longer serves as the primary agency for coordinating government mass care services--as under the earlier 2004 National Plan--it is expected to support FEMA by providing staff and expertise, among other things. FEMA and the Red Cross agree on the Red Cross's role in a catastrophic disaster, but it is not clearly documented. While FEMA recognized the need to update the 2006 Catastrophic Incident Supplement to conform with the Framework, it does not yet have a time frame for doing so. Since Katrina, the organizations we studied have taken steps to strengthen their service delivery by expanding coverage and upgrading their logistical and communications systems. The Red Cross, in particular, is realigning its regional chapters to better support its local chapters and improve efficiency and establishing new partnerships with local community-based organizations. Most recently, however, a budget shortfall has prompted the organization to reduce staff and alter its approach to supporting FEMA and state emergency management agencies. While Red Cross officials maintain that these changes will not affect improvements to its mass care service infrastructure, it has also recently requested federal funding for its governmental responsibilities. Capabilities assessments are preliminary, but current evidence suggests that in a worst-case large-scale disaster, the projected need for mass care services would far exceed the capabilities of these voluntary organizations without government and other assistance--despite voluntary organizations' substantial resources locally and nationally. Voluntary organizations also faced shortages in trained volunteers, as well as other limitations that affected their mass care capabilities. Meanwhile, FEMA's initial assessment does not necessarily include the sheltering capabilities of many voluntary organizations and does not yet address feeding capabilities outside of shelters. In addition, the ability to assess mass care capabilities and coordinate in disasters is currently hindered by a lack of standard terminology and measures for mass care resources, and efforts are under way to develop such standards. Finding and training more personnel, dedicating more resources to preparedness, and working more closely with local governments are ongoing challenges for voluntary organizations. A shortage of staff and volunteers was most commonly cited, but we also found they had difficulty seeking and dedicating funds for preparedness, in part because of competing priorities. However, the guidance for FEMA preparedness grants to states and localities was also not sufficiently explicit with regard to using such funds to support the efforts of voluntary organizations. Tue, 23 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081086.pdf The Department of Homeland Security's (DHS) Secure Border Initiative (SBI) is a multiyear, multibillion-dollar program to secure the nation's borders through, among other things, new technology, increased staffing, and new fencing and barriers. The technology component of SBI, which is known as SBInet, involves the acquisition, development, integration, and deployment of surveillance systems and command, control, communications, and intelligence technologies. GAO was asked to determine whether DHS (1) has defined the scope and timing of SBInet capabilities and how these capabilities will be developed and deployed, (2) is effectively defining and managing SBInet requirements, and (3) is effectively managing SBInet testing. To do so, GAO reviewed key program documentation and interviewed program officials, analyzed a random sample of requirements, and observed operations of a pilot project. Important aspects of SBInet remain ambiguous and in a continued state of flux, making it unclear and uncertain what technology capabilities will be delivered, when and where they will be delivered, and how they will be delivered. For example, the scope and timing of planned SBInet deployments and capabilities have continued to change since the program began and, even now, are unclear. Further, the program office does not have an approved integrated master schedule to guide the execution of the program, and GAO's assimilation of available information indicates that the schedule has continued to change. This schedule-related risk is exacerbated by the continuous change in and the absence of a clear definition of the approach that is being used to define, develop, acquire, test, and deploy SBInet. The absence of clarity and stability in these key aspects of SBInet impairs the ability of the Congress to oversee the program and hold DHS accountable for program results, and it hampers DHS's ability to measure program progress. SBInet requirements have not been effectively defined and managed. While the program office recently issued guidance that defines key practices associated with effectively developing and managing requirements, such as eliciting user needs and ensuring that different levels of requirements and associated verification methods are properly aligned with one another, the guidance was developed after several key activities had been completed. In the absence of this guidance, the program has not effectively performed key requirements definition and management practices. For example, it has not ensured that different levels of requirements are properly aligned, as evidenced by GAO's analysis of a random probability sample of component requirements showing that a large percentage of them could not be traced to higher-level system and operational requirements. Also, some of SBInet's operational requirements, which are the basis for all lower-level requirements, were found by an independent DHS review to be unaffordable and unverifiable, thus casting doubt on the quality of lower-level requirements that are derived from them. As a result, the risk of SBInet not meeting mission needs and performing as intended is increased, as are the chances of expensive and time-consuming system rework. SBInet testing has not been effectively managed. For example, the program office has not tested the individual system components to be deployed to the initial deployment locations, even though the contractor initiated integration testing of these components with other system components and subsystems in June 2008. Further, while a test management strategy was drafted in May 2008, it has not been finalized and approved, and it does not contain, among other things, a clear definition of testing roles and responsibilities; a high-level master schedule of SBInet test activities; or sufficient detail to effectively guide project-specific test planning, such as milestones and metrics for specific project testing. Without a structured and disciplined approach to testing, the risk that SBInet will not satisfy user needs and operational requirements, thus requiring system rework, is increased. Mon, 22 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081108r.pdf Since the attacks of September 11, 2001, combating terrorism has been one of the nation's highest priorities. As part of that effort, preventing nuclear and radioactive material from being smuggled into the United States--perhaps to be used by terrorists in a nuclear weapon or in a radiological dispersal device (a "dirty bomb")--has become a key national security objective. On April 15, 2005, the president directed the establishment, within the Department of Homeland Security (DHS), of the Domestic Nuclear Detection Office (DNDO), whose duties include acquiring and supporting the deployment of radiation detection equipment. In October 2006, Congress enacted the SAFE Port Act, which made DNDO responsible for the development, testing, acquisition and deployment of a system to detect radiation at U.S. ports of entry. An important component of this system is the deployment of radiation portal monitors, large stationary detectors through which cargo containers and trucks pass as they enter the United States. Prior to DNDO's creation, another DHS agency--U.S. Customs and Border Protection (CBP)--managed programs for deployment of radiation detection equipment. In 2002, CBP began the radiation portal monitor project, deploying radiation detection equipment at U.S. ports of entry. This program initially deployed portal monitors, known as polyvinyl toluene monitors (PVT), and handheld detection technologies, such as radioactive isotope identification devices (RIID). CBP also established a system of standard operating procedures to guide its officers in the use of this equipment. Current procedures include conducting primary inspections with PVTs to detect the presence of radioactivity, and secondary inspections with PVTs and RIIDs to confirm and identify the source and determine whether it constitutes a threat. After its creation, DNDO assumed responsibility for the development, testing, and deployment of radiation detection equipment, while CBP maintained its role of operating the equipment at U.S. ports of entry. Currently deployed PVTs are capable of detecting radiation, but they have an inherent limitation because they are unable to identify specific radioactive isotopes and therefore cannot distinguish between dangerous and benign materials. CBP officers also use RIIDs to identify different types of radioactive material. However, RIIDs are limited in their ability to identify nuclear material. DNDO believes that these deficiencies may delay legitimate commerce at ports of entry, and that CBP may use an inordinate amount of inspection resources for radiation detection at the expense of other missions, such as drug interdiction. Our independent cost estimate suggests that from 2007 through 2017 the total cost of DNDO's program to equip U.S. ports of entry with radiation detection equipment will likely be about $3.1 billion, but could range from $2.6 billion to $3.8 billion. We based our estimate on the anticipated costs of DNDO implementing its 2006 project execution plan, the most recent official documentation of the program. According to this plan, DNDO will buy and deploy multiple types of ASPs, including those designed to screen rail cars, and airport and seaport cargo, as well as mobile ASPs--spectroscopic equipment mounted on vehicles--to provide greater flexibility in screening commerce. The project execution plan also targets several types of PVTs for purchase and deployment. DNDO's cost estimate of $2.1 billion to equip U.S. ports of entry with radiation detection equipment is unreliable because it omits major project costs and relies on a flawed methodology. For example, although the normal life expectancy of the standard cargo ASP is about 10 years, DNDO's estimate considers only 8 years--fiscal years 2006 through 2013. According to DNDO officials, OMB's budget submission software allows only a limited number of years of costs to be included. Furthermore, DNDO's cost estimate does not include all of the elements of the ASPs' life cycle, as it omits estimates for maintenance and operational sustainment of ASPs. Finally, contrary to OMB and DHS guidelines, DNDO did not provide detailed documentation of ASP costs, which raises questions about the adequacy and reliability of the agency's estimates. DNDO officials told us on several occasions during the course of our review the agency is no longer following the 2006 project execution plan. These officials told us the scope of the agency's current ASP deployment strategy has been reduced to only the standard cargo portal monitor. Although we repeatedly requested documentation of DNDO's current official deployment strategy, the agency did not provide such official information. In fact, DNDO officials continued to cite the 2006 project execution plan as the most recent official deployment documentation. In July 2008, the agency provided a 1-page spreadsheet of summary information outlining DNDO's current plans to buy and deploy ASPs and PVTs. Our analysis of these summary data indicates the total cost to deploy standard cargo portals over the period 2008 through 2017 will be about $2.0 billion, but could range from $1.7 billion to $2.3 billion. These data also indicate that between fiscal years 2008 and 2014, DNDO plans to deploy 717 ASP and 1,005 PVT standard cargo portals. Furthermore, agency officials acknowledged the program requirements that would have been fulfilled by the discontinued ASPs remain valid, including screening rail cars, airport cargo, and cargo at seaport terminals, but the agency has no current plans for how such screening will be accomplished. These officials told us the technology to accomplish these requirements likely will not be ASP monitors. We believe a comprehensive estimate of the cost to provide radiation detection equipment for U.S. ports of entry should account for meeting these objectives, even if DNDO decides that ASP technology is not suited to them. However, a DNDO official responsible for overseeing the agency's operations told us in August 2008 that DNDO's ASP deployment strategy could change dramatically depending on the outcome of ongoing ASP testing. In our view, it is difficult to assess the total costs of the ASP program because of the frequent changes in DNDO's deployment strategy. Furthermore, the Congress needs a complete understanding of DNDO's deployment strategy before approving additional ASP program funds. Mon, 22 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08823.pdf Voluntary organizations have traditionally played a major role in the nation's response to disasters, but the response to Hurricane Katrina raised concerns about their ability to handle large-scale disasters. This report examines (1) the roles of five voluntary organizations in providing mass care and other services, (2) the steps they have taken to improve service delivery, (3) their current capabilities for responding to mass care needs, and (4) the challenges they face in preparing for large-scale disasters. To address these questions, GAO reviewed the American Red Cross, The Salvation Army, the Southern Baptist Convention, Catholic Charities USA, and United Way of America; interviewed officials from these organizations and the Federal Emergency Management Agency (FEMA); reviewed data and laws; and visited four high-risk metro areas--Los Angeles, Miami, New York, and Washington, D.C. The five voluntary organizations we reviewed are highly diverse in their focus and response structures. They also constitute a major source of the nation's mass care and related disaster services and are integrated into the 2008 National Response Framework. The Red Cross in particular--the only one whose core mission is disaster response--has a federally designated support role to government under the mass care provision of this Framework. While the Red Cross no longer serves as the primary agency for coordinating government mass care services--as under the earlier 2004 National Plan--it is expected to support FEMA by providing staff and expertise, among other things. FEMA and the Red Cross agree on the Red Cross's role in a catastrophic disaster, but it is not clearly documented. While FEMA recognized the need to update the 2006 Catastrophic Incident Supplement to conform with the Framework, it does not yet have a time frame for doing so. Since Katrina, the organizations we studied have taken steps to strengthen their service delivery by expanding coverage and upgrading their logistical and communications systems. The Red Cross, in particular, is realigning its regional chapters to better support its local chapters and improve efficiency and establishing new partnerships with local community-based organizations. Most recently, however, a budget shortfall has prompted the organization to reduce staff and alter its approach to supporting FEMA and state emergency management agencies. While Red Cross officials maintain that these changes will not affect improvements to its mass care service infrastructure, it has also recently requested federal funding for its governmental responsibilities. Capabilities assessments are preliminary, but current evidence suggests that in a worst-case large-scale disaster, the projected need for mass care services would far exceed the capabilities of these voluntary organizations without government and other assistance--despite voluntary organizations' substantial resources locally and nationally. Voluntary organizations also faced shortages in trained volunteers, as well as other limitations that affected their mass care capabilities. Meanwhile, FEMA's initial assessment does not necessarily include the sheltering capabilities of many voluntary organizations and does not yet address feeding capabilities outside of shelters. In addition, the ability to assess mass care capabilities and coordinate in disasters is currently hindered by a lack of standard terminology and measures for mass care resources, and efforts are under way to develop such standards. Finding and training more personnel, dedicating more resources to preparedness, and working more closely with local governments are ongoing challenges for voluntary organizations. A shortage of staff and volunteers was most commonly cited, but we also found they had difficulty seeking and dedicating funds for preparedness, in part because of competing priorities. However, the guidance for FEMA preparedness grants to states and localities was also not sufficiently explicit with regard to using such funds to support the efforts of voluntary organizations. Thu, 18 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081164t.pdf Since it was created in 2003, the Department of Homeland Security (DHS) has obligated billions of dollars annually to meet its expansive homeland security mission. The department's acquisitions support complex and critical trade, transportation, border security, and information technology investments. In fiscal year 2007, DHS spent over $12 billion on procurements to meet this mission including spending for complex services and major investments. Prior GAO work has found that while DHS has made some initial progress in developing its acquisition function since 2003, acquisition planning and oversight for procurement and major acquisitions need improvement. This testimony discusses GAO's findings in these areas and is based on GAO's body of work on acquisition management issues. Recognizing the need to improve its acquisition outcomes, DHS has taken some steps to integrate disparate acquisition processes and systems that the component organizations brought with them when the department was formed. However, we have reported that more needs to be done to develop clear and transparent policies and processes for all acquisitions, and to develop an acquisition workforce to implement and monitor acquisitions. With regard to acquisition planning, DHS did not assess the risk of hiring contractors to perform management and professional support services that have the potential to increase the risk that government decisions may be influenced by, rather than independent from, contractor judgments. Planning for services procured through interagency and performance-based contracting methods was also lacking. For example, DHS did not always consider alternatives to ensure good value when selecting among interagency contracts. Shortcomings in DHS's use of a performance-based approach for complex acquisitions included a lack of well-defined requirements, a complete set of measurable performance standards, or both, at the time of contract award or the start of work. Contracts for several investments we reviewed experienced cost overruns, schedule delays, or less than expected performance. Acquisition oversight also has consistently been identified as needing improvement. While the Chief Procurement Officer (CPO) has recently implemented a departmentwide oversight program, evaluations of the outcomes of acquisition methods and contracted services have not yet been conducted. Further, the CPO continues to face challenges in maintaining the staffing levels needed to fully implement the oversight program, and CPO authority to ensure that components comply with the procurement oversight plan remains unclear. Wed, 17 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081157t.pdf Recent cyber attacks demonstrate the potentially devastating impact these pose to our nation's computer systems and to the federal operations and critical infrastructures that they support. They also highlight that we need to be vigilant against individuals and groups with malicious intent, such as criminals, terrorists, and nation-states perpetuating these attacks. Federal law and policy established the Department of Homeland Security (DHS) as the focal point for coordinating cybersecurity, including making it responsible for protecting systems that support critical infrastructures, a practice commonly referred to as cyber critical infrastructure protection. Since 2005, GAO has reported on the responsibilities and progress DHS has made in its cybersecurity efforts. GAO was asked to summarize its key reports and their associated recommendations aimed at securing our nation's cyber critical infrastructure. To do so, GAO relied on previous reports, as well as two reports being released today, and analyzed information about the status of recommendations. GAO has reported over the last several years that DHS has yet to fully satisfy its cybersecurity responsibilities. To address these shortfalls, GAO has made about 30 recommendations in the following key areas. Specifically, examples of what GAO reported and recommended are as follows: (1) Cyber analysis and warning--In July 2008, GAO reported that DHS's United States Computer Emergency Readiness Team (US-CERT) did not fully address 15 key cyber analysis and warning attributes. For example, US-CERT provided warnings by developing and distributing a wide array of notifications; however, these notifications were not consistently actionable or timely. Consequently, GAO recommended that DHS address these attribute shortfalls. (2) Cyber exercises--In September 2008, GAO reported that since conducting a cyber attack exercise in 2006, DHS demonstrated progress in addressing eight lessons it learned from this effort. However, its actions to address the lessons had not been fully implemented. GAO recommended that the department schedule and complete all identified corrective activities. (3) Control systems--In a September 2007 report and October 2007 testimony, GAO identified that DHS was sponsoring multiple efforts to improve control system cybersecurity using vulnerability evaluation and response tools. However, the department had not established a strategy to coordinate this and other efforts across federal agencies and the private sector, and it did not effectively share control system vulnerabilities with others. Accordingly, GAO recommended that DHS develop a strategy to guide efforts for securing such systems and establish a process for sharing vulnerability information. While DHS has developed and implemented capabilities to address aspects of these areas, it still has not fully satisfied any of them. Until these and other areas are effectively addressed, our nation's cyber critical infrastructure is at risk of increasing threats posed by terrorists, nation-states, and others. Tue, 16 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08967.pdf The Visa Waiver Program, which enables citizens of participating countries to travel to the United States without first obtaining a visa, has many benefits, but it also has risks. In 2006, GAO found that the Department of Homeland Security (DHS) needed to improve efforts to assess and mitigate these risks. In August 2007, Congress passed the 9/11 Act, which provides DHS with the authority to consider expanding the program to countries whose short-term business and tourism visa refusal rates were between 3 and 10 percent in the prior fiscal year. Countries must also meet certain conditions, and DHS must complete actions to enhance the program's security. GAO has examined DHS's process for expanding the Visa Waiver Program and evaluated the extent to which DHS is assessing and mitigating program risks. GAO reviewed relevant laws and procedures and interviewed agency officials in Washington, D.C., and in U.S. embassies in eight aspiring and three Visa Waiver Program countries. The executive branch is moving aggressively to expand the Visa Waiver Program by the end of 2008, but, in doing so, DHS has not followed a transparent process. DHS did not follow its own November 2007 standard operating procedures, which set forth key milestones to be met before countries are admitted into the program. As a result, Departments of State (State) and Justice and U.S. embassy officials stated that DHS created confusion among interagency partners and aspiring program countries. U.S. embassy officials in several aspiring countries told us it had been difficult to explain the expansion process to foreign counterparts and manage their expectations. State officials said it was also difficult to explain to countries with fiscal year 2007 refusal rates below 10 percent that have signaled interest in joining the program (Croatia, Israel, and Taiwan) why DHS is not negotiating with them, given that DHS is negotiating with several countries that had refusal rates above 10 percent (Hungary, Latvia, Lithuania, and Slovakia). Despite this confusion, DHS achieved some security enhancements during the expansion negotiations, including agreements with several aspiring countries on lost and stolen passport reporting. DHS, State, and Justice agreed that a more transparent process is needed to guide future program expansion. DHS has not fully developed tools to assess and mitigate risks in the Visa Waiver Program. To designate new program countries with refusal rates between 3 and 10 percent, DHS must first make two certifications. First, DHS must certify that it can verify the departure of not less than 97 percent of foreign nationals who exit from U.S. airports. In February 2008, we testified that DHS's plan to meet this provision will not help mitigate program risks because it does not account for data on those who remain in the country beyond their authorized period of stay (overstays). DHS has not yet finalized its methodology for meeting this provision. Second, DHS must certify that the Electronic System for Travel Authorization (ESTA) for screening visa waiver travelers in advance of their travel is "fully operational." While DHS has not announced when it plans to make this certification, it anticipates ESTA authorizations will be required for all visa waiver travelers after January 12, 2009. DHS determined that the law permits it to expand the program to countries with refusal rates between 3 and 10 percent after it makes these two certifications, and after the countries have met the required conditions, but before ESTA is mandatory for all Visa Waiver Program travelers. For DHS to maintain its authority to admit certain countries into the program, it must incorporate biometric indicators (such as fingerprints) into the air exit system by July 1, 2009. However, DHS is unlikely to meet this timeline due to several unresolved issues.In addition, DHS does not fully consider countries' overstay rates when assessing illegal immigration risks in the Visa Waiver Program. Finally, DHS has implemented many recommendations from GAO's 2006 report, including screening U.S.-bound travelers against Interpol's lost and stolen passport database, but has not fully implemented others. Implementing the remaining recommendations is important as DHS moves to expand both the program and the department's oversight responsibilities. Mon, 15 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081057.pdf The Terrorism Risk Insurance Act of 2002 (TRIA) specifies that the federal government assume significant financial responsibility for insured losses on commercial properties resulting from future terrorist attacks. While TRIA has been credited with stabilizing markets for terrorism insurance after the September 11, 2001, attacks, questions remain as to whether certain policyholders, especially those located in large urban areas viewed as being at high risk of attack, may still face challenges in obtaining coverage. GAO was asked to conduct a study to describe (1) whether the availability of terrorism insurance for commercial properties is constrained in any geographic markets, (2) factors limiting insurers' willingness to provide coverage, and (3) advantages and disadvantages of selected public policy options to increase the availability of such insurance. To address these objectives, GAO analyzed available data and interviewed industry participants, including those with expertise in specific geographic markets considered to be at high, moderate, or low risk of attack (Atlanta, Boston, Chicago, New York, San Francisco, and Washington, D.C.). GAO provided a draft of this report to the Department of the Treasury and the National Association of Insurance Commissioners (NAIC). Treasury and NAIC said the report was informative and useful. While some owners of high-value properties in major cities may face initial challenges obtaining terrorism insurance coverage compared with most policyholders nationwide, they generally have reported that they could meet current coverage requirements through a variety of approaches. Many industry participants said that terrorism insurance is currently available nationwide at prices viewed as reasonable and that the TRIA program was a key reason for these favorable conditions. However, some policyholders that own large, high-value properties in densely built urban areas viewed as at high risk of attack, particularly in Manhattan and to a lesser extent in Chicago and San Francisco, may still face initial challenges obtaining desired amounts of coverage at prices viewed as reasonable, according to industry participants. To address these challenges, some policyholders purchased coverage from a large number of insurers, which can be a time-consuming and complicated process for policyholders and their insurance brokers. Others purchased coverage in a separate policy (rather than as part of an overall property insurance package) which may be more costly, or self-insured. While TRIA specifies that the federal government assume substantial financial responsibility for insured losses associated with future terrorist attacks, the steps insurers take to manage the risks they do face appear to be the primary reason some policyholders face challenges in obtaining coverage. Insurers said they seek to mitigate potential terrorism losses by limiting the amount of property coverage that they offered in specific areas of cities, such as downtown locations or areas considered to be at high risk of attack. These risk mitigation efforts generally make obtaining coverage more difficult or costly for policyholders with high-value properties in these areas, according to a variety of sources GAO contacted. Industry participants also said that the availability of reinsurance (insurance for insurers) and the views of rating agencies can limit the availability of coverage in such cities. Industry participants had no consensus on whether TRIA should be modified or additional actions taken to increase the availability of terrorism coverage, and identified advantages and disadvantages of selected policy proposals that have been included in legislation, discussed in prior GAO reports, or suggested by industry participants to increase such coverage. A proposal to increase the federal government's current responsibility under TRIA for the insured losses associated with a future attack could make insurers more willing to offer coverage in affected areas. For example, one large insurer said that the proposal might make the company more willing to immediately offer additional coverage in cities viewed as at high risk of attack. However, any such benefits might be limited for reasons including the widespread insurance market disruptions that may result from another attack. This proposal, along with several other proposals analyzed in the report, also would increase the federal government's exposure to the losses associated with terrorist attacks, which is already 85 percent of losses up to $100 billion annually, after an industry deductible. Mon, 15 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081141t.pdf In November 2005, the Department of Homeland Security (DHS) established the Secure Border Initiative (SBI), a multiyear, multibillion-dollar program to secure U.S. borders. One element of SBI is the U.S. Customs and Border Protection's (CBP) SBI program, which is responsible for developing a comprehensive border protection system through a mix of surveillance and communication technologies known as SBInet (e.g., radars, sensors, cameras, and satellite phones), and tactical infrastructure (e.g., fencing). The House Committee on Homeland Security and its Subcommittee on Management, Investigations, and Oversight asked GAO to monitor DHS progress in implementing CBP's SBI program. This testimony provides GAO's observations on (1) technology deployment; (2) infrastructure deployment; and (3) how the CBP SBI program office has defined its human capital goals and the progress it has made to achieve these goals. GAO's observations are based on prior and new work, including analysis of DHS documentation, such as program schedules, contracts, and status reports. GAO also conducted interviews with DHS and Department of the Interior officials and contractors, and visits to sites on the southwest border where SBI deployment is under way. GAO performed the work from March to September 2008. DHS generally agreed with GAO's findings. SBInet technology deployments continue to experience delays and, as a result, Border Patrol agents have to rely upon existing limited technological capabilities to help achieve control of the border. SBI program officials had originally planned to deploy SBInet technology across the southwest border by the end of 2008, but in February 2008 this date had slipped to 2011. In July 2008, officials reported that two initial projects that had been scheduled to be completed by the end of calendar year 2008 would be finished sometime in 2009. SBInet program uncertainties, such as not fully defined program expectations, changes to timelines, and confusion over the need to obtain environmental permits contribute to ongoing delays of SBInet technology deployments. Due to the delays, Border Patrol agents continue to use existing technology that predates SBInet, and in the Tucson, Arizona, area they are using capabilities from SBInet's prototype system despite previously reported performance shortfalls. Further delays of SBInet technology deployments may hinder the Border Patrol's efforts to secure the border. The deployment of fencing is ongoing, but costs are increasing, the life-cycle cost is not yet known, and meeting DHS's statutorily required goal to have 670 miles of fencing in place by December 31, 2008, will be challenging. As of August 22, 2008, the SBI program office reported that it had constructed a total of 341 miles of fencing, and program officials stated that they plan to meet the December 2008 deadline. However, project costs are increasing and various factors pose challenges to meeting this deadline, such as a short supply of labor and land acquisition issues. According to program officials, as of August 2008, fencing costs averaged $7.5 million per mile for pedestrian fencing and $2.8 million per mile for vehicle fencing, up from estimates in February 2008 of $4 million and $2 million per mile, respectively. Furthermore, the life-cycle cost is not yet known, in part because of increasing construction costs and because the program office has yet to determine maintenance costs and locations for fencing projects beyond December 2008. In addition, land acquisition issues present a challenge to completing fence construction. As of September 2008, the SBI program office was reevaluating its staffing goal and continued to take actions to implement its human capital plan. In February 2008, we reported that the SBI program office had established a staffing goal of 470 employees for fiscal year 2008. As of August 1, 2008, the SBI program office reported having 129 government staff and 164 contractor support staff for a total of 293 employees. Program officials stated that a reorganization of the SBI program office and SBInet project delays have resulted in fewer staffing needs and that they plan to continue to evaluate these needs. The SBI program office also continued to take steps to implement its human capital plan. For example, recruitment efforts are under way to fill open positions. However, the SBI program office is in the process of drafting or has drafted documents, such as the Succession Management Plan, that have yet to be approved or put into action. Wed, 10 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081148t.pdf The Department of Homeland Security's (DHS) Secure Border Initiative (SBI) is a multiyear, multibillion-dollar program to secure the nation's borders through, among other things, new technology, increased staffing, and new fencing and barriers. The technology component of SBI, which is known as SBInet, involves the acquisition, development, integration, and deployment of surveillance systems and command, control, communications, and intelligence technologies. GAO was asked to testify on its draft report, which assesses DHS's efforts to (1) define the scope, timing, and life cycle management approach for planned SBInet capabilities and (2) manage SBInet requirements and testing activities. In preparing the draft report, GAO reviewed key program documentation, including guidance, plans, and requirements and testing documentation; interviewed program officials; analyzed a random probability sample of system requirements; and observed operations of the initial SBInet project. Important aspects of SBInet remain ambiguous and in a continued state of flux, making it unclear and uncertain what technology capabilities will be delivered and when, where, and how they will be delivered. For example, the scope and timing of planned SBInet deployments and capabilities have continued to be delayed without becoming more specific. Further, the program office does not have an approved integrated master schedule to guide the execution of the program, and the nature and timing of planned activities has continued to change. This schedule-related risk is exacerbated by the continuous change in, and the absence of a clear definition of, the approach that is being used to define, develop, acquire, test, and deploy SBInet. SBInet requirements have not been effectively defined and managed. While the program office recently issued guidance that is consistent with recognized leading practices, this guidance was not finalized until February 2008, and thus was not used in performing a number of important requirements-related activities. In the absence of this guidance, the program's efforts have been mixed. For example, while the program has taken steps to include users in developing high-level requirements, several requirements definition and management limitations exist. These include a lack of proper alignment (i.e., traceability) among the different levels of requirements, as evidenced by GAO's analysis of a random probability sample of requirements, which revealed large percentages that were not traceable backward to higher level requirements, or forward to more detailed system design specifications and verification methods. SBInet testing has also not been effectively managed. While a test management strategy was drafted in May 2008, it has not been finalized and approved, and it does not contain, among other things, a high-level master schedule of SBInet test activities, metrics for measuring testing progress, and a clear definition of testing roles and responsibilities. Further, the program office has not tested the individual system components to be deployed to the initial deployment locations, even though the contractor initiated testing of these components with other system components and subsystems in June 2008. In light of these circumstances, our soon to be issued report contains eight recommendations to the department aimed at reassessing its approach to and plans for the program, including its associated exposure to cost, schedule and performance risks, and disclosing these risks and alternative courses of action to DHS and congressional decision makers. The recommendations also provide for correcting the weaknesses surrounding the program's unclear and constantly changing commitments and its life cycle management approach and processes, as well as implementing key requirements development and management and testing practices. Wed, 10 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081136t.pdf Domestic air carriers are responsible for checking passenger names against terrorist watch-list records to identify persons who should be denied boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). The Transportation Security Administration (TSA) is to assume this function through its Secure Flight program. However, due to program delays, air carriers retain this role. This testimony discusses (1) TSA's requirements for domestic air carriers to conduct watch-list matching, (2) the extent to which TSA has assessed compliance with watch-list matching requirements, and (3) TSA's progress in developing Secure Flight. This statement is based on GAO's report on air carrier watch-list matching (GAO-08-992) being released today and GAO's previous and ongoing reviews of Secure Flight. In conducting this work, GAO reviewed TSA security directives and TSA inspections guidance and results, and interviewed officials from 14 of 95 domestic air carriers. TSA's requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar-name variations were to be considered. Thus, in interviews with 14 air carriers, GAO found inconsistent approaches to conducting similar-name matching, and not every air carrier reported conducting similar-name comparisons. In January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Thus, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching and reported that it planned to similarly revise the Selectee List security directive. While recognizing that the new baseline capability will not address all vulnerabilities, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watch-list matching and is a good interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA evaluated the capability of air carriers to identify names that were identical--but not similar--to those in terrorist watch-list records. Also, TSA's internal guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in only 61 of the 1,145 watch-list-related inspections that GAO reviewed. During the course of GAO's review, and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight efforts, it is too early to determine the extent to which TSA will provide oversight of air carriers' compliance with the revised security directives. In February 2008, GAO reported that TSA has made progress in developing Secure Flight but that challenges remained, including the need to more effectively manage risk and develop more robust cost and schedule estimates (GAO-08-456T). If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. TSA plans to begin assuming watch-list matching from air carriers in January 2009. Tue, 09 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08825.pdf Federal policies establish the Department of Homeland Security (DHS) as the focal point for the security of cyberspace. As part of its responsibilities, DHS is required to coordinate cyber attack exercises to strengthen public and private incident response capabilities. One major exercise program, called Cyber Storm, is a large-scale simulation of multiple concurrent cyber attacks involving the federal government, states, foreign governments, and private industry. To date, DHS has conducted Cyber Storm exercises in 2006 and 2008. GAO agreed to (1) identify the lessons that DHS learned from the first Cyber Storm exercise, (2) assess DHS's efforts to address the lessons learned from this exercise, and (3) identify key participants' views of their experiences during the second Cyber Storm exercise. To do so, GAO evaluated documentation of corrective activities and interviewed federal, state, and private sector officials. As a result of its first Cyber Storm exercise, in February 2006, DHS identified eight lessons that had significant impact across sectors, agencies, and exercise participants. These lessons involved improving (1) the interagency coordination groups; (2) contingency planning, risk assessment, and roles and responsibilities; (3) integration of incidents across infrastructures; (4) access to information; (5) coordination of response activities; (6) strategic communications and public relations; (7) processes, tools, and technology; and (8) the exercise program. While DHS has demonstrated progress in addressing the lessons it learned from its first Cyber Storm exercise, more remains to be done to fully address the lessons. In the months following its first exercise, DHS identified 66 activities that address one or more of the lessons, including hosting meetings with key cyber response officials from foreign, federal, and state governments and private industry, and refining their operating procedures. To date, DHS has completed a majority of these activities. However, key activities have not yet been completed. Specifically, DHS identified 16 activities as ongoing and 7 activities as planned for the future. Further, while DHS has identified completion dates for its planned activities, it has not identified completion dates for its ongoing activities. Until DHS schedules and completes its remaining activities, the agency risks conducting subsequent exercises that repeat the lessons learned during the first exercise. Commenting on their experiences during the second Cyber Storm exercise, in March 2008, participants observed both progress and continued challenges in building a comprehensive national cyber response capability. Their observations addressed several key areas, including the value and scope of the exercise, roles and responsibilities, public relations, communications, the exercise infrastructure, and the handling of classified information. For example, many participants reported that their organizations found value in the exercise because it led them to update their contact lists and improve their response capabilities. Other participants, however, reported the need for clarifying the role of the law enforcement community during a cyber incident and for improving policies governing the handling of classified information so that key information can be shared. Many of the challenges identified during Cyber Storm II were similar to challenges identified during the first exercise. Tue, 09 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081038r.pdf In the years since the 2001 terrorist attacks, balancing the need to secure U.S. borders while maintaining the flow of legitimate cross-border travel and commerce has taken on an added importance. The United States and Canada share a border that extends nearly 4,000 miles, and one of the world's largest trading relationships. Each year, approximately 70 million travelers and 35 million vehicles cross the border from Canada into the United States, according to the Department of Homeland Security (DHS). Given the volume of cross-border travel and trade between the United States and Canada, border congestion and the resulting wait times have a substantial economic impact on both nations. Furthermore, according to an analysis by DHS, the heightened emphasis on border security following the 2001 terrorist attacks has lengthened processing time for travelers and cargo crossing into the United States. Recognizing the need to improve both border security and border-crossing efficiency, the United States and Canada have cooperated on various cross-border management initiatives intended to increase the flow of legitimate travel across the border while maintaining security. For example, to facilitate the travel of low-risk prescreened individuals across the northern border, the United States and Canada jointly operate the NEXUS program. The NEXUS program allows registered border residents and frequent cross-border travelers identified as low-risk individuals access to dedicated lanes and expedited processing with minimal inspection. The United States and Canada also coordinate on border law enforcement programs such as the Integrated Border Enforcement Team Program (IBET), which is a bi-national, multi-agency law enforcement initiative that (1) provides, where necessary, support to national security investigations associated to the Canada/United States border and (2) investigates illegal cross-border activities. A key collaborative effort to improve security and relieve congestion at the ports of entry across the northern border is to move customs and immigration inspection activities away from the border--a concept known as "land preclearance" or "shared border management." In December 2004, the United States and Canada announced that the two governments had agreed to move forward with a land preclearance pilot project at the Buffalo, New York-Fort Erie, Ontario Peace Bridge and at one other border crossing site along the northern border, which had not yet been determined. The land preclearance pilot project flowed from the 2001 Smart Border Declaration and its associated action plan, which was meant to enhance the security along the northern border while facilitating information sharing and the legitimate flow of people and goods, and securing infrastructure. The preclearance pilot at the Peace Bridge would involve the relocation of all U.S. border inspection operations for both commercial and passenger traffic from the U.S. side of the border in Buffalo, New York, to the Canadian side of the border in Fort Erie, Ontario. From 2005 to 2007, the United States and Canada were engaged in negotiations to implement land preclearance at the Buffalo-Fort Erie Peace Bridge ports of entry. However, in April 2007, these negotiations were officially terminated by DHS. Section 566 of the 2008 DHS Appropriations Act mandates that we conduct a study on DHS's use of shared border management to secure the borders of the United States. In accordance with the mandate and discussions with Committee staff, this report addresses the following questions: (1) What negotiations have been conducted by the Department of Homeland Security regarding the shared border management pilot project? (2) What issues led to the termination of shared border management negotiations? From 2005 to 2007, the United States and Canada were engaged in negotiations to implement a land preclearance pilot project (also referred to as "shared border management"), which would have relocated the U.S. border inspection facility from the Buffalo, New York, side of the Peace Bridge to the Fort Erie, Ontario, side. All CBP inspections and operations would then take place before travelers and cargo entered the United States. The Peace Bridge site was selected for the pilot because it is one of the busiest commercial crossings between the United States and Canada, yet the existing border infrastructure at the Peace Bridge contributes to a number of security and border crossing inefficiencies, according to DHS. Specifically, DHS had concluded that the U.S. inspection facility, which is located near the center of downtown Buffalo, is outdated, undersized, and lacks the modern amenities a port of its size should have to operate efficiently and securely. The facility is located on 17 acres of land, as opposed to the 80 acres that CBP recommends for a large port of entry. DHS has reported that additional inspection space is needed to address these infrastructure issues, but there is no easily available land adjacent to the facility in Buffalo. On the Canadian side of the Peace Bridge in Fort Erie, there are approximately 70 acres of land available on which the U.S. inspection facility could have been co-located with Canadian inspection facilities. In April 2007, DHS officially terminated negotiations with Canada because a mutually acceptable framework for United States-Canada shared border management could not be reached. Officials from both countries agreed that negotiations were conducted in good faith, and the two governments were able to reach accommodations on several key issues raised during the negotiations, such as the approval of all of the authorities Canada sought for its U.S.-based preclearance area, and the arming of CBP officers at the preclearance site on Canadian soil. However, certain issues pertaining to each country's sovereignty and the law enforcement authorities of U.S. CBP officers operating on Canadian soil could not be resolved. These issues included concerns over arrest authority; the right of individuals to withdraw an application to enter the United States while at the land preclearance site in Canada; mutually agreeable fingerprinting processes; how information collected by U.S. officials at the land preclearance site would be shared; and concerns that future interpretations of the Canadian Charter could adversely impact U.S. authorities at the preclearance site. Thu, 04 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08538.pdf Oceangoing cargo containers play a vital role in global trade but can also pose a risk of terrorist exploitation. U.S. Customs and Border Protection (CBP), part of the Department of Homeland Security (DHS), oversees security of the supply chain--the flow of goods from manufacturer to retailer. CBP anticipates that adoption of uniform, international customs security standards could eventually lead to a system of mutual recognition whereby the customs security-related practices and programs taken by one customs administration are recognized and accepted by another administration. In response to congressional requesters, GAO determined (1) actions CBP has taken to develop and implement international supply chain security standards, (2) actions CBP has taken with international partners to achieve mutual recognition of customs security practices, and (3) issues CBP and foreign customs administrations anticipate in implementing 100 percent scanning of U.S.-bound container cargo. To conduct its work, GAO analyzed CBP documents on supply chain security programs and international cooperation initiatives and met with CBP officials and foreign customs officials from various trading partner nations. Also, GAO drew upon its related reports and testimony on supply chain security issued earlier this year--GAO-08-187 (Jan. 25), GAO-08-240 (Apr. 25), and GAO-08-533T (June 12). DHS provided technical comments on a draft of this report, which GAO incorporated where appropriate. To develop and implement international supply chain security standards, CBP has taken a lead role in working with foreign customs administrations and the World Customs Organization (WCO). Through the Container Security Initiative (CSI), CBP places staff at foreign seaports to work with host nation customs officials to identify high-risk container cargo bound for the United States, and through the Customs-Trade Partnership Against Terrorism (C-TPAT), CBP forms voluntary partnerships to enhance security measures with international businesses involved in oceangoing trade with the United States. In collaboration with 11 other members of the WCO, CBP developed the Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework), which is based in part on the core concepts of the CSI and C-TPAT programs and provides standards for collaboration among customs administrations and entities participating in the supply chain. The SAFE Framework was adopted by the 173 WCO member customs administrations in June 2005; and as of July 2008 154 had signed letters of intent to implement the standards. CBP has actively engaged with international partners to define and achieve mutual recognition of customs security practices. Broadly, for example, CBP contributed to development of the SAFE Framework, which calls for a system of mutual recognition. More specifically, in June 2007, CBP signed a mutual recognition arrangement with New Zealand--the first such arrangement in the world--to recognize each other's customs-to-business partnership programs. Furthermore, in June of this year, CBP signed mutual recognition agreements with Jordan and Canada. By early 2009, CBP anticipates obtaining a mutual recognition agreement with the European Commission, which represents the 27 member nations of the European Union. CBP actively engages in the implementation of international customs security standards, however recent law, such as The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) requiring that 100 percent of U.S.-bound container cargo be scanned at foreign seaports--using a nonintrusive inspection process involving equipment such as X-rays and radiation detection equipment--may affect worldwide adoption of international supply chain security standards. CBP and some foreign partners have stated that unless additional resources are made available, 100 percent scanning could not be met. Given limited resources, CBP and European custom administration officials said that 100 percent scanning may provide a lower level of security if customs officers are diverted from focusing on high-risk container cargo. Under the current risk-management system, for example, the scanned images of high-risk containers are to be reviewed in a very detailed manner. However, according to WCO and industry officials, if all containers are to be scanned, the reviews may not be as thorough. Further, a European customs administration reported that 100 percent scanning could have a negative impact on the flow of commerce and also would affect trade with developing countries disproportionately. Fri, 15 Aug 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08958.pdf The Transportation Security Administration (TSA) uses undercover, or covert, testing to approximate techniques that terrorists may use to identify vulnerabilities in and measure the performance of airport security systems. During these tests, undercover inspectors attempt to pass threat objects through passenger and baggage screening systems, and access secure airport areas. In response to a congressional request, GAO examined (1) TSA's strategy for conducting covert testing of the transportation system and the extent to which the agency has designed and implemented its covert tests to achieve identified goals; and (2) the results of TSA's national aviation covert tests conducted from September 2002 to June 2007, and the extent to which TSA uses the results of these tests to mitigate security vulnerabilities. To conduct this work, GAO analyzed covert testing documents and data and interviewed TSA and transportation industry officials. TSA has designed and implemented risk-based national and local covert testing programs to achieve its goals of identifying vulnerabilities in and measuring the performance the aviation security system, and has begun to determine the extent to which covert testing will be used in non-aviation modes of transportation. TSA's Office of Inspection (OI) used information on terrorist threats to design and implement its national covert tests and determine at which airports to conduct tests based on the likelihood of a terrorist attack. However, OI did not systematically record the causes of test failures or practices that resulted in higher pass rates for tests. Without systematically recording reasons for test failures, such as failures caused by screening equipment not working properly, as well as reasons for test passes, TSA is limited in its ability to mitigate identified vulnerabilities. OI officials stated that identifying a single cause for a test failure is difficult since failures can be caused by multiple factors. TSA recently redesigned its local covert testing program to more effectively measure the performance of passenger and baggage screening systems and identify vulnerabilities. However, it is too early to determine whether the program will meet its goals since it was only recently implemented and TSA is still analyzing the results of initial tests. While TSA has a well established covert testing program in commercial aviation, the agency does not regularly conduct covert tests in non-aviation modes of transportation. Furthermore, select domestic and foreign transportation organizations and DHS components use covert testing to identify security vulnerabilities in non-aviation settings. However, TSA lacks a systematic process for coordinating with these organizations. TSA covert tests conducted from September 2002 to June 2007 have identified vulnerabilities in the commercial aviation system at airports of all sizes, and the agency could more fully use the results of tests to mitigate identified vulnerabilities. While the specific results of these tests and the vulnerabilities they identified are classified, covert test failures can be caused by multiple factors, including screening equipment that does not detect a threat item, Transportation Security Officers (TSOs), formerly known as screeners, not properly following TSA procedures when screening passengers, or TSA screening procedures that do not provide sufficient detail to enable TSOs to identify the threat item. TSA's Administrator and senior officials are routinely briefed on covert test results and are provided with test reports that contain recommendations to address identified vulnerabilities. However, TSA lacks a systematic process to ensure that OI's recommendations are considered and that the rationale for implementing or not implementing OI's recommendations is documented. Without such a process, TSA is limited in its ability to use covert test results to strengthen aviation security. TSA officials stated that opportunities exist to improve the agency's processes in this area. In May 2008, GAO issued a classified report on TSA's covert testing program. That report contained information that was deemed either classified or sensitive. This version of the report summarizes our overall findings and recommendations while omitting classified or sensitive security information. Fri, 08 Aug 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08933r.pdf This report formally transmits the attached briefing in response to section 1307 of the Implementing Recommendations of the 9/11 Commission Act of 2007. The act requires the Comptroller General to report on the utilization of explosives detection canine teams to strengthen security and the capacity of the national explosives detection canine team program, which is administered by the Transportation Security Administration. Thu, 31 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08588.pdf Cyber analysis and warning capabilities are critical to thwarting computer-based (cyber) threats and attacks. The Department of Homeland Security (DHS) established the United States Computer Emergency Readiness Team (US-CERT) to, among other things, coordinate the nation's efforts to prepare for, prevent, and respond to cyber threats to systems and communications networks. GAO's objectives were to (1) identify key attributes of cyber analysis and warning capabilities, (2) compare these attributes with US-CERT's current capabilities to identify whether there are gaps, and (3) identify US-CERT's challenges to developing and implementing key attributes and a successful national cyber analysis and warning capability. To address these objectives, GAO identified and analyzed related documents, observed operations at numerous entities, and interviewed responsible officials and experts. Cyber analysis and warning capabilities include (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. GAO identified 15 key attributes associated with these capabilities. While US-CERT's cyber analysis and warning capabilities include aspects of each of the key attributes, they do not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtains information from numerous external information sources; however, it has not established a baseline of our nation's critical network assets and operations. In addition, while it investigates if identified anomalies constitute actual cyber threats or attacks as part of its analysis, it does not integrate its work into predictive analyses. Further, it provides warnings by developing and distributing a wide array of notifications; however, these notifications are not consistently actionable or timely. US-CERT faces a number of newly identified and ongoing challenges that impede it from fully incorporating the key attributes and thus being able to coordinate the national efforts to prepare for, prevent, and respond to cyber threats. The newly identified challenge is creating warnings that are consistently actionable and timely. Ongoing challenges that GAO previously identified, and made recommendations to address, include employing predictive analysis and operating without organizational stability and leadership within DHS, including possible overlapping roles and responsibilities. Until US-CERT addresses these challenges and fully incorporates all key attributes, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission. Thu, 31 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08999t.pdf In April 2005, a Presidential Directive established the Domestic Nuclear Detection Office (DNDO) within the Department of Homeland Security to enhance and coordinate federal, state, and local efforts to combat nuclear smuggling domestically and abroad. DNDO was directed to develop, in coordination with the departments of Defense (DOD), Energy (DOE), and State (State), an enhanced global nuclear detection architecture--an integrated system of radiation detection equipment and interdiction activities. DNDO implements the domestic portion of the architecture, while DOD, DOE, and State are responsible for related programs outside the U.S. This testimony provides preliminary observations based on ongoing work addressing (1) the status of DNDO's efforts to develop a global nuclear detection architecture, (2) the challenges DNDO and other federal agencies face in implementing the architecture, and (3) the costs of the programs that constitute the architecture. This statement draws on prior GAO reviews of programs constituting the architecture, and GAO's work on strategic planning According to GAO's preliminary work to date, DNDO has taken steps to develop a global nuclear detection architecture but lacks an overarching strategic plan to help guide how it will achieve a more comprehensive architecture. Specifically, DNDO has developed an initial architecture after coordinating with DOD, DOE, and State to identify 74 federal programs that combat smuggling of nuclear or radiological material. DNDO has also identified gaps in the architecture, such as land border crossings into the United States between formal points of entry, small maritime vessels, and international general aviation. Although DNDO has started to develop programs to address these gaps, it has not yet developed an overarching strategic plan to guide its transition from the initial architecture to a more comprehensive architecture. For example, such a plan would define across the entire architecture how DNDO would achieve and monitor its goal of detecting the movement of radiological and nuclear materials through potential smuggling routes, such as small maritime craft or land borders in between points of entry. The plan would also define the steps and resources needed to achieve a more comprehensive architecture and provide metrics for measuring progress toward goals. DNDO and other federal agencies face a number of coordination, technological, and management challenges. First, prior GAO reports have demonstrated that U.S.-funded radiological detection programs overseas have proven problematic to implement and sustain and have not been effectively coordinated, although there have been some improvements in this area. Second, detection technology has limitations and cannot detect and identify all radiological and nuclear materials. For example, smugglers may be able to effectively mask or shield radiological materials so that it evades detection. Third, DNDO faces challenges in managing implementation of the architecture. DNDO has been charged with developing an architecture that depends on programs implemented by other agencies. This responsibility poses a challenge for DNDO in ensuring that the individual programs within the global architecture are effectively integrated and coordinated to maximize the detection and interdiction of radiological or nuclear material. According to DNDO, approximately $2.8 billion was budgeted in fiscal year 2007 for the 74 programs included in the global nuclear detection architecture. Of this $2.8 billion, $1.1 billion was budgeted for programs to combat nuclear smuggling internationally; $220 million was devoted to programs to support the detection of radiological and nuclear material at the U.S. border; $900 million funded security and detection activities within the United States; and approximately $575 million was used to fund a number of cross-cutting activities. The future costs for DNDO and other federal agencies to address the gaps identified in the initial architecture are not yet known or included in these amounts. Wed, 16 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08960t.pdf The United States faces potentially dangerous biological threats that occur naturally or may be the result of a terrorist attack. The Department of Homeland Security (DHS) is developing two major initiatives to provide early detection and warning of biological threats: the National Biosurveillance Integration Center (NBIC), a center for integrating and coordinating information on biological events of national significance, and the BioWatch program that operates systems used to test the air for biological agents. The Implementing Recommendations of the 9/11 Commission Act of 2007 requires DHS to establish a fully operational NBIC by September 30, 2008. This statement discusses the status of DHS's efforts to (1) make NBIC fully operational by the mandated deadline, and (2) improve the BioWatch program's technology. GAO's preliminary observations of these two programs are based on our ongoing work mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to review U.S. biosurveillance efforts. To conduct this work, GAO reviewed related statutes; federal directives; and DHS planning, development, and implementation documents on these two initiatives. We also interviewed DHS program officials to obtain additional information about NBIC and BioWatch. DHS reviewed a draft of this testimony and provided technical comments, which were incorporated as appropriate. DHS has made progress making NBIC fully operational by September 30, 2008, as required by the Implementing Recommendations of the 9/11 Commission Act of 2007, but it is unclear what operations the center will be capable of carrying out at that point. DHS has acquired facilities and hired staff for the center but has not yet defined what capabilities the center will have in order to be considered fully operational. DHS has also started to coordinate biosurveillance efforts with other agencies, but DHS has not yet formalized some key agreements to fulfill NBIC's integration mission. For example, DHS has signed memoranda of understanding with 6 of 11 agencies DHS identified to support the operations of NBIC. However, DHS has not yet completed other key agreements to, for example, facilitate the technical exchange of information, such as data on human health, between NBIC and the agencies. In addition, a contractor DHS hired to enhance NBIC's information technology system delivered an upgrade to the system on April 1, 2008, intended to enhance data integration capabilities. However, before this upgrade can be used effectively, DHS officials said that NBIC will need to train its employees to use the system and negotiate interagency agreements to define the data that the agencies using the system will provide. DHS officials expect that NBIC will complete the training in early 2009. DHS has two ongoing efforts to improve the detection technology used by the BioWatch program, which deploys detectors to collect data that are then analyzed to detect the presence of specific biological agents. First, the Directorate for Science and Technology (S&T) within DHS is developing next-generation detectors for the BioWatch program. DHS plans for this new technology to collect air samples and automatically test the samples for a broader range of biological agents than the current technology. Under the current system, samples are manually collected and taken to a laboratory for analysis. DHS plans to operationally test and evaluate the new automatic technology in April 2009 and to begin replacing its existing detection technology in 2010. Operational testing and evaluation of the new technology is planned to take place in April 2009, about 1 year later than DHS initially planned, because S&T officials received revised requirements for the new system about 4 months before S&T was scheduled to complete development of the system. Second, while S&T is completing its work on the new detection technology, DHS is developing an interim solution, managed by the Office of Health Affairs, to enhance its current detection technology. This interim solution is intended to automatically analyze air samples for the same number of biological agents currently monitored by the BioWatch program. Contingent on successful operational testing and evaluation that is to start in November 2008, DHS plans to decide whether to acquire over 100 of these enhanced detectors. Wed, 16 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081003r.pdf Members of the Committee requested that GAO provide additional comments to a number of post-hearing questions after GAO testified before the Subcommittee on Management, Investigations, and Oversight on the Department of Homeland Security's (DHS) Preparedness for Catastrophic Disasters. The responses are generally based on work associated with previously issued GAO products, which were conducted in accordance with generally accepted government auditing standards. Because the responses are based on prior work, we did not obtain comments from DHS. Tue, 15 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08959t.pdf The Implementing Recommendations of the 9/11 Commission Act of 2007 requires the Transportation Security Administration (TSA) to implement a system to physically screen 100 percent of cargo on passenger aircraft by August 2010. To fulfill these requirements, the Department of Homeland Security's (DHS) TSA is developing the Certified Cargo Screening Program (CCSP), which would allow the screening of cargo to occur prior to placement on an aircraft. This testimony addresses four challenges TSA may face in developing a system to screen 100 percent of cargo: (1) deploying effective technologies; (2) changing TSA air cargo screening exemptions; (3) allocating compliance inspection resources to oversee CCSP participants; and (4) securing cargo transported from a foreign nation to the United States. GAO's comments are based on GAO products issued from October 2005 through February 2008, including selected updates conducted in July 2008. DHS has taken steps to develop and test technologies for screening and securing air cargo; however, TSA has not completed assessments of the technologies it plans to use as part of the CCSP. TSA has reported that there are several challenges that must be overcome to effectively implement any of these technologies, including the nature, type, and size of cargo to be screened and the location of air cargo facilities. In addition, the air cargo industry voiced concern about the costs associated with purchasing the screening equipment. GAO will likely review this issue in future work. TSA plans to revise and eliminate screening exemptions for some categories of air cargo, thereby reducing the percentage of cargo transported on passenger aircraft that is subject to alternative methods of screening. However, TSA plans to continue to exempt some types of domestic and outbound cargo (cargo transported by air from the United States to a foreign location) after August 2010. TSA based its determination regarding the changing of exemptions on professional judgment and the results of air cargo vulnerability assessments. However, TSA has not completed all of its air cargo vulnerability assessments, which would further inform its efforts. TSA officials stated there may not be enough compliance inspectors to oversee implementation of the CCSP and is anticipating requesting an additional 150 inspectors for fiscal year 2010. They further stated that they have not formally assessed the number of inspectors the agency will need. Without such an assessment, TSA may not be able to ensure that CCSP entities are meeting TSA requirements to screen and secure cargo. To ensure that existing air cargo security requirements are being implemented as required, TSA conducts audits, referred to as compliance inspections, of air carriers that transport cargo. The compliance inspections range from a comprehensive review of the implementation of all security requirements to a review of at least one security requirement by an air carrier or freight forwarder (which consolidates cargo from many shippers and takes it to air carriers for transport). GAO reported in October 2005 that TSA had conducted compliance inspections on fewer than half of the estimated 10,000 freight forwarders nationwide and, of those, had found violations in over 40 percent of them. GAO also reported that TSA had not analyzed the results of compliance inspections to systematically target future inspections. GAO reported in April 2007 that more work remains for TSA to strengthen the security of cargo transported from a foreign nation to the United States, referred to as inbound air cargo. Although TSA is developing a system to screen 100 percent of domestic and outbound cargo, TSA officials stated that it does not plan to include inbound cargo because it does not impose its security requirements on foreign countries. TSA officials said that vulnerabilities to inbound air cargo exist and that these vulnerabilities are in some cases similar to those of domestic air cargo, but stated that each foreign country has its own security procedures for flights coming into the United States. Tue, 15 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08919r.pdf The terrorist attacks of September 11, 2001, on the World Trade Center in New York City and the Pentagon in Arlington, Virginia, are estimated to have resulted in insured losses amounting to $32.5 billion. Subsequent to the attacks, insurers largely stopped offering terrorism insurance coverage to commercial property owners, which raised significant concerns about potential negative economic consequences. To help restore confidence and stability in property insurance markets, Congress enacted and the President signed the Terrorism Risk Insurance Act of 2002 (TRIA). Under TRIA, the federal government assumed significant responsibility for the potential insured financial losses associated with future terrorist attacks. While TRIA, which was reauthorized in 2005 and again in 2007, has been credited with stabilizing markets for commercial property insurance, some building owners, Members of Congress, and other industry participants remain concerned that there may still be gaps in coverage. In particular, they have expressed concerns about the ability of policyholders located in large urban areas that are viewed as being at high risk of attack to obtain terrorism insurance coverage. Under the 2007 statute that reauthorized TRIA coverage, GAO was required to conduct a study to determine if specific markets in the United States have any unique constraints on the amount of terrorism insurance available and to evaluate options to enhance coverage. This law required GAO to submit a report to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives no later than June 23, 2008. The purpose of this report is to document our compliance with this reporting requirement. While commercial property terrorism insurance coverage appears to be available nationwide at rates policyholders view as reasonable, certain policyholders may face challenges in obtaining desired amounts of coverage or obtaining coverage at prices they view as reasonable. The policyholders experiencing these challenges were typically those that own large, high-value properties in areas where many large buildings are clustered, particularly in urban areas viewed as at high risk of attack, such as Manhattan, and to a lesser extent certain areas of other major cities, such as Chicago and San Francisco, according to policyholders and brokers. While TRIA limits insurers' financial exposure related to future terrorist attacks, several insurers said they remained concerned about the exposure they retain, and their efforts to minimize potential losses appear to be the primary reason some policyholders face challenges in obtaining coverage. Insurance industry participants and analysts had no consensus on whether TRIA should be modified or additional actions taken to increase the availability of terrorism insurance coverage. Industry analysts and participants identified the advantages and disadvantages of various policy proposals that have been made to increase terrorism insurance coverage. One proposal involves lowering insurers' TRIA deductibles in areas affected by a future large terrorist attack under the premise that further relieving insurers of the financial consequences of such attacks would make them more willing to offer terrorism insurance coverage. Some industry participants believe that another option, allowing insurers to establish tax-deductible reserves for terrorist attacks, could increase insurers' ability to provide terrorism insurance coverage. However, others said that establishing the appropriate size of such reserves would be difficult. Finally, some industry analysts and participants said that changing the federal tax code to encourage the issuance of catastrophe bonds within the United States could allow capital from the securities markets to help cover the potential costs of terrorist attacks. Fri, 11 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08852.pdf Since 2002, the Department of Homeland Security (DHS) has distributed almost $20 billion in funding to enhance the nation's capabilities to respond to acts of terrorism or other catastrophic events. In fiscal year 2007, DHS provided approximately $1.7 billion to states and urban areas through its Homeland Security Grant Program (HSGP) to prevent, protect against, respond to, and recover from acts of terrorism or other catastrophic events. As part of the Omnibus Appropriations Act of 2007, GAO was mandated to review the methodology used by DHS to allocate HSGP grants. This report addresses (1) the changes DHS has made to its risk-based methodology used to allocate grant funding from fiscal year 2007 to fiscal year 2008 and (2) whether the fiscal year 2008 methodology is reasonable. To answer these questions, GAO analyzed DHS documents related to its methodology and grant guidance, interviewed DHS officials about the grant process used in fiscal year 2007 and changes made to the process for fiscal year 2008, and used GAO's risk management framework based on best practices. For fiscal year 2008 HSGP grants, DHS is primarily following the same methodology it used in fiscal year 2007, but incorporated metropolitan statistical areas (MSAs) within the model used to calculate risk. The methodology consists of a three-step process--a risk analysis of urban areas and states based on measures of threat, vulnerability and consequences, an effectiveness assessment of applicants' investment justifications, and a final allocation decision. The principal change in the risk analysis model for 2008 is in the definition of the geographic boundaries of eligible urban areas. In 2007, the footprint was defined using several criteria, which included a 10-mile buffer zone around the center city. Reflecting the requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007, DHS assessed risk for the Census Bureau's 100 largest MSAs by population in determining its 2008 Urban Areas Security Initiative (UASI) grant allocations. This change altered the geographic footprint of the urban areas assessed, aligning them more closely with the boundaries used by government agencies to collect some of the economic and population data used in the model. This may have resulted in DHS using data in its model that more accurately estimated the population and economy of those areas. The change to the use of MSA data in fiscal year 2008 also resulted in changes in the relative risk rankings of some urban areas. As a result, DHS officials expanded the eligible urban areas in fiscal year 2008 to a total of 60 UASI grantees, in part, to address the effects of this change to MSA data, as well as to ensure that all urban areas receiving fiscal year 2007 funding continued to receive funding in fiscal year 2008, according to DHS officials. Generally, DHS has constructed a reasonable methodology to assess risk and allocate funds within a given fiscal year. The risk analysis model DHS uses as part of its methodology includes empirical risk analysis and policy judgments to select the urban areas eligible for grants (all states are guaranteed a specified minimum percentage of grant funds available) and to allocate State Homeland Security Program (SHSP) and UASI funds. However, our review found that the vulnerability element of the risk analysis model has limitations that reduce its value. Measuring vulnerability is considered a generally-accepted practice in assessing risk; however, DHS's current risk analysis model does not measure vulnerability for each state and urban area. Rather, DHS considered all states and urban areas equally vulnerable to a successful attack and assigned every state and urban area a vulnerability score of 1.0 in the risk analysis model, which does not take into account any geographic differences. Thus, as a practical matter, the final risk scores are determined by the threat and consequences scores. Fri, 27 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08180.pdf First responders are responsible for responding to terrorist-related and accidental releases of CBRN materials in urban areas. Two primary tools for identifying agents released and their dispersion and effect are equipment to detect and identify CBRN agents in the environment and plume models to track the dispersion of airborne releases of these agents. GAO reports on the limitations of the CBRN detection equipment, its performance standards and capabilities testing, plume models available for tracking urban dispersion of CBRN materials, and information for determining how exposure to CBRN materials affects urban populations. To assess the limitations of CBRN detection equipment and urban plume modeling for first responders' use, GAO met with and obtained data from agency officials and first responders in three states. While the Department of Homeland Security (DHS) and other agencies have taken steps to improve homeland defense, local first responders still do not have tools to accurately identify right away what, when, where, and how much chemical, biological, radiological, or nuclear (CBRN) materials are released in U.S. urban areas, accidentally or by terrorists. Equipment local first responders use to detect radiological and nuclear material cannot predict the dispersion of these materials in the atmosphere. No agency has the mission to develop, certify, and test equipment first responders can use for detecting radiological materials in the atmosphere. According to DHS, chemical detectors are marginally able to detect an immediately dangerous concentration of chemical warfare agents. Handheld detection devices for biological agents are not reliable or effective. DHS's BioWatch program monitors air samples for biothreat agents in selected U.S. cities but does not provide first responders with real-time detection capability. Under the BioWatch system, a threat agent is identified within several hours to more than 1 day after it is released, and how much material is released cannot be determined. DHS has adopted few standards for CBRN detection equipment and has no independent testing program to validate whether it can detect CBRN agents at the specific sensitivities manufacturers claim. DHS has a mission to develop, test, and certify first responders' CB detection equipment, but its testing and certification cover equipment DHS develops, not what first responders buy. Interagency studies show that federal agencies' models to track the atmospheric release of CBRN materials have major limitations in urban areas. DHS's national TOPOFF exercises have demonstrated first responders' confusion over competing plume models' contradictory results. The Interagency Modeling and Atmospheric Assessment Center (IMAAC), created to coordinate modeling predictions, lacks procedures to resolve contradictory predictions. Evaluations and field testing of plume models developed for urban areas show variable predictions in urban environments. They are limited in obtaining accurate data on the characteristics and rate of CBRN material released. Data on population density, land use, and complex terrain are critical to first responders, but data on the effects of exposure to CBRN materials on urban populations have significant gaps. Scientific research is lacking on how low-level exposure to CBRN material affects civilian populations, especially elderly persons, children, and people whose immune systems are compromised. Fri, 27 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08739r.pdf In November 2005, the Department of Homeland Security (DHS) announced the launch of Secure Border Initiative (SBI), a multiyear, multibillion-dollar program aimed at securing U.S. borders and reducing illegal immigration. Elements of SBI are carried out by several organizations within DHS. One component is the U.S. Customs and Border Protection's (CBP) SBI program office, which is responsible for developing a comprehensive border protection system using people; technology, known as SBInet; and tactical infrastructure (TI)--pedestrian and vehicle fencing; roads; and lighting. Initially, the focus of SBI is on the U.S. southwest border areas, between the ports of entry, that CBP has designated as most in need of enhanced border security because of serious vulnerabilities. In September 2006, CBP awarded a prime contract to the Boeing Company for 3 years, with three additional 1-year options. As the prime contractor, Boeing is responsible for acquiring, deploying, and sustaining selected SBInet technology and tactical infrastructure projects, and for providing supply chain management for selected tactical infrastructure projects. For fiscal years 2005 through 2008, Congress appropriated more than $2.7 billion for the SBI program. For fiscal year 2009, the President's budget includes a request for an additional $775 million for SBI. The Fiscal Year 2008 Consolidated Appropriations Act required DHS to submit to the House and Senate Appropriations Committees an expenditure plan for the department's efforts to establish a security barrier along the borders of the United States, including pedestrian and vehicle fencing as well as other forms of tactical infrastructure and technology. This plan was to address 15 legislative conditions and was submitted to Congress on March 31, 2008. As required by the act, we reviewed the plan and on April 7 and April 10, 2008, briefed staff of the House and Senate Appropriations Subcommittees, respectively, on our results. The SBI fiscal year 2008 expenditure plan, including related documentation and program officials' statements, satisfied seven legislative conditions, partially satisfied seven legislative conditions, and did not satisfy one legislative condition. The SBI expenditure plan is intended to provide Congress with the information needed to effectively oversee the program and hold DHS accountable for program results. Satisfying the conditions is important since the Fiscal Year 2008 Consolidated Appropriations Act required an expenditure plan that satisfies the 15 conditions summarized above to be submitted to and approved by the House and Senate Appropriations Committees before the agency could obligate $650 million of the approximately $1.2 billion appropriated for CBP fencing, infrastructure and technology. Satisfying the conditions is also important to minimize the program's exposure to cost, schedule, and performance risks. The fiscal year 2008 plan states that it addresses our February 2007 recommendation that the plan include explicit and measurable commitments relative to the capabilities, schedule, costs, and benefits associated with individual program activities. However, based on our review, while the 2008 plan is more detailed than the 2007 plan, it does not provide detailed justification for all planned SBI expenditures, nor does it permit progress against program commitments to be adequately measured and disclosed. In addition, the 2008 plan does not clearly demonstrate how specific CBP SBI activities link with the DHS Secure Border Strategy and further the objectives of DHS's overall border strategy, nor does it provide Congress with reasonable assurance that funding is used for the highest priority requirements. Thu, 26 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08904t.pdf From the terrorist attacks of September 11, 2001, to Hurricane Katrina, homeland security risks vary widely. The nation can neither achieve total security nor afford to protect everything against all risks. Managing these risks is especially difficult in today's environment of globalization, increasing security interdependence, and growing fiscal challenges for the federal government. Broadly defined, risk management is a process that helps policymakers assess risk, strategically allocate finite resources, and take actions under conditions of uncertainty. GAO convened a forum of 25 national and international experts on October 25, 2007, to advance a national dialogue on applying risk management to homeland security. Participants included federal, state, and local officials and risk management experts from the private sector and academia. Forum participants identified (1) what they considered to be effective risk management practices used by organizations from the private and public sectors and (2) key challenges to applying risk management to homeland security and actions that could be taken to address them. Comments from the proceedings do not necessarily represent the views of all participants, the organizations of the participants, or GAO. Participants reviewed a draft of this report and their comments were incorporated, as appropriate. Forum participants identified what they considered to be effective public and private sector risk management practices. For example, participants discussed the private sector use of a chief risk officer, though they did not reach consensus on how to apply the concept of the chief risk officer to the public sector. One key practice for creating an effective chief risk officer, participants said, was defining reporting relationships within the organization in a way that provides sufficient authority and autonomy for a chief risk officer to report to the highest levels of the organization. Participants stated that the U.S. government needs a single risk manager. One participant suggested that this lack of central leadership has resulted in distributed responsibility for risk management within the administration and Congress and has contributed to a lack of coordination on spending decisions. Participants also discussed examples of public sector organizations that have effectively integrated risk management practices into their operations, such as the U.S. Coast Guard, and compared and contrasted public and private sector risk management practices. According to the participants at our forum, three key challenges exist to applying risk management to homeland security: improving risk communication, political obstacles to risk-based resource allocation, and a lack of strategic thinking about managing homeland security risks. Many participants agreed that improving risk communication posed the single greatest challenge to using risk management principles. To address this challenge, participants recommended educating the public and policymakers about the risks we face and the value of using risk management to establish priorities and allocate resources; engaging in a national discussion to reach a public consensus on an acceptable level of risk; and developing new communication practices and systems to alert the public during an emergency. In addition, to address strategic thinking challenges, participants recommended the government develop a national strategic planning process for homeland security and governmentwide risk management guidance. To improve public-private sector coordination, forum participants recommended that the private sector should be more involved in the public sector's efforts to assess risks and that more state and local practitioners and experts be involved through intergovernmental partnerships. Wed, 25 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08745.pdf The Coast Guard's Deepwater Program, under the Department of Homeland Security (DHS), has experienced serious performance and management problems. Deepwater is intended to replace or modernize Coast Guard vessels, aircraft, and the communications and electronic systems that link them together. As of fiscal year 2008, over $4 billion has been appropriated for Deepwater. The Coast Guard awarded a contract in June 2002 to a lead system integrator, Integrated Coast Guard Systems (ICGS), to execute the program using a system-of-systems approach. In response to a Senate report accompanying a Department of Homeland Security appropriations bill, 2008, this GAO report assesses whether the changes the Coast Guard is making to its management and acquisition approach to Deepwater will put it in a position to realize better outcomes. GAO reviewed key program documents and interviewed Coast Guard and contractor personnel. Coast Guard leadership is making positive changes to its management and acquisition approach to the Deepwater Program that should put it in a position to realize better outcomes, although challenges to its efforts remain. The Coast Guard has increased accountability by bringing Deepwater under a restructured acquisition function and investing its government project managers with management and oversight responsibilities formerly held by ICGS. Coast Guard project managers and technical experts--as opposed to contractor representatives--now hold the greater balance of management responsibility and accountability for program outcomes. However, like other federal agencies, the Coast Guard has faced obstacles in building an adequate government workforce. It has various initiatives under way to develop and retain a workforce capable of managing this complex acquisition program, but faced with an almost 20 percent vacancy rate, it is relying on support contractors, such as cost estimators, in key positions. The Coast Guard's decision to manage Deepwater under an asset-based approach, rather than as an overall system-of-systems, has resulted in increased government control and visibility over acquisitions. Agency officials have begun to hold competitions for Deepwater assets outside of the ICGS contract. While the asset-based approach is beneficial, certain cross-cutting aspects of Deepwater, such as the program's communications and intelligence components and the numbers of each asset needed, still require a systems-level approach. The Coast Guard recognizes this but is not yet fully positioned to manage these aspects. The Coast Guard has begun to follow the disciplined, project management framework of its Major Systems Acquisition Manual (MSAM), which requires documentation and high-level executive approval of decisions at key points in a program's life cycle. But the consequences of not following this approach in the past are now evident, as Deepwater assets have been delivered without a determination of whether their planned capabilities would meet mission needs. The MSAM process currently allows limited initial production to proceed before the majority of design activities have been completed. In addition, a disconnect between MSAM requirements and current practice exists because DHS had earlier delegated to the Coast Guard all Deepwater acquisition decisions, resulting in little departmental oversight. Coast Guard project managers and decision makers are now receiving information intended to help manage project outcomes, but some key information is unreliable. The earned value management data reported by ICGS lacks sufficient transparency to be useful to Coast Guard program managers, and subcontractor Northrop Grumman's system for producing the data may need to be re-certified to ensure its reliability. Officials state that they are addressing these issues through joint efforts with the Navy and the Defense Contract Management Agency. Tue, 24 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08672.pdf The safety and economic security of the United States depends on the secure use of the world's seaports and waterways. Homeland Security Presidential Directive-13 (HSPD-13, also referred to as National Security Presidential Directive-41) directs the coordination of U.S. maritime security policy through the creation of a National Strategy for Maritime Security and supporting implementation plans. GAO was asked to evaluate this strategy and its eight supporting plans. This report discusses: (1) the extent to which the strategy and its supporting plans contain desirable characteristics of an effective national strategy, and (2) the reported status of the implementation of these plans. To conduct this work, GAO evaluated the National Strategy for Maritime Security and its supporting plans against the desirable characteristics of an effective national strategy that GAO identified in February 2004, reviewed HSPD-13 and supporting plans, and reviewed documents on the status of the plans' implementation. Of the six desirable characteristics of an effective national strategy that GAO identified in 2004, the National Strategy for Maritime Security and its eight supporting implementation plans address four and partially address the remaining two. Documents provided by the Maritime Security Working Group--an interagency body responsible for monitoring and assessing the implementation of the maritime strategy--indicate that the implementation status of the eight supporting plans varies. For example, as of November 2007, implementation of one plan had been completed, while another has reached the assessment phase (e.g., lessons learned and best practices), and a third has reached the execution phase (e.g., exercises and operations). The other five plans remain primarily in the planning phase. The working group is monitoring the implementation of 76 actions across the plans, and reported 6 of these are completed and 70 are ongoing. Fri, 20 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08897t.pdf The Federal Protective Service (FPS) is responsible for providing physical security and law enforcement services to about 9,000 General Services Administration (GSA) facilities. To accomplish its mission of protecting GSA facilities, FPS currently has an annual budget of about $1 billion, about 1,100 employees, and 15,000 contract guards located throughout the country. GAO was asked to provide information and analysis on challenges FPS faces including ensuring that it has sufficient staffing and funding resources to protect GSA facilities and the over one million federal employees as well as members of the public that work in and visit them each year. GAO discusses (1) FPS's operational challenges and actions it has taken to address them, (2) funding challenges, and (3) how FPS measures the effectiveness of its efforts to protect GSA facilities. This testimony is based on our recently issued report (GAO-08-683) to this Subcommittee. FPS faces several operational challenges that hamper its ability to accomplish its mission and the actions it has taken may not fully resolve these challenges. FPS's staff has decreased by about 20 percent from fiscal years 2004 through 2007. FPS has also decreased or eliminated law enforcement services such as proactive patrol in many FPS locations. Moreover, FPS has not resolved longstanding challenges, such as improving the oversight of its contract guard program, maintaining security countermeasures, and ensuring the quality and timeliness of building security assessments (BSA). For example, one regional supervisor stated that while reviewing a BSA for an address he personally visited he realized that the inspector completing the BSA had falsified the information because the inspector referred to a large building when the actual site was a vacant plot of land owned by GSA. To address some of these operational challenges, FPS is currently changing to an inspector based workforce, which seeks to eliminate the police officer position and rely primarily on FPS inspectors for both law enforcement and physical security activities. FPS is also hiring an additional 150 inspectors. However, these actions may not fully resolve the challenges FPS faces, in part because the approach does not emphasize law enforcement responsibilities. Until recently, the security fees FPS charged to agencies have not been sufficient to cover its costs and the actions it has taken to address the shortfalls have had adverse implications. For example, the Department of Homeland Security (DHS) transferred emergency supplemental funding to FPS. FPS restricted hiring and limited training and overtime. According to FPS officials, these measures have had a negative effect on staff morale and are partially responsible for FPS's high attrition rates. FPS was authorized to increase the basic security fee four times since it transferred to DHS in 2003, currently charging tenant agencies 62 cents per square foot for basic security services. Because of these actions, FPS's collections in fiscal year 2007 were sufficient to cover costs, and FPS projects that collections will also cover costs in fiscal year 2008. However, FPS's primary means of funding its operations--the basic security fee--does not account for the risk faced by buildings, the level of service provided, or the cost of providing services, raising questions about equity. Stakeholders expressed concern about whether FPS has an accurate understanding of its security costs. FPS has developed output measures, but lacks outcome measures to assess the effectiveness of its efforts to protect federal facilities. Its output measures include determining whether security countermeasures have been deployed and are fully operational. However, FPS does not have measures to evaluate its efforts to protect federal facilities that could provide FPS with broader information on program outcomes and results. FPS also lacks a reliable data management system for accurately tracking performance measures. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate its limited resources, or make informed risk management decisions. Thu, 19 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08598.pdf Concerns have grown that terrorists could use radioactive materials and sealed sources (materials sealed in a capsule) to build a "dirty bomb"-- a device using conventional explosives to disperse radioactive material. In 2003, GAO found weaknesses in the Nuclear Regulatory Commission's (NRC) radioactive materials licensing process and made recommendations for improvement. For this report, GAO assesses (1) the progress NRC has made in implementing the 2003 recommendations, (2) other steps NRC has taken to improve its ability to track radioactive materials, (3) Customs and Border Protection's (CBP) ability to detect radioactive materials at land ports of entry, and (4) CBP's ability to verify that such materials are appropriately licensed prior to entering the United States. To perform this work, GAO assessed documents and interviewed NRC and CBP officials in headquarters and in several field locations. NRC has implemented three of the six recommendations in GAO's 2003 report on the security of radioactive sources. It has worked with the 35 states to which it ceded primary authority to regulate radioactive materials and sources and others to (1) identify sealed sources of greatest concern, (2) enhance requirements to secure radioactive sources, and (3) ensure security requirements are implemented. In contrast, NRC has made limited progress toward implementing recommendations to (1) modify its process for issuing licenses to ensure that radioactive materials cannot be purchased by those with no legitimate need for them, (2) determine how to effectively mitigate the potential psychological effects of malicious use of such materials, and (3) examine whether certain radioactive sources should be subject to more stringent regulations. Beyond acting on GAO's recommendations, NRC has also taken four steps to improve its ability to monitor and track radioactive materials. First, NRC created an interim national database to monitor the licensed sealed sources containing materials that pose the greatest risk of being used in a dirty bomb. Second, NRC is developing a National Source Tracking System to replace the interim database and provide more comprehensive, frequently updated information on potentially dangerous sources. However, this system has been delayed by 18 months and is not expected to be fully operational until January 2009. Third, NRC is also developing a Web-based licensing system that will include more comprehensive information on all sources and materials that require NRC or state approval to possess. Finally, NRC is developing a license verification system that will draw information from the other new systems to enable officials and vendors to verify that those seeking to bring these radioactive materials into the country or purchase them are licensed to do so. However, these systems are more than 3 years behind schedule and may not include the licensing information, initially at least, on radioactive materials regulated by agreement states--which represent over 80 percent of all U.S. licenses for such materials. The delays in the deployment and full development of these systems are especially consequential because NRC has identified their deployment as key to improving the control and accountability of radioactive materials. While CBP has a comprehensive system in place to detect radioactive materials entering the United States at land borders, some equipment that is used to protect CBP officers is in short supply. Specifically, vehicles, cargo, and people entering the United States at most ports of entry along the Canadian and Mexican borders are scanned for radioactive materials with radiation detection equipment capable of detecting very small amounts of radiation. However we found that personal radiation detectors are not available to all officers who need them. Moreover, while CBP has systems in place to verify the legitimacy of radioactive materials licenses, it has not effectively communicated to officers at the borders when they must contact officials to verify the license for a given sealed source. Consequently, some CPB officers are not following current guidance, and some potentially dangerous radioactive materials have entered the country without license verification. Thu, 19 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08914t.pdf The Federal Protective Service (FPS) is responsible for providing physical security and law enforcement services to about 9,000 General Services Administration (GSA) facilities. To accomplish its mission of protecting GSA facilities, FPS currently has an annual budget of about $1 billion, about 1,100 employees, and 15,000 contract guards located throughout the country. GAO was asked to provide information and analysis on challenges FPS faces including ensuring that it has sufficient staffing and funding resources to protect GSA facilities and the over one million federal employees as well as members of the public that work in and visit them each year. GAO discusses (1) FPS's operational challenges and actions it has taken to address them, (2) funding challenges, and (3) how FPS measures the effectiveness of its efforts to protect GSA facilities. This testimony is based on our recently issued report (GAO-08-683) to this Subcommittee. FPS faces several operational challenges that hamper its ability to accomplish its mission and the actions it has taken may not fully resolve these challenges. FPS's staff has decreased by about 20 percent from fiscal years 2004 through 2007. FPS has also decreased or eliminated law enforcement services such as proactive patrol in many FPS locations. Moreover, FPS has not resolved longstanding challenges, such as improving the oversight of its contract guard program, maintaining security countermeasures, and ensuring the quality and timeliness of building security assessments (BSA). For example, one regional supervisor stated that while reviewing a BSA for an address he personally visited he realized that the inspector completing the BSA had falsified the information because the inspector referred to a large building when the actual site was a vacant plot of land owned by GSA. To address some of these operational challenges, FPS is currently changing to an inspector based workforce, which seeks to eliminate the police officer position and rely primarily on FPS inspectors for both law enforcement and physical security activities. FPS is also hiring an additional 150 inspectors. However, these actions may not fully resolve the challenges FPS faces, in part because the approach does not emphasize law enforcement responsibilities. Until recently, the security fees FPS charged to agencies have not been sufficient to cover its costs and the actions it has taken to address the shortfalls have had adverse implications. For example, the Department of Homeland Security (DHS) transferred emergency supplemental funding to FPS. FPS restricted hiring and limited training and overtime. According to FPS officials, these measures have had a negative effect on staff morale and are partially responsible for FPS's high attrition rates. FPS was authorized to increase the basic security fee four times since it transferred to DHS in 2003, currently charging tenant agencies 62 cents per square foot for basic security services. Because of these actions, FPS's collections in fiscal year 2007 were sufficient to cover costs, and FPS projects that collections will also cover costs in fiscal year 2008. However, FPS's primary means of funding its operations--the basic security fee--does not account for the risk faced by buildings, the level of service provided, or the cost of providing services, raising questions about equity. Stakeholders also expressed concern about whether FPS has an accurate understanding of its security costs. FPS has developed output measures, but lacks outcome measures to assess the effectiveness of its efforts to protect federal facilities. Its output measures include determining whether security countermeasures have been deployed and are fully operational. However, FPS does not have measures to evaluate its efforts to protect federal facilities that could provide FPS with broader information on program outcomes and results. FPS also lacks a reliable data management system for accurately tracking performance measures. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate its limited resources, or make informed risk management decisions. Wed, 18 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08533t.pdf U.S. Customs and Border Protection (CBP), within the Department of Homeland Security (DHS), is responsible for preventing weapons of mass destruction from entering the United States in cargo containers that are shipped from more than 700 foreign seaports. The Security and Accountability for Every (SAFE) Port Act calls for testing the feasibility of scanning 100 percent of U.S.-bound cargo containers, and the Implementing Recommendations of the 9/11 Commission Act (9/11 Act) requires scanning 100 percent of U.S.-bound cargo containers by 2012. To fulfill these requirements, CBP created the Secure Freight Initiative (SFI) and has initiated a pilot program at seven seaports. This testimony discusses challenges related to the SFI pilot program and implementation of the requirement to scan 100 percent of U.S.-bound container cargo. This testimony is based on GAO products issued from July 2003 through April 2008 and ongoing work. To conduct this work, GAO reviewed reports from CBP and international partners on SFI and other container security programs, and interviewed CBP and foreign customs officials. GAO identified challenges in nine areas that are related to the continuation of the SFI pilot program and the longer-term 100 percent scanning requirement: (1) Workforce planning: The SFI pilot program could generate an increased quantity of scan data. Therefore, more CBP officers will be required to review and analyze data for participating seaports. (2) Host nation examination practices: The SAFE Port and 9/11 Acts require DHS to develop standards for the scanning systems, but CBP lacks information on host nation equipment and practices. (3) Measuring performance: CBP has had difficulties defining performance measures for its container security programs; therefore, it will be difficult to assess if 100 percent scanning achieves increased security. (4) Resource responsibilities: Neither the SAFE Port Act nor the 9/11 Act specifies whether the United States would bear the costs of implementing 100 percent scanning. (5) Logistics: Space constraints can require seaports to place scanning equipment miles from where cargo containers are stored, and some containers are only available for scanning for a short period of time and may be difficult to access. (6) Technology and infrastructure: Environmental conditions can damage equipment and cause delays, and infrastructure capacity and equipment compatibility have presented difficulties in the SFI pilot program. (7) Use and ownership of data: Legislation specifies that scan data should be available to CBP officials, but the data are often generated and collected by foreign seaports and, in some cases, will require international agreements for transfer to CBP officials. (8) Consistency with risk management: International partners state that 100 percent scanning is inconsistent with accepted risk management principles and diverts resources away from other security threats. (9) Reciprocity and trade concerns: Foreign governments could call for reciprocity of 100 percent scanning, requiring the United States to scan cargo containers, and some view this requirement as a barrier to trade. Thu, 12 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08768.pdf Hurricane Katrina illustrated that effective preparation and response to a catastrophe requires a joint effort between federal, state, and local government. The Department of Homeland Security (DHS), through the Federal Emergency Management Agency (FEMA), is responsible for heading the joint effort. In January 2008, DHS released the National Response Framework (NRF), a revision of the 2004 National Response Plan (2004 Plan), the national preparation plan for all hazards. In response to the explanatory statement to the Consolidated Appropriations Act of 2008 and as discussed with congressional committees, this report evaluates the extent to which (1) DHS collaborated with non-federal stakeholders in revising and updating the 2004 Plan into the 2008 NRF and (2) FEMA has developed policies and procedures for managing future NRF revisions. To accomplish these objectives, GAO reviewed DHS and FEMA documents related to the revision process, analyzed the relevant statutes, and interviewed federal and non-federal officials who held key positions in the revision process. While DHS included non-federal stakeholders--state, local, and tribal governments, nongovernmental organizations, and the private sector--in the initial and final stages of revising the 2004 Plan into the NRF, it did not collaborate with these stakeholders as fully as it originally planned or as required by the October 2006 Post-Katrina Emergency Management Reform Act (Post-Katrina Act). As the revision process began in 2006, DHS involved both federal and non-federal stakeholders by soliciting and incorporating their input in determining the key revision issues and developing the first draft in April 2007. However, after this first draft was completed, DHS deviated from its revision work plan by conducting a closed, internal federal review of the draft rather than releasing it for stakeholder comment because the draft required further modifications DHS considered necessary. DHS limited communication with non-federal stakeholders until it released a draft for public comment 5 months later on September 10, 2007. The following day, non-federal stakeholders testified at a congressional hearing that DHS had shut them out during that 5-month period. In addition, the Post-Katrina Act required that DHS establish a National Advisory Council (NAC) for the FEMA Administrator by December 2006 to, among other things, incorporate nonfederal stakeholders' input in the revision process. However, FEMA stated the necessary time to select quality NAC members required additional time, and FEMA did not announce the NAC's membership until June 2007. The NAC did not provide comments on a revision draft until one month before DHS publicly released the final NRF in January 2008. FEMA anticipates that the NRF will be revised in the future; however, FEMA does not have policies or procedures in place to guide this process or ensure a collaborative partnership with stakeholders. FEMA has emphasized the importance of partnering with relevant stakeholders to effectively prepare for and respond to major and catastrophic disasters, and the Congress, through the Post-Katrina Act, requires such partnership. In addition, the Standards for Internal Controls in the Federal Government calls for policies and procedures that establish regular communication with stakeholders and monitor performance over time as essential for achieving desired program goals. Furthermore, previous GAO work on the Department of Defense's civil support plans and the administration's national pandemic influenza implementation plan has shown the need for participation of state and local jurisdictions in emergency planning. Especially in view of a new administration, the experience of the previous revision process illustrates the importance of collaborating with stakeholders in revising a plan that relies on them for its successful implementation. While the NRF is published by DHS, it belongs to the nation's emergency response community. Developing such policies and procedures is essential for ensuring that FEMA attains the Post- Katrina Act's goal of partnering with non-federal stakeholders in building the nation's emergency management system, including the periodic review and revision of the NRF. Wed, 11 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08868t.pdf The Homeland Security Act was enacted in November 2002, creating the Department of Homeland Security (DHS) to improve homeland security following the September 11, 2001, terrorist attacks on the United States. The act centralized the leadership of many homeland security activities under a single federal department and, accordingly, DHS has the dominant role in implementing this national strategy. This testimony discusses the status of DHS's actions in fulfilling its responsibilities to (1) establish policies to define roles and responsibilities for national emergency preparedness efforts and prepare for the transition between presidential administrations, and (2) develop operational plans and performance metrics to implement these roles and responsibilities and coordinate federal resources for disaster planning and response. This testimony is based on prior GAO work performed from September 2006 to June 2008 focusing on DHS's efforts to address problems identified in the many post-Katrina reviews. DHS has taken several actions to define national roles and responsibilities and capabilities for emergency preparedness efforts in key policy documents and has begun preparing for the upcoming transition between presidential administrations. DHS prepared initial versions of key policy documents that describe what should be done and by whom (National Response Plan in 2004), how it should be done (the National Incident Management System in 2004) and how well it should be done (the interim National Preparedness Goal in 2005). DHS subsequently developed and issued revisions to these documents to improve and enhance its national-level policies, such as the National Preparedness Guidelines in 2007 which was the successor to the interim National Preparedness Goal. Most recently, DHS developed the National Response Framework (NRF), the successor to the National Response Plan, which became effective in March 2008. This framework describes the doctrine that guides national response actions and the roles and responsibilities of officials and entities involved in response efforts. Clarifying roles and responsibilities will be especially critical as a result of the coming change in administrations and the associated transition of key federal officials with homeland security preparedness and response roles. To cope with the absence of many political appointed executives from senior roles, DHS has designated career executives to carry out specific responsibilities in the transition between presidential administrations and recently provided information to this Committee on its transition plans. To assist in planning to execute an efficient and effective administration transition, DHS has also contracted with the Council for Excellence in Government to identify key roles and responsibilities for the Department and its homeland security partners for responding to disasters during the transition between administrations. DHS is still developing operational plans to guide other federal agencies' response efforts and metrics for assessing federal capabilities. Two essential supplements to the new National Response Framework--response guides for federal partners and an integrated planning system--are still under development. Also, DHS is still establishing a process to measure the nation's overall preparedness based on a list of targeted capabilities and has not yet completed an inventory of all federal response capabilities. The measures and metrics associated with these targeted capabilities are not standards, but serve as guides for planning, training, and exercise activities. However, DHS policy does not direct development of these capabilities to address national priorities for federal agencies. For example, for the national priority to "Strengthen Interoperable and Operable Communications Capabilities" the National Preparedness Guidelines state that communications capabilities are developed to target levels in the states, tribal areas, territories, and designated urban areas that are consistent with measures and metrics established for targeted capabilities; federal agencies' interoperability is not addressed. Wed, 11 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08683.pdf In 2003, the Federal Protective Service (FPS) transferred from the General Services Administration (GSA) to the Department of Homeland Security (DHS). FPS provides physical security and law enforcement services to about 9,000 GSA facilities. To accomplish its mission of protecting GSA facilities, FPS currently has an annual budget of about $1 billion, 1,100 employees, and 15,000 contract guards located throughout the country. Recently, FPS has faced several challenges protecting GSA facilities and federal employees. This report provides information and analysis on (1) FPS's operational challenges and actions it has taken to address them, (2) funding challenges FPS faces and actions it has taken to address them, and (3) how FPS measures the effectiveness of its efforts to protect GSA facilities. To address these objectives, we conducted site visits at 7 of FPS's 11 regions and interviewed FPS, GSA, tenant agencies, and local law enforcement officials. FPS faces several operational challenges that hamper its ability to accomplish its mission, and the actions it has taken may not fully resolve these challenges. FPS's staff decreased by about 20 percent between fiscal years 2004 and 2007. FPS has managed the decreases in its staffing resources in a manner that has diminished security at GSA facilities and increased the risk of crime or terrorist attacks at many GSA facilities. For example, with the exception of a few locations, FPS no longer provides proactive patrols at GSA facilities to detect and prevent criminal incidents and terrorism-related activities. FPS also continues to face problems with managing its contract guard program and ensuring that security countermeasures, such as security cameras and magnetometers, are operational. For example, according to FPS, it has investigated significant crimes at multiple high-risk facilities, but the security cameras installed in those buildings were not working properly, preventing FPS investigators from identifying the suspects. To address some of its operational challenges, FPS is moving to an inspector-based workforce, which seeks to eliminate the police officer position and rely primarily on FPS inspectors for both law enforcement and physical security activities. FPS believes that this change will ensure that its staff has the right mix of technical skills and training needed to accomplish its mission. FPS is also hiring an additional 150 inspectors and developing a new system for completing building security assessments. However, these actions may not fully resolve FPS's operational challenges because, for example, inspectors might not be able to fulfill both law enforcement and physical security roles simultaneously. FPS also faces funding challenges, and the actions it has taken to address them have had some adverse implications. To fund its operations, FPS charges each tenant agency fees for its security services. In fiscal years 2005 and 2006, FPS's projected expenses exceeded its collections and DHS had to transfer funds to make up the difference. FPS also instituted cost-saving measures such as restricting hiring and travel and limiting training and overtime. According to FPS, these measures have affected staff morale, safety and increased attrition. FPS has been authorized to increase the basic security fee four times since it transferred to DHS, currently charging tenant agencies 62 cents per square foot for basic security services. Because of these actions, FPS's collections in fiscal year 2007 were sufficient to cover costs, and FPS projects that collections will also cover costs in fiscal year 2008. However, FPS's primary means of funding its operations--the basic security fee--does not account for the risk faced by specific buildings, the level of service provided, or the cost of providing services, raising questions about equity. Several stakeholders also expressed concern about whether FPS has an accurate understanding of its costs to provide security at federal facilities. FPS has developed output measures, but lacks outcome measures to assess the effectiveness of its efforts to protect federal facilities. Its output measures include determining whether security countermeasures have been deployed and are fully operational. However, FPS has not developed outcome measures to evaluate its efforts to protect federal facilities that could provide FPS with broader information on program results. FPS also lacks a reliable data management system for accurately tracking performance measures. Wed, 11 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08869t.pdf In fiscal year 2007, Department of Homeland Security's (DHS) U.S. Immigration and Customs Enforcement (ICE) detained over 311,000 aliens, with an average daily population of over 30,000 and an average length of stay of about 37 days in one of approximately 300 facilities. The care and treatment of aliens while in detention is a significant challenge to ICE, as concerns continue to be raised by members of Congress and advocacy groups about the treatment of the growing number of aliens while in ICE's custody. This testimony focuses on (1) the extent to which 23 facilities complied with medical care standards, (2) deficiencies found during ICE's annual compliance inspection reviews, and (3) the types of complaints filed by alien detainees about detention conditions. This testimony is based on GAO's July 2007 report evaluating, among other things, the extent to which 23 facilities complied with aspects of eight of ICE's 38 National Detention Standards. This report did not address quality of care issues. At the time of its visits, GAO observed instances of noncompliance with ICE's medical care standards at 3 of the 23 facilities visited. These instances related to staff not administering a mandatory 14-day physical exam to approximately 260 detainees, not administering medical screenings immediately upon admission, and first aid kits not being available as required. However, these instances did not show a pervasive or persistent pattern of noncompliance across all 23 facilities. Officials at some facilities told GAO that meeting the specialized medical and mental health needs of detainees had been challenging, citing difficulties they had experienced in obtaining ICE approval for outside nonroutine medical and mental health care. On the other hand, GAO observed instances where detainees were receiving specialized care at the facilities visited. At the time of its study, GAO reviewed the most recently available ICE annual inspection reports for 20 of the 23 detention facilities that it visited; these reports showed that ICE reviewers had identified a total of 59 instances of noncompliance with National Detention Standards, 4 of which involved medical care. One facility had sick call request forms that were available only in English whereas the population was largely Spanish speaking. Another did not maintain alien medical records on-site. One facility's staff failed to obtain informed consent from the detainee when prescribing psychiatric medication. Finally, another facility did not have medical staff on-site to screen detainees arriving after 5 p.m. and did not have a properly locked medical cabinet. GAO did not determine whether these instances of noncompliance were subsequently corrected as required. The types of grievances at the facilities GAO visited typically included the lack of timely response to requests for medical treatment, missing property, high commissary prices, poor food quality and insufficient food quantity, high telephone costs, problems with telephones, and questions concerning detention case management issues. ICE's detainee grievance standard states that facilities shall establish and implement procedures for informal and formal resolution of detainee grievances. Four of the 23 facilities GAO visited did not comply with all aspects of ICE's detainee grievance standards. For example, one facility did not properly log all grievances that GAO found in their facility files. Detainee complaints may also be filed with several governmental and nongovernmental organizations. The primary way for detainees to file complaints is to contact the DHS Office of Inspector General (OIG). About 11 percent of detainee complaints to the OIG between 2005 and 2006 involved medical treatment issues. However, we found that the OIG complaint hotline 1-800 number was blocked or otherwise restricted at 12 of the facilities we tested. OIG investigates the most serious complaints and refers the remainder to other DHS components. GAO could not determine the number of cases referred to ICE's Detention Removal Office and concluded that ICE's detainee complaint database was not sufficiently reliable. Wed, 04 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08610.pdf Following the World Trade Center (WTC) attack, the Congress appropriated more than $8 billion to the Department of Homeland Security's (DHS) Federal Emergency Management Agency for response and recovery activities. The Department of Health and Human Services (HHS) received some of this funding to establish health screening and monitoring programs for responders to the disaster and later received additional appropriations to fund treatment. In total, about $369.2 million has been appropriated or awarded for the WTC health programs. GAO previously reported on problems that these programs have had in ensuring the availability of services for all responders. GAO was asked to examine lessons from the WTC health programs that could guide future programs. GAO examined (1) lessons from the programs' experience and (2) HHS actions or plans that incorporate the lessons. GAO interviewed WTC health program officials and other experts and reviewed DHS and HHS documents. GAO identified five important lessons from the experience of the WTC health programs that could help with the development of responder health programs in the event of a future disaster. First, registering all responders during a response to a disaster could improve implementation of screening and monitoring services. Second, designing and implementing screening and monitoring programs that foster the ability to conduct epidemiologic research could improve the understanding of health effects experienced by responders and help determine the need for ongoing monitoring. Third, providing timely mental health screening and monitoring that is integrated with physical health screening and monitoring could improve the ability to accurately diagnose physical and mental health conditions and prevent more serious mental health conditions from developing. Fourth, including a treatment referral process in screening and monitoring programs could improve the ability of responders to gain access to needed treatment. Fifth, making comparable services available to all responders, regardless of their employer or geographic location, could ensure more equitable access to services for responders and help ensure that data collected about responders' health are consistent and comprehensive. HHS has taken steps to facilitate responder registration, but has not developed a department-level plan for responder health programs. HHS's Agency for Toxic Substances and Disease Registry has developed a survey instrument that state and local entities can adopt to register responders and other individuals exposed to a disaster. In a separate effort, HHS's Office of the Assistant Secretary for Preparedness and Response is taking steps to establish a system to register HHS employees and other federal public health and medical personnel who are deployed to a disaster, but it has not completed this effort. HHS has not developed a department-level plan for designing and implementing responder health programs that incorporates the five lessons from the WTC health programs. As a result, HHS has not indicated whether its policies and actions following a disaster or emergency would apply these lessons. Another consequence of not having a plan is that HHS has not described its components' roles and responsibilities for designing and implementing responder health programs. It has not identified which HHS components would be involved in responder health programs, which component would take the lead, how the expertise of various components would be used, or how efforts would be coordinated. In the absence of a department-level plan, HHS's National Institute for Occupational Safety and Health developed a proposal in February 2008 for a project to develop strategies to ensure responder safety and health. While GAO concluded that this proposal is a step in the right direction for addressing responder health issues, it noted that the proposal does not fully address the lessons that have been identified from the WTC health programs. Fri, 30 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08821t.pdf DHS is proposing to move foot-and mouth disease (FMD) research from its current location at the Plum Island Animal Disease Center--located on a federally owned island off the northern tip of Long Island, New York--and potentially onto the United States mainland. FMD is the most highly infectious animal disease that is known. Nearly 100 percent of exposed animals become infected. A single outbreak of FMD on the U.S. mainland could have significant economic consequences. Concerns have been raised about moving FMD research off its island location and onto the U.S. mainland--where it would be in closer proximity to susceptible animal populations--as opposed to building a new facility on the island. GAO was asked to evaluate the evidence DHS used to support its decision that FMD work can be done safely on the U.S. mainland, whether an island location provides any additional protection over and above that provided by modern high containment laboratories on the mainland, and the economic consequences of an FMD outbreak on the U.S. mainland. In preparing this testimony, GAO interviewed officials from DHS and USDA, talked with experts in FMD and high-containment laboratories worldwide, and reviewed studies on FMD, high-containment laboratories, and the economic consequences of FMD outbreaks. GAO also visited the Plum Island Animal Disease Center and other animal biocontainment laboratories in other countries. GAO found that the Department of Homeland Security (DHS)has neither conducted nor commissioned any study to determine whether work on foot-and-mouth disease (FMD) can be done safely on the U.S. mainland. Instead, in deciding that work with FMD can be done safely on the mainland, DHS relied on a 2002 U.S. Department of Agriculture (USDA) study that addressed a different question. The study did not assess the past history of releases of FMD virus or other dangerous pathogens in the United States or elsewhere. It did not address in detail the issues of containment related to large animal work in BSL-3 Ag facilities. It was inaccurate in comparing other countries' FMD work experience with that of the United States. Therefore, GAO believes DHS does not have evidence to conclude that FMD work can be done safely on the U.S. mainland. While location, in general, confers no advantage in preventing a release, location can help prevent the spread of pathogens and, thus, a resulting disease outbreak if there is a release. Given that there is always some risk of a release from any biocontainment facility, most experts GAO spoke with said that an island location can provide additional protection. An island location can help prevent the spread of FMD virus along terrestrial routes, such as from vehicles splashed with contaminated mud, and may also reduce airborne transmission. Some other countries besides the United States have historically seen the benefit of an island location, with its remoteness from susceptible species and permanent water barriers. A recent release from the Pirbright facility--located in a farming community on the mainland of the United Kingdom--highlights the risks of a release from a laboratory that is in close proximity to the susceptible animals and provides the best evidence in favor of an island location. FMD has no health implications for humans, but it can have significant economic consequences, as recent outbreaks in the United Kingdom have demonstrated. The economic effects of an FMD outbreak in the United States, however, would depend on the characteristics of the outbreak and how producers, consumers, and the government responded to it. Although estimates vary, experts agree that the economic consequences of an FMD outbreak on the U.S. mainland could be significant, especially for red meat producers whose animals would be at risk for diseases, depending on how and where such an outbreak occurred. Thu, 22 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08757.pdf From January 2003 to September 2007, GAO testified before the Committee on three occasions to describe security vulnerabilities that terrorists could exploit to enter the country. GAO's first two testimonies focused on covert testing at ports of entry--the air, sea, and land locations where international travelers can legally enter the United States. In its third testimony, GAO focused on limited security assessments of unmanned and unmonitored border areas between land ports of entry. GAO was asked to summarize the results of covert testing and assessment work for these three testimonies. This report discusses the results of testing at land, sea, and air ports of entry; however, the majority of GAO's work was focused on land ports of entry. The unmanned and unmonitored border areas GAO assessed were defined as locations where the government does not maintain a manned presence 24 hours per day or where there was no apparent monitoring equipment in place. GAO assessed a nonrepresentative selection of these locations and did not attempt to evaluate all potential U.S. border security vulnerabilities. Further, GAO's work was limited in scope and cannot be projected to represent systemic weaknesses. In response to this report, DHS provided a written update on numerous border protection efforts it has taken to enhance border security since 2003. GAO did not attempt to verify the information provided by DHS, but has included the response in this report. GAO investigators identified numerous border security vulnerabilities, both at ports of entry and at unmanned and unmonitored land border locations between the ports of entry. In testing ports of entry, undercover investigators carried counterfeit drivers' licenses, birth certificates, employee identification cards, and other documents, presented themselves at ports of entry and sought admittance to the United States dozens of times. They arrived in rental cars, on foot, by boat, and by airplane. They attempted to enter in four states on the northern border (Washington, New York, Michigan, and Idaho), three states on the southern border (California, Arizona, and Texas), and two other states requiring international air travel (Florida and Virginia). In nearly every case, government inspectors accepted oral assertions and counterfeit identification provided by GAO investigators as proof of U.S. citizenship and allowed them to enter the country. In total, undercover investigators made 42 crossings with a 93 percent success rate. On several occasions, while entering by foot from Mexico and by boat from Canada, investigators were not even asked to show identification. For example, at one border crossing in Texas in 2006, an undercover investigator attempted to show a Customs and Border Protection (CBP) officer his counterfeit driver's license, but the officer said, "That's fine, you can go" without looking at it. As a result of these tests, GAO concluded that terrorists could use counterfeit identification to pass through most of the tested ports of entry with little chance of being detected. In its most recent work, GAO shifted its focus from ports of entry and primarily performed limited security assessments of unmanned and unmonitored areas between ports of entry. The names of the states GAO visited for this limited security assessment have been withheld at the request of CBP. In four states along the U.S.-Canada border, GAO found state roads that were very close to the border that CBP did not appear to monitor. In three states, the proximity of the road to the border allowed investigators to cross undetected, successfully simulating the cross-border movement of radioactive materials or other contraband into the United States from Canada. For example, in one apparently unmanned, unmonitored area on the northern border, the U.S. Border Patrol was alerted to GAO's activities through the tip of an alert citizen. However, the responding U.S. Border Patrol agents were not able to locate the investigators and their simulated contraband. Also on the northern border, GAO investigators located several ports of entry in one state on the northern border that had posted daytime hours and were unmanned overnight. Investigators observed that surveillance equipment was in operation, but that the only preventive measure to stop an individual from crossing the border into the United States was a barrier across the road that could be driven around. GAO also identified potential security vulnerabilities on federally managed lands adjacent to the U.S.-Mexico border. GAO concluded that CBP faces significant challenges on the northern border, and that a determined cross-border violator would likely be able to bring radioactive materials or other contraband undetected into the United States by crossing the U.S.-Canada border at any of the assessed locations. Fri, 16 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08765t.pdf The Department of Homeland Security (DHS) has relied on service acquisitions to meet its expansive mission. In fiscal year 2006, DHS spent $12.7 billion to procure services. To improve service acquisition outcomes, federal procurement policy establishes a preference for a performance-based approach, which focuses on developing measurable outcomes rather than prescribing how contractors should perform services. This testimony focuses on how contract outcomes are influenced by how well DHS components have defined and developed contract requirements and performance standards, as well as the need for improved assessment and oversight to ensure better acquisition outcomes. GAO's statement is based on its report being released today, which reviewed judgmentally selected contracts for eight major investments at three DHS components--the Coast Guard, Customs and Border Protection (CBP), and the Transportation Security Administration (TSA)-- totaling $1.53 billion in fiscal years 2005 and 2006; prior GAO and DHS Inspector General reviews; management documents and plans; and related data, including 138 additional contracts, primarily for basic services from the Coast Guard, CBP, TSA, and Immigration and Customs Enforcement. Over the past several years, GAO has found that appropriate planning, structuring, and monitoring of agency service acquisitions, including those that are performance-based, can help minimize the risk of cost overruns, delayed delivery, and unacceptably quality. Several prior GAO and DHS Inspector General reviews of major DHS investments using a performance-based approach point to such shortcomings. While all of the contracts GAO reviewed at the Coast Guard, CBP, and TSA had outcome-oriented requirements, contracts for four of the eight investments did not have well-defined requirements, or a complete set of measurable performance standards, or both at the time of contract award or start of work. These service contracts experienced cost overruns, schedule delays, or did not otherwise meet performance expectations. In contrast, contracts for the other four investments had well-defined requirements linked to measurable performance standards and met the standards for contracts that had begun work. In managing its service acquisitions, including those that are performance-based, DHS has faced oversight challenges that have limited its visibility over service acquisitions and its ability to make informed acquisition management decisions. Notably, the department lacks reliable data on performance-based service acquisitions. About half of the 138 contracts identified by DHS as performance-based had none of the elements DHS requires for such contracts: a performance work statement, measurable performance standards, or a quality assurance surveillance plan. Such inaccurate data limit DHS's ability to perform management assessments of these acquisitions. In addition, the Chief Procurement Officer, who is responsible for departmentwide procurement oversight, has not conducted management assessments of performance-based service acquisitions. To help DHS improve outcomes for its service acquisitions, including those that are performance-based, GAO recommended that DHS routinely assess requirements for complex investments to ensure that they are well-defined, and develop consistently measurable performance standards linked to those requirements. GAO also recommended that DHS systematically evaluate the outcomes of major investments and relevant contracting methods and improve the quality of data to facilitate identifying and assessing the use of various contracting methods. DHS generally concurred with GAO's recommendations, noting some departmental initiatives to improve acquisition management. Thu, 08 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08240.pdf U.S. Customs and Border Protection (CBP) is responsible for ensuring the security of cargo containers shipped into the United States. To strike a balance between security and commerce, CBP oversees the Customs-Trade Partnership Against Terrorism, or C-TPAT program. As part of this program, CBP aims to secure the supply chain--the flow of goods from manufacturers to retailers--through partnerships with international trade companies. Member companies agree to allow CBP to validate their security practices and, in exchange, they are awarded benefits, such as reduced scrutiny of their cargo. In 2005, GAO reviewed the C-TPAT program and noted operational challenges. For this report, GAO was asked to assess the progress CBP has made since 2005 in (1) improving its benefit award policies for C-TPAT members, (2) addressing challenges in validating members' security practices, and (3) addressing management and staffing challenges. To perform this work, GAO analyzed a nonprobability sample of completed validations; reviewed annual, human capital, and strategic plans; and held discussions with CBP officials. CBP has strengthened its policies for granting benefits to importers, C-TPAT's largest member sector, and is working to improve its policies for members in other trade sectors. For example, starting in March 2005, CBP began requiring members in 9 out of the 10 trade sectors to meet minimum security criteria and it plans to finalize criteria for the tenth trade sector by mid-2008. CBP has also introduced a process that awards benefits for C-TPAT importers on a three-tiered basis, depending on validation of their security practices. CBP officials told us that they interpret the benefit tiering provisions of the Security and Accountability for Every Port Act of 2006 to apply mainly to importers. Nevertheless, CBP considered implementing tiered benefits for these other trade sectors, but it has not been able to identify additional benefits to offer nonimporters in a tiered structure. CBP has taken steps to improve the security validation process, but still faces challenges in verifying that C-TPAT members' security practices meet minimum criteria. CBP has sought to strengthen the validation process by providing appropriate guidance and developing a portable, electronic instrument to help ensure that validation information is consistently collected, documented, and uniformly applied to decisions regarding the awarding of benefits to C-TPAT members. However, the usefulness of the instrument is limited due to its default "no" responses. Specifically, if a response is marked "no," it is unclear whether a security specialist, who has the discretion to answer or not answer individual questions, intentionally answered the question or if the response was an automatic default. This factor limits the ability of CBP to validate security practices at member companies. CBP has taken actions to address C-TPAT management and staffing challenges, such as implementing a human capital plan, a records management system, and performance measures. While these actions have addressed a number of challenges, others remain. In particular, CBP's records management system does not include interim processing dates--such as the date that security specialists send companies the 30-day validation notification letter--to enable management or others to determine CBP's compliance with program requirements. Further, although CBP has developed performance measures for facilitating the flow of commerce, it has not developed performance measures to assess the effectiveness of C-TPAT's efforts to improve supply chain security. Fri, 25 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08263.pdf The Department of Homeland Security (DHS) has relied on service acquisitions to meet its expansive mission. In fiscal year 2006, DHS spent $12.7 billion to procure services. To improve service acquisition outcomes, federal procurement law establishes a preference for a performance-based approach, which focuses on developing measurable outcomes rather than prescribing how contractors should perform services. GAO was asked to (1) evaluate the implementation of a performance-based approach in the context of service acquisitions for major, complex investments, and (2) identify management challenges that may affect DHS's successful acquisitions for major investments, including those using a performance-based approach. GAO reviewed judgmentally selected contracts for eight major investments at three DHS components totaling $1.53 billion in fiscal years 2005 and 2006; prior GAO and DHS Inspector General reviews; management documents and plans; and related data, including 138 additional contracts for basic services. All service contracts for the eight major, complex investments GAO reviewed had outcome-oriented requirements; however, four of these contracts did not have well-defined requirements, a complete set of measurable performance standards, or both. These service contracts experienced cost overruns, schedule delays, or did not otherwise meet performance expectations. In contrast, service contracts for the other four investments GAO reviewed had well-defined requirements linked to measurable performance standards. Contractors had begun work on three of these four contracts and performed within budget meeting the standards. This finding is consistent with prior GAO work on service acquisitions, which has highlighted the criticality of sound acquisition planning to develop well-defined requirements and measurable performance standards to achieving desired outcomes. In the four cases that had negative outcomes, program officials identified the contractor performance weaknesses through quality assurance surveillance and took corrective actions. Prior GAO work has found that if acquisitions, including those that are performance-based, are not appropriately planned, structured, and monitored, there is an increased risk that the government may receive products or services that are over budget, delivered late, and of unacceptable quality. In managing its service acquisitions, including those that are performance based, DHS has faced workforce and oversight challenges. Prior GAO work has highlighted the importance of having the right people with the right skills to achieve successful acquisition outcomes. Contracts for two major investments with negative cost and schedule outcomes did not have the staff needed to adequately plan and execute the contracts. Further, while representatives for several of the contracts GAO reviewed indicated that contracting and program staff worked well together, some senior acquisition representatives at the component level indicated that a lack of collaboration between these key stakeholders has been a challenge when developing and managing complex service acquisitions. In terms of oversight, component contracting and program officials said they used a performance-based approach to the maximum extent practicable; however, DHS does not have reliable data to facilitate required reporting, informed decisions, and analyzing acquisition outcomes. GAO's review also found that about half of an additional 138 contracts for basic services identified as performance-based did not have any of the elements intended to foster good outcomes: a performance work statement, measurable performance standards, and a quality assurance surveillance plan. DHS's Chief Procurement Officer (CPO)--who is responsible for departmentwide oversight of acquisitions--has several efforts under way to address some of these workforce and oversight issues. One initiative is an acquisition oversight program that is intended to assess (1) compliance with federal acquisition guidance, (2) contract administration, and (3) business judgment. However, this oversight program has not yet included an evaluation of the outcomes of contracting methods such as performance-based service acquisition. Tue, 22 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08636t.pdf Following the September 11 terrorist attacks, state and local governments formed fusion centers, collaborative efforts to detect, prevent, investigate, and respond to criminal or terrorist activity. Recognizing that the centers are a critical mechanism for sharing information, the federal government--including the Department of Homeland Security (DHS), Department of Justice (DOJ), and the Program Manager for the Information Sharing Environment (PM-ISE), which has primary responsibility for governmentwide information sharing--is taking steps to partner with fusion centers. This testimony focuses on (1) the characteristics of fusion centers as of September 2007 and (2) federal efforts to help alleviate challenges centers identified. This testimony is based on GAO's October 2007 report on 58 fusion centers and related federal efforts to support them as well as updated information GAO obtained in March 2008 by reviewing plans describing selected federal efforts and attending the second annual national fusion center conference. Almost all states and several local governments have established or are in the process of establishing fusion centers that vary in their characteristics. Centers were generally established to address gaps in information sharing, and the majority of the centers GAO contacted had adopted broad missions that could include both counterterrorism and law enforcement-related information. While law enforcement entities, such as state police, are the lead or managing agencies in the majority of the centers GAO contacted, the centers varied in their staff sizes and partnerships with other agencies. The majority of the operational fusion centers GAO contacted had federal personnel, including from DHS or the Federal Bureau of Investigation (FBI), assigned to them as of September 2007. DHS and DOJ have several efforts under way that begin to address challenges fusion center officials identified. DHS and DOJ have provided many fusion centers access to their information systems, but fusion center officials cited challenges accessing and managing multiple information systems. Both DHS and the FBI have provided security clearances for state and local personnel and set timeliness goals for granting clearances. However, officials cited challenges obtaining and using clearances. DHS, DOJ, and the PM-ISE have also taken steps to develop guidance and provide technical assistance to fusion centers, for instance, by issuing guidelines for establishing and operating centers. However, officials at 21 centers cited challenges with the availability of training for mission-specific issues. DHS and DOJ have continued providing a technical assistance program for fusion centers and disseminated a baseline capabilities draft in March 2008 that outlines minimum operational standards for fusion centers. While this support and guidance is promising, it is too soon to determine the extent to which it will address challenges identified by officials contacted. Finally, officials in 43 of the 58 fusion centers contacted reported facing challenges related to obtaining personnel, and officials in 54 centers reported challenges with funding, some of which affected these centers' sustainability. To support fusion centers, both DHS and the FBI have assigned, and continue to assign, personnel to the centers. To help address funding issues, DHS has provided funding for fusion-center related activities. The National Strategy for Information Sharing, issued in October 2007 by the President, states that the federal government will support the establishment of fusion centers and help sustain them through grant funding, technical assistance, and training. However, some fusion center officials raised concerns about how specifically the federal government was planning to assist state and local governments to sustain fusion centers as it works to incorporate fusion centers into the ISE and to implement the strategy. Thu, 17 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08627sp.pdf From the terrorist attacks of September 11, 2001, to Hurricane Katrina, homeland security risks vary widely. The nation can neither achieve total security nor afford to protect everything against all risks. Managing these risks is especially difficult in today's environment of globalization, increasing security interdependence, and growing fiscal challenges for the federal government. It is increasingly important that organizations effectively target homeland security funding--totaling nearly $65 billion in 2008 federal spending alone--to address the nation's most critical priorities. GAO convened a forum of experts on October 25, 2007, to advance a national dialogue on applying risk management to homeland security. Broadly defined, risk management is a process that helps policymakers assess risk, strategically allocate finite resources, and take actions under conditions of uncertainty. Participants included federal, state, and local officials and risk management experts from the private sector and academia. The forum addressed effective practices, challenges federal agencies face in applying risk management to homeland security, and actions that can strengthen homeland security risk management. Comments expressed during the proceedings do not necessarily represent the views of any one participant, the organizations they represent, or GAO. Participants reviewed a draft of this report and their comments were incorporated, as appropriate. Forum participants discussed risk management practices currently used or being considered in the private and public sectors, such as the position of chief risk officer (CRO). Private sector CROs communicate information about risks to the business executives responsible for mitigating risks and steer mitigation efforts. A government CRO could address the need forleadership in public sector risk management initiatives, such as improving emergency response and disaster recovery efforts. Participants also noted differences between t