This page lists reports and testimonies related to terrorism issued since April 1979. http://www.gao.gov/docsearch/featured/terrorism.html Mon, 23 Nov 2009 01:09:23 -0500 GAO http://www.gao.gov/images/title_object.jpg http://www.gao.gov/ Feed provided by GAO. Click to visit. http://www.gao.gov/new.items/d10230t.pdf Pervasive and sustained cyber attacks continue to pose a potentially devastating threat to the systems and operations of the federal government. In recent months, federal officials have cited the continued efforts of foreign nations and criminals to target government and private sector networks; terrorist groups have expressed a desire to use cyber attacks to target the United States; and press accounts have reported attacks on the Web sites of government agencies. The ever-increasing dependence of federal agencies on computerized systems to carry out essential, everyday operations can make them vulnerable to an array of cyber-based risks. Thus it is increasingly important for the federal government to have effective information security controls in place to safeguard its systems and the information they contain. GAO was asked to provide a statement describing (1) cyber threats to federal information systems and cyber-based critical infrastructures, (2) control deficiencies at federal agencies that make these systems and infrastructures vulnerable to cyber threats, and (3) opportunities that exist for improving federal cybersecurity. In preparing this statement, GAO relied on its previously published work in this area. Cyber-based threats to federal systems and critical infrastructure are evolving and growing. These threats can be unintentional or intentional, targeted or non-targeted, and can come from a variety of sources, including criminals, terrorists, and adversarial foreign nations, as well as hackers and disgruntled employees. These potential attackers have a variety of techniques at their disposal, which can vastly enhance the reach and impact of their actions. For example, cyber attackers do not need to be physically close to their targets, their attacks can easily cross state and national borders, and cyber attackers can more easily preserve their anonymity. Further, the growing interconnectivity between information systems, the Internet, and other infrastructure presents increasing opportunities for such attacks. In addition, reports of security incidents from federal agencies are on the rise, increasing by over 200 percent from fiscal year 2006 to fiscal year 2008. Compounding the growing number and kinds of threats, GAO--along with agencies and their inspectors general--has identified significant weaknesses in the security controls on federal information systems, resulting in pervasive vulnerabilities. These include deficiencies in the security of financial systems and information and vulnerabilities in other critical federal information systems. GAO has identified weaknesses in all major categories of information security controls at federal agencies. For example, in fiscal year 2008, weaknesses were reported in such controls at 23 of 24 major agencies. Specifically, agencies did not consistently authenticate users to prevent unauthorized access to systems; apply encryption to protect sensitive data; and log, audit, and monitor security-relevant events, among other actions. An underlying cause of these weaknesses is agencies' failure to fully or effectively implement information security programs, which entails assessing and managing risk, developing and implementing security policies and procedures, promoting security awareness and training, monitoring the adequacy of security controls, and implementing appropriate remedial actions. Multiple opportunities exist to enhance cybersecurity. In light of weaknesses in agencies' information security controls, GAO and inspectors general have made hundreds of recommendations to improve security, many of which agencies are implementing. In addition, the White House and the Office of Management and Budget, collaborating with other agencies, have launched several initiatives aimed at improving aspects of federal cybersecurity. The Department of Homeland Security, which plays a key role in coordinating cybersecurity activities, also needs to fulfill its responsibilities, such as developing capabilities for protecting cyber-reliant critical infrastructures and implementing lessons learned from a major cyber simulation exercise. Finally, a panel of experts convened by GAO made several recommendations for improving the nation's cybersecurity strategy. Realizing these opportunities for improvement can help ensure that the federal government's systems, information, and critical cyber-reliant infrastructure are effectively protected. Tue, 17 Nov 2009 00:00:00 -0500 http://www.gao.gov/new.items/d10178r.pdf In March 2009, out of concern that the overall security situation in Afghanistan had not improved after more than 7 years of U.S. and international efforts, the administration completed a 60-day strategic review of U.S. policy and the security environment in Afghanistan and Pakistan. Based on this review, and recognizing the vital U.S. interest in addressing security threats posed by extremists in Afghanistan and Pakistan, the administration announced a strategic goal of disrupting, dismantling, and eventually defeating these extremists and eliminating their safe havens in both Afghanistan and Pakistan. Subsequently, in August 2009, the United States issued an integrated civilian-military campaign plan for support to Afghanistan. The strategy and campaign plan call for, among other things, the execution of an integrated counterinsurgency mission and continued efforts to build the capacity of military and civilian elements of the Afghan government to lead counterinsurgency and counterterrorism efforts and provide internal security for the Afghan people. Accordingly, the focus for U.S. forces in Afghanistan will be to (1) secure Afghanistan from insurgent and terrorist threats and (2) rapidly train Afghanistan National Security Forces (ANSF) to lead military and law enforcement operations. Afghanistan's security situation has deteriorated significantly since 2005, affecting all aspects of U.S. and allied reconstruction operations. As we reported in April 2009, the rise in enemy-initiated attacks on civilians and on U.S., Afghan, and coalition security forces has resulted from various factors, including a resurgence of the Taliban, the limited capabilities of Afghan security forces, a thriving illicit drug trade, and threats emanating from insurgent safe havens in Pakistan. Since 2005, attacks on civilians, as well as on Afghan and coalition forces, have increased every year. The most recent data available, as of August 2009, showed the highest rate of enemy-initiated attacks since Afghanistan's security situation began to deteriorate. Overall, nearly 13,000 attacks were recorded between January and August 2009--more than two and a half times the number experienced during the same period last year and more than five times the approximately 2,400 attacks reported in all of 2005. Violence has generally been concentrated in the eastern and southern regions of Afghanistan where U.S. forces operate, with insurgents making increasing use of improvised explosive devices, suicide attacks, and attacks targeting infrastructure and development projects. As figure 1 illustrates, the pattern of attacks is seasonal, generally peaking from June through September each year. Although never reaching the highest level of attacks in Iraq, the number of attacks in Afghanistan surpassed those in Iraq for the first time in July 2008 and has continued to exceed levels in Iraq in recent months. Developing a self-reliant Afghanistan is a key end-state goal articulated in the U.S. strategy for Afghanistan, which notes that achieving such an outcome will enable the United States to withdraw combat forces and make a sustained commitment to Afghan political and economic development. While U.S. and international development projects in Afghanistan have made some progress, the deterioration of security has impeded efforts to stabilize and rebuild the country. In particular, U.S. officials have cited poor security as having caused delays, disruptions, and even abandonment of certain reconstruction projects, while also hampering management and oversight of such efforts. For instance, the administration's Special Representative for Afghanistan and Pakistan has identified the need for more security in order for civilian personnel and contractors to do their work in Afghanistan. Similarly, the commander of the International Security Assistance Force (ISAF) and U.S. forces in Afghanistan testified in his June 2009 confirmation hearing that improving security was a prerequisite for the development of local governance and economic growth in Afghanistan. As of November 2009, there were reportedly about 67,000 U.S. military personnel in Afghanistan--an increase of more than 90 percent from the force level of 35,000 we previously reported as of February 2009. According to DOD, by the end of 2009 U.S. troop levels will rise further to about 68,000. Additionally, as of October 2009, there were reportedly about 36,000 non-U.S. military personnel in ISAF--an increase from the reported February 2009 force level of about 32,000. Furthermore, as of September 2009, DOD reported 95,000 Afghan National Army personnel assigned to the ANSF. According to DOD, the ANSF will reach its authorized end-strength of 230,000 army and police personnel by October 2010. Thu, 05 Nov 2009 00:00:00 -0500 http://www.gao.gov/new.items/d1095.pdf Prior to the Joint Improvised Explosive Device Defeat Organization's (JIEDDO) establishment in 2006, no single entity was responsible for coordinating the Department of Defense's (DOD) counter improvised explosive device (IED) efforts. JIEDDO was established to coordinate and focus all counter-IED efforts, including ongoing research and development, throughout DOD. This report, which is one in a series of congressionally mandated GAO reports related to JIEDDO's management and operations, assesses the extent to which 1) capability gaps were initially identified in DOD's effort to defeat IEDs and how these gaps and other factors led to the development of JIEDDO, 2) JIEDDO has maintained visibility over all counter-IED efforts, 3) JIEDDO has coordinated the transition of JIEDDO-funded initiatives to the military services, and 4) JIEDDO has developed criteria for the counter-IED training initiatives it will fund. To address these objectives, GAO reviewed and analyzed relevant documents and met with DOD and service officials. With the escalation of the IED threat in Iraq, DOD identified several counter-IED capability gaps that included shortcomings in the areas of counter-IED technologies, qualified personnel with expertise in counter-IED tactics, training, dedicated funding, and expedited acquisition processes. For example, prior to JIEDDO's establishment, many different DOD entities focused on counter-IED issues, but coordination among these various efforts was informal and ad hoc. DOD's efforts to focus on addressing these gaps culminated in the creation of JIEDDO, but its creation was done in the absence of DOD having formal guidance for establishing joint organizations. Further, DOD did not systematically evaluate all preexisting counter-IED resources to determine whether other entities were engaged in similar efforts. JIEDDO and the services lack full visibility over counter-IED initiatives throughout DOD. First, JIEDDO and the services lack a comprehensive database of all existing counter-IED initiatives, limiting their visibility over counter-IED efforts across DOD. Although JIEDDO is currently developing a management system that will track initiatives as they move through JIEDDO's acquisition process, the system will only track JIEDDO-funded initiatives--not those being independently developed and procured by the services and other DOD components. Second, the services lack full visibility over those JIEDDO-funded initiatives that bypass JIEDDO's acquisition process. With limited visibility, both JIEDDO and the services are at risk of duplicating efforts. JIEDDO faces difficulties with transitioning Joint IED defeat initiatives to the military services, in part because JIEDDO and the services have difficulty resolving the gap between JIEDDO's transition timeline and DOD's base budget cycle. As a result, the services are mainly funding initiatives with funding for overseas contingency operations rather than their base budgets. Continuing to fund transferred initiatives with overseas contingency operations appropriations does not ensure funding availability for those initiatives in future years since these appropriations are not necessarily renewed from one year to the next. This transition is also hindered when service requirements are not fully considered during the development of joint-funded counter-IED initiatives, as evidenced by two counter-IED jamming systems. As a result, JIEDDO may be investing in counter-IED solutions that do not fully meet existing service requirements. JIEDDO's lack of clear criteria for the counter-IED training initiatives it will fund has affected its counter-IED training investment decisions. As a result, JIEDDO has funded training initiatives that may have primary uses other than defeating IEDs. In March 2009, JIEDDO attempted to update its criteria for joint training initiatives by listing new requirements; however, these guidelines also could be broadly interpreted. Without specific criteria for counter-IED training initiatives, DOD may find that it lacks funding for future initiatives more directly related to the counter-IED mission. Thu, 29 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d10186t.pdf Improvised explosive devices (IED) are the number-one threat to troops in Iraq and Afghanistan, accounting for almost 40 percent of the attacks on coalition forces in Iraq. Although insurgents' use of IEDs in Iraq has begun to decline, in Afghanistan the number of IED incidents has significantly increased. The Joint IED Defeat Organization (JIEDDO) was created to lead, advocate, and coordinate all DOD efforts to defeat IEDs. Its primary role is to provide funding to the military services and DOD agencies to rapidly develop and field counter-IED solutions. Through fiscal year 2009, Congress has appropriated over $16 billion to JIEDDO. In addition, other DOD components, including the military services, have devoted at least $1.5 billion to the counter-IED effort--which does not include $22.7 billion for Mine Resistant Ambush Protected vehicles. This testimony is based on a report that GAO is issuing today as well as preliminary observations from ongoing work that GAO plans to report in early 2010. In the report being issued today, GAO is recommending that JIEDDO (1) improve its visibility of counter-IED efforts across DOD, (2) develop a complete plan to guide the transition of initiatives, and (3) define criteria for its training initiatives to help guide its funding decisions. DOD generally concurred with GAO's recommendations and noted actions to be taken. Since its creation, JIEDDO has taken several steps to improve its management of counter-IED efforts. For instance, GAO's ongoing work has found that JIEDDO has been improving the management of its efforts to defeat IEDs, including developing and implementing a strategic plan that provides an overarching framework for departmentwide efforts to defeat IEDs, as well as a JIEDDO-specific strategic plan. Also, as noted in the report GAO is issuing today, JIEDDO and the services have taken steps to improve visibility over their counter-IED efforts, and JIEDDO has taken several steps to support the ability of the services and defense agencies to program and fund counter-IED initiatives. However, several significant challenges remain that affect DOD's ability to oversee JIEDDO. Some of these challenges are identified in GAO's report being released today along with recommendations to address them. For example, one challenge is a lack of full visibility by JIEDDO and the services over counter-IED initiatives throughout DOD. Although JIEDDO and various service organizations are developing and maintaining their own counter-IED initiative databases, JIEDDO and the services lack a comprehensive database of all existing counter-IED initiatives, which limits their visibility over counter-IED efforts across the department. In addition, JIEDDO faces difficulties coordinating the transition of funding responsibility for joint counter-IED initiatives to the services, due to gaps between JIEDDO's transition timeline and DOD's base budget cycle. JIEDDO's initiative transitions also are hindered when service requirements are not fully considered during JIEDDO's acquisition process. JIEDDO also lacks clear criteria for defining what counter-IED training initiatives it will fund and, as a result, has funded training activities that may have primary uses other than defeating IEDs. Additionally, GAO's ongoing work has identified other oversight challenges. For example, JIEDDO lacks a means as well as reliable data to gauge the effectiveness of its counter-IED efforts. GAO's work has identified several areas in which data on the effectiveness and progress of IED-defeat initiatives are unreliable or inconsistently collected. In some cases, data are not collected in-theater because the initiatives may not be designed with adequate data-collection procedures. Another challenge facing JIEDDO is its inconsistent application of its counter-IED initiative acquisition process, allowing initiatives to bypass some or all of the process's key review and approval steps. Further, JIEDDO lacks adequate internal controls to ensure DOD that it is achieving its objectives. For example, in July 2009, JIEDDO reported that its internal controls system had a combination of deficiencies that constituted a material weakness. Such a weakness could adversely affect JIEDDO's ability to meet its objectives. Finally, JIEDDO has not developed a process for identification and analysis of the risks it faces in achieving its objectives from both external and internal sources, and it has not assessed its performance over time or ensured that the findings of audits and other reviews have been promptly resolved. As GAO completes its ongoing work it expects to issue a report with recommendations to address these issues. Thu, 29 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d10123.pdf DOD plays a support role in managing Chemical, Biological, Radiological, Nuclear, and High-Yield Explosives (CBRNE) incidents, including providing capabilities to save lives, alleviate hardship or suffering, and minimize property damage. This report addresses the extent to which (1) DOD's CBRNE consequence management plans and capabilities are integrated with other federal plans; (2) DOD has planned for and structured its force to provide CBRNE consequence management assistance; (3) DOD's CBRNE Consequence Management Response Forces (CCMRF) are prepared for their mission; and (4) DOD has CCMRF funding plans that are linked to requirements for specialized CBRNE capabilities. GAO reviewed DOD's plans for CBRNE consequence management and documents from the Department of Homeland Security (DHS) and FEMA. GAO also met with officials from the Assistant Secretary of Defense for Homeland Defense, U.S Northern Command, the military services, the National Guard Bureau, and some CCMRF units. DOD has its own CBRNE consequence management plans but has not integrated them with other federal plans because those federal entities have not completed all elements of the Integrated Planning System mandated by Presidential directive in December 2007. The system is to develop and link planning documents at the federal, state, and local levels. While the system's framework is established, the CBRNE concept and strategic plans that provide further guidance are incomplete. DOD has had operational plans in place and revises these plans regularly. However, until the Integrated Planning System and its associated plans are complete, DOD's plans and those of other federal and state entities will not be integrated, and it will remain unclear whether DOD's CCMRF will address potential gaps in capabilities. We previously recommended and DHS agreed that FEMA should develop a program management plan and schedule to complete the planning system. With a goal to respond to multiple, near-simultaneous, catastrophic CBRNE incidents, DOD has plans to provide needed capabilities, but its response times may not meet incident requirements, it may lack sufficient capacity in some capabilities, and it faces challenges to its strategy for sourcing all three CCMRFs with available units. Without assigned units and plans that integrate the active and reserve portions of CCMRF, and agreements between DOD and the states on availability of National Guard units and the duty status in which they would respond to an incident requiring federal forces, DOD's ability to train and deploy forces in a timely manner is at risk. DOD has taken a number of actions in the past year to improve the readiness of units assigned to the first CCMRF, increasing both individual and collective training focused on the mission and identifying the mission as high priority. However, the CCMRF has not conducted realistic full force field training to confirm units' readiness to assume the mission or to deploy rapidly. Competing demands of overseas missions may distract from a unit's focus on the domestic mission, and some CCMRF units rotate more frequently than stated goals. These training and force rotation problems have prevented DOD from providing the kind of stability to the force that would allow units to build cohesiveness. DOD is making progress in identifying and providing funding and equipment to meet CCMRF mission requirements; however, its efforts to identify all requirements have not been completed, and funding responsibilities are spread across the department and are not subject to central oversight. When the CCMRF mission priority increased in the spring of 2008, more funding was provided. However, units did not have dedicated funding and thus purchased equipment with funding also used for other missions. DOD lacks visibility over total funding requirements. Without an overarching approach to requirements and funding and a centralized focal point to ensure that all requirements have been identified and funded, DOD's ability to ensure that its forces are prepared to carry out this high-priority mission remains challenged. Wed, 07 Oct 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09399.pdf Incidents of airport workers using access privileges to smuggle weapons through secured airport areas and onto planes have heightened concerns regarding commercial airport security. The Transportation Security Administration (TSA), along with airports, is responsible for security at TSA-regulated airports. To guide risk assessment and protection of critical infrastructure, including airports, the Department of Homeland Security (DHS) developed the National Infrastructure Protection Plan (NIPP). GAO was asked to examine the extent to which, for airport perimeters and access controls, TSA (1) assessed risk consistent with the NIPP; (2) implemented protective programs, and evaluated its worker screening pilots; and (3) established a strategy to guide decision making. GAO examined TSA documents related to risk assessment activities, airport security programs, and worker screening pilots; visited nine airports of varying size; and interviewed TSA, airport, and association officials. Although TSA has implemented activities to assess risks to airport perimeters and access controls, such as a commercial aviation threat assessment, it has not conducted vulnerability assessments for 87 percent of the nation's approximately 450 commercial airports or any consequence assessments. As a result, TSA has not completed a comprehensive risk assessment combining threat, vulnerability, and consequence assessments as required by the NIPP. While TSA officials said they intend to conduct a consequence assessment and additional vulnerability assessments, TSA could not provide further details, such as milestones for their completion. Conducting a comprehensive risk assessment and establishing milestones for its completion would provide additional assurance that intended actions will be implemented, provide critical information to enhance TSA's understanding of risks to airports, and help ensure resources are allocated to the highest security priorities. Since 2004, TSA has taken steps to strengthen airport security and implement new programs; however, while TSA conducted a pilot program to test worker screening methods, clear conclusions could not be drawn because of significant design limitations and TSA did not document key aspects of the pilot. TSA has taken steps to enhance airport security by, among other things, expanding its requirements for conducting worker background checks and implementing a worker screening program. In fiscal year 2008 TSA pilot tested various methods to screen airport workers to compare the benefits, costs, and impacts of 100 percent worker screening and random worker screening. TSA designed and implemented the pilot in coordination with the Homeland Security Institute (HSI), a federally funded research and development center. However, because of significant limitations in the design and evaluation of the pilot, such as the limited number of participating airports--7 out of about 450--it is unclear which method is more cost-effective. TSA and HSI also did not document key aspects of the pilot's design, methodology, and evaluation, such as a data analysis plan, limiting the usefulness of these efforts. A well-developed and well-documented evaluation plan can help ensure that pilots generate needed performance information to make effective decisions. While TSA has completed these pilots, developing an evaluation plan for future pilots could help ensure that they are designed and implemented to provide management and Congress with necessary information for decision making. TSA's efforts to enhance the security of the nation's airports have not been guided by a unifying national strategy that identifies key elements, such as goals, priorities, performance measures, and required resources. For example, while TSA's various airport security efforts are implemented by federal and local airport officials, TSA officials said that they have not identified or estimated costs to airport operators for implementing security requirements. GAO has found that national strategies that identify these key elements strengthen decision making and accountability; in addition, developing a strategy with these elements could help ensure that TSA prioritizes its activities and uses resources efficiently to achieve intended outcomes. Wed, 30 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d091022r.pdf Since 2001, Congress has provided the Department of Defense (DOD) with $893 billion in supplemental and annual appropriations, as of June 2009, primarily for Overseas Contingency Operations (OCO).1 DOD's reported annual obligations2 for OCO have shown a steady increase from about $0.2 billion in fiscal year 2001 to about $162.4 billion in fiscal year 2008. For fiscal year 2009, Congress appropriated $151 billion in war-related requests. A total of $89.1 billion has been obligated through the third quarter of fiscal year 2009 through June 2009. The United States' commitments to OCO will likely involve the continued investment of significant resources, requiring decision makers to consider difficult trade-offs as the nation faces an increasing long-range fiscal challenge. The magnitude of future costs will depend on several direct and indirect cost variables and, in some cases, decisions that have not yet been made. DOD's future costs will likely be affected by the pace and duration of operations, the types of facilities needed to support troops overseas, redeployment plans, and the amount of equipment to be repaired or replaced. DOD compiles and reports monthly and cumulative incremental obligations incurred to support OCO in a monthly report commonly called the Contingency Operations Status of Funds Report. DOD leadership uses this report, along with other information, to advise Congress on the costs of the war and to formulate future OCO budget requests. DOD reports these obligations by appropriation, contingency operation, and military service or defense agency. DOD has prepared monthly reports on the obligations incurred for its involvement in OCO since fiscal year 2001. As of June 2009, Congress has appropriated a total of about $893 billion primarily for OCO since 2001. Of that amount, $151 billion was appropriated for use in fiscal year 2009. DOD has reported obligations of about $744 billion for OCO from fiscal year 2001 through fiscal year 2008 and for fiscal year 2009 (October 2008 through June 2009). The $149 billion difference between DOD's appropriations and reported obligations can generally be attributed to the remaining fiscal year 2009 appropriations; multiyear funding for procurement; military construction; and research, development, test, and evaluation from previous OCO-related appropriations that have yet to be obligated; and obligations for classified and other items, which DOD considers to be non-OCO related, that are not reported in DOD's cost-of-war reports. Of DOD's total cumulative reported obligations for OCO through June 2009 (about $744 billion), about $570 billion is for operations in and around Iraq as part of Operation Iraqi Freedom, and about $146 billion is for operations in Afghanistan, the Horn of Africa, the Philippines, and elsewhere as part of Operation Enduring Freedom. The remainder of about $28 billion is for operations in defense of the homeland as part of Operation Noble Eagle. DOD's reported obligations for Operation Iraqi Freedom have consistently increased each fiscal year since operations began. The increases in reported obligations for Operation Iraqi Freedom are in part due to continued costs for military personnel, such as military pay and allowances for mobilized reservists, and for rising operation and maintenance expenses, such as higher contract costs for housing, food, and services and higher fuel costs. In fiscal year 2009, through June 2009, DOD reported obligations of about $89.1 billion, which is more than one half of the total amount of obligation it reported for all of fiscal year 2008. Reported obligations for Operation Iraqi Freedom for the same period continue to account for the largest portion of total reported OCO obligations by operation--about $61.5 billion. In contrast, reported obligations associated with Operation Enduring Freedom total about $27.4 billion, and reported obligations associated with Operation Noble Eagle total about $138.2 million. Fri, 25 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09883.pdf The U.S. government considers the Kingdom of Saudi Arabia a vital partner in combating terrorism. The strong diplomatic relationship between the United States and Saudi Arabia, founded more than 70 years ago, was strained by the Al Qaeda attacks of September 11, 2001, that were carried out in large part by Saudi nationals and killed thousands of U.S. citizens. GAO was asked to report on (1) the U.S. government strategy to collaborate with and assist the Kingdom of Saudi Arabia to counter terrorism and terrorism financing, and (2) U.S. government agencies' assessment of and the Saudi government's views on progress toward the goals of this strategy. GAO analyzed relevant U.S. and Saudi strategy, planning, and evaluation documents related to efforts since 2005, and discussed these efforts with subject matter experts and U.S. and Saudi officials in Washington, D.C., and Riyadh and Jeddah, Saudi Arabia. GAO submitted a copy of this report to intelligence agencies, the National Security Council, and the Departments of Defense, Energy, Homeland Security, Justice, State, and Treasury for their review and comment. The U.S. government strategy to collaborate with Saudi Arabia on counterterrorism utilizes existing diplomatic and security-related efforts to create an active antiterrorism coalition by enhancing the Saudi government's ability to combat terrorists and prevent financial support to extremists. These objectives are contained in Department of State's (State) Mission Strategic Plans (MSP) for Saudi Arabia for fiscal years 2006 through 2009, and also reflected in a January 2008 report from State to the Congress on its strategy for Saudi Arabia. The MSPs include performance targets to measure progress on efforts to combat terrorism and its financing, such as providing security training to the Saudi government, strengthening Saudi financial institutions, and implementation of relevant Saudi regulations. U.S. and Saudi officials report progress on countering terrorism and its financing within Saudi Arabia, but noted challenges, particularly in preventing alleged funding for terrorism and violent extremism outside of Saudi Arabia. In April 2009, State assessed progress related to its goal of building an active U.S.-Saudi antiterrorist coalition as "on target." U.S. and Saudi officials report progress in enhancing the Saudi government's ability to combat terrorists, and note the Saudi government's efforts have disrupted Al Qaeda's terrorist network within Saudi Arabia. However, these officials noted Saudi Arabia's neighbor, Yemen, is emerging as a base from which Al Qaeda terrorists can launch attacks against U.S. and Saudi interests. U.S. and Saudi officials also report progress on efforts to prevent financial support to extremists, citing, for example, the Saudi government's regulations on sending charitable contributions overseas, and the arrest and prosecution of individuals providing support for terrorism. However, U.S. officials remain concerned about the ability of Saudi individuals and charitable organizations to support terrorism outside of Saudi Arabia, and noted limited Saudi enforcement capacity and terrorists' use of cash couriers as challenges. Despite these concerns, some performance targets related to countering terrorism financing were removed from State's current MSP. According to State officials, these changes were made either because a specific target was no longer considered feasible or because progress was made toward the target. Thu, 24 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09794.pdf In 2004, Congress combined preexisting and newly created units to form the Office of Terrorism and Financial Intelligence (TFI) within the Department of the Treasury (Treasury). TFI's mission is to integrate intelligence and enforcement functions to (1) safeguard the financial system against illicit use and (2) combat rogue nations, terrorist facilitators, and other national security threats. In the 5 years since TFI's creation, questioned have been raised about how TFI is managed and allocates its resources. As a result, GAO was asked to analyze how TFI (1) implements its functions, particularly in collaboration with interagency partners, (2) conducts strategic resource planning, and (3) measures its performance. To conduct this analysis, GAO reviewed Treasury and TFI planning documents, performance reports, and workforce data, and interviewed officials from Treasury and its key interagency partners. TFI undertakes five functions, each implemented by a TFI component, in order to achieve its mission. TFI officials cite the analysis of financial intelligence as a critical part of TFI's efforts because it underlies TFI's ability to utilize many of its tools. They said that the creation of OIA was critical to Treasury's ability to effectively identify illicit financial networks. To achieve its mission, TFI's five components often work with each other, other U.S. government agencies, the private sector, or foreign governments. Officials from TFI and its interagency partners cited strong collaboration in many areas, such as effective information sharing between FinCEN and the Justice Department (Justice). Officials differed, however, about the quality of interagency collaboration involving international forums. Treasury officials who led this collaboration stated that it runs smoothly and that they were unaware of any significant concerns, while Justice and State officials reported declining collaboration and unclear mechanisms to enhance or sustain it. While TFI and some of its components have conducted selected strategic resource planning activities, TFI as a unit has not fully adopted key practices that enhance such efforts. For example, TFI and its components have produced multiple strategic planning documents in recent years, but the objectives in some of these documents are not clearly aligned with resources needed to achieve them. As a result, it may be unclear whether TFI has sufficient resources to address its objectives. Also, though TFI has undertaken some workforce planning activities, it lacks a process for performing comprehensive strategic workforce planning. Thus, it is unclear whether TFI is able to effectively address persistent workforce challenges. Also, TFI has not yet developed appropriate performance measures, changing their number and substance each year. Though TFI's current measures fully address many attributes of effective performance measures, they do not cover all TFI core program activities. TFI officials acknowledge the need for improvement and have worked since 2007 to develop one overall performance measure to assess TFI. Yet questions remain about when TFI will implement its new measure and whether it will effectively gauge TFI's performance. Thu, 24 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09996t.pdf A terrorist's use of a radiological dispersal device (RDD) or improvised nuclear device (IND) to release radioactive materials into the environment could have devastating consequences. The timely cleanup of contaminated areas, however, could speed the restoration of normal operations, thus reducing the adverse consequences from an incident. This testimony examines (1) the extent to which federal agencies are planning to fulfill their responsibilities to assist cities and their states in cleaning up areas contaminated with radioactive materials from RDD and IND incidents; (2) what is known about the federal government's capability to effectively cleanup areas contaminated with radioactive materials from RDD and IND incidents, and (3) suggestions from government emergency management officials on ways to improve federal preparedness to provide assistance to recover from RDD and IND incidents. We also discuss recovery activities in the United Kingdom. This testimony is based on our ongoing review of recovery preparedness issues for which we examined applicable federal laws and guidance; interviewed officials from the Department of Homeland Security (DHS), Federal Emergency Management Agency (FEMA), Department of Energy (DOE), and Environmental Protection Agency (EPA); and surveyed emergency management officials from 13 large cities and their states, as well as FEMA and EPA regional office officials. DHS, through FEMA, is responsible for developing a comprehensive emergency management system to respond to and recover from natural disasters and terrorists attacks, including RDD and IND attacks. The response phase would involve evacuations and providing medical treatment to those who were injured; the recovery phase would include cleaning up the radioactive contamination from an attack in order to permit people to return to their homes and businesses. To date, much federal attention has been given to developing a response framework, with less attention to recovery. Our survey found that almost all cities and states would be so overwhelmed by an RDD or IND incident that they would rely on the federal government to conduct almost all analysis and cleanup activities that are essential first steps towards recovery. However, we found that the federal government has not sufficiently planned to undertake these activities. For example, FEMA has not issued a national disaster recovery strategy or plans for RDD and IND incidents as required by law. Existing federal guidance provides only limited direction for federal agencies to develop their own recovery plans and conduct exercises to test preparedness. Out of over 70 RDD and IND exercises conducted in the last 5 years, only three have included interagency recovery discussions following a response exercise. Although DOE and EPA have experience in the cleanup of small-scale radiation-contaminated areas, their lack of knowledge and capability to apply approaches to address the magnitude of an RDD or an IND incident could increase recovery costs and delay completion. According to anexpert at Idaho National Laboratory, experience has shown that not selecting the appropriate decontamination technologies can generate waste types that are more difficult to remove than the original material and can create more debris requiring disposal--leading to increased costs. Limitations in laboratory capacity to rapidly test thousands of material samples during cleanup, and uncertainty regarding where to dispose of radioactive debris could also slow the recovery process. At least two-thirds of the city, state, and federal respondents expressed concern about federal capability to provide the necessary analysis and cleanup actions to promote recovery after these incidents. Nearly all survey respondents had suggestions to improve federal recovery preparedness for RDD and IND incidents. For example, almost all the cities and states identified the need for a national disaster recovery strategy to address gaps and overlaps in federal guidance. All but three cities wanted additional guidance, for example, on monitoring radioactivity levels, cleanup standards, and management of radioactive waste. Most cities wanted more interaction with federal agencies and joint exercising to test recovery preparedness. Finally, our review of the United Kingdom's preparedness to recover from radiological terrorism showed that that country has already taken actions similar to those suggested by our survey respondents, such as issuing national recovery guidance, conducting a full-scale recovery exercise, and publishing a national handbook for radiation incidents. Mon, 14 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09849.pdf U.S. Northern Command (NORTHCOM) exercises to test preparedness to perform its homeland defense and civil support missions. GAO was asked to assess the extent to which NORTHCOM is (1) consistent with Department of Defense (DOD) training and exercise requirements, (2) involving interagency partners and states in its exercises, (3) using lessons learned and corrective actions to improve preparedness, and (4) integrating its exercises with the National Exercise Program (NEP). To do this, GAO reviewed NORTHCOM and NEP guidance and postexercise documentation, assessed NORTHCOM compliance, and compared DOD and NEP exercise requirements. NORTHCOM's exercise program is generally consistent with the requirements of DOD's Joint Training System, but its exercise reporting is inconsistent. Since the command was established in 2002, NORTHCOM has conducted 13 large-scale exercises and generally completed exercise summary reports within the required time frame. However, those reports did not consistently include certain information, such as areas needing improvement, because NORTHCOM lacks guidance that specifies exercise reports' content and format, potentially impacting its ability to meet internal standards for planning and execution of joint exercises, and to compare and share exercise results over time with interagency partners and states. Nineteen federal agencies and organizations and 17 states and the District of Columbia have participated in one or more of the seven large-scale exercises that NORTHCOM has conducted since September 2005. However, NORTHCOM faces challenges in involving states in the planning, conduct, and assessment of its exercises, such as adapting its exercise system and practices to involve other federal, state, local, and tribal agencies that do not have the same practices or level of planning resources. Inconsistencies with how NORTHCOM involves states in exercises are occurring in part because NORTHCOM officials lack experience dealing with states and do not have a consistent process for including states in exercises. Without such a process, NORTHCOM increases the risk that its exercises will not provide benefits for all participants, impact the seamless exercise of all levels of government, and potentially affect NORTHCOM's ability to provide civil support capabilities. NORTHCOM has a systematic lessons learned and corrective action program to improve preparedness, but gaps remain with collecting and sharing lessons with agency and state partners and managing corrective actions. Access to the system NORTHCOM uses for managing exercise observations is limited for non-DOD participants, and DOD believes that the Department of Homeland Security's system is not adequately protected from unauthorized users. NORTHCOM's mitigation steps have not resolved the issues. In addition, about 20 percent of the corrective actions tracked by NORTHCOM were being closed prematurely due to gaps in oversight. Closing issues prematurely increases the risk that issues will reoccur and limits the knowledge gained and value of the exercise. NORTHCOM has taken steps to integrate its exercises with the NEP, but guidance is not consistently applied. NORTHCOM has participated in several NEP exercises and is leading its first major NEP exercise in the fall of 2009. However, NORTHCOM has used DOD's Joint Training System planning and documentation requirements rather than DHS's requirements, because NEP guidance is not clear on what exercise planning standard should be used and DOD guidance does not address the issue. The states we visited use NEP guidance. Differences between NEP and DOD guidance could affect the ability of all participants to develop effective working relationships. Wed, 09 Sep 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09983.pdf The September 11 terrorist attacks have heightened concerns about the security of the nation's icons and parks, which millions of people visit every year. The National Park Service (Park Service) within the Department of the Interior (Interior) is responsible for securing nearly 400 park units that include icons and other parks. In 2004, GAO identified a set of key protection practices that include: allocating resources using risk management, leveraging technology, information sharing and coordination, performance measurement and testing, and strategic management of human capital. As requested, GAO determined whether the Park Service's security efforts for national icons and parks reflected key practices. To meet this objective, GAO used its key practices as criteria, reviewed five icons and parks to gain firsthand knowledge, analyzed Interior documents, and interviewed Interior officials. The Park Service has implemented a range of security improvements since the September 11 terrorist attacks and has worked to integrate security into its primary mission to preserve national icons and parks for the public's enjoyment. For example, it has established a senior-level security manager position and taken steps to strengthen security at the icons, and is developing a risk management program for small parks. These efforts exhibit some aspects of the key protection practices, but GAO found limitations in each of the areas. The Park Service does not allocate resources using risk management servicewide or cost-effectively leverage technology. While the Park Service, with assistance from Interior, has conducted risk assessments and implemented countermeasures to enhance security at the icons, some critical vulnerabilities remain. Moreover, the Park Service has not advanced this risk management approach for icons to the rest of its national parks. Without a servicewide risk management approach, the Park Service lacks assurance that security efforts are focused where they are needed. Furthermore, while icons and parks may use a variety of security technologies and other countermeasures, they do not have guidance for evaluating the cost-effectiveness of these investments, thus limiting assurances of efficiency and cost-effectiveness. Additionally, the Park Service faces limitations with sharing and coordinating information internally and lacks a servicewide approach for routine performance measurement and testing. Although the Park Service collaborates with external organizations, it lacks comparable arrangements for internal security communications and, as a result, parks are not equipped to share information with one another on common security problems and solutions. Furthermore, the Park Service has not established security performance measures and lacks an analysis tool that could be used to evaluate program effectiveness and inform an overall risk management strategy. Thus, icons and parks have little information on the status and performance of security that they can use to manage daily activities or that Park Service management can use to manage security throughout the organization. Finally, strategic human capital management is an area of concern because of the Park Service's lack of clearly defined security roles and a security training curriculum. For example, staff that are assigned security duties are generally not required to meet qualifications or undergo specialized training. Absent a security training curriculum, there is less assurance that staff are well-equipped to effectively identify and mitigate risks at national icons and parks. Fri, 28 Aug 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09927t.pdf DOD plays a support role in managing Chemical, Biological, Radiological, Nuclear, and High-Yield Explosives (CBRNE) incidents, including providing capabilities needed to save lives, alleviate hardship or suffering, and minimize property damage. This testimony addresses GAO's preliminary observations on DOD's role in CBRNE consequence management efforts and addresses the extent to which (1) DOD's plans and capabilities are integrated with other federal government plans, (2) DOD has planned for and structured its force to provide CBRNE consequence management assistance, (3) DOD's CBRNE Consequence Management Response Forces (CCMRF) are prepared to perform their mission; and (4) DOD has funding plans for the CCMRF that are linked to requirements for specialized CBRNE capabilities. GAO reviewed DOD's plans for CBRNE consequence management and documents from the Department of Homeland Security (DHS) and the Federal Emergency Management Agency. GAO also met with officials from the Undersecretary of Defense for Homeland Defense, U.S Northern Command, U.S. Army Forces Command, U.S. Army North, the National Guard Bureau, and some CCMRF units. DOD has its own CBRNE consequence management plans but has not integrated them with other federal government plans because all elements of the Integrated Planning System mandated by Presidential directive in December 2007 have not been completed. The system is to develop and link planning documents at the federal, state, and local levels. While the system's framework is established, the CBRNE concept and strategic plans that provide further guidance are incomplete. DOD has had operational plans in place and revises these plans regularly. However, until the Integrated Planning System and its associated plans are complete, DOD's plans and those of other federal and state entities will not be integrated, and it will remain unclear whether DOD's CCMRF will address potential gaps in capabilities. With a goal to respond to multiple, near-simultaneous, catastrophic CBRNE incidents, DOD has plans to provide the needed capabilities, but its planned response times may not meet incident requirements, it may lack sufficient capacity in some capabilities, and it faces challenges to its strategy for sourcing all three CCMRFs with available units. Without assigned units and plans that integrate the active and reserve portions of the CCMRF, and agreements between DOD and the states on the availability of National Guard units and the duty status in which they would respond to an incident requiring federal forces, DOD's ability to train and deploy forces in a timely manner to assist civil authorities to respond to multiple CBRNE incidents is at risk. DOD has taken a number of actions in the past year to improve the readiness of units assigned to the CCMRF, increasing both individual and collective training focused on the mission and identifying the mission as high priority. However, the CCMRF has not conducted realistic full force field training to confirm units' readiness to assume the mission or to deploy rapidly. Competing demands of overseas missions may distract from a unit's focus on the domestic mission, and some CCMRF units rotate more frequently than stated goals. These training and force rotation problems have prevented DOD from providing the kind of stability to the force that would allow units to build cohesiveness. DOD is making progress in identifying and providing funding and equipment to meet CCMRF mission requirements; however, its efforts to identify total program requirements have not been completed, and funding responsibilities have been assigned across the department and are not subject to central oversight. When the CCMRF mission priority increased in the spring of 2008, more funding was provided. However, units did not have dedicated funding and thus purchased equipment with existing funding which is also used for other missions. DOD lacks visibility over the mission's total funding requirements. Without an overarching approach to developing requirements and providing funding and a centralized focal point to ensure that all requirements have been identified and funded, DOD's ability to ensure that its forces are prepared to carry out this high priority mission remains challenged. Tue, 28 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09903t.pdf By deploying armed air marshals onboard selected flights, the Federal Air Marshal Service (FAMS), a component of the Transportation Security Administration (TSA), plays a key role in helping to protect approximately 29,000 domestic and international flights operated daily by U.S. air carriers. This testimony discusses (1) FAMS's operational approach or "concept of operations" for covering flights, (2) an independent evaluation of the operational approach, and (3) FAMS's processes and initiatives for addressing workforce-related issues. Also, this testimony provides a list of possible oversight issues related to FAMS. This testimony is based on GAO's January 2009 report (GAO-09-273), with selected updates in July 2009. For its 2009 report, GAO analyzed policies and procedures regarding FAMS's operational approach and a July 2006 classified assessment of that approach. Also, GAO analyzed employee working group reports and related FAMS's initiatives for addressing workforce-related issues, and interviewed FAMS headquarters officials and 67 air marshals (selected to reflect a range in levels of experience). Because the number of air marshals is less than the number of daily flights, FAMS's operational approach is to assign air marshals to selected flights it deems high risk--such as the nonstop, long-distance flights targeted on September 11, 2001. In assigning air marshals, FAMS seeks to maximize coverage of flights in 10 targeted high-risk categories, which are based on consideration of threats, vulnerabilities, and consequences. In July 2006, the Homeland Security Institute, a federally funded research and development center, independently assessed FAMS's operational approach and found it to be reasonable. However, the institute noted that certain types of flights were covered less often than others. The institute recommended that FAMS increase randomness or unpredictability in selecting flights and otherwise diversify the coverage of flights within the various risk categories. In its January 2009 report, GAO noted that the Homeland Security Institute's evaluation methodology was reasonable and that FAMS had taken actions (or had ongoing efforts) to implement the institute's recommendations. To address workforce-related issues, FAMS's previous Director, who served until June 2008, established a number of processes and initiatives, such as working groups, listening sessions, and an internal Web site for agency personnel to provide anonymous feedback to management. These efforts have produced some positive results. For example, FAMS revised its policy for airport check-in and aircraft boarding procedures to help protect the anonymity of air marshals in mission status, and FAMS modified its mission scheduling processes and implemented a voluntary lateral transfer program to address certain quality-of-life issues. The air marshals GAO interviewed expressed satisfaction with FAMS's efforts to address workforce-related issues. The current FAMS Director has expressed a commitment to continue applicable processes and initiatives. Also, FAMS has plans to conduct a workforce satisfaction survey of all employees every 2 years, building upon an initial survey conducted in fiscal year 2007. GAO's review found that the potential usefulness of future surveys could be enhanced by ensuring that the survey questions and the answer options are clearly structured and unambiguous and that additional efforts are considered for obtaining the highest possible response rates. To its credit, FAMS has made progress in addressing various operational and quality-of-life issues that affect the ability of air marshals to perform their aviation security mission. However, sustaining progress will require ongoing consideration by FAMS management--and continued oversight by congressional stakeholders--of key questions, such as how to foster career sustainability for air marshals given that maintaining an effective operational tempo can at times be incompatible with supporting a work-life balance. Thu, 23 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09820.pdf The Project BioShield Act of 2004 (BioShield Act) increased the federal government's ability to procure needed countermeasures to address threats from chemical, biological, radiological, and nuclear agents. Under the BioShield Act, the Department of Health and Human Services (HHS) was provided with new contracting authorities (increased simplified acquisition and micropurchase thresholds, and expanded abilities to use procedures other than full and open competition and personal services contracts) and was authorized to use about $5.6 billion in a Special Reserve Fund to procure countermeasures. Based on the BioShield Act's mandate, GAO reviewed (1) how HHS has used its purchasing and contracting authorities, and (2) the extent to which HHS has internal controls in place to manage and help ensure the appropriate use of its new authorities. To do this work, GAO reviewed contract files and other HHS documents, including internal control guidance, which GAO compared with federal statutes and federal internal control standards. Since 2004, HHS has awarded nine contracts using its Special Reserve Fund (Fund) purchasing authority under the BioShield Act to procure countermeasures that address anthrax, botulism, smallpox, and radiation poisoning. HHS may procure countermeasures that are approved by the Food and Drug Administration and ones that are unapproved, but are within 8 years of approval. Of the nine contracts, one was terminated for convenience and the remaining eight are valued at almost $2 billion. HHS officials told GAO that additional contracts are likely to be awarded in the near future as the Fund provides funding through fiscal year 2013. In addition, HHS has used one of its new contracting authorities, simplified acquisition procedures, although it has not used this authority since 2005. HHS has established internal controls on its new purchasing and contracting authorities. In addition to the language in the BioShield Act, which sets up a broad framework of controls over the use of the Special Reserve Fund, the internal controls for this purchasing authority are documented in a variety of internal policy and procedure documents and interagency agreements, which provide guidance on roles and responsibilities for how the controls are to be implemented. In response to BioShield Act requirements, HHS also established internal controls for three of the contracting authorities: the increased simplified acquisition threshold and its use with Special Reserve Funds, the increased micropurchase threshold, and the use of personal services contracts. Federal internal control standards state that, among other things, management needs to comprehensively identify risks, analyze them for possible effect, and determine how risks should be managed. Although some of the risk statements in a memo HHS issued identify some risks and one mentions possible negative consequences that could occur without proper controls in place, the risk statements for using the increased micropurchase threshold and increased simplified acquisition procedures lack analysis of specific risks. In particular, the memo does not discuss a key risk associated with using simplified acquisition procedures--namely, that an agency is prohibited from obtaining cost or pricing data for acquisitions at or below the simplified acquisition threshold. Without this data, the agency may not be able to determine if the price of a contract is fair and reasonable. Moreover, not having adequately documented and appropriately communicated risk assessments potentially results in future employees not knowing or understanding the risks or trade-offs involved in using the authorities. With employee turnover, HHS' reliance on the knowledge of current personnel to appropriately implement key controls will not enable future employees to make sound, informed, and consistent decisions. Tue, 21 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09738.pdf In 2004, the Department of State (State) Inspector General (IG) concluded that State's three-bureau structure for conducting arms control and nonproliferation policy did not adequately address post-September 11 challenges, including possible terrorist use of weapons of mass destruction. The IG also noted that State had yet to formalize the responsibilities of the three bureaus in its Foreign Affairs Manual (FAM), which sets out agency organization and functions. Between late 2005 and early 2006, State created a new two-bureau structure to better address these issues and improve efficiency GAO was asked to assess the extent to which State addressed (1) the objectives of its 2005-2006 reorganization and (2) key transformation practices. For this effort, GAO reviewed State documents pertaining to the reorganization and staffing data for the affected bureaus in the periods before and after the reorganization and interviewed former and current State officials in Washington, D.C. State cannot demonstrate that the 2005-2006 restructuring of its Nonproliferation, Arms Control, and Verification and Compliance bureaus achieved all of its objectives because it did not clearly define the objectives and lacked metrics to assess them. State's objectives were to enable it to better focus on post -September 11 challenges; reduce bureaucratic inefficiencies and top-heavy management; and eliminate overlap. State sought to achieve its first objective by creating new offices and roles to address terrorism and counterproliferation issues. To meet its second objective, State merged three bureaus having 30 offices and functions into two bureaus having 26 offices and functions and freed up staff slots for these new roles, but problems with workload mismatches persisted after the reorganization as State employees noted it left some offices overworked and some offices underworked. State cannot demonstrate that it met its third objective, reducing top-heavy management, as its goals were undefined. Although it reduced the number of senior executives from 27 to 20 and reduced office directorships, the overall number of higher-ranking employees increased from 91 to 100 and executive office staff increased from 44 to 50. Moreover, concerns about mission overlap persist, in part because bureau roles remain undefined in the FAM. State's reorganization addressed few of the key practices for organizational mergers and transformations that GAO developed in 2002. These practices are found to be at the center of successful mergers and transformations. As illustrated below, State generally addressed one key practice, partially addressed two, and did not address the remaining five. For example, State did not address establishing coherent mission and strategic goals because it did not define an end state with measurable goals, nor did it devise a means to gauge progress toward such goals or assess the results of actions taken. As a result, State lacks reasonable assurance that the reorganization achieved its objectives or that it can identify any lessons learned. Wed, 15 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09791r.pdf Since 2001, Congress has provided the Department of Defense (DOD) with $888 billion in supplemental and annual appropriations, as of June 2009, primarily for Overseas Contingency Operations (OCO). DOD's reported annual obligations for OCO have shown a steady increase from about $0.2 billion in fiscal year 2001 to about $162.4 billion in fiscal year 2008. For fiscal year 2009 OCO, Congress provided DOD with about $65.9 billion in the fiscal year 2009 DOD Appropriations Act and about $80.0 billion in a supplemental appropriation enacted in June 2009. A total of $59.6 billion has been obligated through the second quarter of fiscal year 2009 through March 2009. The United States' commitments to OCO will likely involve the continued investment of significant resources, requiring decision makers to consider difficult trade-offs as the nation faces an increasing long-range fiscal challenge. The magnitude of future costs will depend on several direct and indirect cost variables and, in some cases, decisions that have not yet been made. DOD's future costs will likely be affected by the pace and duration of operations, the types of facilities needed to support troops overseas, redeployment plans, and the amount of equipment to be repaired or replaced. DOD compiles and reports monthly and cumulative incremental obligations incurred to support OCO in a monthly report commonly called the Contingency Operations Status of Funds Report. DOD leadership uses this report, along with other information, to advise Congress on the costs of the war and to formulate future OCO budget requests. DOD reports these obligations by appropriation, contingency operation, and military service or defense agency. DOD has prepared monthly reports on the obligations incurred for its involvement in OCO since fiscal year 2001. Section 1221 of the National Defense Authorization Act for Fiscal Year 2006 requires us to submit quarterly updates to Congress on the costs of Operation Iraqi Freedom and Operation Enduring Freedom based on DOD's monthly cost-of-war reports. This report, which responds to this requirement, contains our analysis of DOD's reported obligations for overseas contingencies through March 2009. Specifically, we assessed (1) DOD's cumulative appropriations and reported obligations for military operations in support of overseas contingencies and (2) DOD's fiscal year 2009 reported obligations from October 2008 through March 2009, the latest data available for OCO by military service and appropriation account. As of March 2009, Congress has appropriated a total of about $888 billion primarily for OCO since 2001. Of that amount, about $65.9 billion was appropriated in the fiscal year 2009 DOD Appropriations Act and about $80 billion was appropriated in the June 2009 supplemental appropriation for a total of about $145.9 billion for use in fiscal year 2009. DOD has reported obligations of about $714.3 billion for OCO from fiscal year 2001 through fiscal year 2008 and for fiscal year 2009 (October 2008 through March 2009). The $173.7 billion difference between DOD's appropriations and reported obligations can generally be attributed to the remaining fiscal year 2009 appropriations; multiyear funding for procurement; military construction; and research, development, test, and evaluation from previous OCO-related appropriations that have yet to be obligated; and obligations for classified and other items, which DOD considers to be non-OCO related, that are not reported in DOD's cost-of-war reports. As part of our ongoing work, we are reviewing DOD's process for reporting its OCO-related obligations. Fri, 10 Jul 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09491.pdf From fiscal years 2006 through 2008, the Department of Homeland Security (DHS) has allocated about $755 million dollars to transit agencies through its Transit Security Grant Program (TSGP) to protect transit systems and the public from terrorist attacks. GAO was asked to evaluate the extent to which (1) TSGP funds are allocated and awarded based on risk; (2) DHS has allocated, awarded, and distributed TSGP grants in accordance with statutory deadlines and leading practices for collaborating agencies; and (3) DHS has evaluated the effectiveness of the TSGP and its investments. To address these objectives, GAO reviewed the TSGP risk model, fund allocation methodology and program documents, such as TSGP guidance, and interviewed DHS and transit officials, among other steps. DHS has used a risk analysis model to allocate TSGP funding and award grants to higher-risk transit agencies, although transit agency officials have expressed concerns about changes that have occurred since the TSGP's inception, such as revised priorities. The TSGP risk model includes all three elements of risk--threat, vulnerability, and consequence--but can be strengthened by measuring variations in vulnerability. DHS has held vulnerability constant, which limits the model's overall ability to assess risk and more precisely allocate funds. Although the Transportation Security Administration (TSA) allocated about 90 percent of funding to the highest-risk agencies, lower-risk agency awards were based on other factors in addition to risk. In addition, TSA has revised the TSGP's approach, methodology and funding priorities each year since 2006. These changes have raised predictability and flexibility concerns among transit agencies because they make engaging in long-term planning difficult. DHS met the statutory timeline requirements for allocating and awarding grants, but the two agencies that manage the TSGP--TSA and Federal Emergency Management Agency (FEMA)--lack defined roles and responsibilities, and only 3 percent of the funds awarded for fiscal years 2006 through 2008 have been spent as of February 2009. There is no documentation articulating the roles and responsibilities of the agencies, and grant information has not been passed between the two agencies which affected TSA's ability to share grant status information with transit agencies. DHS met statutory deadlines for releasing grant guidance and acting upon applications, but management and resource issues have resulted in delays in approving projects and making funds available, including (1) lengthy project negotiations between transit agencies and TSA; (2) a backlog of required environmental reviews; and (3) a reported lack of personnel to conduct required reviews. As a result, according to FEMA records, as of February 2009, transit agencies have spent about $21 million of the $755 million that has been awarded for fiscal years 2006 through 2008. This spending rate is, in part, caused by agencies receiving authorization to spend grant dollars late in the grant period. Despite concerns over delays, FEMA has not communicated time frames for providing funding. In April 2004, GAO reported that timely grant awards are imperative to provide intended benefits. DHS has reported taking some actions to address delays, including shortening project approval times and hiring staff, but the effectiveness of these efforts is unknown. Although FEMA has taken initial efforts to develop measures to assess the effectiveness of its grant programs, TSA and FEMA lack a plan and related milestones for developing measures specifically for the TSGP, and thus DHS does not have the capability to measure the effectiveness of the program or its investments. Without such a plan, it will be difficult for TSA and FEMA to provide reasonable assurance that measures are being developed to assess the effectiveness of the program as intended. While FEMA is responsible for the financial controls and audits of the TSGP, it does not have a mechanism to systematically collect data and track grant projects throughout the grant process. As a result, FEMA cannot assess whether awards are timely or funds are being used effectively to reduce risk and increase transit system security Mon, 08 Jun 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09125r.pdf This report formally transmits a briefing in response to a Congressional request. Specifically, Congress requested that GAO update our January 2005 report entitled, Gun Control and Terrorism: FBI Could Better Manage Firearm-Related Background Checks Involving Terrorist Watch List Records, GAO-05-127 (Washington, D.C.: Jan. 19, 2005). Under the Brady Handgun Violence Prevention Act and implementing regulations, the Federal Bureau of Investigation (FBI) and designated state and local criminal justice agencies use the FBI's National Instant Criminal Background Check System (NICS) to conduct checks on individuals before federal firearms licensees (gun dealers) may transfer any firearm to an unlicensed individual. Also, to assist the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), the FBI conducts NICS background checks on individuals seeking to obtain a federal explosives license or permit. Under current law, there is no basis to automatically prohibit a person from possessing firearms or explosives because they appear on the terrorist watch list. Rather, there must be a disqualifying factor (i.e., prohibiting information) pursuant to federal or state law, such as a felony conviction or illegal immigration status. In response to the request, this report addresses (1) the number of NICS background checks involving terrorist watch list records, the related results, and the FBI's current procedures for handling these checks and (2) the extent to which the FBI has taken action to collect information from NICS background checks involving terrorist watch list records and share this information with counterterrorism officials to support investigations and other counterterrorism activities. In summary, from February 2004 through February 2009, FBI data show that 963 NICS background checks resulted in valid matches with terrorist watch list records; of these matches, approximately 90 percent were allowed to proceed because the checks revealed no prohibiting information and about 10 percent were denied. Regarding FBI procedures for handling these checks, in response to a recommendation in our January 2005 report, the FBI began conducting all NICS background checks involving terrorist watch list records in July 2005--including those generated via state operations--to ensure consistency in handling. Moreover, in April 2005, the FBI issued guidance to its field offices on the availability and use of information collected as a result of NICS background checks involving terrorist watch list records to help support investigations and other counterterrorism efforts. In April 2007, the Department of Justice (DOJ) provided legislative language to Congress that would give the Attorney General discretionary authority to deny the transfer of firearms or the issuance of a firearm or explosives license or permit when a NICS background check reveals that the purchaser is a known or suspected terrorist and the Attorney General reasonably believes that the person may use a firearm or explosives in connection with terrorism. A related bill was introduced in the 111th Congress and is currently pending (H.R. 2159). Neither DOJ's proposed legislative language nor the related bill include provisions for the development of guidelines further delineating the circumstances under which the Attorney General could exercise this authority. In October 2007, we reported that agencies that use terrorist watch list records to screen for potential terrorists use applicable laws or other guidelines as a basis for determining what related actions to take, if any, such as the criteria that are used for determining which subjects of watch list records should be precluded from boarding an aircraft. Further, Homeland Security Presidential Directive 11 requires that terrorist watch list records be used in a manner that safeguards legal rights, including freedoms, civil liberties, and information privacy guaranteed by federal law. Guidelines delineating how the Attorney General could use any new authority would help DOJ and its component agencies (1) provide accountability and a basis for monitoring to ensure that the intended goals for, and expected results of, the screening are being achieved and (2) ensure that terrorist watch list records are used in accordance with requirements outlined in the Presidential directive. In response to our questions, DOJ was noncommittal on whether it would develop guidelines if legislation providing the Attorney General with discretionary authority to deny firearms or explosives transactions involving subjects of terrorist watch list records was enacted. Thu, 21 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09622.pdf The U.S. government is one of the largest donors to Palestinians. It provided nearly $575 million in assistance in fiscal year 2008. This assistance is provided through the U.S. Agency for International Development (USAID) and through contributions to international organizations, primarily the United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA). The Department of State (State) oversees U.S. contributions to UNRWA. To help ensure that U.S. funds for these programs are not provided to individuals or entities engaged in terrorist activities, USAID and State must comply with restrictions under U.S. law. GAO was asked to (1) assess the extent to which USAID has complied with its antiterrorism policies and procedures and (2) assess State's and UNRWA's policies and procedures to support conformance with U.S. statutory conditions. GAO reviewed U.S. and UNRWA documents; interviewed USAID, State, and UNRWA officials; and conducted fieldwork in Israel, Jerusalem, and Jordan. USAID strengthened its antiterrorism policies and procedures and complied with them in making new prime awards, but had weaknesses related to compliance at the subaward level. ("Prime awardee" refers to an organization that directly receives USAID funding to implement projects. "Subawardee" refers to an organization that receives funding from prime awardees.) USAID strengthened its policies and procedures in response to our 2006 recommendations by, for example, strengthening its vetting process, which involves investigating a person or entity for links to terrorism. Since 2006, USAID has instituted new procedures to monitor prime awardee compliance with antiterrorism requirements, which have allowed it to take some actions to address areas of concern. The agency has hired a specialist who reviews prime awardees' subaward files for compliance with its antiterrorism policies. All 32 new prime awards made by USAID in fiscal year 2008 included all applicable clauses. USAID obtained the applicable antiterrorism certifications and conducted required vetting for all applicable new prime awards. For a random sample of fiscal year 2008 subawards, applicable antiterrorism certifications were obtained and vetting was conducted. However, an estimated 17 percent of subawards had insufficient evidence to assess compliance related to mandatory clauses. For the remaining subawards, an estimated 5 percent did not contain the mandatory clauses at the time of the award. GAO also found limitations in the agency's monitoring of subawards for inclusion of mandatory clauses. Since 2003, State and UNRWA have strengthened policies and procedures to conform with conditions on U.S. contributions to UNRWA, but weaknesses remain. Section 301(c) of the Foreign Assistance Act of 1961, as amended, prohibits U.S. contributions to UNRWA except on the condition that UNRWA take all possible measures to assure that no part of the U.S. contribution shall be used to furnish assistance to, among others, any refugee who has engaged in any act of terrorism. UNRWA has agreed to conform to conditions on U.S. contributions, but State has not established criteria to determine whether UNRWA's actions are consistent with this agreement. While State has not defined the key term "all possible measures" or defined nonconformance, it has strengthened some policies and procedures to oversee UNRWA's conformance. UNRWA has strengthened policies and procedures to promote neutrality of its beneficiaries, staff, contractors, and facilities that cover a broader range of conduct than covered in section 301(c). UNRWA reported denying approximately 110 applications for cash assistance to refugees since July 2006, because the agency found the refugees' behavior was inconsistent with UN neutrality or restrictions related to section 301(c). However, limitations exist. UNRWA said it has screened all staff, contractor, and beneficiary names against a UN Security Council list of potential terrorists and found no matches. However, the list does not include Hamas and Hezbollah, which the United States has designated as foreign terrorist organizations. Finally, internal UNRWA audits do not assess controls for all cash assistance programs or whether contracts contain antiterrorism clauses. Tue, 19 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09292.pdf To enhance aviation security, the Department of Homeland Security's (DHS) Transportation Security Administration (TSA) developed a program--known as Secure Flight--to assume from air carriers the function of matching passenger information against terrorist watch-list records. In accordance with a mandate in the Department of Homeland Security Appropriations Act, 2008, GAO's objective was to assess the extent to which TSA met the requirements of 10 statutory conditions related to the development of the Secure Flight program. GAO is required to review the program until all 10 conditions are met. In September 2008, DHS certified that it had satisfied all 10 conditions. To address this objective, GAO (1) identified key activities related to each of the 10 conditions; (2) identified federal guidance and best practices that are relevant to successfully meeting each condition; (3) analyzed whether TSA had demonstrated, through program documentation and oral explanation, that the guidance was followed and best practices were met; and (4) assessed the risks associated with not fully following applicable guidance and meeting best practices. As of April 2009, TSA had generally achieved 9 of the 10 statutory conditions related to the development of the Secure Flight program and had conditionally achieved 1 condition (TSA had defined plans, but had not completed all activities for this condition). Also, TSA's actions completed and those planned have reduced the risks associated with implementing the program. Although DHS asserted that TSA had satisfied all 10 conditions in September 2008, GAO completed its initial assessment in January 2009 and found that TSA had not demonstrated Secure Flight's operational readiness and that the agency had generally not achieved 5 of the 10 statutory conditions. Consistent with the statutory mandate, GAO continued to review the program and, in March 2009, provided a draft of this report to DHS for comment. In the draft report, GAO noted that TSA had made significant progress and had generally achieved 6 statutory conditions, conditionally achieved 3 conditions, and had generally not achieved 1 condition. After receiving the draft report, TSA took additional actions and provided GAO with documentation to demonstrate progress related to 4 conditions. Thus, GAO revised its assessment in this report. Related to the condition that addresses the efficacy and accuracy of search tools, TSA had not yet developed plans to periodically assess the performance of the Secure Flight system's name-matching capabilities, which would help ensure that the system is working as intended. GAO will continue to review the Secure Flight program until all 10 conditions are generally achieved. Wed, 13 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09661t.pdf Information security is a critical consideration for any organization that depends on information systems and computer networks to carry out its mission or business. It is especially important for government agencies, where maintaining the public's trust is essential. The need for a vigilant approach to information security has been demonstrated by the pervasive and sustained computerbased (cyber) attacks against the United States and others that continue to pose a potentially devastating impact to systems and the operations and critical infrastructures that they support. GAO was asked to describe (1) cyber threats to federal information systems and cyberbased critical infrastructures and (2) control deficiencies that make these systems and infrastructures vulnerable to those threats. To do so, GAO relied on its previous reports and reviewed agency and inspectors general reports on information security. Cyber threats to federal information systems and cyber-based critical infrastructures are evolving and growing. These threats can be unintentional and intentional, targeted or nontargeted, and can come from a variety of sources, such as foreign nations engaged in espionage and information warfare, criminals, hackers, virus writers, and disgruntled employees and contractors working within an organization. Moreover, these groups and individuals have a variety of attack techniques at their disposal, and cyber exploitation activity has grown more sophisticated, more targeted, and more serious. As government, private sector, and personal activities continue to move to networked operations, as digital systems add ever more capabilities, as wireless systems become more ubiquitous, and as the design, manufacture, and service of information technology have moved overseas, the threat will continue to grow. In the absence of robust security programs, agencies have experienced a wide range of incidents involving data loss or theft, computer intrusions, and privacy breaches, underscoring the need for improved security practices. These developments have led government officials to become increasingly concerned about the potential for a cyber attack. According to GAO reports and annual security reporting, federal systems are not sufficiently protected to consistently thwart cyber threats. Serious and widespread information security control deficiencies continue to place federal assets at risk of inadvertent or deliberate misuse, financial information at risk of unauthorized modification or destruction, sensitive information at risk of inappropriate disclosure, and critical operations at risk of disruption. For example, over the last several years, most agencies have not implemented controls to sufficiently prevent, limit, or detect access to computer networks, systems, and information, and weaknesses were reported in such controls at 23 of 24 major agencies for fiscal year 2008. Agencies also did not always configure network devices and service properly, segregate incompatible duties, or ensure that continuity of operations plans contained all essential information. An underlying cause for these weaknesses is that agencies have not yet fully or effectively implemented key elements of their agencywide information security programs. To improve information security, efforts have been initiated that are intended to strengthen the protection of federal information and information systems. For example, the Comprehensive National Cybersecurity Initiative was launched in January 2008 and is intended to improve federal efforts to protect against intrusion attempts and anticipate future threats. Until such opportunities are seized and fully exploited and GAO recommendations to mitigate identified control deficiencies and implement agencywide information security programs are fully and effectively implemented, federal information and systems will remain vulnerable. Tue, 05 May 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09612t.pdf This testimony discusses GAO's recently issued report on the North American Aerospace Defense Command's (NORAD) and the Department of Defense's (DOD) air sovereignty alert (ASA) operations. According to the National Strategy for Aviation Security, issued in March 2007, and officials from U.S. intelligence agencies with whom we met, air attacks are still a threat to the United States and its people. To address this threat, NORAD and DOD have fully fueled, fully armed aircraft and trained personnel on alert 24 hours a day, 365 days a year, at 18 ASA sites across the United States. Of the 18 sites, 16 are maintained by Air National Guard (ANG) units and 2 are maintained by active duty Air Force units. If warranted, NORAD can increase personnel, aircraft, and the number of ASA sites based on changes in threat conditions. The Air Force provides NORAD with personnel and equipment, including F-15 and F-16 aircraft, for these operations. ASA units are tasked to conduct and train for both expeditionary missions (e.g., military operations in Iraq) and ASA operations. This testimony will discuss whether (1) NORAD routinely conducts risk assessments to determine the appropriate operational requirements; (2) the Air Force has implemented ASA operations as a steady-state mission, which would require programming funding and measuring readiness, in accordance with NORAD, DOD, and Air Force guidance; and (3) the Air Force has developed a plan to address the recapitalization challenges to sustaining ASA operations for the future. Although NORAD had performed some risk assessments in response to individual DOD leadership inquiries about ASA operations, it had not done routine risk assessments as part of a risk-based management approach to determine ASA operational requirements. Moreover, NORAD has not conducted similar assessments since 2006. Although its units are conducting ASA operations, the Air Force had not implemented these operations as a steady-state mission in accordance with NORAD, DOD, and Air Force directives and guidance. For example, in response to a December 2002 NORAD declaration of a steady-state air defense mission, the Air Force issued a directive assigning specific functions and responsibilities to support the mission. According to the directive, the Air Force was to take 140 actions to implement ASA as a steady-state mission. NORAD partially assessed readiness through inspections; however, the Air Force, which as the force provider is responsible for measuring readiness for its missions by evaluating personnel, training, and the quantity and quality of equipment needed, has not done so for ASA operations. Air Force officials said they do not perform such assessments because the service has not formally assigned the mission to the units. Specifically, the Air Force issues mission Designed Operational Capability statements that identify the unit's mission(s) and related requirements (e.g., type anumber of personnel). Because the Air Force did not implement ASA operations as a steady-state mission in accordance with NORAD, DOD, and Air Force guidance, at the time of our review ASA units were experiencing a number of difficulties that challenged their ability to perform both their expeditionary missions and ASA operations. The unit commanders we interviewed identified funding, personnel, and dual tasking of responsibilities as the top three factors affecting ASA operations. Wed, 22 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09473sp.pdf The United States has provided approximately $38.6 billion in reconstruction assistance to Afghanistan and has over 35,000 troops in the country as of February 2009. Some progress has occurred in areas such as economic growth, infrastructure development, and training of the Afghan National Security Forces (ANSF), but the overall security situation in Afghanistan has not improved after more than 7 years of U.S. and international efforts. In response, the new administration plans to deploy approximately 21,000 additional troops1 to Afghanistan this year, and has completed a strategic review of U.S. efforts in Afghanistan and Pakistan. Based on our past work and the significance of U.S. efforts in Afghanistan to the overall U.S. counterinsurgency strategy, we have highlighted Afghanistan as an urgent oversight issue facing this Congress. The government of Afghanistan, with the assistance of the international community, developed the Afghanistan National Development Strategy (ANDS), which was finalized in June 20083, as a guiding document for achieving Afghanistan's reconstruction goals. The ANDS articulates the priorities of the government of Afghanistan as consisting of four major areas: (1) security; (2) governance, rule of law, and human rights; (3) economic and social development; and (4) counternarcotics. The United States adopted the ANDS as a guiding document for its efforts, and has also identified an end state for Afghanistan using four strategic goals: namely, that Afghanistan is: (1) never again a safe haven for terrorists and is a reliable, stable ally in the Global War on Terror (GWOT); (2) moderate and democratic, with a thriving private sector economy; (3) capable of governing its territory and borders; and (4) respectful of the rights of all its citizens. In discussing his new strategy for Afghanistan and Pakistan in March 2009, the President noted his goals were to disrupt, dismantle, and defeat al Qaeda in Pakistan and Afghanistan, and to prevent their return to either country in the future. In addition, according to Department of State (State) officials, the U.S. Embassy in Afghanistan is assembling provincial plans for security and development. Department of Defense (DOD), State, and U.S. Agency for International Development (USAID) officials have suggested that securing, stabilizing, and reconstructing Afghanistan will take at least a decade and require continuing international assistance. Security in Afghanistan has worsened significantly in the last 3 years, impeding both U.S. and international partners' efforts to stabilize and rebuild the country. The security situation, including the overall increase in insurgent attacks from 2005 to 2008, is the result of a variety of factors including a resurgence of the Taliban in the south, the limited capabilities of Afghan security forces, a continuing and thriving illicit drug trade in the south, and the threat emanating from insurgent safe havens in Pakistan. Between fiscal years 2002 and 2009, the United States provided approximately $38.6 billion to support Afghanistan's reconstruction goals, which can often be characterized as construction. According to DOD, $22 billion of the $38.6 billion has been disbursed. Over half of the $38.6 billion was provided to support the development of the Afghan national army and police forces. Almost a third of the funding was provided to support economic and social development efforts, such as the construction of roads and schools, and the remainder was provided to governance, rule of law, and human rights and counternarcotics programs. Since 2003, we have issued 21 reports and testimonies on U.S. efforts in Afghanistan. Over the course of this work we have identified improvements that were needed as well as many obstacles that affect success and should be considered in program planning and implementation. In most of the U.S. efforts in the past, we found the need for improved planning, including the development of coordinated interagency plans that include measurable goals, specific time frames, cost estimates, and identification of external factors that could significantly affect efforts in key areas such as building Afghanistan's national security forces. We also concluded that several existing conditions, such as worsening security; the lack of a coordinated, detailed interagency plan; and the limited institutional capacity of the Afghanistan government continue to create challenges to the U.S. efforts to assist with securing, stabilizing, and rebuilding Afghanistan. To assist the 111th Congress, GAO is highlighting key issues for consideration in developing oversight agendas and determining the way forward in securing and stabilizing Afghanistan. Significant oversight will be needed to help ensure visibility over the cost and progress of these efforts. The suggested areas for additional oversight include the following topics: (1) U.S. and international commitments, (2) Security environment, (3) U.S. forces and equipment, (4) Afghan national security forces, (5) Counternarcotics efforts, (6) Economic development, (7) Government capacity, (8) Accountability for U.S. provided weapons, and (9) Oversight of contractor performance. Tue, 21 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09626sp.pdf This is an E-supplement to GAO-09-473SP. In its Afghanistan National Development Strategy, the Afghan Government, in conjunction with international donors, established the goal of completing a fully upgraded regional highway network by the end of 2008. The construction of the regional highways was a top road reconstruction priority of the Afghan government and interational donors, as these roads were expected to foster regional trade and contribute to Afghanistan's economic development. The United States and two other donors committed more than $1.5 billion for the over-3,200-kilomteres-long regional highway network and had completed about 60 percent (1,954 kilometers) of these highways as of February 2008. The United States, through the Agency for International Development (USAID), had completed the construction of the 715 kilometers of the regional highways it funded. In addition, it also managed the construction for the 115-kilometer-long Saudi-funded section, which is complete. As of February 2008, construction of an additional 29 percent (932 kilometers) of the regional highway network was ongoing and donors committed funding but had yet to start construction of the remaining 11 percent (354 kilometers). Completion of at least 300 kilometers of the regional highway network was not expected until December 2009, in part because funding was not committed until September 2006. Tue, 21 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09243.pdf An attack on the U.S. freight rail system could be catastrophic because rail cars carrying highly toxic materials often traverse densely populated urban areas. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) is the federal entity primarily responsible for securing freight rail. GAO was asked to assess the status of efforts to secure this system. This report discusses (1) stakeholder efforts to assess risks to the freight rail system and TSA's development of a risk-based security strategy; (2) actions stakeholders have taken to secure the system since 2001, TSA's efforts to monitor and assess their effectiveness, and any challenges to implementing future actions; and (3) the extent to which stakeholders have coordinated efforts. GAO reviewed documents, including TSA's freight rail strategic plan; conducted site visits to seven U.S. cities with significant rail operations involving hazardous materials; and interviewed federal and industry officials. Federal and industry stakeholders have completed a range of actions to assess risks to freight rail since September 2001, and TSA has developed a security strategy; however, TSA's efforts have primarily focused on one threat, and its strategy does not fully address federal guidance or key characteristics of a successful national strategy. Specifically, TSA's efforts to assess vulnerabilities and potential consequences to freight rail have focused almost exclusively on rail shipments of certain highly toxic materials, in part, because of concerns about their security in transit and limited resources. However, other federal and industry assessments have identified additional potential security threats, including risks to critical infrastructure and cybersecurity. Although many stakeholders agreed with TSA's initial strategy, going forward TSA has agreed that including other identified threats in its freight rail security strategy is important, and reported that it is reconsidering its strategy to incorporate other threats. Additionally, in 2004, GAO reported that successful national strategies should identify performance measures with targets, among other elements. TSA's security strategy could be strengthened by including targets for three of its four performance measures and revising its approach for the other measure to ensure greater consistency in how performance results are quantified. Federal and industry stakeholders have also taken a range of actions to secure freight rail, many of which have focused on securing certain toxic material rail shipments and have been implemented by industry voluntarily; however, TSA lacks a mechanism to monitor security actions and evaluate their effectiveness, and new requirements could pose challenges for future security efforts. GAO's Standards for Internal Control in the Federal Government calls for controls to be designed to ensure ongoing monitoring. While the freight rail industry has taken actions to better secure shipments and key infrastructure, TSA has limited ability to assess the impacts of these actions because it lacks a mechanism to systematically track them and evaluate their effectiveness. Having such information could strengthen TSA's efforts to efficiently target its resources to where actions have not been effective. New, mandatory security planning and procedural requirements will also necessitate additional federal and industry efforts and resources, and may pose some implementation challenges for both federal and industry stakeholders. Federal and industry stakeholders have also taken a number of steps to coordinate their freight rail security efforts; however, federal coordination can be enhanced by more fully leveraging the resources of all relevant federal agencies. GAO previously identified a number of leading practices for effective coordination that could help TSA strengthen coordination with federal and private sector stakeholders. Tue, 21 Apr 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09449r.pdf Since 2001, Congress has provided the Department of Defense (DOD) with about $808 billion in supplemental and annual appropriations, as of March 2009, primarily for military operations in support of the Global War on Terrorism (GWOT). DOD's reported annual obligations for GWOT have shown a steady increase from about $0.2 billion in fiscal year 2001 to about $162.4 billion in fiscal year 2008. For fiscal year 2009, Congress provided DOD with about $65.9 billion in supplemental appropriations for GWOT as of March 2009 and the President plans on requesting an additional $75.5 billion in supplemental appropriations for GWOT for the remainder of the fiscal year. A total of $31.0 billion has been obligated in the first quarter of fiscal year 2009 through December 2008. The United States' commitments to GWOT will likely involve the continued investment of significant resources, requiring decision makers to consider difficult trade-offs as the nation faces an increasing long-range fiscal challenge. The magnitude of future costs will depend on several direct and indirect cost variables and, in some cases, decisions that have not yet been made. DOD's future costs will likely be affected by the pace and duration of operations, the types of facilities needed to support troops overseas, redeployment plans, and the amount of equipment to be repaired or replaced. DOD compiles and reports monthly and cumulative incremental obligations incurred to support GWOT in a monthly report commonly called the Contingency Operations Status of Funds Report. DOD leadership uses this report, along with other information, to advise Congress on the costs of the war and to formulate future GWOT budget requests. DOD reports these obligations by appropriation, contingency operation, and military service or defense agency. DOD has prepared monthly reports on the obligations incurred for its involvement in GWOT since fiscal year 2001. Section 1221 of the National Defense Authorization Act for Fiscal Year 2006 requires GAO to submit quarterly updates to Congress on the costs of Operation Iraqi Freedom and Operation Enduring Freedom based on DOD's monthly cost-of-war reports. This report, which responds to this requirement, contains our analysis of DOD's reported obligations for military operations in support of GWOT through December 2008. Specifically, we assessed (1) DOD's cumulative appropriations and reported obligations for military operations in support of GWOT and (2) DOD's fiscal year 2009 reported obligations from October 2008 through December 2008, the latest data available for GWOT by military service and appropriation account. As of December 2008, Congress has appropriated a total of about $808 billion primarily for GWOT operations since 2001. Of that amount, about $187 billion has been provided for fiscal year 2008 and about $65.9 billion has been appropriated for use in fiscal year 2009. DOD plans on requesting an additional $75.5 billion in supplemental funds for fiscal year 2009. DOD has reported obligations of about $685.7 billion for military operations in support of the war from fiscal year 2001 through fiscal year 2008 and for fiscal year 2009 (October through December 2008). The $122.3 billion difference between DOD's appropriations and reported obligations can generally be attributed to multiyear funding for procurement; military construction; and research, development, test, and evaluation from previous GWOT-related appropriations that have yet to be obligated; and obligations for classified and other items, which DOD considers to be non-GWOT related, that are not reported in DOD's costof- war reports. DOD's reported obligations for Operation Iraqi Freedom have consistently increased each fiscal year since operations began. The increases in reported obligations for Operation Iraqi Freedom are in part due to continued costs for military personnel, such as military pay and allowances for mobilized reservists, and for rising operation and maintenance expenses, such as higher contract costs for housing, food, and services and higher fuel costs. In contrast, DOD's reported obligations for Operation Noble Eagle have consistently decreased since fiscal year 2003, largely because of the completion of repairs to the Pentagon and upgrades in security at military installations that were onetime costs, as well as a reduction in combat air patrols and in the number of reserve personnel guarding government installations. Reported obligations for Operation Enduring Freedom have ranged from $10.3 billion to $20.1 billion each fiscal year since 2003. Recent increases in reported obligations for Operation Enduring Freedom are in part caused by higher troop levels in Afghanistan, the costs associated with training Afghan security forces, and the need to repair and replace equipment after several years of ongoing operations. DOD's reported obligations for Operation Iraqi Freedom have consistently increased each fiscal year since operations began. The increases in reported obligations for Operation Iraqi Freedom are in part due to continued costs for military personnel, such as military pay and allowances for mobilized reservists, and for rising operation and maintenance expenses, such as higher contract costs for housing, food, and services and higher fuel costs. In addition, the need to repair and replace equipment because of the harsh combat and environmental conditions in theater and the ongoing costs associated with the surge strategy announced in January 2007, which provided for the deployment of additional troops, have further increased obligations for Operation Iraqi Freedom. In contrast, DOD's reported obligations for Operation Noble Eagle have consistently decreased since fiscal year 2003, largely because of the completion of repairs to the Pentagon and upgrades in security at military installations that were onetime costs, as well as a reduction in combat air patrols and in the number of reserve personnel guarding government installations. Reported obligations for Operation Enduring Freedom have ranged from $10.3 billion to $20.1 billion each fiscal year since 2003. Recent increases in reported obligations for Operation Enduring Freedom are in part caused by higher troop levels in Afghanistan, the costs associated with training Afghan security forces, and the need to repair and replace equipment after several years of ongoing operations. Mon, 30 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09492.pdf Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives. TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA's threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials' associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments. Fri, 27 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09476t.pdf From fiscal year 2001 through July 2008, Congress provided more than $808 billion to the Department of Defense (DOD) for the Global War on Terrorism, including military operations in Iraq and Afghanistan. Moreover, since fiscal year 2003, about $49 billion has been provided to U.S. agencies for reconstruction and stabilization in Iraq and $32 billion for similar efforts in Afghanistan since fiscal year 2002. In February 2009, President Obama announced a new U.S. strategy for Iraq and plans to develop a new comprehensive strategy for Afghanistan. This statement is based on GAO's extensive body of work--more than 150 products since 2003--examining U.S. efforts in Iraq and Afghanistan. While U.S. efforts face unique circumstances in Iraq and Afghanistan, success in both countries depends on addressing three common challenges: (1) establishing and maintaining a basic level of security, (2) building a sustainable economic foundation, and (3) holding governments accountable for political commitments and building their capacity to govern. These challenges underscore the need for comprehensive U.S. strategies that optimize U.S. strategic interests, host country priorities, and the international community's resources and expertise. In Iraq, much U.S.-funded reconstruction took place prior to July 2007 in an environment of deteriorating security. Oil, electricity, and water projects were subject to insurgent attacks and threats, which raised costs and caused delays. While violence has declined, security conditions remain fragile, according to DOD. Iraq's oil resources provide a foundation for economic growth. However, Iraq's investment in infrastructure has been limited, despite budget surpluses. The government's limited capacity to deliver services poses a challenge as well. The United States has held the government to commitments to pass key legislation and hold elections, but further progress in reconciliation, such as legislation to share oil and gas revenues and resolve claims over disputed territories, is needed. In Afghanistan, a lack of security has put U.S.-funded infrastructure projects, development of Afghan security forces, and other efforts at risk. Projects have been delayed and costs increased. The drug trade helps finance the Taliban and other insurgents and contributes to instability. Given Afghanistan's poor economy, the country's development will depend on foreign assistance. The Afghanistan National Development Strategy, established with U.S. and international support, is underfunded and may not be financially viable. The Afghan government's lack of capacity also hinders the country from meeting its development goals. The ministries do not have the personnel with the expertise to maintain U.S. and other donor-financed infrastructure projects, and corruption exacerbates this problem. As it further defines and develops its strategies for Iraq and Afghanistan, the Administration should incorporate characteristics of an effective national strategy. Both strategies should clearly define the objectives of U.S. efforts and measures to assess progress; identify risks; estimate costs; and integrate U.S., international, and host country efforts. For example, the strategy for Iraq should clarify what conditions the United States expects to achieve to ensure that troops are drawn down responsibly. The U.S. strategy for Afghanistan should estimate the cost of helping the country implement its development strategy. It should also assess the risk to U.S. infrastructure investments if Afghanistan does not obtain the donor assistance and technical capacity to maintain them. Finally, U.S. strategies should guide the development and implementation of interagency operational plans and sector level plans. Wed, 25 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09294sp.pdf To assist the 111th Congress, this report presents a series of issue papers for consideration in developing congressional oversight agendas and determining the way forward in securing and stabilizing Iraq. These papers are based on the continuing work of the U.S. Government Accountability Office (GAO) and the more than 130 Iraq-related products we have issued since May 2003. Since fiscal year 2001, Congress has provided about $808 billion to the Department of Defense (DOD) for military efforts primarily in support of the Global War on Terrorism. The majority of this amount has been for military operations in support of Operation Iraqi Freedom. Moreover, since fiscal year 2003, about $49 billion has been provided to U.S. agencies for stabilization and reconstruction efforts in Iraq, including developing Iraq's security forces, enhancing Iraq's capacity to govern, and rebuilding Iraq's oil, electricity, and water sectors, among other activities. This report expands on issues discussed on GAO's transition Web site. In January 2007, President Bush announced The New Way Forward in Iraq to stem violence and enable the Iraqi government to foster national reconciliation. To support the strategy, the United States increased its military presence through a surge of brigade combat teams and associated forces. In June 2008, we reported that the United States had made some progress in reducing overall violence in Iraq and working with the Iraqi government to pass legislation promoting national reconciliation. In February 2009, President Obama described a new strategy for Iraq consisting of three parts: (1) the responsible removal of combat brigades, (2) sustained diplomacy on behalf of a more peaceful and prosperous Iraq, and (3) comprehensive U.S. engagement across the region. According to DOD, the United States plans to reduce the number of combat troops from about 140,000 projected in March 2009 to about 128,000 by September 2009--a difference of 12,000 troops representing two brigades and their support units. Under the schedule announced by the President, U.S. force levels would decline further by August 31, 2010, to no more than 50,000 troops. Under the November 2008 bilateral security agreement6 between the United States and Iraq, the United States must remove all of its remaining forces by December 31, 2011. Key issues that should be considered in further defining the new strategy and its supporting operational plans are as follows: (1) The security agreement establishes dates for repositioning U.S. forces in Iraq and removing them from the country--a significant change from the United States' prior, conditions-based strategy for Iraq. A responsible drawdown in Iraq will need to balance the timetable established in the security agreement, military doctrine that calls for the delineation of conditions that must exist before military operations can end, and the wishes of the Iraqi government. (2) If the United States adheres to the timetable contained in the security agreement, DOD will need to remove about 140,000 troops by the end of 2011. The redeployment of these forces and the removal of their equipment and material will be a massive and expensive effort. (3) The large U.S. military presence has provided vital support to civilian operations and has undertaken many traditionally civilian tasks. In moving forward, the United States will need to consider how to transition from a predominantly military presence to a civilian one as U.S. forces draw down. (4) As U.S reconstruction efforts end, Iraq will need to develop the capacity to spend its resources, particularly on investment that will further economic development and deliver essential services to its people. GAO estimates that the Iraqi government had a cumulative budget surplus of $47 billion at the end of 2008. Tue, 24 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d0963.pdf Given the global context of the war on drugs--coupled with growing recognition since September 11, 2001 (9/11), of the nexus between drug trafficking and terrorism--the mission of the Drug Enforcement Administration (DEA) and efforts to forge effective interagency partnerships and coordination are increasingly important. GAO was asked to examine, in the context of the post-9/11 environment, DEA's (1) priorities, (2) interagency partnerships and coordination mechanisms, and (3) strategic plan and performance measures. GAO reviewed DEA policy, planning, and budget documents and visited 7 of DEA's 21 domestic field offices and 3 of its 7 regional offices abroad-- sites selected to reflect diverse drug-trafficking threats, among other factors. GAO also contacted other relevant federal agencies-- including U.S. Immigration and Customs Enforcement (ICE) and U.S. Customs and Border Protection (CBP)--and various state and local partner agencies. Since 9/11, while continuing its primary mission of enforcing U.S. controlled substances laws, DEA has supported U.S. counterterrorism efforts by prioritizing narcoterrorism cases--drug-trafficking cases linked to terrorism-- and by implementing other policies and actions, such as collecting terrorismrelated intelligence from confidential informants and foreign partners. Also, DEA is using a new enforcement authority to pursue and arrest narcoterrorists--even those who operate outside the United States. Because most of the nation's illegal drug supply is distributed by Mexican drug organizations, DEA's partnerships and coordination with Department of Homeland Security (DHS) agencies that have border-related missions-ICE and CBP--are important. However, an outdated interagency agreement-and long-standing disputes involving ICE's drug enforcement role and DEA's oversight of that role--have led to conflicts and the potential for duplicative investigative efforts. Another interagency agreement, predating CBP's formation under DHS, has led to operational inefficiencies, as reflected in a bifurcated process for handling illegal drugs seized at the nation's borders. That is, drugs seized by CBP between ports of entry are to be referred to DEA, but drugs seized at ports of entry are to be referred to ICE. According to CBP, an updated agreement that specifies a standardized process would be more efficient and less confusing. Further, in conducting the war on drugs, an important interagency coordination mechanism is the Special Operations Division, a DEA-led intelligence center that targets the command and control capabilities of major drug-trafficking organizations. Another coordination mechanism is the Organized Crime Drug Enforcement Task Force (OCDETF) Fusion Center, which collects and analyzes drug-trafficking and related financial information and disseminates investigative leads. However, ICE is providing limited information to the Special Operations Division and is not participating in the OCDETF Fusion Center. As a result, according to DEA, these coordination entities are not as effective as they could be. Resolution of these interagency issues necessitates involvement by both the Attorney General and the Secretary of Homeland Security, given that their respective departments' component agencies have been unable to reach mutually acceptable agreements. Notably, because of links between drug trafficking and terrorism, DEA has established new partnerships with the Department of Defense (DOD), especially in Afghanistan, where they share intelligence and DOD provides airlift and other support for DEA operations. DEA's strategic plan has not been updated since 2003; also, DEA's annual performance plans do not provide results-focused measures for assessing the agency's post-9/11 activities, such as counterterrorism efforts. A current and comprehensive strategic planning and performance measurement framework would help to ensure accountability by providing crucial information to DEA's senior leadership for making management decisions and to the Congress and the administration for assessing program effectiveness. In February 2009, DOJ reported that it was reviewing DEA's updated strategic plan. Fri, 20 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09302.pdf Since September 11, 2001, Congress has provided about $808 billion to the Department of Defense (DOD) for the Global War on Terrorism (GWOT) in addition to funding in DOD's base budget. Prior GAO reports have found DOD's reported GWOT cost data unreliable and found problems with transparency over certain costs. In response, DOD has made several changes to its cost-reporting procedures. Congress has shown interest in increasing the transparency of DOD's cost reporting and funding requests for GWOT. Under the Comptroller General's authority to conduct evaluations on his own initiative, GAO assessed (1) DOD's progress in improving the accuracy and reliability of its GWOT cost reporting, and (2) DOD's methodology for reporting GWOT costs by contingency operation. For this engagement, GAO analyzed GWOT cost data and applicable guidance, as well as DOD's corrective actions. While DOD and the military services continue to take steps to improve the accuracy and reliability of some aspects of GWOT cost reporting, DOD lacks a sound approach for identifying costs of specific contingency operations, raising concerns about the reliability of reported information, especially on the cost of Operation Iraqi Freedom. Specifically, the department has undertaken initiatives such as requiring components to sample and validate their GWOT cost transactions and launching a new contingency cost-reporting system that will automate the collection of GWOT cost data from components' accounting systems and produce a new report comparing reported obligations and disbursements to GWOT appropriations data. Also, the military services have taken several steps to correct weaknesses in the reliability of their cost data. Limitations in DOD's approach to identifying the costs of Operation Iraqi Freedom and Operation Enduring Freedom may, in some cases, result in the overstatement of costs, and could lead to these costs being included in DOD's GWOT funding requests rather than the base budget. DOD guidance emphasizes the importance of accurately reporting the cost of contingency operations. However, while the Army and Marine Corps are capturing totals for procurement and certain operation and maintenance costs, they do not have a methodology for determining what portion of these GWOT costs are attributable to Operation Iraqi Freedom versus Operation Enduring Freedom and have reported all these costs as attributable to Operation Iraqi Freedom. In addition, the military services have reported some costs, such as those for Navy forward-presence missions, as part of Operation Iraqi Freedom or Operation Enduring Freedom, even though they are not directly attributable to either operation. In September 2005, DOD expanded the definition of incremental costs for large-scale contingencies, such as those for GWOT, to include expenses beyond direct incremental costs. This expanded definition provides no guidance on what costs beyond those attributable to the operation can be considered incremental and reported. Consequently, the military services have made their own interpretations as to whether and how to include costs not directly attributable to GWOT contingency operations. Without a methodology for determining what portion of GWOT costs is attributable to Operation Iraqi Freedom or Operation Enduring Freedom, reported costs for Operation Iraqi Freedom may be overstated. Furthermore, unless DOD reconsiders whether expenses not directly attributable to specific GWOT operations should be included as incremental costs, the military services may continue to include these expenses as part of Operation Iraqi Freedom and Operation Enduring Freedom, reported costs for both operations may be overstated, and DOD may continue to request funding for these expenses in GWOT funding requests instead of including them as part of the base budget. Expenses beyond those directly attributable to either operation may be more reflective of the enduring nature of GWOT and its cost implications should be part of the annual budget debate. Tue, 17 Mar 2009 00:00:00 -0400 http://www.gao.gov/new.items/d09275.pdf A key mission of the International Atomic Energy Agency (IAEA) is promoting the peaceful uses of nuclear energy through its Technical Cooperation (TC) program, which provides equipment, training, fellowships, and other services to its member states. The United States provides approximately 25 percent of the TC program's annual budget. This report addresses the (1) extent to which the United States and IAEA have policies limiting member states' participation in the TC program on the basis of nuclear proliferation and related concerns; (2) extent to which the United States and IAEA evaluate and monitor TC projects for proliferation concerns; and (3) any limitations and challenges in IAEA's management of the TC program. To address these issues, GAO interviewed relevant officials at the Departments of State (State) and Energy (DOE) and IAEA; analyzed IAEA, DOE, and national laboratory data; and assessed State and IAEA policies toward the TC program. Neither State nor IAEA seeks to systematically limit TC assistance to countries the United States has designated as state sponsors of terrorism--Cuba, Iran, Sudan, and Syria--even though under U.S. law these countries are subject to sanctions. Together, these four countries received more than $55 million in TC assistance from 1997 through 2007. In addition, TC funding has been provided to states that are not party to the Treaty on the Non-Proliferation of Nuclear Weapons (NPT)--India, Israel, and Pakistan--and neither the United States nor IAEA has sought to exclude these countriesfrom participating in the TC program. Finally, IAEA member statesare not required to complete comprehensive safeguards or additional protocol agreements with IAEA--which allow IAEA to monitor declared nuclear activities and detect clandestine nuclear programs--to be eligible for TC assistance, even though U.S. and IAEA officials have stressed the need for all countries to bring such arrangements into force as soon as possible. The proliferation concerns associated with the TC program are difficult for the United States to fully identify, assess, and resolve for several reasons. While State has implemented an interagency process to review proposed TC projects for proliferation risks, the effectiveness of these reviews is limited because IAEA does not provide the United States with sufficient or timely information on TC proposals. Of the 1,565 TC proposals reviewed by DOE and the U.S. national laboratories for possible proliferation risks from 1998 through 2006, information for 1,519 proposals, or 97 percent, consisted of only project titles. IAEA faces several limitations and challenges in effectively managing the TC program. First, the TC program's impact in meeting development and other needs of member states is unclear because IAEA has not updated and revised the program's performance metrics since 2002. Second, the TC program is limited by financial constraints, including the failure of many member states to pay their full share of support to the program's Technical Cooperation Fund (TCF). In 2007, the TCF experienced a shortfall of $3.5 million, or 4 percent, of the $80 million total target budget, because 62 member states did not pay their full expected contributions, including 47 states that made no payment at all. Furthermore, IAEA has not developed a policy for determining when countries should be graduated from receiving TC assistance, including those defined by the UN as high-income countries. Finally, the TC program's long-term viability is uncertain because of limitations in IAEA efforts to track how project results are sustained and because of shortcomings in strategies to develop new TC program partners and donors. Thu, 05 Mar 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0985.pdf Numerous incidents around the world have highlighted the vulnerability of commercial vehicles to terrorist acts. Commercial vehicles include over 1 million highly diverse truck and intercity bus firms. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary federal responsibility for ensuring the security of the commercial vehicle sector, while vehicle operators are responsible for implementing security measures for their firms. GAO was asked to examine: (1) the extent to which TSA has assessed security risks for commercial vehicles; (2) actions taken by key stakeholders to mitigate identified risks; and (3) TSA efforts to coordinate its security strategy with other federal, state, and private sector stakeholders. GAO reviewed TSA plans, assessments, and other documents; visited a nonrandom sample of 26 commercial truck and bus companies of varying sizes, locations, and types of operations; and interviewed TSA and other federal and state officials and industry representatives. TSA has taken actions to evaluate the security risks associated with the commercial vehicle sector, including assessing threats and initiating vulnerability assessments, but more work remains to fully gauge security risks. Risk assessment uses a combined analysis of threat, vulnerability, and consequence to estimate the likelihood of terrorist attacks and the severity of their impact. TSA conducted threat assessments of the commercial vehicle sector and has also cosponsored a vulnerability assessment pilot program in Missouri. However, TSA's threat assessments generally have not identified the likelihood of specific threats, as required by DHS policy. TSA has also not determined the scope, method, and time frame for completing vulnerability assessments of the commercial vehicle sector. In addition, TSA has not conducted consequence assessments, or leveraged the consequence assessments of other sectors. As a result of limitations with its threat, vulnerability, and consequence assessments, TSA cannot be sure that its approach for securing the commercial vehicle sector addresses the highest priority security needs. Moreover, TSA has not developed a plan or time frame to complete a risk assessment of the sector. Nor has TSA completed a report on commercial trucking security as required by the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act). Key government and industry stakeholders have taken actions to strengthen the security of commercial vehicles, but TSA has not assessed the effectiveness of federal programs. TSA and the Department of Transportation (DOT) have implemented programs to strengthen security, particularly those emphasizing the protection of hazardous materials. States have also worked collaboratively to strengthen commercial vehicle security through their transportation and law enforcement officials' associations, and the establishment of fusion centers. TSA also has begun developing and using performance measures to monitor the progress of its program activities to secure the commercial vehicle sector, but has not developed measures to assess the effectiveness of these actions in mitigating security risks. Without such information, TSA will be limited in its ability to measure its success in enhancing commercial vehicle security. While TSA has also taken actions to improve coordination with federal, state, and industry stakeholders, more can be done to ensure that these coordination efforts enhance security for the sector. TSA signed joint agreements with DOT and supported the establishment of intergovernmental and industry councils to strengthen collaboration. TSA and DOT completed an agreement to avoid duplication of effort as required by the 9/11 Commission Act. However, some state and industry officials GAO interviewed reported that TSA had not clearly defined stakeholder roles and responsibilities consistent with leading practices for collaborating agencies. TSA has not developed a means to monitor and assess the effectiveness of its coordination efforts. Without enhanced coordination with the states, TSA will have difficulty expanding its vulnerability assessments. Fri, 27 Feb 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09263sp.pdf Since 2002, destroying the terrorist threat and closing the terrorist safe haven along Pakistan's border with Afghanistan have been key national security goals. The United States has provided Pakistan, an important ally in the war on terror, with more than $12.3 billion for a variety of activities, in part to address these goals. About half of this amount has been to reimburse Pakistan for military-related support, including combat operations in and around the Federally Administered Tribal Areas (FATA). Despite 6 years of U.S. and Pakistani government efforts, al Qaeda has regenerated its ability to attack the United States and continues to maintain a safe haven in Pakistan's FATA. As the United States considers how it will go forward with efforts to assist Pakistan in securing, stabilizing, and developing its FATA and Western Frontier bordering Afghanistan, it is vital that efforts to develop a comprehensive plan using all elements of national power be completed and that continued oversight and accountability over funds used for these efforts are in place. This report provides background information on Pakistan; the status of U.S. government efforts to develop a comprehensive plan; and information on the goals, funding, and current status of U.S. efforts to use various elements of national power (i.e., military, law enforcement, development and economic assistance, and diplomacy) to combat terrorism in Pakistan. The scope of this report does not include the plans, goals, operations, activities, and accomplishments of the intelligence community. Mon, 23 Feb 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0957.pdf The nation's highway transportation system is vast and open--vehicles and their operators can move freely and with almost no restrictions. Securing the U.S. highway infrastructure system is a responsibility shared by federal, state and local government, and the private sector. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary responsibility for ensuring the security of the sector. GAO was asked to assess the progress DHS has made in securing the nation's highway infrastructure. This report addresses the extent to which federal entities have conducted and coordinated risk assessments; DHS has developed a risk-based strategy; and stakeholders, such as state and local transportation entities, have taken voluntary actions to secure highway infrastructure -- and the degree to which DHS has monitored such actions. To conduct this work, GAO reviewed risk assessment results and TSA's documented security strategy, and conducted interviews with highway stakeholders. Federal entities have several efforts underway to assess threat, vulnerability, and consequence--the three elements of risk--for highway infrastructure; however, these efforts have not been systematically coordinated among key federal partners and the results are not routinely shared. Several component agencies and offices within DHS and the Department of Transportation (DOT) are conducting individual risk assessment efforts of highway infrastructure vulnerabilities, and collectively have completed assessments of most of the critical highway assets identified in 2007. However, key DHS entities reported that they were not coordinating these activities or sharing the results. According to the National Infrastructure Protection Plan, TSA is responsible for coordinating risk assessment programs. Establishing mechanisms to enhance coordination of risk assessments among key federal partners could strengthen and validate assessments and leverage limited federal resources. DHS, through TSA, has developed and implemented a strategy to guide highway infrastructure security efforts, but the strategy is not informed by available risk assessments and lacks some key characteristics GAO has identified for effective national strategies. In May 2007, TSA issued the Highway Modal Annex, which is intended to serve as the principal strategy for implementing key programs for securing highway infrastructure. While its completion was an important first step to guide protection efforts, GAO identified a number of limitations that may influence its effectiveness. For example, the Annex is not fully based on available risk information, although DHS's Transportation Systems -Sector Plan and the National Infrastructure Protection Plan call for risk information to be used to guide all protection efforts. Lacking such information, DHS cannot provide reasonable assurance that its current strategy is effectively addressing security gaps, prioritizing investments based on risk, and targeting resources toward security measures that will have the greatest impact. GAO also identified a number of additional characteristics of effective national strategies that were missing or incomplete in the current Highway Modal Annex. Federal entities, along with other highway sector stakeholders, have taken a variety of actions to mitigate risks to highway infrastructure; however, DHS, through TSA, lacks a mechanism to determine the extent to which voluntary security measures have been employed to protect critical assets. Specifically, highway stakeholders have developed publications and training, conducted research and development activities, and implemented specific voluntary protective measures for infrastructure assets, such as fencing and cameras. However, TSA does not have a mechanism to monitor protective measures implemented for critical highway infrastructure assets, although TSA is tasked with evaluating the effectiveness and efficiency of federal initiatives to secure surface transportation modes. Without such a monitoring mechanism, TSA cannot determine the level of security preparedness of the nation's critical highway infrastructure. Fri, 30 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09184.pdf According to U.S. intelligence, the threat to U.S airspace remains. The North American Aerospace Defense Command (NORAD) is to defend U.S. air space and the U.S. Air Force has 18 sites in the United States that conduct air sovereignty alert (ASA) operations. ASA operations support fighter aircraft in conducting homeland air defense operations. GAO examined the extent to which (1) NORAD has adopted a risk-based management approach to determine ASA operational requirements; (2) the Air Force has implemented ASA operations as a steady-state mission in accordance with Department of Defense (DOD), NORAD, and Air Force directives and guidance; (3) the Air Force assesses the readiness of units conducting ASA operations; and (4) the Air Force faces challenges in sustaining ASA operations for the future and what plans, if any, it has to address such challenges. GAO reviewed relevant ASA guidance, directives, and planning documents; and interviewed DOD officials, including the commanders of all 18 ASA sites. Responding to individual requests from DOD, NORAD has done some assessments to determine ASA operational requirements. NORAD has not adopted a risk-based approach to determining ASA requirements, including routine risk assessments. Although GAO previously reported on the benefits to organizations that routinely do risk assessments to determine program requirements, NORAD does not conduct such assessments because DOD does not require NORAD to do so. However, such assessments could enhance NORAD's ability to determine and apply the appropriate levels and types of units, personnel, and aircraft for the ASA mission. The Air Force has not implemented ASA operations in accordance with DOD, NORAD, and Air Force directives and guidance, which instruct the Air Force to establish ASA as a steady-state (ongoing and indefinite) mission. The Air Force has not implemented the 140 actions it identified to establish ASA as a steady-state mission, which included integrating ASA operations into the Air Force's planning, programming, and funding cycle. The Air Force has instead been focused on other priorities, such as overseas military operations. While implementing ASA as a steady-state mission would not solve all of the challenges the units must address, it would help them mitigate some of the challenges associated with conducting both their ASA and warfighting missions. NORAD has partially assessed the readiness of ASA units; however the Air Force has not evaluated personnel, training, and quantity and quality of equipment. Readiness measures are designed to ensure that DOD forces are properly trained, equipped, and prepared to conduct their assigned missions. For example, while NORAD evaluated the extent to which aircraft were maintained for ASA operations and the units' ability to respond to an alert and to locate and intercept aircraft, it did not evaluate training. Because the Air Force has not implemented ASA as a steady-state mission or formally assigned the mission to the units, it does not assess ASA readiness. By assessing the readiness of units that consistently conduct ASA operations, DOD would be better assured that these units are organized, trained, and equipped to perform ASA operations. The Air Force faces two challenges to sustaining its ASA capabilities over the long term--(1) replacing or extending the service life of aging fighter aircraft and (2) replacing ASA units with equipment and trained personnel when they deploy. For example, if aircraft are not replaced by 2020, 11 of the 18 current air sovereignty alert sites could be without aircraft. The Air Force has not developed plans to mitigate these challenges because it has been focused on other priorities. Plans would provide the Air Force information that could assist it in ensuring the long-term sustainability of ASA operations and the capability of ASA units to protect U.S. airspace. Tue, 27 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09271.pdf The federal government is the world's largest and most complex entity, with about $3 trillion in outlays in fiscal year 2008 funding a broad array of programs and operations. GAO's biennial reports on high-risk areas, done since 1990, are meant to bring focus to specific areas needing added attention. Areas are identified, in some cases, as high risk due to their greater vulnerabilities to fraud, waste, abuse, and mismanagement. GAO also identifies high-risk areas needing broad-based transformation to address major economy, efficiency, or effectiveness challenges. In this 2009 update for the 111th Congress, GAO presents the status of high-risk areas listed in 2007 and identifies new high-risk areas warranting attention by Congress and the executive branch. Solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the public, strengthen confidence and trust in the performance and accountability of the U.S. government, and ensure the ability of government to deliver on its promises. In January 2007, GAO detailed 27 high-risk areas and, in March 2008, added a 28th--planning for the 2010 Census. In the last 2 years, progress has been made in most of the 27 areas, although the extent varies. Overall, federal departments and agencies, as well as Congress, have shown a continuing commitment to addressing high-risk challenges, including taking steps to help correct several of the problems' root causes. In particular, the Office of Management and Budget has led an initiative to work with agencies to develop corrective action plans for high-risk areas. GAO has determined that sufficient progress has been made to remove the high-risk designation from one area: the Federal Aviation Administration's (FAA) air traffic control modernization. Since 2007, FAA has continued to make progress in addressing the root causes of its past problems and has committed to sustaining this progress in the future. Continued attention from the executive branch and Congress is needed to make additional progress in other areas. This year, GAO is designating three new high-risk areas. The first new area is modernizing the outdated U.S. Financial Regulatory System. As a result of significant market developments that, in recent decades, have outpaced a fragmented and outdated regulatory structure, significant reforms to the U.S. regulatory system are critically and urgently needed. The current regulatory approach has significant weaknesses that if not addressed will continue to expose the U.S. financial system to serious risks. Determining how to create and implement a regulatory system that reflects new market realities is a key step to reducing the likelihood that our nation will experience another financial crisis similar to the current one. The second new area is protecting public health through enhanced oversight of medical products. Concerns have been expressed about FDA's ongoing ability to fulfill its mission of ensuring the safety and efficacy of drugs, biologics, and medical devices. GAO's work examining a variety of issues at FDA echoes the conclusions reached by others that the agency is facing significant challenges that compromise its ability to protect Americans from unsafe and ineffective products. FDA needs to, among other things, improve the data it uses to manage the foreign drug inspection program, conduct more inspections of foreign establishments, systematically prioritize and track promotional materials for review, and adopt management tools to ensure that drug sponsors comply with regulations on the presentation of clinical trial results. The third new area is transforming EPA's processes for assessing and controlling toxic chemicals. EPA does not have sufficient chemical assessment information to determine whether it should establish controls to limit public exposure to many chemicals that may pose substantial health risks. Actions are needed to streamline and increase the transparency of the Integrated Risk Information System and to enhance EPA's ability under the Toxic Substances Control Act to obtain health and safety information from the chemical industry. Thu, 22 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d09273.pdf By deploying armed air marshals onboard selected flights, the Federal Air Marshal Service (FAMS), a component of the Transportation Security Administration (TSA), plays a key role in helping to protect approximately 29,000 domestic and international flights operated daily by U.S. air carriers. GAO was asked to examine (1) FAMS's operational approach or "concept of operations" for covering flights, (2) to what extent this operational approach has been independently evaluated, and (3) the processes and initiatives FAMS established to address workforce-related issues. GAO analyzed documented policies and procedures regarding FAMS's operational approach and a July 2006 classified report based on an independent evaluation of that approach. Also, GAO analyzed employee working group reports and other documentation of FAMS's processes and initiatives for addressing workforce-related issues, and interviewed the FAMS Director, other senior officials, and 67 air marshals (selected to reflect a range in levels of experience). This report is the public version of a restricted report (GAO-09-53SU) issued in December 2008. Because the number of air marshals is less than the number of daily flights, FAMS's operational approach is to assign air marshals to selected flights it deems high risk--such as the nonstop, long-distance flights targeted on September 11, 2001. In assigning air marshals, FAMS seeks to maximize coverage of flights in 10 targeted high-risk categories, which are based on consideration of threats, vulnerabilities, and consequences. In July 2006, the Homeland Security Institute, a federally funded research and development center, independently assessed FAMS's operational approach and found it to be reasonable. However, the institute noted that certain types of flights were covered less often than others. The institute recommended that FAMS increase randomness or unpredictability in selecting flights and otherwise diversify the coverage of flights within the various risk categories. As of October 2008, FAMS had taken actions (or had ongoing efforts) to implement the Homeland Security Institute's recommendations. GAO found the institute's evaluation methodology to be reasonable. To address workforce-related issues, FAMS's previous director, who served until June 2008, established a number of processes and initiatives--such as working groups, listening sessions, and an internal Web site--for agency personnel to provide anonymous feedback to management on any topic. These efforts have produced some positive results. For example, FAMS revised its policy for airport check-in and aircraft boarding procedures to help protect the anonymity of air marshals in mission status, and FAMS adjusted its flight scheduling process for air marshals to support a better work-life balance. The air marshals GAO interviewed expressed satisfaction with FAMS efforts to address workforce-related issues. Further, the current FAMS Director, after being designated in June 2008 to head the agency, issued a broadcast message to all employees, expressing a commitment to continue applicable processes and initiatives. Also, FAMS has plans to conduct a workforce satisfaction survey of all employees every 2 years, building upon an initial survey conducted in fiscal year 2007. Although the 2007 survey indicated positive changes since the prior year, it was answered by 46 percent of the workforce, well short of the 80-percent response rate that the Office of Management and Budget (OMB) encourages for ensuring that results reflect the views of the target population. OMB guidance gives steps, such as extending the cut-off date for responding, that could improve the response rate of future surveys. Also, several of the 2007 survey questions were ambiguous, and response options were limited. Addressing these design considerations could enhance future survey results. Wed, 14 Jan 2009 00:00:00 -0500 http://www.gao.gov/new.items/d0939.pdf The Terrorism Risk Insurance Act of 2002 (TRIA) is credited with stabilizing insurance markets after the September 11, 2001, attacks by requiring insurers to offer terrorism coverage to commercial property owners (property/casualty insurance), and specifying that the federal government is liable for a large share of related losses. While TRIA covers attacks involving conventional weapons, insurers may use exceptions that may exclude coverage for attacks with nuclear, biological, chemical, or radiological (NBCR) weapons, which has raised concerns about the potential economic consequences of such attacks. TRIA's 2007 reauthorization directed GAO to review (1) the extent to which insurers offer NBCR coverage, (2) factors that contribute to the willingness of insurers to provide NBCR coverage, and (3) policy options for expanding coverage for NBCR risks. To do this work, GAO reviewed studies and reports and interviewed more than 100 industry participants about the availability of NBCR coverage in the market. GAO provided a draft of this report to the Department of the Treasury and the National Association of Insurance Commissioners (NAIC). Treasury and NAIC said that they found the report informative and useful. NAIC did express what it said was a philosophical difference of opinion with GAO's characterization of risk-based premiums for workers' compensation insurers. Consistent with the findings of a September 2006 GAO report on the market for NBCR terrorism insurance, property/casualty insurers still generally seek to exclude such coverage from their commercial policies. In doing so, insurers rely on long-standing standard exclusions for nuclear and pollution risks, although such exclusions may be subject to challenges in court because they were not specifically drafted to address terrorist attacks. Commercial property/casualty policyholders, including companies that own high-value properties in large cities, generally reported that they could not obtain NBCR coverage. Unlike commercial property/casualty insurers, insurers in workers' compensation, group life, and health lines reported generally providing NBCR coverage because states generally do not allow them to exclude these risks. Commercial property/casualty insurers generally remain unwilling to offer NBCR coverage because of uncertainties about the risk and the potential for catastrophic losses, according to industry participants. Insurers face challenges in reliably estimating the severity and frequency of NBCR attacks for several reasons, including accounting for the multitude of weapons and locations that could be involved (ranging from an anthrax attack on a single building to a nuclear explosion in a populated area) and the difficulty or perhaps impossibility of predicting terrorists' intentions. Without the capacity to reliably estimate the severity and frequency of NBCR attacks, which would be necessary to set appropriate premiums, insurers focus on determining worst-case scenarios (which with NBCR weapons can result in losses that would render insurers insolvent). For example, a nuclear detonation could destroy many insured properties throughout an entire metropolitan area. Workers' compensation, group life, and health insurers that generally cannot exclude NBCR coverage from their policies also face challenges in managing these risks. For example, workers' compensation insurers said they face challenges in setting premiums that they believe would cover the potential losses associated with an attack involving NBCR weapons. GAO reviewed two proposals that have been made to address the lack of NBCR coverage in the commercial property/casualty market. The first proposal, part of an early version of the bill to reauthorize TRIA in 2007, would have required insurers to offer NBCR coverage, with the federal government assuming a greater share of potential losses than it would for conventional attacks. Some industry participants supported this proposal because insurers otherwise would not offer NBCR coverage and because a substantial federal backstop was necessary to mitigate the associated risks. However, others said that some insurers might withdraw from the market if mandated to offer NBCR coverage, even with a substantial federal backstop. In a second proposal by some industry participants, the federal government would assume all potential NBCR risks through a separate insurance program and charge premiums for doing so. However, critics said the government might face substantial losses on such an NBCR insurance program because it might not be able to determine or charge appropriate premiums. Fri, 12 Dec 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0993.pdf Covering nearly 4,000 miles of land and water from Washington to Maine, the U.S.-Canadian border is the longest undefended border in the world. Various Department of Homeland Security (DHS) component agencies share responsibility for northern border security, primarily U.S. Customs and Border Protection (CBP), in collaboration with other federal, state, local, tribal, and Canadian entities. The Implementing Recommendations of the 9/11 Act of 2007 required the Secretary of Homeland Security to submit a report to Congress that addresses the vulnerabilities along the northern border, and provides recommendations and required resources to address them. The act also required GAO to review and comment on this report. In response to this mandate, GAO examined (1) the extent to which the DHS report to Congress is responsive to the legislative requirements and (2) actions that may be necessary to address northern border vulnerabilities in addition to the actions addressed in the report. To conduct this work, GAO reviewed DHS plans, reports, and other documents, and interviewed DHS officials. The DHS February 2008 report to Congress is not fully responsive to legislative requirements in providing information for improving northern border security. In particular, DHS provided a listing of northern border vulnerabilities and initiatives to address them, but did not include recommendations and additional resources that are needed to protect the northern border. DHS officials provided several reasons for the lack of specificity and gaps in reported information, including the fact that the component agencies' priorities for action and resources are reflected in the existing budget process, and that they had nothing further to recommend or request through this report. However, budget documents do not reflect the resources needed over time to achieve control of the northern border. The lack of this information makes it difficult for Congress to consider future actions and resources needed. DHS is developing northern border strategic plans and a risk-management process to help guide and prioritize action and resources, and fully implementing recommendations from past GAO evaluations would also provide benefit in addressing northern border security vulnerabilities. DHS is currently developing strategic plans that are intended to provide overall direction in addressing vulnerabilities in northern border security. DHS is also developing a risk-management process to assist in prioritizing efforts and resources that will provide greatest benefit to national security. DHS officials have said that the success of various pilot projects, such as DHS's testing of new technology, will likely change the level and mix of resources needed to protect the northern border. In the meantime, DHS could take action to reduce vulnerabilities by implementing recommendations made in past evaluations. DHS has implemented 11 GAO recommendations designed to improve border security, but 39 recommendations are yet to be fully addressed. Eighteen of these open recommendations were made within the last year. However, 21 recommendations for improving use of air and marine assets, improving screening processes at the ports of entry, and deploying nuclear detection equipment--which DHS and other agencies generally agreed to take action to implement--have remained open for at least 1 year and, in some cases, over 3 years. GAO believes these outstanding recommendations continue to have merit and should be implemented. Tue, 25 Nov 2008 00:00:00 -0500 http://www.gao.gov/new.items/d09105r.pdf Since the 1960s, classified satellite information collected by intelligence agencies has been used, from time to time, by federal civilian agencies and other non-intelligence entities for civil, scientific, and environmental purposes (such as mapping, disaster relief, and environmental research). These uses have historically been coordinated by the Civil Applications Committee (CAC) led by the U.S. Geological Survey, a component of the Department of the Interior. Following the events of September 11, 2001, attention has turned to information sharing as a key element in developing comprehensive and practical approaches to defending against potential terrorist attacks. Having information on threats, vulnerabilities, and incidents can help an agency better understand the risks and determine what preventive measures should be implemented. The ability to share such terrorism-related information can also unify the efforts of federal, state, and local government agencies, as well as the private sector in preventing or minimizing terrorist attacks. Exchanging terrorism-related information continues to be a significant challenge for federal, state, and local governments--one that we recognize is not easily addressed. Accordingly, since January 2005, we have designated information sharing for homeland security a high-risk area. Citing a growing need to use classified satellite information for civil or domestic purposes, in 2005, an independent study group reviewed the future role of the CAC and concluded that although the civil domestic users were well supported through the CAC, homeland security and law enforcement users lacked a coherent, organized, and focused process to access classified satellite information. In 2007, the Office of the Director of National Intelligence designated the Department of Homeland Security (DHS) as the executive agency and home of a newly created National Applications Office (NAO), whose mission would be to process requests for classified satellite information from, among others, nontraditional users of intelligence for civil, homeland security, and law enforcement purposes. DHS established a process whereby potential requesters for classified satellite information annually submit memorandums generally describing the information they plan to ask for, followed by a more detailed review of each actual request to ensure legal compliance. The Consolidated Appropriations Act, 2008, prohibited funds from being made available to commence operations of the NAO until the Secretary of Homeland Security certified that the program complies with all existing laws, including all applicable privacy and civil liberties standards, and that certification was reviewed by GAO. On April 9, 2008, in a letter to Members of Congress, the Secretary of the Department of Homeland Security certified that the NAO complies with all existing laws, including all applicable privacy and civil liberties standards. The Secretary also provided a charter for the office, privacy and civil liberties impact assessments, and NAO standard operating procedures. Our objectives were to determine the extent to which DHS justified its certification that the NAO complies with (1) all applicable laws, (2) privacy standards, and (3) civil liberties standards. Although the department has established procedures for legal review, it has not yet fully addressed all outstanding issues regarding how the planned operations of the NAO, as described in the department's certification documents, are to comply with legal requirements. Specifically, DHS has not resolved legal and policy issues associated with NAO support for law enforcement. The NAO charter states that requests for law enforcement domain uses (i.e., activities relating to enforcing criminal or civil laws or investigating violations thereof) will not be accepted by the NAO until interagency agreement is reached on unresolved legal and policy issues. An independent study group had determined that the legality of using satellite imagery of domestic subjects for law enforcement purposes raised difficult issues that had not been fully settled. Work has begun to address these issues, and the department now plans to recertify the NAO's compliance with all laws before accepting requests related to law enforcement. Recertification following the resolution of legal and policy concerns will be an important element in providing assurance that NAO operations are in compliance with all applicable laws. The DHS Privacy Office worked with NAO program officials to define privacy protections for the program and prepared a privacy assessment that discussed high-level privacy protections. Further, DHS has recently taken additional steps to justify its certification of compliance with privacy standards. The NAO civil liberties impact assessment identified a number of areas of potential concern regarding civil rights and civil liberties. Although the NAO program office addressed several of these issues--such as the need to develop and conduct training on civil liberties issues--the department has not indicated how the NAO would address other significant issues, including the potential for improper use or retention of intelligence information by customers and the potential for overly broad annual memorandums about customers' planned uses, which may facilitate the acceptance of requests that should be rejected. Thu, 06 Nov 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0949.pdf The events of September 11, 2001, and operations in Afghanistan and Iraq have made it critical for military units to identify individuals they encounter and share this information with other units and federal agencies. Biometrics are unique personal aspects such as fingerprints and iris images used to identify an unfamiliar person. Federal agencies with national security missions, such as the Departments of Homeland Security (DHS) and State (DOS), need access to certain biometrics data gathered by the Department of Defense (DOD). GAO was asked to determine to what extent (1) DOD has guidance on the biometrics data to be collected to support military activities, and (2) there may be gaps in biometrics information shared between DOD and DHS. This is a public version of a For Official Use Only report, GAO-08-430NI, issued in May 2008. GAO examined DOD's guidance for field collection of biometrics data, biometrics sharing agreements, and information on national level efforts to enhance data sharing. DOD has issued guidance on the biometrics data collected from individuals who are detained or allowed access to U.S. bases in Iraq, but has not issued guidance on data to be collected during field activities where U.S. forces encounter hostile or questionable individuals such as in Afghanistan and Iraq. DOD has allowed commanders to determine the type of data to collect, such as fingerprints or iris images, during their operations. GAO's analysis showed that allowing for this flexibility results in the collection of different data that are not necessarily comparable to each other. Some units may collect iris images while others collect fingerprints, which are not comparable data. Broader national security implications can arise, such as military personnel's inability to identify someone who has harmed or attempted to harm U.S. or coalition forces. These newly collected data are not necessarily comparable with data collected by other units or with federal databases that store biometrics data, such as the FBI's fingerprint database, DOD's biometric database, or the DHS biometric database. Having a standard set of data would help ensure consistent identification and confirmation of an individual's identity thus allowing forces to compare data across multiple databases in different commands. A standard set of data also would allow for comparison of new biometrics data collected in the field with existing biometrics data. DOD shares biometrics data that it collects on non-U.S. persons with other federal agencies through a variety of inter-agency agreements, but some gaps in data sharing may remain. Since the events of September 11, 2001, the President and Congress have issued policies that require agencies to share counterterrorism information, and agencies have in turn issued their own policies. National efforts to develop policies about such information sharing are still in development. In January 2007, the Deputy Secretary of Defense issued a memo that stated that DOD would immediately adopt the practice of sharing, when asked, unclassified DOD biometrics data records with other U.S. agencies that have counterterrorism missions--this includes data related to terrorism information but excludes data pertaining to U.S. persons. According to a DHS memorandum, DHS is not regularly receiving updates on certain types of DOD biometrics data that it could use. DHS officials told GAO they could use such data in various ways, such as to prohibit individuals from entering the United States who are determined to be inadmissible based on these data and other relevant information. GAO found that DHS officials are consulting with DOD on how to obtain additional biometrics data from DOD. Until national level policies are developed, opportunities to reduce gaps in national security through comprehensive data sharing may be lost unless remaining needs for biometrics data are identified and filled as appropriate and in accordance with U.S. laws and regulations and international agreements. Wed, 15 Oct 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081058.pdf Since September 11, 2001, the United States has established tools to address the threat to the U.S. financial system of money laundering and terrorist financing. One such tool is Section 311 of the USA PATRIOT Act of 2001, which authorizes the Secretary of the Treasury (Treasury) to prohibit U.S. financial institutions from maintaining certain accounts for foreign banks if they involve foreign jurisdictions or institutions found to be of primary money laundering concern. To make this finding, Treasury examines several factors and generally issues a proposed rule announcing its intent to apply Section 311 restrictions. GAO was asked to examine (1) the process used to implement Section 311 restrictions, (2) the process Treasury follows to finalize or withdraw a proposed rule, and (3) how Treasury assesses the impact of Section 311. GAO reviewed financial and investigative U.S. government documents and met with government officials and representatives of affected banks. Treasury's informal process to implement Section 311 was consistent with requirements in U.S. law. From 2002 to 2005, Treasury identified 11 cases--3 jurisdictions and 8 institutions--as being of primary money laundering concern and issued proposed rules for 10 of these cases. As required, Treasury consulted with the Departments of Justice and State prior to issuing the proposed rules. However, Justice and State officials said that it was difficult for them to effectively assess the evidence on some Section 311 cases because Treasury provided them limited time. In 2006, Treasury changed its process by forming an interagency working group to discuss potential threats to the U.S. financial system. But it is unclear if the new process addressed the agencies' concerns since Treasury has issued no Section 311 findings since 2005. Treasury determines whether to finalize or withdraw a proposed Section 311 rule by reviewing written comments and sometimes meeting with interested parties. The duration of a proposed rule is significant because U.S. financial institutions act immediately in response to its announcement. However, Treasury has taken years to complete this process in some cases. In April 2008, Treasury withdrew two of three notices--all open for between 3 and 5 years--after GAO discussed the cases with Treasury officials. Contributing to this lag was the absence of required timeframes for completing the action and of written guidance specifying a Treasury office to finalize the actions. Treasury views Section 311 as effective because it isolates target institutions from the U.S. financial system and encourages some foreign governments to strengthen their anti-money laundering authorities. However, some foreign government officials said that Section 311's implementation precluded their own enforcement or regulatory actions against targeted institutions as U.S. action was unilateral or provided too little information for them to act. Justice officials said that if Section 311's application is viewed as unsubstantiated, some countries may be less likely to cooperate with the U.S. government on other law enforcement matters or sanctions. Treasury officials recognized the concerns, but did not believe they diminished Section 311's effectiveness. Tue, 30 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081065.pdf The Department of Defense (DOD), in its response to unconventional threats from terrorists, uses biometrics technologies that identify physical attributes, including fingerprints and iris scans. However, coordinating the development and implementation of biometrics and ensuring interoperability across DOD has been difficult to achieve. Biometrics also is an enabling technology for identity management, a concept that seeks to manage personally identifiable information to enable improved governmentwide sharing and analysis of identity information. GAO was asked to examine the extent to which DOD has established biometrics goals and objectives, implementing guidance for managing biometrics activities, and a designated budget. To address these objectives, GAO reviewed documentation, including DOD biometrics policy and directives, and interviewed key DOD officials involved with making policy and funding decisions regarding biometrics. DOD established, in October 2006, the Principal Staff Assistant, who is the Director of Defense Research and Engineering, and an Executive Committee as part of its attempts to improve the management of its biometrics activities. However, as of August 2008, it had not established management practices that include clearly defined goals and objectives, implementing guidance that clarifies decision-making procedures for the Executive Committee, and a designated biometrics budget. First, while DOD has stated some general goals for biometrics, such as providing recognized leadership and comprehensive planning policy, it has not articulated specific program objectives, the steps needed to achieve those objectives, and the priorities, milestones, and performance measures needed to gauge results. Second, DOD issued a directive in 2008 to establish biometrics policy and assigned general responsibilities to the Executive Committee and the Principal Staff Assistant but has not issued implementing guidance that clarifies decision-making procedures. The Executive Committee is chaired by the Principal Staff Assistant and includes a wide array of representatives from DOD communities such as intelligence, acquisitions, networks and information integration, personnel, and policy and the military services. The Executive Committee is responsible for resolving biometrics management issues, such as issues between the military services and joint interests resulting in duplications of effort. However, the committee does not have guidance for making decisions that can resolve management issues. Past DOD reports have noted difficulties in decision making and accountability in the management of its biometrics activities. Third, DOD also has not established a designated budget for biometrics that links resources to specific objectives and provides a consolidated view of the resources devoted to biometrics activities. Instead, it has relied on initiative-by-initiative requests for supplemental funding, which may not provide a predictable stream of funding for biometrics. Prior GAO work on performance management demonstrates that successful programs incorporate such key management practices, and for several years, DOD reports and studies have also called for DOD to establish such practices for its biometrics activities. Similarly, a new presidential directive issued in June 2008 supports the establishment of these practices in addition to calling for a governmentwide framework for the sharing of biometrics data. DOD officials have said that DOD's focus has been on quickly fielding biometrics systems and maximizing existing systems to address immediate warfighting needs in Afghanistan and Iraq. This focus on responding to immediate warfighting needs and the absence of the essential management practices have contributed to operational inefficiencies in managing DOD's biometrics activities, such as DOD's difficulties in sharing biometrics data within and outside the department. For example, in May 2008 GAO recommended that DOD establish guidance specifying a standard set of biometrics data for collection during military operations in the field. These shortcomings may also impede DOD's implementation of the June 2008 presidential directive and the overall identity management operating concept. Fri, 26 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081108r.pdf Since the attacks of September 11, 2001, combating terrorism has been one of the nation's highest priorities. As part of that effort, preventing nuclear and radioactive material from being smuggled into the United States--perhaps to be used by terrorists in a nuclear weapon or in a radiological dispersal device (a "dirty bomb")--has become a key national security objective. On April 15, 2005, the president directed the establishment, within the Department of Homeland Security (DHS), of the Domestic Nuclear Detection Office (DNDO), whose duties include acquiring and supporting the deployment of radiation detection equipment. In October 2006, Congress enacted the SAFE Port Act, which made DNDO responsible for the development, testing, acquisition and deployment of a system to detect radiation at U.S. ports of entry. An important component of this system is the deployment of radiation portal monitors, large stationary detectors through which cargo containers and trucks pass as they enter the United States. Prior to DNDO's creation, another DHS agency--U.S. Customs and Border Protection (CBP)--managed programs for deployment of radiation detection equipment. In 2002, CBP began the radiation portal monitor project, deploying radiation detection equipment at U.S. ports of entry. This program initially deployed portal monitors, known as polyvinyl toluene monitors (PVT), and handheld detection technologies, such as radioactive isotope identification devices (RIID). CBP also established a system of standard operating procedures to guide its officers in the use of this equipment. Current procedures include conducting primary inspections with PVTs to detect the presence of radioactivity, and secondary inspections with PVTs and RIIDs to confirm and identify the source and determine whether it constitutes a threat. After its creation, DNDO assumed responsibility for the development, testing, and deployment of radiation detection equipment, while CBP maintained its role of operating the equipment at U.S. ports of entry. Currently deployed PVTs are capable of detecting radiation, but they have an inherent limitation because they are unable to identify specific radioactive isotopes and therefore cannot distinguish between dangerous and benign materials. CBP officers also use RIIDs to identify different types of radioactive material. However, RIIDs are limited in their ability to identify nuclear material. DNDO believes that these deficiencies may delay legitimate commerce at ports of entry, and that CBP may use an inordinate amount of inspection resources for radiation detection at the expense of other missions, such as drug interdiction. Our independent cost estimate suggests that from 2007 through 2017 the total cost of DNDO's program to equip U.S. ports of entry with radiation detection equipment will likely be about $3.1 billion, but could range from $2.6 billion to $3.8 billion. We based our estimate on the anticipated costs of DNDO implementing its 2006 project execution plan, the most recent official documentation of the program. According to this plan, DNDO will buy and deploy multiple types of ASPs, including those designed to screen rail cars, and airport and seaport cargo, as well as mobile ASPs--spectroscopic equipment mounted on vehicles--to provide greater flexibility in screening commerce. The project execution plan also targets several types of PVTs for purchase and deployment. DNDO's cost estimate of $2.1 billion to equip U.S. ports of entry with radiation detection equipment is unreliable because it omits major project costs and relies on a flawed methodology. For example, although the normal life expectancy of the standard cargo ASP is about 10 years, DNDO's estimate considers only 8 years--fiscal years 2006 through 2013. According to DNDO officials, OMB's budget submission software allows only a limited number of years of costs to be included. Furthermore, DNDO's cost estimate does not include all of the elements of the ASPs' life cycle, as it omits estimates for maintenance and operational sustainment of ASPs. Finally, contrary to OMB and DHS guidelines, DNDO did not provide detailed documentation of ASP costs, which raises questions about the adequacy and reliability of the agency's estimates. DNDO officials told us on several occasions during the course of our review the agency is no longer following the 2006 project execution plan. These officials told us the scope of the agency's current ASP deployment strategy has been reduced to only the standard cargo portal monitor. Although we repeatedly requested documentation of DNDO's current official deployment strategy, the agency did not provide such official information. In fact, DNDO officials continued to cite the 2006 project execution plan as the most recent official deployment documentation. In July 2008, the agency provided a 1-page spreadsheet of summary information outlining DNDO's current plans to buy and deploy ASPs and PVTs. Our analysis of these summary data indicates the total cost to deploy standard cargo portals over the period 2008 through 2017 will be about $2.0 billion, but could range from $1.7 billion to $2.3 billion. These data also indicate that between fiscal years 2008 and 2014, DNDO plans to deploy 717 ASP and 1,005 PVT standard cargo portals. Furthermore, agency officials acknowledged the program requirements that would have been fulfilled by the discontinued ASPs remain valid, including screening rail cars, airport cargo, and cargo at seaport terminals, but the agency has no current plans for how such screening will be accomplished. These officials told us the technology to accomplish these requirements likely will not be ASP monitors. We believe a comprehensive estimate of the cost to provide radiation detection equipment for U.S. ports of entry should account for meeting these objectives, even if DNDO decides that ASP technology is not suited to them. However, a DNDO official responsible for overseeing the agency's operations told us in August 2008 that DNDO's ASP deployment strategy could change dramatically depending on the outcome of ongoing ASP testing. In our view, it is difficult to assess the total costs of the ASP program because of the frequent changes in DNDO's deployment strategy. Furthermore, the Congress needs a complete understanding of DNDO's deployment strategy before approving additional ASP program funds. Mon, 22 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081128r.pdf Since 2001, Congress has provided the Department of Defense (DOD) with about $807 billion in supplemental and annual appropriations, as of September 2008, primarily for military operations in support of the Global War on Terrorism (GWOT). DOD's reported annual obligations for GWOT have shown a steady increase from about $0.2 billion in fiscal year 2001 to about $139.8 billion in fiscal year 2007. The United States' commitments to GWOT will likely involve the continued investment of significant resources, requiring decision makers to consider difficult trade-offs as the nation faces an increasing long-range fiscal challenge. The magnitude of future costs will depend on several direct and indirect cost variables and, in some cases, decisions that have not yet been made. DOD's future costs will likely be affected by the pace and duration of operations, the types of facilities needed to support troops overseas, redeployment plans, and the amount of equipment to be repaired or replaced. DOD compiles and reports monthly and cumulative incremental obligations incurred to support GWOT in a monthly Supplemental and Cost of War Execution Report. DOD leadership uses this report, along with other information, to advise Congress on the costs of the war and to formulate future GWOT budget requests. DOD reports these obligations by appropriation, contingency operation, and military service or defense agency. The monthly cost reports are typically compiled within the 45 days after the end of the reporting month in which the obligations are incurred. DOD has prepared monthly reports on the obligations incurred for its involvement in GWOT since fiscal year 2001. Section 1221 of the National Defense Authorization Act for Fiscal Year 2006 requires us to submit quarterly updates to Congress on the costs of Operation Iraqi Freedom and Operation Enduring Freedom based on DOD's monthly Supplemental and Cost of War Execution Reports. This report, which responds to this requirement, contains our analysis of DOD's reported obligations for military operations in support of GWOT through June 2008. Specifically, we assessed (1) DOD's cumulative appropriations and reported obligations for military operations in support of GWOT and (2) DOD's fiscal year 2008 reported obligations from October 2007 through June 2008, the latest data available for GWOT by military service and appropriation account. As of September 2008, Congress has appropriated a total of about $807 billion primarily for GWOT operations since 2001. Of that amount, about $187 billion has been provided for fiscal year 2008 and about $65.9 billion has been appropriated for use in fiscal year 2009. DOD will likely request additional funds for fiscal year 2009. DOD has reported obligations of about $594.9 billion for military operations in support of the war from fiscal year 2001 through fiscal year 2007 and fiscal year 2008 (October 2007 through June 2008). The $212.1 billion difference between DOD's appropriations and reported obligations can generally be attributed to certain fiscal year 2008 appropriations; multiyear funding for procurement, military construction, and research, development, test, and evaluation from previous GWOT-related appropriations that have yet to be obligated; and obligations for classified and other items, which DOD considers to be non-GWOT related, that are not reported in DOD's cost-of-war reports. This difference also includes the $65.9 billion appropriated for fiscal year 2009. As part of our ongoing work, we are reviewing DOD's rationale for reporting its GWOT related obligations. Mon, 15 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08982.pdf Since the September 2001 terrorist attacks, Congress has provided about $800 billion as of July 2008 to the Department of Defense (DOD) for military operations in support of the Global War on Terrorism (GWOT). GWOT budget requests have grown in scope and the amount requested has increased every year. DOD uses various processes and the Contingency Operations Support Tool (COST) to estimate costs for these operations and to develop budget requests. GAO assessed (1) how DOD uses COST and other processes to develop GWOT budget requests and (2) what actions DOD has taken to ensure COST adheres to best practices for cost estimation. GAO interviewed DOD officials and others to determine how the services develop GWOT budget requests using COST and other processes. GAO also used its Cost Assessment Guide as criteria for best practices for cost estimation. The services use COST as part of their process to develop a GWOT budget request. While the Army relies more on the estimate resulting from COST, the other services adjust the results of COST to reflect estimates they generate outside of COST, based on historical obligation data and other information. DOD's financial management regulation and other guidance require components to use COST to develop an estimate for the deployment and sustainment of military personnel and equipment for ongoing operations in support of GWOT. While all services use COST to develop an initial estimate, Air Force, Marine Corps, and Navy budget officials alter the results of the tool to match information provided by lower level commands and historical obligation data that they believe are more accurate than the COST-generated estimate. These officials stated that the tool routinely overestimates some costs and therefore most changes made are decreases in the amount estimated by COST. These officials believe that the requirement to use COST to develop a GWOT budget request is a duplicative process to their preferred method of using historical obligation data and other information better suited to their specific service. For example, they stated that COST better represents the needs of Army ground forces and the tool has not been refined to be as effective for estimating needs for their service's mission. These officials also mentioned that COST is better suited for developing estimates for smaller-scale contingency operations than for the lengthy deployments and sustainment phases associated with a large campaign such as GWOT. To develop estimates for items that are outside the scope of COST, such as procurement and certain contracts, the military services rely primarily on needs assessments developed by commanders and historical obligation data. DOD has taken steps to improve the performance and reliability of COST; however, COST could benefit from an independent review of the tool's adherence to best practices for high-quality cost estimation as described in GAO's Cost Assessment Guide. COST has been refined many times and cost factors are routinely updated in an effort to use the most current information available to develop an estimate. DOD officials stated they are confident in the tool's ability to provide reasonable estimates because COST is frequently updated. However, COST has not been assessed against best practices for cost estimation to determine whether COST can provide high-quality estimates that are well documented, comprehensive, accurate, and credible. While GAO did not undertake a full assessment of COST against best practices, it determined that some features of the tool meet best practices while other features would benefit from further review. For example, the tool adheres to several best practices for a comprehensive and accurate cost estimate, such as frequent updates to the structure of COST and the data the tool uses to generate estimates. However, COST relies on GWOT obligation data that GAO has identified as being of questionable reliability. A thorough, independent review of COST against best practices could provide decision makers with information about whether the tool creates cost estimates for GWOT expenses that are well documented, comprehensive, accurate, and credible. Mon, 15 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081057.pdf The Terrorism Risk Insurance Act of 2002 (TRIA) specifies that the federal government assume significant financial responsibility for insured losses on commercial properties resulting from future terrorist attacks. While TRIA has been credited with stabilizing markets for terrorism insurance after the September 11, 2001, attacks, questions remain as to whether certain policyholders, especially those located in large urban areas viewed as being at high risk of attack, may still face challenges in obtaining coverage. GAO was asked to conduct a study to describe (1) whether the availability of terrorism insurance for commercial properties is constrained in any geographic markets, (2) factors limiting insurers' willingness to provide coverage, and (3) advantages and disadvantages of selected public policy options to increase the availability of such insurance. To address these objectives, GAO analyzed available data and interviewed industry participants, including those with expertise in specific geographic markets considered to be at high, moderate, or low risk of attack (Atlanta, Boston, Chicago, New York, San Francisco, and Washington, D.C.). GAO provided a draft of this report to the Department of the Treasury and the National Association of Insurance Commissioners (NAIC). Treasury and NAIC said the report was informative and useful. While some owners of high-value properties in major cities may face initial challenges obtaining terrorism insurance coverage compared with most policyholders nationwide, they generally have reported that they could meet current coverage requirements through a variety of approaches. Many industry participants said that terrorism insurance is currently available nationwide at prices viewed as reasonable and that the TRIA program was a key reason for these favorable conditions. However, some policyholders that own large, high-value properties in densely built urban areas viewed as at high risk of attack, particularly in Manhattan and to a lesser extent in Chicago and San Francisco, may still face initial challenges obtaining desired amounts of coverage at prices viewed as reasonable, according to industry participants. To address these challenges, some policyholders purchased coverage from a large number of insurers, which can be a time-consuming and complicated process for policyholders and their insurance brokers. Others purchased coverage in a separate policy (rather than as part of an overall property insurance package) which may be more costly, or self-insured. While TRIA specifies that the federal government assume substantial financial responsibility for insured losses associated with future terrorist attacks, the steps insurers take to manage the risks they do face appear to be the primary reason some policyholders face challenges in obtaining coverage. Insurers said they seek to mitigate potential terrorism losses by limiting the amount of property coverage that they offered in specific areas of cities, such as downtown locations or areas considered to be at high risk of attack. These risk mitigation efforts generally make obtaining coverage more difficult or costly for policyholders with high-value properties in these areas, according to a variety of sources GAO contacted. Industry participants also said that the availability of reinsurance (insurance for insurers) and the views of rating agencies can limit the availability of coverage in such cities. Industry participants had no consensus on whether TRIA should be modified or additional actions taken to increase the availability of terrorism coverage, and identified advantages and disadvantages of selected policy proposals that have been included in legislation, discussed in prior GAO reports, or suggested by industry participants to increase such coverage. A proposal to increase the federal government's current responsibility under TRIA for the insured losses associated with a future attack could make insurers more willing to offer coverage in affected areas. For example, one large insurer said that the proposal might make the company more willing to immediately offer additional coverage in cities viewed as at high risk of attack. However, any such benefits might be limited for reasons including the widespread insurance market disruptions that may result from another attack. This proposal, along with several other proposals analyzed in the report, also would increase the federal government's exposure to the losses associated with terrorist attacks, which is already 85 percent of losses up to $100 billion annually, after an industry deductible. Mon, 15 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081136t.pdf Domestic air carriers are responsible for checking passenger names against terrorist watch-list records to identify persons who should be denied boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). The Transportation Security Administration (TSA) is to assume this function through its Secure Flight program. However, due to program delays, air carriers retain this role. This testimony discusses (1) TSA's requirements for domestic air carriers to conduct watch-list matching, (2) the extent to which TSA has assessed compliance with watch-list matching requirements, and (3) TSA's progress in developing Secure Flight. This statement is based on GAO's report on air carrier watch-list matching (GAO-08-992) being released today and GAO's previous and ongoing reviews of Secure Flight. In conducting this work, GAO reviewed TSA security directives and TSA inspections guidance and results, and interviewed officials from 14 of 95 domestic air carriers. TSA's requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar-name variations were to be considered. Thus, in interviews with 14 air carriers, GAO found inconsistent approaches to conducting similar-name matching, and not every air carrier reported conducting similar-name comparisons. In January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Thus, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching and reported that it planned to similarly revise the Selectee List security directive. While recognizing that the new baseline capability will not address all vulnerabilities, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watch-list matching and is a good interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA evaluated the capability of air carriers to identify names that were identical--but not similar--to those in terrorist watch-list records. Also, TSA's internal guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in only 61 of the 1,145 watch-list-related inspections that GAO reviewed. During the course of GAO's review, and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight efforts, it is too early to determine the extent to which TSA will provide oversight of air carriers' compliance with the revised security directives. In February 2008, GAO reported that TSA has made progress in developing Secure Flight but that challenges remained, including the need to more effectively manage risk and develop more robust cost and schedule estimates (GAO-08-456T). If these challenges are not addressed effectively, the risk of the program not being completed on schedule and within estimated costs is increased, and the chances of it performing as intended are diminished. TSA plans to begin assuming watch-list matching from air carriers in January 2009. Tue, 09 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08992.pdf Air carriers remain a front-line defense against acts of terrorism that target the nation's civil aviation system. A key responsibility of air carriers is to check passengers' names against terrorist watch-list records to identify persons who should be prevented from boarding (the No Fly List) or who should undergo additional security scrutiny (the Selectee List). Eventually, the Transportation Security Administration (TSA) is to assume this responsibility through its Secure Flight program. However, due to program delays, air carriers retain this role. You asked GAO to review domestic air carriers' watch-list-matching processes. GAO examined (1) the watch-list-matching requirements air carriers must follow that have been established by TSA, and (2) the extent to which TSA has assessed air carriers' compliance with these requirements. GAO reviewed TSA's security directives, internal guidance used by TSA's inspectors to assess air carriers' compliance with requirements, and inspection results, as well as interviewed staff from 14 of 95 domestic air carriers (selected to reflect a range in operational sizes). This report is the public version of a restricted report (GAO-08-453SU) issued in July 2008. TSA's requirements for domestic air carriers to conduct watch-list matching include a requirement to identify passengers whose names are either identical or similar to those on the No Fly and Selectee lists. Similar-name matching is important because individuals on the watch list may try to avoid detection by making travel reservations using name variations. According to TSA's Office of Intelligence, there have been incidents of air carriers failing to identify potential matches by not successfully conducting similar-name matching. However, until revisions were initiated in April 2008, TSA's security directives did not specify what types of similar-name variations were to be considered by air carriers. Thus, in interviews with 14 air carriers GAO found inconsistent approaches to conducting similar-name matching. Due to such inconsistency, a passenger could be identified as a match by one air carrier and not by another. In addition, not every air carrier reported conducting similar name comparisons. Further, in January 2008, TSA conducted an evaluation of air carriers and found deficiencies in their capability to conduct similar-name matching. Shortly thereafter, in April 2008, TSA revised the No Fly List security directive to specify a baseline capability for conducting watch-list matching, and TSA reported that it planned to similarly revise the Selectee List security directive. Because the baseline capability requires that air carriers compare only the types of name variations specified in the directive, TSA recognizes that the new baseline capability will not address all vulnerabilities. However, TSA emphasized that establishing the baseline capability should improve air carriers' performance of watch-list matching and, in TSA's view, is the best interim solution pending the implementation of Secure Flight. TSA has undertaken various efforts to assess domestic air carriers' compliance with watch-list matching requirements; however, until 2008, TSA had conducted limited testing of air carriers' similar-name-matching capability. In 2005, for instance, TSA conducted an evaluation to determine whether air carriers had the capability to identify names that were identical--but not similar--to those on the No Fly List. Also, regarding regularly conducted inspections, TSA's guidance did not specifically direct inspectors to test air carriers' similar-name-matching capability, nor did the guidance specify the number or types of name variations to be assessed. Records in TSA's database for regular inspections conducted during 2007 made reference to name-match testing in 61 of the 1,145 watch-list-related inspections that GAO reviewed. Without criteria or standards for air carriers to follow in comparing name variations, TSA did not have a uniform basis for assessing compliance and addressing deficiencies. However, during the course of GAO's review and prompted by findings of the evaluation conducted in January 2008, TSA reported that its guidance for inspectors would be revised to help ensure air carriers' compliance with security directives. Although TSA has plans to strengthen its oversight of air carriers' compliance with the revised security directives, it is too early to assess the extent of such oversight since TSA's efforts are ongoing and not completed. Tue, 09 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081038r.pdf In the years since the 2001 terrorist attacks, balancing the need to secure U.S. borders while maintaining the flow of legitimate cross-border travel and commerce has taken on an added importance. The United States and Canada share a border that extends nearly 4,000 miles, and one of the world's largest trading relationships. Each year, approximately 70 million travelers and 35 million vehicles cross the border from Canada into the United States, according to the Department of Homeland Security (DHS). Given the volume of cross-border travel and trade between the United States and Canada, border congestion and the resulting wait times have a substantial economic impact on both nations. Furthermore, according to an analysis by DHS, the heightened emphasis on border security following the 2001 terrorist attacks has lengthened processing time for travelers and cargo crossing into the United States. Recognizing the need to improve both border security and border-crossing efficiency, the United States and Canada have cooperated on various cross-border management initiatives intended to increase the flow of legitimate travel across the border while maintaining security. For example, to facilitate the travel of low-risk prescreened individuals across the northern border, the United States and Canada jointly operate the NEXUS program. The NEXUS program allows registered border residents and frequent cross-border travelers identified as low-risk individuals access to dedicated lanes and expedited processing with minimal inspection. The United States and Canada also coordinate on border law enforcement programs such as the Integrated Border Enforcement Team Program (IBET), which is a bi-national, multi-agency law enforcement initiative that (1) provides, where necessary, support to national security investigations associated to the Canada/United States border and (2) investigates illegal cross-border activities. A key collaborative effort to improve security and relieve congestion at the ports of entry across the northern border is to move customs and immigration inspection activities away from the border--a concept known as "land preclearance" or "shared border management." In December 2004, the United States and Canada announced that the two governments had agreed to move forward with a land preclearance pilot project at the Buffalo, New York-Fort Erie, Ontario Peace Bridge and at one other border crossing site along the northern border, which had not yet been determined. The land preclearance pilot project flowed from the 2001 Smart Border Declaration and its associated action plan, which was meant to enhance the security along the northern border while facilitating information sharing and the legitimate flow of people and goods, and securing infrastructure. The preclearance pilot at the Peace Bridge would involve the relocation of all U.S. border inspection operations for both commercial and passenger traffic from the U.S. side of the border in Buffalo, New York, to the Canadian side of the border in Fort Erie, Ontario. From 2005 to 2007, the United States and Canada were engaged in negotiations to implement land preclearance at the Buffalo-Fort Erie Peace Bridge ports of entry. However, in April 2007, these negotiations were officially terminated by DHS. Section 566 of the 2008 DHS Appropriations Act mandates that we conduct a study on DHS's use of shared border management to secure the borders of the United States. In accordance with the mandate and discussions with Committee staff, this report addresses the following questions: (1) What negotiations have been conducted by the Department of Homeland Security regarding the shared border management pilot project? (2) What issues led to the termination of shared border management negotiations? From 2005 to 2007, the United States and Canada were engaged in negotiations to implement a land preclearance pilot project (also referred to as "shared border management"), which would have relocated the U.S. border inspection facility from the Buffalo, New York, side of the Peace Bridge to the Fort Erie, Ontario, side. All CBP inspections and operations would then take place before travelers and cargo entered the United States. The Peace Bridge site was selected for the pilot because it is one of the busiest commercial crossings between the United States and Canada, yet the existing border infrastructure at the Peace Bridge contributes to a number of security and border crossing inefficiencies, according to DHS. Specifically, DHS had concluded that the U.S. inspection facility, which is located near the center of downtown Buffalo, is outdated, undersized, and lacks the modern amenities a port of its size should have to operate efficiently and securely. The facility is located on 17 acres of land, as opposed to the 80 acres that CBP recommends for a large port of entry. DHS has reported that additional inspection space is needed to address these infrastructure issues, but there is no easily available land adjacent to the facility in Buffalo. On the Canadian side of the Peace Bridge in Fort Erie, there are approximately 70 acres of land available on which the U.S. inspection facility could have been co-located with Canadian inspection facilities. In April 2007, DHS officially terminated negotiations with Canada because a mutually acceptable framework for United States-Canada shared border management could not be reached. Officials from both countries agreed that negotiations were conducted in good faith, and the two governments were able to reach accommodations on several key issues raised during the negotiations, such as the approval of all of the authorities Canada sought for its U.S.-based preclearance area, and the arming of CBP officers at the preclearance site on Canadian soil. However, certain issues pertaining to each country's sovereignty and the law enforcement authorities of U.S. CBP officers operating on Canadian soil could not be resolved. These issues included concerns over arrest authority; the right of individuals to withdraw an application to enter the United States while at the land preclearance site in Canada; mutually agreeable fingerprinting processes; how information collected by U.S. officials at the land preclearance site would be shared; and concerns that future interpretations of the Canadian Charter could adversely impact U.S. authorities at the preclearance site. Thu, 04 Sep 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08851.pdf The Department of Defense (DOD) established the Defense Critical Infrastructure Program (DCIP) to assure the availability of mission-critical infrastructure, including surface, sea, and air transportation assets to carry out its missions. GAO was asked to evaluate (1) the extent to which the U.S. Transportation Command (TRANSCOM) has identified, prioritized, and assessed critical transportation assets; (2) the extent to which DOD installation personnel have taken actions to help assure the availability of critical transportation assets, both within and independent of DCIP; and (3) how DOD is funding critical transportation asset assurance. GAO examined a nonprojectable sample of 22 critical transportation assets, reviewed relevant DOD guidance and documents, and interviewed cognizant officials. TRANSCOM has taken some actions to identify, prioritize, and assess its critical transportation assets but, according to officials from the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]), its methodology for doing so, until recently, has been inconsistent with the intent of DOD's various DCIP guidance and with the approach adopted by some of the other combatant commands and military services. TRANSCOM considers entire installations--military air bases, seaports, and commercial airports--as critical assets, rather than identifying assets with greater specificity, such as individual runways, navigation aids, and fuel storage facilities. This methodology diminishes the reliability of the critical transportation asset list, a condition that impedes DOD's ability to prioritize its critical assets departmentwide and effectively target spending on risk-reduction efforts. Further, TRANSCOM was using its vulnerability assessments to identify specific critical transportation assets on the installations. This practice conflicts with DOD's DCIP guidance not to use vulnerability assessments to identify critical assets. Though TRANSCOM officials stated that they now plan to discontinue this practice, they were unable to provide ASD(HD&ASA) or GAO with any documentation to confirm that this decision had occurred officially. Further, TRANSCOM's memorandum of understanding with the Joint Staff to participate as transportation subject matter experts on the Joint Staff's vulnerability assessments with a DCIP module is still in draft. In May 2008, TRANSCOM officials told GAO that they now plan to use the draft DCIP critical asset identification process to reevaluate its 300 identified critical transportation assets; however, a timeline to complete this has not yet been determined. DOD installation personnel at the 22 sites GAO visited have taken actions to help assure the availability of critical transportation assets; however, these actions have routinely occurred independent of DCIP. Consequently, they do not consider the full spectrum of threats and hazards and they tend to focus on preventing mass personnel casualties instead of critical asset assurance. DCIP's impact at the installations where the assets are located was negligible because of the lack of service-specific guidance. This gap in guidance hinders installation personnel's ability to make informed risk management decisions based on asset criticality. Coordination efforts between installation personnel and non-DOD owners of critical transportation assets and supporting public works infrastructure were substantial, but have been focused on the protection of people and not on asset assurance. DOD has allocated approximately $283 million for DCIP from fiscal years 2004 to 2008, including $8.6 million to TRANSCOM for its combatant command and defense sector responsibilities. Critical infrastructure assurance efforts also have been funded through other DOD complementary programs, such as the Antiterrorism Program, and through foreign government contributions. Although existing DCIP funding does not include funding for remediating asset vulnerabilities, remediation has been funded from these other sources. Fri, 15 Aug 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08538.pdf Oceangoing cargo containers play a vital role in global trade but can also pose a risk of terrorist exploitation. U.S. Customs and Border Protection (CBP), part of the Department of Homeland Security (DHS), oversees security of the supply chain--the flow of goods from manufacturer to retailer. CBP anticipates that adoption of uniform, international customs security standards could eventually lead to a system of mutual recognition whereby the customs security-related practices and programs taken by one customs administration are recognized and accepted by another administration. In response to congressional requesters, GAO determined (1) actions CBP has taken to develop and implement international supply chain security standards, (2) actions CBP has taken with international partners to achieve mutual recognition of customs security practices, and (3) issues CBP and foreign customs administrations anticipate in implementing 100 percent scanning of U.S.-bound container cargo. To conduct its work, GAO analyzed CBP documents on supply chain security programs and international cooperation initiatives and met with CBP officials and foreign customs officials from various trading partner nations. Also, GAO drew upon its related reports and testimony on supply chain security issued earlier this year--GAO-08-187 (Jan. 25), GAO-08-240 (Apr. 25), and GAO-08-533T (June 12). DHS provided technical comments on a draft of this report, which GAO incorporated where appropriate. To develop and implement international supply chain security standards, CBP has taken a lead role in working with foreign customs administrations and the World Customs Organization (WCO). Through the Container Security Initiative (CSI), CBP places staff at foreign seaports to work with host nation customs officials to identify high-risk container cargo bound for the United States, and through the Customs-Trade Partnership Against Terrorism (C-TPAT), CBP forms voluntary partnerships to enhance security measures with international businesses involved in oceangoing trade with the United States. In collaboration with 11 other members of the WCO, CBP developed the Framework of Standards to Secure and Facilitate Global Trade (SAFE Framework), which is based in part on the core concepts of the CSI and C-TPAT programs and provides standards for collaboration among customs administrations and entities participating in the supply chain. The SAFE Framework was adopted by the 173 WCO member customs administrations in June 2005; and as of July 2008 154 had signed letters of intent to implement the standards. CBP has actively engaged with international partners to define and achieve mutual recognition of customs security practices. Broadly, for example, CBP contributed to development of the SAFE Framework, which calls for a system of mutual recognition. More specifically, in June 2007, CBP signed a mutual recognition arrangement with New Zealand--the first such arrangement in the world--to recognize each other's customs-to-business partnership programs. Furthermore, in June of this year, CBP signed mutual recognition agreements with Jordan and Canada. By early 2009, CBP anticipates obtaining a mutual recognition agreement with the European Commission, which represents the 27 member nations of the European Union. CBP actively engages in the implementation of international customs security standards, however recent law, such as The Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act) requiring that 100 percent of U.S.-bound container cargo be scanned at foreign seaports--using a nonintrusive inspection process involving equipment such as X-rays and radiation detection equipment--may affect worldwide adoption of international supply chain security standards. CBP and some foreign partners have stated that unless additional resources are made available, 100 percent scanning could not be met. Given limited resources, CBP and European custom administration officials said that 100 percent scanning may provide a lower level of security if customs officers are diverted from focusing on high-risk container cargo. Under the current risk-management system, for example, the scanned images of high-risk containers are to be reviewed in a very detailed manner. However, according to WCO and industry officials, if all containers are to be scanned, the reviews may not be as thorough. Further, a European customs administration reported that 100 percent scanning could have a negative impact on the flow of commerce and also would affect trade with developing countries disproportionately. Fri, 15 Aug 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08887sp.pdf The United States and the international community have stressed that a coordinated response is required to address the global threat from transnational terrorism. Multilateral engagements provide opportunities to foster relationships with traditional and nontraditional partner countries. Partnerships also can raise common awareness of the threat and build the trust necessary to share information that could prevent and detect terrorist acts. GAO convened a forum on April 22, 2008, to advance the dialogue on how partnerships can mitigate the conditions that foster transnational terrorism and to identify potential strategies for overcoming challenges faced in engaging in such partnerships. Participants included representatives from U.S. government agencies, foreign embassies, nongovernmental and multilateral organizations, policy institutes, the private sector, and academia. The forum focused on (1) the partnership efforts and key practices of the U.S. government and its partners, (2) challenges to these efforts and practices, and (3) strategies to overcome the challenges. Comments expressed during the proceedings do not necessarily represent the views of all participants, the organizations they represent, or GAO. Participants reviewed a draft of this summary, and their comments were incorporated, as appropriate. Forum participants discussed the types of partnerships or initiatives they have engaged in to counter the enabling environment that fosters transnational terrorism. Some of the partnership activities that participants cited include information sharing, training and capacity building, dialogue and education on counterterrorism, and conducting on-the-ground assessments. A few participants voiced concerns that certain labels for partnership programs could limit program effectiveness. Some participants also described characteristics of effective partnerships, such as shared objectives and common understanding of terminology. Participants identified and ranked the challenges they currently face or have perceived in their partnerships to combat transnational terrorism. The top five challenges were (1) cultural differences and lack of trust, (2) differences in political views/foreign policy objectives, (3) differences in relationships with states from which extremists emerge, (4) lack of funding, and (5) lack of consensus about the underlying causes of terrorism. Participants discussed strategies for overcoming some of the challenges. A few participants suggested that funding for counterterrorism programs and activities be made more flexible, so that it could be allocated where needed and have the most impact. Some participants indicated it would be helpful to gain a better understanding of extremist ideologies and the underlying causes of terrorism before making decisions about funding. A few participants also mentioned that knowledge and "practical capacity" in countering terrorism need to be integrated, so that the United States and its partners can gain a better understanding of extremism and current adversaries. Thu, 31 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08860.pdf In fiscal year 2005, the Trans-Sahara Counterterrorism Partnership (TSCTP) was established to eliminate terrorist safe havens in northwest Africa by strengthening countries' counterterrorism capabilities and inhibiting the spread of extremist ideology. Funds obligated for TSCTP in fiscal years 2005 through 2007 and committed for fiscal year 2008 by the Department of State (State), the U.S. Agency for International Development (USAID), and the Department of Defense (DOD) have amounted to about $353 million for activities in nine partner countries. In this report, GAO examines (1) the distribution of funds for TSCTP and the types of activities supported and (2) the program's implementation, including the extent to which it is guided by a comprehensive, integrated strategy. GAO has reported previously on the need for a strategy that includes priorities and milestones that can help agencies collaborate in combating terrorism. GAO analyzed TSCTP-related documents and conducted work in Mali, Morocco, and Mauritania. In fiscal years 2005 through 2007, State, USAID, and DOD distributed about 74 percent of their obligations for TSCTP to Chad, Mali, Mauritania, and Niger; about 3 percent to Algeria, Morocco, and Tunisia; and about 8 percent to Nigeria and Senegal. The remaining 15 percent was distributed through regional assistance, such as military exercises in multiple partner countries. The agencies expected to distribute about half of total funds committed for TSCTP for fiscal year 2008 to Chad, Mali, Mauritania, and Niger and the remainder among the other countries. State, USAID, and DOD have supported a wide range of diplomacy, development assistance, and military activities aimed at strengthening partner countries' counterterrorism capacity and inhibiting the spread of extremist ideology. For example, State--the lead agency for TSCTP--has hosted educational programs intended to marginalize violent extremists; USAID supported efforts to improve education and health; and DOD has provided counterterrorism training in marksmanship and border patrol to the militaries of partner countries. Several factors have hampered the key agencies' implementation of TSCTP activities, in some cases limiting their ability to collaborate in working to combat terrorism. First, the agencies lack a comprehensive, integrated strategy for their TSCTP activities, and the documents used in planning the activities do not prioritize proposed activities or identify milestones needed to measure progress or make improvements. Second, disagreements about whether State should have authority over DOD personnel temporarily assigned to conduct TSCTP activities in partner countries have led to DOD's suspending some activities, for example, in Niger. Third, fluctuation in State's and USAID's distribution of funds for TSCTP resulted in suspension of a peace-building program in Mali. Fourth, although the agencies measure activities' outputs, such as the number of foreign military personnel trained, they do not measure their activities' outcomes in combating terrorism--for instance, any decrease in extremism in the targeted countries. Thu, 31 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08588.pdf Cyber analysis and warning capabilities are critical to thwarting computer-based (cyber) threats and attacks. The Department of Homeland Security (DHS) established the United States Computer Emergency Readiness Team (US-CERT) to, among other things, coordinate the nation's efforts to prepare for, prevent, and respond to cyber threats to systems and communications networks. GAO's objectives were to (1) identify key attributes of cyber analysis and warning capabilities, (2) compare these attributes with US-CERT's current capabilities to identify whether there are gaps, and (3) identify US-CERT's challenges to developing and implementing key attributes and a successful national cyber analysis and warning capability. To address these objectives, GAO identified and analyzed related documents, observed operations at numerous entities, and interviewed responsible officials and experts. Cyber analysis and warning capabilities include (1) monitoring network activity to detect anomalies, (2) analyzing information and investigating anomalies to determine whether they are threats, (3) warning appropriate officials with timely and actionable threat and mitigation information, and (4) responding to the threat. GAO identified 15 key attributes associated with these capabilities. While US-CERT's cyber analysis and warning capabilities include aspects of each of the key attributes, they do not fully incorporate all of them. For example, as part of its monitoring, US-CERT obtains information from numerous external information sources; however, it has not established a baseline of our nation's critical network assets and operations. In addition, while it investigates if identified anomalies constitute actual cyber threats or attacks as part of its analysis, it does not integrate its work into predictive analyses. Further, it provides warnings by developing and distributing a wide array of notifications; however, these notifications are not consistently actionable or timely. US-CERT faces a number of newly identified and ongoing challenges that impede it from fully incorporating the key attributes and thus being able to coordinate the national efforts to prepare for, prevent, and respond to cyber threats. The newly identified challenge is creating warnings that are consistently actionable and timely. Ongoing challenges that GAO previously identified, and made recommendations to address, include employing predictive analysis and operating without organizational stability and leadership within DHS, including possible overlapping roles and responsibilities. Until US-CERT addresses these challenges and fully incorporates all key attributes, it will not have the full complement of cyber analysis and warning capabilities essential to effectively performing its national mission. Thu, 31 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08637t.pdf In 2005, GAO placed the issue of information sharing for homeland security on its high-risk list of federal functions needing broad-based transformation and since then has monitored the government's progress in resolving barriers to sharing. This testimony discusses three key information sharing efforts: (1) the actions that have been taken to guide the design and implementation of the Information Sharing Environment (ISE) and to report on its progress, (2) the characteristics of state and local fusion centers and the extent to which federal efforts are helping to address some of the challenges centers reported, and (3) the progress made in developing streamlined policies and procedures for designating, marking, safeguarding, and disseminating sensitive but unclassified information. This testimony is based on GAO's products issued from March 2006 through July 2008 and selected updates conducted in July 2008. In a report being released today, GAO concludes that the ISE, under the leadership of a designated Program Manager, has had a measure of success, but lacks a road map for guiding the ISE, ensuring accountability, and assessing progress. The Program Manager's Office issued an implementation plan in November 2006 to guide the design of the ISE, has carried out a number of steps in that plan, and has leveraged existing efforts and resources agencies independently pursued for improving information sharing. However, this plan lacks important elements essential to effectively implement the ISE. Gaps exist in (1) defining the ISE's scope, such as determining all the terrorism-related information that should be part of the ISE; (2) clearly communicating and distinguishing the role of the Program Manager and other stakeholders; and (3) determining the results to be achieved by the ISE (that is, how information sharing is improved) along with associated milestones, performance measures, and the individual projects. Two annual reports on progress have been issued. Each identifies annual goals and individual ISE efforts, but neither reports on the extent to which the ISE has improved information sharing. GAO reported in October 2007 that fusion centers, established by states and localities to collaborate with federal agencies to improve information sharing, vary widely but face similar challenges--especially related to funding and sustaining operations--that the federal government is helping to address but are not yet resolved. While the centers varied in their level of maturity, capability, and characteristics, most fusion centers focused on processing information on crimes and hazards, as well as terrorism-related information. Fusion center officials reported facing challenges such as obtaining specific, clear guidance and training; obtaining and retaining qualified personnel; and securing funding for center operations over the long term. The Department of Homeland Security and the Federal Bureau of Investigation were helping to address these challenges by, for example, providing technical assistance and training, personnel, and grant funding. Also, legislation has been proposed to clarify how funding may be used to hire and retain intelligence analysts. Although the myriad of sensitive but unclassified designations has been a long-standing problem, progress has been made in establishing processes for designating, marking, safeguarding, and disseminating this information. In March 2006, GAO reported that each federal agency determined sometimes inconsistent designations to apply to its sensitive but unclassified information and this could lead to challenges in information sharing, such as confusion on how to protect the information. Thus, GAO recommended that the Directors of National Intelligence and the Office of Management and Budget issue a policy that consolidates sensitive but unclassified designations. In a May 2008 memorandum, the President adopted "controlled unclassified information" (CUI) to be the single categorical designation for sensitive but unclassified information throughout the executive branch and provided a framework for designating, marking, safeguarding, and disseminating CUI. Wed, 23 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081021t.pdf In January 2007, the President announced a new U.S. strategy to stem the violence in Iraq and help the Iraqi government foster conditions for national reconciliation. In The New Way Forward, the Administration articulated near-term goals to achieve over a 12- to 18-month period and reasserted the end state for Iraq: a unified, democratic, federal Iraq that can govern, defend, and sustain itself and is an ally in the war on terror. To support this strategy, the United States increased its military presence and financial commitments for Iraq operations. This testimony discusses (1) progress in meeting key security, legislative, and economic goals of The New Way Forward; and (2) past and current U.S. strategies for Iraq and the need for an updated strategy. GAO reviewed documents and interviewed officials from U.S. agencies, MNF-I, the UN, and the Iraqi government. GAO also had staff stationed in Baghdad. Since 2003, GAO has issued about 140 Iraq-related products, which provided baseline information for this assessment. The United States has made some progress in achieving key goals stated in The New Way Forward. Looking forward, many challenges remain, and an updated strategy is essential. In the security area, violence--as measured by the number of enemy-initiated attacks--decreased about 80 percent from June 2007 to June 2008, trained Iraqi security forces have increased substantially, and many units are leading counterinsurgency operations. However, as of July 2008, 8 of 18 provincial governments do not yet have lead responsibility for security in their provinces, and DOD reported that, in June 2008, less than 10 percent of Iraqi security forces were at the highest readiness level and therefore considered capable of performing operations without coalition support. The security environment remains volatile and dangerous. In the legislative area, Iraq has enacted key legislation to return some Ba'athists to government, grant amnesty to detained Iraqis, and define provincial powers. The unfinished Iraqi legislative agenda includes enacting laws that will provide the legal framework for sharing oil revenues, disarming militias, and holding provincial elections. On economic and infrastructure issues, Iraq spent only 24 percent of the $27 billion it budgeted for its reconstruction efforts between 2005 and 2007. Although crude oil production improved for short periods, the early July 2008 average production capacity of about 2.5 million barrels per day was below the U.S. goal of 3 million barrels per day. In addition, while State reports that U.S. goals for Iraq's water sector are close to being reached, the daily supply of electricity in Iraq met only slightly more than half of demand in early July 2008. Since 2003, the United States has developed and revised multiple strategies to address security and reconstruction needs in Iraq. The New Way Forward responded to failures in prior U.S. plans and the escalating violence that occurred in 2006. However, this strategy and the military surge that was central to it end in July 2008, and many agree that the situation remains fragile. GAO recommends an updated strategy for Iraq for several reasons. First, much has changed in Iraq since The New Way Forward began in January 2007. Violence is down, U.S. surge forces are leaving, and the United States is negotiating a security agreement with Iraq to replace the expiring UN mandate. Second, The New Way Forward only articulates U.S. goals and objectives for the phase that ends in July 2008. Third, the goals and objectives of The New Way Forward are contained in disparate documents rather than a single strategic plan. Furthermore, the classified MNF-I/U.S. Embassy Joint Campaign Plan is not a strategic plan; it is an operational plan with limitations that GAO will discuss during the closed portion of the hearing. Wed, 23 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08960t.pdf The United States faces potentially dangerous biological threats that occur naturally or may be the result of a terrorist attack. The Department of Homeland Security (DHS) is developing two major initiatives to provide early detection and warning of biological threats: the National Biosurveillance Integration Center (NBIC), a center for integrating and coordinating information on biological events of national significance, and the BioWatch program that operates systems used to test the air for biological agents. The Implementing Recommendations of the 9/11 Commission Act of 2007 requires DHS to establish a fully operational NBIC by September 30, 2008. This statement discusses the status of DHS's efforts to (1) make NBIC fully operational by the mandated deadline, and (2) improve the BioWatch program's technology. GAO's preliminary observations of these two programs are based on our ongoing work mandated by the Implementing Recommendations of the 9/11 Commission Act of 2007 to review U.S. biosurveillance efforts. To conduct this work, GAO reviewed related statutes; federal directives; and DHS planning, development, and implementation documents on these two initiatives. We also interviewed DHS program officials to obtain additional information about NBIC and BioWatch. DHS reviewed a draft of this testimony and provided technical comments, which were incorporated as appropriate. DHS has made progress making NBIC fully operational by September 30, 2008, as required by the Implementing Recommendations of the 9/11 Commission Act of 2007, but it is unclear what operations the center will be capable of carrying out at that point. DHS has acquired facilities and hired staff for the center but has not yet defined what capabilities the center will have in order to be considered fully operational. DHS has also started to coordinate biosurveillance efforts with other agencies, but DHS has not yet formalized some key agreements to fulfill NBIC's integration mission. For example, DHS has signed memoranda of understanding with 6 of 11 agencies DHS identified to support the operations of NBIC. However, DHS has not yet completed other key agreements to, for example, facilitate the technical exchange of information, such as data on human health, between NBIC and the agencies. In addition, a contractor DHS hired to enhance NBIC's information technology system delivered an upgrade to the system on April 1, 2008, intended to enhance data integration capabilities. However, before this upgrade can be used effectively, DHS officials said that NBIC will need to train its employees to use the system and negotiate interagency agreements to define the data that the agencies using the system will provide. DHS officials expect that NBIC will complete the training in early 2009. DHS has two ongoing efforts to improve the detection technology used by the BioWatch program, which deploys detectors to collect data that are then analyzed to detect the presence of specific biological agents. First, the Directorate for Science and Technology (S&T) within DHS is developing next-generation detectors for the BioWatch program. DHS plans for this new technology to collect air samples and automatically test the samples for a broader range of biological agents than the current technology. Under the current system, samples are manually collected and taken to a laboratory for analysis. DHS plans to operationally test and evaluate the new automatic technology in April 2009 and to begin replacing its existing detection technology in 2010. Operational testing and evaluation of the new technology is planned to take place in April 2009, about 1 year later than DHS initially planned, because S&T officials received revised requirements for the new system about 4 months before S&T was scheduled to complete development of the system. Second, while S&T is completing its work on the new detection technology, DHS is developing an interim solution, managed by the Office of Health Affairs, to enhance its current detection technology. This interim solution is intended to automatically analyze air samples for the same number of biological agents currently monitored by the BioWatch program. Contingent on successful operational testing and evaluation that is to start in November 2008, DHS plans to decide whether to acquire over 100 of these enhanced detectors. Wed, 16 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d081003r.pdf Members of the Committee requested that GAO provide additional comments to a number of post-hearing questions after GAO testified before the Subcommittee on Management, Investigations, and Oversight on the Department of Homeland Security's (DHS) Preparedness for Catastrophic Disasters. The responses are generally based on work associated with previously issued GAO products, which were conducted in accordance with generally accepted government auditing standards. Because the responses are based on prior work, we did not obtain comments from DHS. Tue, 15 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08919r.pdf The terrorist attacks of September 11, 2001, on the World Trade Center in New York City and the Pentagon in Arlington, Virginia, are estimated to have resulted in insured losses amounting to $32.5 billion. Subsequent to the attacks, insurers largely stopped offering terrorism insurance coverage to commercial property owners, which raised significant concerns about potential negative economic consequences. To help restore confidence and stability in property insurance markets, Congress enacted and the President signed the Terrorism Risk Insurance Act of 2002 (TRIA). Under TRIA, the federal government assumed significant responsibility for the potential insured financial losses associated with future terrorist attacks. While TRIA, which was reauthorized in 2005 and again in 2007, has been credited with stabilizing markets for commercial property insurance, some building owners, Members of Congress, and other industry participants remain concerned that there may still be gaps in coverage. In particular, they have expressed concerns about the ability of policyholders located in large urban areas that are viewed as being at high risk of attack to obtain terrorism insurance coverage. Under the 2007 statute that reauthorized TRIA coverage, GAO was required to conduct a study to determine if specific markets in the United States have any unique constraints on the amount of terrorism insurance available and to evaluate options to enhance coverage. This law required GAO to submit a report to the Committee on Banking, Housing, and Urban Affairs of the Senate and the Committee on Financial Services of the House of Representatives no later than June 23, 2008. The purpose of this report is to document our compliance with this reporting requirement. While commercial property terrorism insurance coverage appears to be available nationwide at rates policyholders view as reasonable, certain policyholders may face challenges in obtaining desired amounts of coverage or obtaining coverage at prices they view as reasonable. The policyholders experiencing these challenges were typically those that own large, high-value properties in areas where many large buildings are clustered, particularly in urban areas viewed as at high risk of attack, such as Manhattan, and to a lesser extent certain areas of other major cities, such as Chicago and San Francisco, according to policyholders and brokers. While TRIA limits insurers' financial exposure related to future terrorist attacks, several insurers said they remained concerned about the exposure they retain, and their efforts to minimize potential losses appear to be the primary reason some policyholders face challenges in obtaining coverage. Insurance industry participants and analysts had no consensus on whether TRIA should be modified or additional actions taken to increase the availability of terrorism insurance coverage. Industry analysts and participants identified the advantages and disadvantages of various policy proposals that have been made to increase terrorism insurance coverage. One proposal involves lowering insurers' TRIA deductibles in areas affected by a future large terrorist attack under the premise that further relieving insurers of the financial consequences of such attacks would make them more willing to offer terrorism insurance coverage. Some industry participants believe that another option, allowing insurers to establish tax-deductible reserves for terrorist attacks, could increase insurers' ability to provide terrorism insurance coverage. However, others said that establishing the appropriate size of such reserves would be difficult. Finally, some industry analysts and participants said that changing the federal tax code to encourage the issuance of catastrophe bonds within the United States could allow capital from the securities markets to help cover the potential costs of terrorist attacks. Fri, 11 Jul 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08852.pdf Since 2002, the Department of Homeland Security (DHS) has distributed almost $20 billion in funding to enhance the nation's capabilities to respond to acts of terrorism or other catastrophic events. In fiscal year 2007, DHS provided approximately $1.7 billion to states and urban areas through its Homeland Security Grant Program (HSGP) to prevent, protect against, respond to, and recover from acts of terrorism or other catastrophic events. As part of the Omnibus Appropriations Act of 2007, GAO was mandated to review the methodology used by DHS to allocate HSGP grants. This report addresses (1) the changes DHS has made to its risk-based methodology used to allocate grant funding from fiscal year 2007 to fiscal year 2008 and (2) whether the fiscal year 2008 methodology is reasonable. To answer these questions, GAO analyzed DHS documents related to its methodology and grant guidance, interviewed DHS officials about the grant process used in fiscal year 2007 and changes made to the process for fiscal year 2008, and used GAO's risk management framework based on best practices. For fiscal year 2008 HSGP grants, DHS is primarily following the same methodology it used in fiscal year 2007, but incorporated metropolitan statistical areas (MSAs) within the model used to calculate risk. The methodology consists of a three-step process--a risk analysis of urban areas and states based on measures of threat, vulnerability and consequences, an effectiveness assessment of applicants' investment justifications, and a final allocation decision. The principal change in the risk analysis model for 2008 is in the definition of the geographic boundaries of eligible urban areas. In 2007, the footprint was defined using several criteria, which included a 10-mile buffer zone around the center city. Reflecting the requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007, DHS assessed risk for the Census Bureau's 100 largest MSAs by population in determining its 2008 Urban Areas Security Initiative (UASI) grant allocations. This change altered the geographic footprint of the urban areas assessed, aligning them more closely with the boundaries used by government agencies to collect some of the economic and population data used in the model. This may have resulted in DHS using data in its model that more accurately estimated the population and economy of those areas. The change to the use of MSA data in fiscal year 2008 also resulted in changes in the relative risk rankings of some urban areas. As a result, DHS officials expanded the eligible urban areas in fiscal year 2008 to a total of 60 UASI grantees, in part, to address the effects of this change to MSA data, as well as to ensure that all urban areas receiving fiscal year 2007 funding continued to receive funding in fiscal year 2008, according to DHS officials. Generally, DHS has constructed a reasonable methodology to assess risk and allocate funds within a given fiscal year. The risk analysis model DHS uses as part of its methodology includes empirical risk analysis and policy judgments to select the urban areas eligible for grants (all states are guaranteed a specified minimum percentage of grant funds available) and to allocate State Homeland Security Program (SHSP) and UASI funds. However, our review found that the vulnerability element of the risk analysis model has limitations that reduce its value. Measuring vulnerability is considered a generally-accepted practice in assessing risk; however, DHS's current risk analysis model does not measure vulnerability for each state and urban area. Rather, DHS considered all states and urban areas equally vulnerable to a successful attack and assigned every state and urban area a vulnerability score of 1.0 in the risk analysis model, which does not take into account any geographic differences. Thus, as a practical matter, the final risk scores are determined by the threat and consequences scores. Fri, 27 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08180.pdf First responders are responsible for responding to terrorist-related and accidental releases of CBRN materials in urban areas. Two primary tools for identifying agents released and their dispersion and effect are equipment to detect and identify CBRN agents in the environment and plume models to track the dispersion of airborne releases of these agents. GAO reports on the limitations of the CBRN detection equipment, its performance standards and capabilities testing, plume models available for tracking urban dispersion of CBRN materials, and information for determining how exposure to CBRN materials affects urban populations. To assess the limitations of CBRN detection equipment and urban plume modeling for first responders' use, GAO met with and obtained data from agency officials and first responders in three states. While the Department of Homeland Security (DHS) and other agencies have taken steps to improve homeland defense, local first responders still do not have tools to accurately identify right away what, when, where, and how much chemical, biological, radiological, or nuclear (CBRN) materials are released in U.S. urban areas, accidentally or by terrorists. Equipment local first responders use to detect radiological and nuclear material cannot predict the dispersion of these materials in the atmosphere. No agency has the mission to develop, certify, and test equipment first responders can use for detecting radiological materials in the atmosphere. According to DHS, chemical detectors are marginally able to detect an immediately dangerous concentration of chemical warfare agents. Handheld detection devices for biological agents are not reliable or effective. DHS's BioWatch program monitors air samples for biothreat agents in selected U.S. cities but does not provide first responders with real-time detection capability. Under the BioWatch system, a threat agent is identified within several hours to more than 1 day after it is released, and how much material is released cannot be determined. DHS has adopted few standards for CBRN detection equipment and has no independent testing program to validate whether it can detect CBRN agents at the specific sensitivities manufacturers claim. DHS has a mission to develop, test, and certify first responders' CB detection equipment, but its testing and certification cover equipment DHS develops, not what first responders buy. Interagency studies show that federal agencies' models to track the atmospheric release of CBRN materials have major limitations in urban areas. DHS's national TOPOFF exercises have demonstrated first responders' confusion over competing plume models' contradictory results. The Interagency Modeling and Atmospheric Assessment Center (IMAAC), created to coordinate modeling predictions, lacks procedures to resolve contradictory predictions. Evaluations and field testing of plume models developed for urban areas show variable predictions in urban environments. They are limited in obtaining accurate data on the characteristics and rate of CBRN material released. Data on population density, land use, and complex terrain are critical to first responders, but data on the effects of exposure to CBRN materials on urban populations have significant gaps. Scientific research is lacking on how low-level exposure to CBRN material affects civilian populations, especially elderly persons, children, and people whose immune systems are compromised. Fri, 27 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08492.pdf The attacks on 9/11 underscored the federal government's need to facilitate terrorism-related information sharing among government, private sector, and foreign stakeholders. In response, the Intelligence Reform and Terrorism Prevention Act of 2004 mandated the creation of the Information Sharing Environment (ISE), which is described as an approach for the sharing of terrorism-related information. A presidentially appointed Program Manager oversees ISE development with assistance from the Information Sharing Council (ISC), a forum for 16 information sharing officials from federal agencies and departments. GAO was asked to report on (1) what actions have been taken to guide the design and implementation of the ISE and (2) what efforts have been made to report on progress in implementing the ISE. To perform this work, GAO reviewed related laws, directives, guidance, and ISE planning and reporting documents and interviewed officials from the Program Manager's office and key agencies who serve on the ISC. To guide ISE design and implementation, the Program Manager has issued an implementation plan, completed a number of tasks therein, and included other information sharing initiatives in the ISE, but the plan does not include some important elements to implement the ISE. The plan provides an initial structure and approach for ISE design and implementation. For example, the plan includes steps toward protecting information privacy and describes a two-phased approach for implementing the ISE by June 2009 consisting of 89 action items. Completed activities include, among others, development of proposed common terrorism information sharing standards. In addition, other federal, state, and local initiatives to enhance information sharing across the government are being incorporated in the ISE. These initiatives include partnering with state and local area fusion centers--created primarily to improve information sharing within a state or local area--to develop a national network of these centers. Nevertheless, Office of the Program Manager officials said that the 89 action items do not address all the activities that must be completed to implement the ISE. Work remains, including defining and communicating the ISE's scope, such as determining all terrorism-related information that should be part of the ISE, and communicating that information to stakeholders involved in the development of the ISE. In addition, the desired results to be achieved by the ISE, that is, how information sharing is to be improved, the specific milestones, and the individual projects--or initiatives--to achieve these results have not yet been determined. Defining the scope of a program, desired results, milestones, and projects are essential in providing a road map to effectively implement a program. Without such a road map, the Program Manager and stakeholders risk not being able to effectively manage implementation of the ISE. To report on progress in implementing the ISE, the Program Manager issued an annual report in September 2007, which highlighted individual accomplishments and included several annual performance goals, and has since begun to develop performance measures, but neither effort provides for an assessment of overall progress in ISE implementation and of how much work remains. Some individual accomplishments contributing to the ISE occurred under the implementation plan; others, prior to and separate from ISE creation efforts. In keeping with federal guidance, GAO's work, and the work of others in strategic planning, performance measurement, and program management, the implementation plan contained six strategic goals and the annual report four performance goals for 2008. Also, the Program Manager has begun to develop some performance measures, but they focus on counting activities accomplished rather than results achieved. For example, the measures include the number of ISE organizations with a procedure in place for suspicious activity reports, but not how the reports are used and what difference they are making in sharing to help prevent terrorist attacks. GAO acknowledges that creating such measures is difficult, particularly since the program is still being designed, but until these measures are refined, future attempts to measure and report on progress will be hampered. Wed, 25 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08904t.pdf From the terrorist attacks of September 11, 2001, to Hurricane Katrina, homeland security risks vary widely. The nation can neither achieve total security nor afford to protect everything against all risks. Managing these risks is especially difficult in today's environment of globalization, increasing security interdependence, and growing fiscal challenges for the federal government. Broadly defined, risk management is a process that helps policymakers assess risk, strategically allocate finite resources, and take actions under conditions of uncertainty. GAO convened a forum of 25 national and international experts on October 25, 2007, to advance a national dialogue on applying risk management to homeland security. Participants included federal, state, and local officials and risk management experts from the private sector and academia. Forum participants identified (1) what they considered to be effective risk management practices used by organizations from the private and public sectors and (2) key challenges to applying risk management to homeland security and actions that could be taken to address them. Comments from the proceedings do not necessarily represent the views of all participants, the organizations of the participants, or GAO. Participants reviewed a draft of this report and their comments were incorporated, as appropriate. Forum participants identified what they considered to be effective public and private sector risk management practices. For example, participants discussed the private sector use of a chief risk officer, though they did not reach consensus on how to apply the concept of the chief risk officer to the public sector. One key practice for creating an effective chief risk officer, participants said, was defining reporting relationships within the organization in a way that provides sufficient authority and autonomy for a chief risk officer to report to the highest levels of the organization. Participants stated that the U.S. government needs a single risk manager. One participant suggested that this lack of central leadership has resulted in distributed responsibility for risk management within the administration and Congress and has contributed to a lack of coordination on spending decisions. Participants also discussed examples of public sector organizations that have effectively integrated risk management practices into their operations, such as the U.S. Coast Guard, and compared and contrasted public and private sector risk management practices. According to the participants at our forum, three key challenges exist to applying risk management to homeland security: improving risk communication, political obstacles to risk-based resource allocation, and a lack of strategic thinking about managing homeland security risks. Many participants agreed that improving risk communication posed the single greatest challenge to using risk management principles. To address this challenge, participants recommended educating the public and policymakers about the risks we face and the value of using risk management to establish priorities and allocate resources; engaging in a national discussion to reach a public consensus on an acceptable level of risk; and developing new communication practices and systems to alert the public during an emergency. In addition, to address strategic thinking challenges, participants recommended the government develop a national strategic planning process for homeland security and governmentwide risk management guidance. To improve public-private sector coordination, forum participants recommended that the private sector should be more involved in the public sector's efforts to assess risks and that more state and local practitioners and experts be involved through intergovernmental partnerships. Wed, 25 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08806.pdf The United States has reimbursed Pakistan, a key ally in the global war on terror, about $5.56 billion in Coalition Support Funds (CSF) for its efforts to combat terrorism along its border with Afghanistan. The Department of Defense (Defense) provides CSF to 27 coalition partners for costs incurred in direct support of U.S. military operations. Pakistan is the largest recipient of CSF, receiving 81 percent of CSF reimbursements as of May 2008. This report focuses on (1) the extent to which Defense has consistently applied its guidance to validate the reimbursements claimed by Pakistan and (2) how the Office of the Defense Representative to Pakistan's (ODRP) role has changed over time. To address these objectives, GAO reviewed CSF oversight procedures, examined CSF documents, and interviewed Defense officials in Washington, D.C., U.S. Central Command in Florida, and Pakistan. Defense Comptroller issued new guidance in 2003 to enhance CSF oversight. The guidance calls for, among other things, CSF reimbursement claims to contain quantifiable information that indicates the incremental nature of support (i.e., above and beyond normal operations), validation that the support or service was provided, and copies of invoices or documentation supporting how the costs were calculated. While Defense generally conducted macro-level analytical reviews called for in its guidance, such as determining whether the cost is less than that which would be incurred by the United States for the same service, for a large number of reimbursement claims Defense did not obtain detailed documentation to verify that claimed costs were valid, actually incurred, or correctly calculated. GAO found that Defense did not consistently apply its existing CSF oversight guidance. For example, as of May 2008, Defense paid over $2 billion in Pakistani reimbursement claims for military activities covering January 2004 through June 2007 without obtaining sufficient information that would enable a third party to recalculate these costs. Furthermore, Defense may have reimbursed costs that (1) were not incremental, (2) were not based on actual activity, or (3) were potentially duplicative. GAO also found that additional oversight controls were needed. For example, there is no guidance for Defense to verify currency conversion rates used by Pakistan, which if performed would enhance Defense's ability to monitor for potential overbillings. Defense's guidance does not specifically task ODRP with attempting to verify Pakistani military support and expenses, despite recognition by Defense officials that such verification is best performed by U.S. officials in Pakistan, who have access to Pakistani officials and information. As such, ODRP did not try to verify Pakistan CSF claims from January 2004 through August 2006. Beginning in September 2006, without any formal guidance or directive to do so from U.S. Central Command or the Defense Comptroller, ODRP began an effort to validate Pakistani military support and expenses. This increased verification effort on the part of ODRP contributed to an increase in the amount of Pakistani government CSF claims disallowed and deferred. Prior to ODRP's increased verification efforts, the average percentage of Pakistani claims disallowed or deferred for January 2004 through August 2006 was a little over 2 percent. In comparison, the average percentage of Pakistani claims disallowed or deferred for September 2006 through February 2007 was 6 percent and for the most recent claims (March 2007 through June 2007) processed in February 2008, was approximately 22 percent. However, ODRP's continued oversight activity is not assured, as Defense had not developed formal guidance delineating how and to what degree ODRP should attempt to verify Pakistani claims for reimbursement. GAO recognizes that Defense may not be able to fully verify every Pakistani claim without the ability to access Pakistani records or do onsite monitoring. However, such ability would enhance CSF oversight. Tue, 24 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08932t.pdf The United States has reimbursed Pakistan, a key ally in the global war on terror, about $5.56 billion in Coalition Support Funds (CSF) for its efforts to combat terrorism along its border with Afghanistan. The Department of Defense (Defense) provides CSF for costs incurred in direct support of U.S. military operations. Pakistan is the largest recipient of CSF, receiving 81 percent of CSF reimbursements. This testimony focuses on (1) the extent to which Defense has consistently applied its guidance to validate the reimbursements claimed by Pakistan and (2) how the Office of the Defense Representative to Pakistan's (ODRP) role has changed over time. This statement is based on a concurrently issued GAO report titled Combating Terrorism: Increased Oversight and Accountability Needed over Pakistan Reimbursement Claims for Coalition Support Funds, GAO-08-806 (Washington, D.C.: June 24, 2008). Defense Comptroller issued new guidance in 2003 to enhance CSF oversight. The guidance calls for, among other things, CSF reimbursement claims to contain quantifiable information that indicates the incremental nature of support (i.e., above and beyond normal operations), validation that the support or service was provided, and copies of invoices or documentation supporting how the costs were calculated. While Defense generally conducted macro-level analytical reviews called for in its guidance, such as determining whether the cost is less than that which would be incurred by the United States for the same service, for a large number of reimbursement claims Defense did not obtain detailed documentation to verify that claimed costs were valid, actually incurred, or correctly calculated. GAO found that Defense did not consistently apply its existing CSF oversight guidance. For example, as of May 2008, Defense paid over $2 billion in Pakistani reimbursement claims for military activities covering January 2004 through June 2007 without obtaining sufficient information that would enable a third party to recalculate these costs. Furthermore, Defense may have reimbursed costs that (1) were not incremental, (2) were not based on actual activity, or (3) were potentially duplicative. GAO also found that additional oversight controls were needed. For example, there is no guidance for Defense to verify currency conversion rates used by Pakistan, which if performed would enhance Defense's ability to monitor for potential overbillings. Defense's guidance does not specifically task ODRP with attempting to verify Pakistani military support and expenses, despite recognition by Defense officials that such verification is best performed by U.S. officials in Pakistan, who have access to Pakistani officials and information. As such, ODRP did not try to verify Pakistan CSF claims from January 2004 through August 2006. Beginning in September 2006, without any formal guidance or directive to do so from U.S. Central Command or the Defense Comptroller, ODRP began an effort to validate Pakistani military support and expenses. This increased verification effort on the part of ODRP contributed to an increase in the amount of Pakistani government CSF claims disallowed and deferred. Prior to ODRP's increased verification efforts, the average percentage of Pakistani claims disallowed or deferred for January 2004 through August 2006 was a little over 2 percent. In comparison, the average percentage of Pakistani claims disallowed or deferred for September 2006 through February 2007 was 6 percent and for the most recent claims (March 2007 through June 2007) processed in February 2008, was approximately 22 percent. However, ODRP's continued oversight activity is not assured, as Defense had not developed formal guidance delineating how and to what degree ODRP should attempt to verify Pakistani claims for reimbursement. GAO recognizes that Defense may not be able to fully verify every Pakistani claim without the ability to access Pakistani records or do onsite monitoring. However, such ability would enhance CSF oversight. Tue, 24 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08672.pdf The safety and economic security of the United States depends on the secure use of the world's seaports and waterways. Homeland Security Presidential Directive-13 (HSPD-13, also referred to as National Security Presidential Directive-41) directs the coordination of U.S. maritime security policy through the creation of a National Strategy for Maritime Security and supporting implementation plans. GAO was asked to evaluate this strategy and its eight supporting plans. This report discusses: (1) the extent to which the strategy and its supporting plans contain desirable characteristics of an effective national strategy, and (2) the reported status of the implementation of these plans. To conduct this work, GAO evaluated the National Strategy for Maritime Security and its supporting plans against the desirable characteristics of an effective national strategy that GAO identified in February 2004, reviewed HSPD-13 and supporting plans, and reviewed documents on the status of the plans' implementation. Of the six desirable characteristics of an effective national strategy that GAO identified in 2004, the National Strategy for Maritime Security and its eight supporting implementation plans address four and partially address the remaining two. Documents provided by the Maritime Security Working Group--an interagency body responsible for monitoring and assessing the implementation of the maritime strategy--indicate that the implementation status of the eight supporting plans varies. For example, as of November 2007, implementation of one plan had been completed, while another has reached the assessment phase (e.g., lessons learned and best practices), and a third has reached the execution phase (e.g., exercises and operations). The other five plans remain primarily in the planning phase. The working group is monitoring the implementation of 76 actions across the plans, and reported 6 of these are completed and 70 are ongoing. Fri, 20 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08598.pdf Concerns have grown that terrorists could use radioactive materials and sealed sources (materials sealed in a capsule) to build a "dirty bomb"-- a device using conventional explosives to disperse radioactive material. In 2003, GAO found weaknesses in the Nuclear Regulatory Commission's (NRC) radioactive materials licensing process and made recommendations for improvement. For this report, GAO assesses (1) the progress NRC has made in implementing the 2003 recommendations, (2) other steps NRC has taken to improve its ability to track radioactive materials, (3) Customs and Border Protection's (CBP) ability to detect radioactive materials at land ports of entry, and (4) CBP's ability to verify that such materials are appropriately licensed prior to entering the United States. To perform this work, GAO assessed documents and interviewed NRC and CBP officials in headquarters and in several field locations. NRC has implemented three of the six recommendations in GAO's 2003 report on the security of radioactive sources. It has worked with the 35 states to which it ceded primary authority to regulate radioactive materials and sources and others to (1) identify sealed sources of greatest concern, (2) enhance requirements to secure radioactive sources, and (3) ensure security requirements are implemented. In contrast, NRC has made limited progress toward implementing recommendations to (1) modify its process for issuing licenses to ensure that radioactive materials cannot be purchased by those with no legitimate need for them, (2) determine how to effectively mitigate the potential psychological effects of malicious use of such materials, and (3) examine whether certain radioactive sources should be subject to more stringent regulations. Beyond acting on GAO's recommendations, NRC has also taken four steps to improve its ability to monitor and track radioactive materials. First, NRC created an interim national database to monitor the licensed sealed sources containing materials that pose the greatest risk of being used in a dirty bomb. Second, NRC is developing a National Source Tracking System to replace the interim database and provide more comprehensive, frequently updated information on potentially dangerous sources. However, this system has been delayed by 18 months and is not expected to be fully operational until January 2009. Third, NRC is also developing a Web-based licensing system that will include more comprehensive information on all sources and materials that require NRC or state approval to possess. Finally, NRC is developing a license verification system that will draw information from the other new systems to enable officials and vendors to verify that those seeking to bring these radioactive materials into the country or purchase them are licensed to do so. However, these systems are more than 3 years behind schedule and may not include the licensing information, initially at least, on radioactive materials regulated by agreement states--which represent over 80 percent of all U.S. licenses for such materials. The delays in the deployment and full development of these systems are especially consequential because NRC has identified their deployment as key to improving the control and accountability of radioactive materials. While CBP has a comprehensive system in place to detect radioactive materials entering the United States at land borders, some equipment that is used to protect CBP officers is in short supply. Specifically, vehicles, cargo, and people entering the United States at most ports of entry along the Canadian and Mexican borders are scanned for radioactive materials with radiation detection equipment capable of detecting very small amounts of radiation. However we found that personal radiation detectors are not available to all officers who need them. Moreover, while CBP has systems in place to verify the legitimacy of radioactive materials licenses, it has not effectively communicated to officers at the borders when they must contact officials to verify the license for a given sealed source. Consequently, some CPB officers are not following current guidance, and some potentially dangerous radioactive materials have entered the country without license verification. Thu, 19 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08853r.pdf Since 2001, Congress has provided the Department of Defense (DOD) with hundreds of billions of dollars in supplemental and annual appropriations for military operations in support of the Global War on Terrorism (GWOT). DOD's reported annual obligations for GWOT have shown a steady increase from about $0.2 billion in fiscal year 2001 to about $139.8 billion in fiscal year 2007. To continue GWOT operations, the President requested $189.3 billion in appropriations for DOD in fiscal year 2008. As of May 2008, Congress has provided DOD with about $86.8 billion of this request, including $16.8 billion for Mine Resistant Ambush Protected vehicles. Congress has not finalized action on the remaining $102.5 billion. In addition, the President also requested about $66 billion in appropriations for DOD in fiscal year 2009 for GWOT, which was submitted along with DOD's annual budget request. The United States' commitments to GWOT will likely involve the continued investment of significant resources, requiring decision makers to consider difficult trade-offs as the nation faces an increasing long-range fiscal challenge. The magnitude of future costs will depend on several direct and indirect cost variables and, in some cases, decisions that have not yet been made. DOD's future costs will likely be affected by the pace and duration of operations, the types of facilities needed to support troops overseas, redeployment plans, and the amount of equipment to be repaired or replaced. DOD compiles and reports monthly and cumulative incremental obligations incurred to support GWOT in a monthly Supplemental and Cost of War Execution Report. DOD leadership uses this report, along with other information, to advise Congress on the costs of the war and to formulate future GWOT budget requests. DOD reports these obligations by appropriation, contingency operation, and military service or defense agency. The monthly cost reports are typically compiled within the 45 days after the end of the reporting month in which the obligations are incurred. DOD has prepared monthly reports on the obligations incurred for its involvement in GWOT since fiscal year 2001. Section 1221 of the National Defense Authorization Act for Fiscal Year 2006 requires us to submit quarterly updates to Congress on the costs of Operation Iraqi Freedom and Operation Enduring Freedom based on DOD's monthly Supplemental and Cost of War Execution Reports. This report, which responds to this requirement, contains our analysis of DOD's reported obligations for military operations in support of GWOT through March 2008. Specifically, we assessed (1) DOD's cumulative appropriations and reported obligations for military operations in support of GWOT and (2) DOD's fiscal year 2008 reported obligations through March 2008, the latest data available for GWOT by military service and appropriation account. From fiscal year 2001 through fiscal year 2007, and for the first quarter of fiscal year 2008 through December 2007, Congress has provided DOD with a total of about $635.9 billion for its efforts in support of GWOT. DOD has reported obligations of about $562 billion for military operations in support of the war from fiscal year 2001 through fiscal year 2007 and for the second quarter of fiscal year 2008 through March 2008. The $73.9 billion difference between DOD's GWOT appropriations and reported obligations can generally be attributed to certain fiscal year 2008 appropriations and multiyear funding for procurement; military construction; and research, development, test, and evaluation from previous GWOT-related appropriations that have yet to be obligated and obligations for classified and other activities, which are not reported in DOD's cost-of-war reports. As part of our ongoing work, we are reviewing DOD's rationale for reporting its GWOT related obligations. Of DOD's total cumulative reported obligations for GWOT through March 2008 (about $562 billion), about $435.1 billion is for operations in and around Iraq as part of Operation Iraqi Freedom, and about $98.9 billion is for operations in Afghanistan, the Horn of Africa, the Philippines, and elsewhere as part of Operation Enduring Freedom. The remaining about $28 billion is for operations in defense of the homeland as part of Operation Noble Eagle. In fiscal year 2008, through March 2008, DOD's total reported obligations of about $69.8 billion are about half of the total amount of obligations it reported for all of fiscal year 2007. Reported obligations for Operation Iraqi Freedom continue to account for the largest portion of total reported GWOT obligations by operation--about $57 billion. In contrast, reported obligations associated with Operation Enduring Freedom total about $12.7 billion, and reported obligations associated with Operation Noble Eagle total about $89.3 million. Fri, 13 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08668.pdf Potential terrorist attacks and the possibility of naturally occurring disease outbreaks have raised concerns about the "surge capacity" of the nation's health care systems to respond to mass casualty events. GAO identified four key components of preparing for medical surge: (1) increasing hospital capacity, (2) identifying alternate care sites, (3) registering medical volunteers, and (4) planning for altering established standards of care. The Department of Health and Human Services (HHS) is the primary agency for hospital preparedness, including medical surge. GAO was asked to examine (1) what assistance the federal government has provided to help states prepare for medical surge, (2) what states have done to prepare for medical surge, and (3) concerns states have identified related to medical surge. GAO reviewed documents from the 50 states and federal agencies. GAO also interviewed officials from a judgmental sample of 20 states and from federal agencies, as well as emergency preparedness experts. Following a mass casualty event that could involve thousands, or even tens of thousands, of injured or ill victims, health care systems would need the ability to "surge," that is, to adequately care for a large number of patients or patients with unusual medical needs. The federal government has provided funding, guidance, and other assistance to help states prepare for medical surge in a mass casualty event. From fiscal years 2002 to 2007, the federal government awarded the states about $2.2 billion through the Office of the Assistant Secretary for Preparedness and Response's Hospital Preparedness Program to support activities to meet their preparedness priorities and goals, including medical surge. Further, the federal government provided guidance for states to use when preparing for medical surge, including Reopening Shuttered Hospitals to Expand Surge Capacity, which contains a checklist that states can use to identify entities that could provide more resources during a medical surge. Based on a review of state emergency preparedness documents and interviews with 20 state emergency preparedness officials, GAO found that many states had made efforts related to three of the key components of medical surge, but fewer have implemented the fourth. More than half of the 50 states had met or were close to meeting the criteria for the five medical-surge-related sentinel indicators for hospital capacity reported in the Hospital Preparedness Program's 2006 midyear progress reports. For example, 37 states reported that they could add 500 beds per million population within 24 hours of a mass casualty event. In a 20-state review, GAO found that all 20 were developing bed reporting systems and most were coordinating with military and veterans hospitals to expand hospital capacity, 18 were selecting various facilities for alternate care sites, 15 had begun electronic registering of medical volunteers, and fewer of the states--7 of the 20--were planning for altered standards of medical care to be used in response to a mass casualty event. State officials in GAO's 20-state review reported that they faced challenges relating to all four key components in preparing for medical surge. For example, some states reported concerns related to maintaining adequate staffing levels to increase hospital capacity, and some reported concerns about reimbursement for medical services provided at alternate care sites. According to some state officials, volunteers were concerned that if state registries became part of a national database they might be required to provide services outside their own state. Some states reported that they had not begun work on or completed altered standards of care guidelines due to the difficulty of addressing the medical, ethical, and legal issues involved in making life-or-death decisions about which patients would get access to scarce resources. While most of the states that had adopted or were drafting altered standards of care guidelines reported using federal guidance as they developed these guidelines, some states also reported that they needed additional assistance. Fri, 13 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08868t.pdf The Homeland Security Act was enacted in November 2002, creating the Department of Homeland Security (DHS) to improve homeland security following the September 11, 2001, terrorist attacks on the United States. The act centralized the leadership of many homeland security activities under a single federal department and, accordingly, DHS has the dominant role in implementing this national strategy. This testimony discusses the status of DHS's actions in fulfilling its responsibilities to (1) establish policies to define roles and responsibilities for national emergency preparedness efforts and prepare for the transition between presidential administrations, and (2) develop operational plans and performance metrics to implement these roles and responsibilities and coordinate federal resources for disaster planning and response. This testimony is based on prior GAO work performed from September 2006 to June 2008 focusing on DHS's efforts to address problems identified in the many post-Katrina reviews. DHS has taken several actions to define national roles and responsibilities and capabilities for emergency preparedness efforts in key policy documents and has begun preparing for the upcoming transition between presidential administrations. DHS prepared initial versions of key policy documents that describe what should be done and by whom (National Response Plan in 2004), how it should be done (the National Incident Management System in 2004) and how well it should be done (the interim National Preparedness Goal in 2005). DHS subsequently developed and issued revisions to these documents to improve and enhance its national-level policies, such as the National Preparedness Guidelines in 2007 which was the successor to the interim National Preparedness Goal. Most recently, DHS developed the National Response Framework (NRF), the successor to the National Response Plan, which became effective in March 2008. This framework describes the doctrine that guides national response actions and the roles and responsibilities of officials and entities involved in response efforts. Clarifying roles and responsibilities will be especially critical as a result of the coming change in administrations and the associated transition of key federal officials with homeland security preparedness and response roles. To cope with the absence of many political appointed executives from senior roles, DHS has designated career executives to carry out specific responsibilities in the transition between presidential administrations and recently provided information to this Committee on its transition plans. To assist in planning to execute an efficient and effective administration transition, DHS has also contracted with the Council for Excellence in Government to identify key roles and responsibilities for the Department and its homeland security partners for responding to disasters during the transition between administrations. DHS is still developing operational plans to guide other federal agencies' response efforts and metrics for assessing federal capabilities. Two essential supplements to the new National Response Framework--response guides for federal partners and an integrated planning system--are still under development. Also, DHS is still establishing a process to measure the nation's overall preparedness based on a list of targeted capabilities and has not yet completed an inventory of all federal response capabilities. The measures and metrics associated with these targeted capabilities are not standards, but serve as guides for planning, training, and exercise activities. However, DHS policy does not direct development of these capabilities to address national priorities for federal agencies. For example, for the national priority to "Strengthen Interoperable and Operable Communications Capabilities" the National Preparedness Guidelines state that communications capabilities are developed to target levels in the states, tribal areas, territories, and designated urban areas that are consistent with measures and metrics established for targeted capabilities; federal agencies' interoperability is not addressed. Wed, 11 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08875t.pdf The Department of State's (State) Antiterrorism Assistance (ATA) program's objectives are to provide partner nations with counterterrorism training and equipment, improve bilateral ties, and increase respect for human rights. State's Office of the Coordinator for Counterterrorism (S/CT) provides policy guidance and its Bureau of Diplomatic Security, Office of Antiterrorism, Assistance (DS/T/ATA), manages program operations. GAO assessed (1) State's guidance for determining ATA priorities, (2) how State coordinates ATA with other counterterrorism programs, (3) the extent State established ATA program goals and measures, and (4) State's reporting on U.S. counterterrorism assistance. This statement is based on a February 2008, GAO report titled Combating Terrorism: State Department's Antiterrorism Program Needs Improved Guidance and More Systematic Assessments of Outcomes, GAO-08-336 (Washington, D.C.: Feb. 29, 2008). S/CT provides minimal guidance to help prioritize ATA program recipients, and S/CT and DS/T/ATA did not systematically align ATA assistance with U.S. assessments of foreign partner counterterrorism needs. S/CT provided policy guidance to DS/T/ATA through quarterly meetings and a tiered list of priority countries, but the list did not provide guidance on country counterterrorism-related program goals, objectives, or training priorities. S/CT and DS/T/ATA also did not consistently use country-specific needs assessments and program reviews to plan assistance. S/CT had established mechanisms to coordinate the ATA program with other U.S. international efforts to combat terrorism. S/CT held interagency meetings with officials from the Department of State, Defense, Justice, and Treasury and other agencies as well as ambassador-level regional strategic coordinating meetings. GAO did not find any significant duplication or overlap among the various U.S. international counterterrorism efforts. State had made progress in establishing goals and intended outcomes for the ATA program, but S/CT and DS/T/ATA did not systematically assess the outcomes and, as a result, could not determine the effectiveness of program assistance. For example, although sustainability is a principal focus, S/CT and DS/T/ATA had not set clear measures of sustainability or integrated sustainability into program planning. State reporting on U.S. counterterrorism assistance abroad was incomplete and inaccurate. S/CT had not provided a congressionally mandated annual report to Congress on U.S. government-wide assistance related to combating international terrorism since 1996. After 1996, S/CT has only submitted to Congress annual reports on the ATA program, such as the number of students trained and courses offered. Moreover, these reports contained inaccurate program information. Additionally, the reports lacked comprehensive information of the results on program assistance that would be useful to Congress. Wed, 04 Jun 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08610.pdf Following the World Trade Center (WTC) attack, the Congress appropriated more than $8 billion to the Department of Homeland Security's (DHS) Federal Emergency Management Agency for response and recovery activities. The Department of Health and Human Services (HHS) received some of this funding to establish health screening and monitoring programs for responders to the disaster and later received additional appropriations to fund treatment. In total, about $369.2 million has been appropriated or awarded for the WTC health programs. GAO previously reported on problems that these programs have had in ensuring the availability of services for all responders. GAO was asked to examine lessons from the WTC health programs that could guide future programs. GAO examined (1) lessons from the programs' experience and (2) HHS actions or plans that incorporate the lessons. GAO interviewed WTC health program officials and other experts and reviewed DHS and HHS documents. GAO identified five important lessons from the experience of the WTC health programs that could help with the development of responder health programs in the event of a future disaster. First, registering all responders during a response to a disaster could improve implementation of screening and monitoring services. Second, designing and implementing screening and monitoring programs that foster the ability to conduct epidemiologic research could improve the understanding of health effects experienced by responders and help determine the need for ongoing monitoring. Third, providing timely mental health screening and monitoring that is integrated with physical health screening and monitoring could improve the ability to accurately diagnose physical and mental health conditions and prevent more serious mental health conditions from developing. Fourth, including a treatment referral process in screening and monitoring programs could improve the ability of responders to gain access to needed treatment. Fifth, making comparable services available to all responders, regardless of their employer or geographic location, could ensure more equitable access to services for responders and help ensure that data collected about responders' health are consistent and comprehensive. HHS has taken steps to facilitate responder registration, but has not developed a department-level plan for responder health programs. HHS's Agency for Toxic Substances and Disease Registry has developed a survey instrument that state and local entities can adopt to register responders and other individuals exposed to a disaster. In a separate effort, HHS's Office of the Assistant Secretary for Preparedness and Response is taking steps to establish a system to register HHS employees and other federal public health and medical personnel who are deployed to a disaster, but it has not completed this effort. HHS has not developed a department-level plan for designing and implementing responder health programs that incorporates the five lessons from the WTC health programs. As a result, HHS has not indicated whether its policies and actions following a disaster or emergency would apply these lessons. Another consequence of not having a plan is that HHS has not described its components' roles and responsibilities for designing and implementing responder health programs. It has not identified which HHS components would be involved in responder health programs, which component would take the lead, how the expertise of various components would be used, or how efforts would be coordinated. In the absence of a department-level plan, HHS's National Institute for Occupational Safety and Health developed a proposal in February 2008 for a project to develop strategies to ensure responder safety and health. While GAO concluded that this proposal is a step in the right direction for addressing responder health issues, it noted that the proposal does not fully address the lessons that have been identified from the WTC health programs. Fri, 30 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08623.pdf Under the Visa Waiver Program (VWP), citizens from 27 countries can travel to the United States visa free. Terrorism concerns involving VWP country citizens have led some to suggest eliminating or suspending the program, while the executive branch is considering adding countries to it. Legislation passed in 2007 led the Department of Homeland Security (DHS) to develop its Electronic System for Travel Authorization (ESTA), to screen VWP country citizens before they travel to the United States; if found ineligible, travelers will need to apply for a visa. GAO reviewed how (1) program elimination or suspension, (2) program expansion, and (3) ESTA could affect visa demand, resource needs, and revenues. We collected traveler, staffing, facilities, and cost data from the Department of State (State), DHS, and embassy officials and developed estimates related to the three scenarios above. The potential elimination or suspension of the Visa Waiver Program could cause dramatic increases in visa demand--from around 500,000 (the average number of people from VWP countries who obtain a U.S. visa each year) to as much as 12.6 million (the average number of people who travel to the United States from VWP countries each year)--that could overwhelm visa operations in the near term. To meet visa demand, State officials said they could need approximately 45 new facilities, which we estimate could cost $3.8 billion to $5.7 billion. We estimate State would also need substantially more staff--around 540 new Foreign Service officers at a cost of around $185 million to $201 million per year, and 1,350 local Foreign Service national staff at around $168 million to $190 million per year, as well as additional management and support positions for a total annual cost of $447 million to $486 million. Because VWP elimination would increase the number of travelers needing a visa, we estimate annual visa fee revenues would increase substantially, by $1.7 billion to $1.8 billion, and would offset the year-to-year recurring staffing costs. State has done limited planning for how it would address increased visa demand if the program were suspended or eliminated. Adding countries to the Visa Waiver Program would reduce visa demand in those countries, but likely have a relatively limited effect overall on resources needed to meet visa demand and on State's visa fee revenues. The volume of visa applications is relatively small in most of the 13 "Road Map" countries the executive branch is considering for expansion. If all 13 Road Map countries were to join the program, and if all of those countries' citizens who previously traveled with visas were to travel to the United States without visas, the reduction in workload would, we estimate, permit State to move about 21 to 31 Foreign Service officers to other posts in need, and to cut 52 to 77 Foreign Service national positions. In addition, though program expansion would result in less space needed for visa operations, this would likely result in little or no building or lease savings because any resulting excess consular space is in government-owned facilities, and could not be sold. If all 13 Road Map countries were admitted to the Visa Waiver Program, we estimate that State would lose approximately $74 million to $83 million each year in collected visa fees, offsetting any savings in personnel costs. State and DHS officials acknowledged that the implementation of ESTA could increase visa demand in VWP countries, though neither State nor DHS has developed estimates of the increase. DHS is currently developing ESTA, and DHS officials told us the ESTA rejection rate could be between 1 percent and 3 percent, but they currently do not know. In addition, State and embassy officials believe some travelers might choose to apply for a visa rather than face potential, unexpected travel disruptions due to ESTA. Neither DHS nor State has attempted to estimate how these two factors would affect visa demand, and, as a result, State has not estimated what additional resources would be needed to manage the demand, and what additional visa fees would be received. However, State officials told us that, if 1 percent to 3 percent of current VWP travelers came to embassies in VWP countries for visas, it could greatly increase visa demand at some locations, which could significantly disrupt visa operations. Thu, 22 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08775t.pdf The control systems that regulate the nation's critical infrastructures face risks of cyber threats, system vulnerabilities, and potential attacks. Securing these systems is therefore vital to ensuring national security, economic well-being, and public health and safety. While most critical infrastructures are privately owned, the Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, provides power and other services to a large swath of the American Southeast. GAO was asked to testify on its public report being released today on the security controls in place over TVA's critical infrastructure control systems. In doing this work, GAO examined the security practices in place at TVA facilities; analyzed the agency's information security policies, plans, and procedures in light of federal law and guidance; and interviewed agency officials responsible for overseeing TVA's control systems and their security. TVA had not fully implemented appropriate security practices to secure the control systems used to operate its critical infrastructures at facilities GAO reviewed. Multiple weaknesses within the TVA corporate network left it vulnerable to potential compromise of the confidentiality, integrity, and availability of network devices and the information transmitted by the network. For example, almost all of the workstations and servers that GAO examined on the corporate network lacked key security patches or had inadequate security settings. Furthermore, TVA did not adequately secure its control system networks and devices on these networks, leaving the control systems vulnerable to disruption by unauthorized individuals. Network interconnections provided opportunities for weaknesses on one network to potentially affect systems on other networks. For example, weaknesses in the separation of network segments could allow an individual who gained access to a computing device connected to a less secure portion of the network to compromise systems in a more secure portion of the network, such as the control systems. In addition, physical security at multiple locations that GAO reviewed did not sufficiently protect the control systems. For example, live network jacks connected to TVA's internal network at certain facilities GAO reviewed had not been adequately secured from unauthorized access. As a result, TVA's control systems were at increased risk of unauthorized modification or disruption by both internal and external threats. An underlying reason for these weaknesses was that TVA had not consistently implemented significant elements of its information security program. For example, the agency lacked a complete and accurate inventory of its control systems and had not categorized all of its control systems according to risk, limiting assurance that these systems are adequately protected. In addition, TVA's patch management process lacked a mechanism to effectively prioritize vulnerabilities. As a result, patches that were identified as critical, meaning they should be applied immediately to vulnerable systems, were not applied in a timely manner. Numerous opportunities exist for TVA to improve the security of its control systems. For example, TVA can strengthen logical access controls, improve physical security, and fully implement its information security program. If TVA does not take sufficient steps to secure its control systems and fully implement an information security program, it risks not being able to respond properly to a major disruption that is the result of an intended or unintended cyber incident. Wed, 21 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08526.pdf Securing the control systems that regulate the nation's critical infrastructures is vital to ensuring our economic security and public health and safety. The Tennessee Valley Authority (TVA), a federal corporation and the nation's largest public power company, generates and distributes power in an area of about 80,000 square miles in the southeastern United States. GAO was asked to determine whether TVA has implemented appropriate information security practices to protect its control systems. To do this, GAO examined the security practices in place at several TVA facilities; analyzed the agency's information security policies, plans, and procedures against federal law and guidance; and interviewed agency officials who are responsible for overseeing TVA's control systems and their security. TVA has not fully implemented appropriate security practices to secure the control systems and networks used to operate its critical infrastructures. Both its corporate network infrastructure and control systems networks and devices were vulnerable to disruption. The corporate network was interconnected with control systems networks GAO reviewed, thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks. On TVA's corporate network, certain individual workstations lacked key software patches and had inadequate security settings, and numerous network infrastructure protocols and devices had limited or ineffective security configurations. In addition, the intrusion detection system had significant limitations. On control systems networks, firewalls reviewed were either inadequately configured or had been bypassed, passwords were not effectively implemented, logging of certain activity was limited, configuration management policies for control systems software were inconsistently implemented, and servers and workstations lacked key patches and effective virus protection. In addition, physical security at multiple locations did not sufficiently protect critical control systems. As a result, systems that operate TVA's critical infrastructures are at increased risk of unauthorized modification or disruption by both internal and external threats. An underlying reason for these weaknesses is that TVA had not consistently implemented significant elements of its information security program. Although TVA had developed and implemented program activities related to contingency planning and incident response, it had not consistently implemented key activities related to developing an inventory of systems, assessing risk, developing policies and procedures, developing security plans, testing and monitoring the effectiveness of controls, completing appropriate training, and identifying and tracking remedial actions. For example, the agency lacked a complete inventory of its control systems and had not categorized all of its control systems according to risk, thereby limiting assurance that these systems were adequately protected. Agency officials stated that they plan to complete these risk assessments and related activities but have not established a completion date. Key information security policies and procedures were also in draft or under revision. Additionally, the agency's patch management process lacked a way to effectively prioritize vulnerabilities. TVA had only completed one system security plan, and another plan was under development. The agency had also tested the effectiveness of its control systems' security using outdated federal guidance, and many control systems had not been tested for security. In addition, only 25 percent of relevant agency staff had completed required role-based security training in fiscal year 2007. Furthermore, while the agency had developed a process to track remedial actions for information security, this process had not been implemented for the majority of its control systems. Until TVA fully implements these security program activities, it risks a disruption of its operations as a result of a cyber incident, which could impact its customers. Wed, 21 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08820t.pdf Since 2002, destroying the terrorist threat and closing safe havens have been key national security goals. The United States has provided Pakistan, a key ally in the war on terror, more than $10 billion in funds and assistance. Pakistan's Federally Administered Tribal Areas' (FATA) rugged terrain, poor economic conditions, low literacy, underdeveloped infrastructure, and unique legal structure, all add to the complexity of efforts to address the terrorist threat in the FATA. This testimony discusses the (1) progress of U.S. national security goals in the FATA, (2) status of U.S. efforts to develop a comprehensive plan, and (3) oversight of U.S. Coalition Support Funds (CSF) provided to Pakistan. The testimony is based on recent reports on the status of a comprehensive plan (GAO-08-622) and preliminary observations on the use and oversight of U.S. CSF (GAO-08-735R). The United States has not met its national security goals to destroy terrorist threats and close the safe haven in Pakistan's FATA. According to U.S. officials and intelligence documents, since 2002, al Qaeda and the Taliban have used Pakistan's FATA and the border region to attack Pakistani, Afghan, as well as U.S. and coalition troops; plan and train for attacks against U.S. interests; destabilize Pakistan; and spread radical Islamist ideologies that threaten U.S. interests. GAO found broad agreement that al Qaeda had established a safe haven in the FATA. A 2008 DNI assessment states that al Qaeda is now using the FATA to put into place the last elements necessary to launch another attack against America. The United States has relied principally on the Pakistani military to address its national security goals in the FATA. Of the approximately $5.8 billion directed at efforts in the FATA border region from 2002 through 2007, about 96 percent ($5.56 billion) was U.S. CSF, used to reimburse the Pakistani military. U.S. and Pakistani government officials recognize that relying primarily on the Pakistani military has not succeeded in neutralizing al Qaeda and preventing the establishment of a safe haven in the FATA. The National Strategy for Combating Terrorism (2003), independent 9/11 Commission (2004), and congressional legislation (2004 and 2007) called for a comprehensive plan that included all elements of national power--diplomatic, military, intelligence, development assistance, economic, and law enforcement support to address the threat in the FATA. Since 2002, the U.S. Embassy in Pakistan has not had a Washington-supported, comprehensive plan to combat terrorists and close the terrorist safe haven. In 2006, the United States and Pakistan began an effort to focus on other elements of national power beyond military. However, as of last month there was not a formally approved comprehensive plan and support from the recently elected Pakistani government was uncertain. Continued oversight is required to ensure the development and effective implementation of a comprehensive plan and the proper use of the billions of U.S. dollars devoted to assisting Pakistan in its efforts to combat terrorism in the FATA. Preliminary results from GAO's ongoing work on the oversight of U.S. CSF indicate that Defense may have recently increased its oversight of CSF. In 2007, Defense officials at the U.S. embassy in Pakistan--the Office of the Defense Representative to Pakistan (ODRP)--began playing a larger role in overseeing CSF reimbursement claims. Furthermore, Defense recently deferred or disallowed a larger amount of Pakistani claims. For the months September 2004 - February 2007, Defense disallowed or deferred an average of just over 2 percent of the Pakistani government's CSF claims. For the most recent claims (March - June 2007) processed in February 2008, Defense disallowed or deferred over 20 percent. The extent of ODRP's oversight in the future is unclear, given that its role has not been formalized. Tue, 20 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08757.pdf From January 2003 to September 2007, GAO testified before the Committee on three occasions to describe security vulnerabilities that terrorists could exploit to enter the country. GAO's first two testimonies focused on covert testing at ports of entry--the air, sea, and land locations where international travelers can legally enter the United States. In its third testimony, GAO focused on limited security assessments of unmanned and unmonitored border areas between land ports of entry. GAO was asked to summarize the results of covert testing and assessment work for these three testimonies. This report discusses the results of testing at land, sea, and air ports of entry; however, the majority of GAO's work was focused on land ports of entry. The unmanned and unmonitored border areas GAO assessed were defined as locations where the government does not maintain a manned presence 24 hours per day or where there was no apparent monitoring equipment in place. GAO assessed a nonrepresentative selection of these locations and did not attempt to evaluate all potential U.S. border security vulnerabilities. Further, GAO's work was limited in scope and cannot be projected to represent systemic weaknesses. In response to this report, DHS provided a written update on numerous border protection efforts it has taken to enhance border security since 2003. GAO did not attempt to verify the information provided by DHS, but has included the response in this report. GAO investigators identified numerous border security vulnerabilities, both at ports of entry and at unmanned and unmonitored land border locations between the ports of entry. In testing ports of entry, undercover investigators carried counterfeit drivers' licenses, birth certificates, employee identification cards, and other documents, presented themselves at ports of entry and sought admittance to the United States dozens of times. They arrived in rental cars, on foot, by boat, and by airplane. They attempted to enter in four states on the northern border (Washington, New York, Michigan, and Idaho), three states on the southern border (California, Arizona, and Texas), and two other states requiring international air travel (Florida and Virginia). In nearly every case, government inspectors accepted oral assertions and counterfeit identification provided by GAO investigators as proof of U.S. citizenship and allowed them to enter the country. In total, undercover investigators made 42 crossings with a 93 percent success rate. On several occasions, while entering by foot from Mexico and by boat from Canada, investigators were not even asked to show identification. For example, at one border crossing in Texas in 2006, an undercover investigator attempted to show a Customs and Border Protection (CBP) officer his counterfeit driver's license, but the officer said, "That's fine, you can go" without looking at it. As a result of these tests, GAO concluded that terrorists could use counterfeit identification to pass through most of the tested ports of entry with little chance of being detected. In its most recent work, GAO shifted its focus from ports of entry and primarily performed limited security assessments of unmanned and unmonitored areas between ports of entry. The names of the states GAO visited for this limited security assessment have been withheld at the request of CBP. In four states along the U.S.-Canada border, GAO found state roads that were very close to the border that CBP did not appear to monitor. In three states, the proximity of the road to the border allowed investigators to cross undetected, successfully simulating the cross-border movement of radioactive materials or other contraband into the United States from Canada. For example, in one apparently unmanned, unmonitored area on the northern border, the U.S. Border Patrol was alerted to GAO's activities through the tip of an alert citizen. However, the responding U.S. Border Patrol agents were not able to locate the investigators and their simulated contraband. Also on the northern border, GAO investigators located several ports of entry in one state on the northern border that had posted daytime hours and were unmanned overnight. Investigators observed that surveillance equipment was in operation, but that the only preventive measure to stop an individual from crossing the border into the United States was a barrier across the road that could be driven around. GAO also identified potential security vulnerabilities on federally managed lands adjacent to the U.S.-Mexico border. GAO concluded that CBP faces significant challenges on the northern border, and that a determined cross-border violator would likely be able to bring radioactive materials or other contraband undetected into the United States by crossing the U.S.-Canada border at any of the assessed locations. Fri, 16 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08735r.pdf According to U.S. embassy officials in Islamabad and unclassified U.S. intelligence documents, since 2002, al Qaeda and the Taliban have used Pakistan's Federally Administered Tribal Areas (FATA) and the border region to attack Pakistani, Afghan, U.S. and coalition troops; plan and train for attacks against U.S. interests; destabilize Pakistan; and spread radical Islamist ideologies that threaten U.S. interests. Since October 2001, the United States has provided Pakistan with over $10 billion for military, economic, and development activities in support of the critical U.S. national security goals of destroying terrorist threats and closing terrorist safe havens. A major component of this effort has been U.S. Coalition Support Funds (CSF) reimbursed to Pakistan. The purpose of CSF is to reimburse coalition countries for logistical and military support provided to United States military operations in the global war on terror. In Pakistan, reimbursements through CSF are intended to enable the government of Pakistan to attack terrorist networks in the FATA and stabilize the border areas. It is structured as a reimbursement mechanism in which the U.S. Department of Defense (Defense) policy is to validate that support was provided, costs were incurred, and these costs were incremental to normal Pakistani military operations. We were asked to assess how CSF reimbursements have been used to meet U.S. goals in Pakistan, and what controls exist to ensure that reimbursements are for legitimate claims. For the period covering October 2001 through June 2007, the United States reimbursed Pakistan about $5.56 billion in CSF for military operations in FATA and other support in the war on terror. CSF reimbursement funds are paid directly into the Pakistani government treasury and become sovereign funds. Once they become sovereign funds, the U.S. government has no oversight authority over these funds. In response to a Defense Inspector General review conducted in 2003, DOD implemented additional guidance to improve oversight of the CSF reimbursed to Pakistan. Moreover, in 2007, the Office of the Defense Representative to Pakistan (ODRP) began playing a larger role in overseeing CSF reimbursement claims. In performing oversight, ODRP reviews the Pakistani claims and indicates that to the best of their knowledge military support was provided and expenses were actually incurred. U.S. Central Command (CENTCOM) then validates that Pakistani operations listed were essential to support U.S. military operations in the theater. The claims are sent to the Office of the Under Secretary of Defense for Comptroller, who (1) performs a macro-level review comparing the cost to similar operations, and (2) assesses whether the cost categories are reasonable, selected subcategories are reasonable compared to U.S. costs, and costs are consistent with previous claims. In addition, both the Undersecretary of Defense for Policy and the State Department verify that the reimbursement is consistent with the U.S. government's National Security Strategy and that the CSF payment does not adversely impact the balance of power in the region. In recent months, Defense has disallowed or deferred a significantly greater amount of CSF reimbursement claims from Pakistan. Tue, 06 May 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08636t.pdf Following the September 11 terrorist attacks, state and local governments formed fusion centers, collaborative efforts to detect, prevent, investigate, and respond to criminal or terrorist activity. Recognizing that the centers are a critical mechanism for sharing information, the federal government--including the Department of Homeland Security (DHS), Department of Justice (DOJ), and the Program Manager for the Information Sharing Environment (PM-ISE), which has primary responsibility for governmentwide information sharing--is taking steps to partner with fusion centers. This testimony focuses on (1) the characteristics of fusion centers as of September 2007 and (2) federal efforts to help alleviate challenges centers identified. This testimony is based on GAO's October 2007 report on 58 fusion centers and related federal efforts to support them as well as updated information GAO obtained in March 2008 by reviewing plans describing selected federal efforts and attending the second annual national fusion center conference. Almost all states and several local governments have established or are in the process of establishing fusion centers that vary in their characteristics. Centers were generally established to address gaps in information sharing, and the majority of the centers GAO contacted had adopted broad missions that could include both counterterrorism and law enforcement-related information. While law enforcement entities, such as state police, are the lead or managing agencies in the majority of the centers GAO contacted, the centers varied in their staff sizes and partnerships with other agencies. The majority of the operational fusion centers GAO contacted had federal personnel, including from DHS or the Federal Bureau of Investigation (FBI), assigned to them as of September 2007. DHS and DOJ have several efforts under way that begin to address challenges fusion center officials identified. DHS and DOJ have provided many fusion centers access to their information systems, but fusion center officials cited challenges accessing and managing multiple information systems. Both DHS and the FBI have provided security clearances for state and local personnel and set timeliness goals for granting clearances. However, officials cited challenges obtaining and using clearances. DHS, DOJ, and the PM-ISE have also taken steps to develop guidance and provide technical assistance to fusion centers, for instance, by issuing guidelines for establishing and operating centers. However, officials at 21 centers cited challenges with the availability of training for mission-specific issues. DHS and DOJ have continued providing a technical assistance program for fusion centers and disseminated a baseline capabilities draft in March 2008 that outlines minimum operational standards for fusion centers. While this support and guidance is promising, it is too soon to determine the extent to which it will address challenges identified by officials contacted. Finally, officials in 43 of the 58 fusion centers contacted reported facing challenges related to obtaining personnel, and officials in 54 centers reported challenges with funding, some of which affected these centers' sustainability. To support fusion centers, both DHS and the FBI have assigned, and continue to assign, personnel to the centers. To help address funding issues, DHS has provided funding for fusion-center related activities. The National Strategy for Information Sharing, issued in October 2007 by the President, states that the federal government will support the establishment of fusion centers and help sustain them through grant funding, technical assistance, and training. However, some fusion center officials raised concerns about how specifically the federal government was planning to assist state and local governments to sustain fusion centers as it works to incorporate fusion centers into the ISE and to implement the strategy. Thu, 17 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08622.pdf Since 2002, destroying the terrorist threat and closing the terrorist safe haven have been key national security goals. The United States has provided Pakistan, a key ally in the war on terror, more than $10.5 billion for military, economic, and development activities. Pakistan's Federally Administered Tribal Areas (FATA), which border Afghanistan, are vast unpoliced regions attractive to extremists and terrorists seeking a safe haven. GAO was asked to assess (1) the progress in meeting these national security goals for Pakistan's FATA, and (2) the status of U.S. efforts to develop a comprehensive plan for the FATA. To address these objectives, GAO compared national security goals against assessments conducted by U.S. agencies and reviewed available plans. The United States has not met its national security goals to destroy terrorist threats and close the safe haven in Pakistan's FATA. Since 2002, the United States relied principally on the Pakistan military to address U.S. national security goals. Of the approximately $5.8 billion the United States provided for efforts in the FATA and border region from 2002 through 2007, about 96 percent reimbursed Pakistan for military operations there. According to the Department of State, Pakistan deployed 120,000 military and paramilitary forces in the FATA and helped kill and capture hundreds of suspected al Qaeda operatives; these efforts cost the lives of approximately 1,400 members of Pakistan's security forces. However, GAO found broad agreement, as documented in the National Intelligence Estimate, State, and embassy documents, as well as Defense officials in Pakistan, that al Qaeda had regenerated its ability to attack the United States and had succeeded in establishing a safe haven in Pakistan's FATA. No comprehensive plan for meeting U.S. national security goals in the FATA has been developed, as stipulated by the National Strategy for Combating Terrorism (2003), called for by an independent commission (2004), and mandated by congressional legislation (2007). Furthermore, Congress created the National Counterterrorism Center (NCTC) in 2004 specifically to develop comprehensive plans to combat terrorism. However, neither the National Security Council (NSC), NCTC, nor other executive branch departments have developed a comprehensive plan that includes all elements of national power--diplomatic, military, intelligence, development assistance, economic, and law enforcement support--called for by the various national security strategies and Congress. As a result, since 2002, the U.S. embassy in Pakistan has had no Washington-supported, comprehensive plan to combat terrorism and close the terrorist safe haven in the FATA. In 2006, the embassy, in conjunction with Defense, State, and U.S. Agency for International Development (USAID), and in cooperation with the government of Pakistan, began an effort to focus more attention on other key elements of national power, such as development assistance and public diplomacy, to address U.S. goals in the FATA. However, this does not yet constitute a comprehensive plan. Thu, 17 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08695t.pdf Following the September 11 terrorist attacks, state and local governments formed fusion centers, collaborative efforts to detect, prevent, investigate, and respond to criminal or terrorist activity. Recognizing that the centers are a critical mechanism for sharing information, the federal government--including the Department of Homeland Security (DHS), Department of Justice (DOJ), and the Program Manager for the Information Sharing Environment (PM-ISE), which has primary responsibility for governmentwide information sharing--is taking steps to partner with fusion centers. This testimony focuses on (1) the characteristics of fusion centers as of September 2007 and (2) federal efforts to help alleviate challenges centers identified. This testimony is based on GAO's October 2007 report on 58 fusion centers and related federal efforts to support them as well as updated information GAO obtained in March 2008 by reviewing plans describing selected federal efforts and attending the second annual national fusion center conference. Almost all states and several local governments have established or are in the process of establishing fusion centers that vary in their characteristics. Centers were generally established to address gaps in information sharing, and the majority of the centers GAO contacted had adopted broad missions that could include both counterterrorism and law enforcement-related information. While law enforcement entities, such as state police, are the lead or managing agencies in the majority of the centers GAO contacted, the centers varied in their staff sizes and partnerships with other agencies. The majority of the operational fusion centers GAO contacted had federal personnel, including from DHS or the Federal Bureau of Investigation (FBI), assigned to them as of September 2007. DHS and DOJ have several efforts under way that begin to address challenges fusion center officials identified. DHS and DOJ have provided many fusion centers access to their information systems, but fusion center officials cited challenges accessing and managing multiple information systems. Both DHS and the FBI have provided security clearances for state and local personnel and set timeliness goals for granting clearances. However, officials cited challenges obtaining and using clearances. DHS, DOJ, and the PM-ISE have also taken steps to develop guidance and provide technical assistance to fusion centers, for instance, by issuing guidelines for establishing and operating centers. However, officials at 21 centers cited challenges with the availability of training for mission-specific issues. DHS and DOJ have continued providing a technical assistance program for fusion centers and disseminated a baseline capabilities draft in March 2008 that outlines minimum operational standards for fusion centers. While this support and guidance is promising, it is too soon to determine the extent to which it will address challenges identified by officials contacted. Finally, officials in 43 of the 58 fusion centers contacted reported facing challenges related to obtaining personnel, and officials in 54 centers reported challenges with funding, some of which affected these centers' sustainability. To support fusion centers, both DHS and the FBI have assigned, and continue to assign, personnel to the centers. To help address funding issues, DHS has provided funding for fusion-center related activities. The National Strategy for Information Sharing, issued in October 2007 by the President, states that the federal government will support the establishment of fusion centers and help sustain them through grant funding, technical assistance, and training. However, some fusion center officials raised concerns about how specifically the federal government was planning to assist state and local governments to sustain fusion centers as it works to incorporate fusion centers into the ISE and to implement the strategy. Wed, 16 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08251.pdf It has been 5 years since the Department of Defense (DOD) established U.S. Northern Command (NORTHCOM) to conduct homeland defense and civil support missions in the United States. Planning operations in the United States poses unique challenges for traditional military planning. GAO was asked to assess (1) the status of NORTHCOM's plans and the challenges it faces in planning and conducting operations, (2) the number, experience, and training of planning personnel, and (3) the extent to which NORTHCOM coordinates with other federal agencies. To do this, GAO reviewed available NORTHCOM plans, compared them to joint operational planning criteria, compared planning staff with those at other commands, and reviewed documentation and mechanisms for interagency coordination. NORTHCOM has completed--or is in the process of revising--all of the major plans it is required to prepare for its homeland defense and civil support missions, but it faces a number of challenges in planning for and conducting these missions. NORTHCOM has completed its nine required plans. However, NORTHCOM does not know whether supporting plans that must be developed by other DOD organizations to assist NORTHCOM are complete because it has only recently begun to develop a process to track and assess these plans. NORTHCOM faces challenges in three key planning areas. First, NORTHCOM has difficulty identifying requirements for capabilities it may need in part because NORTHCOM does not have more detailed information from the Department of Homeland Security (DHS) or the states on the specific requirements needed from the military in the event of a disaster. Second, NORTHCOM has few regularly allocated forces and few capabilities allocated to its plans. DOD could allocate forces to NORTHCOM and assign specific forces to the command's plans, but this would not guarantee that those forces would not have to be deployed elsewhere. However, it would provide DOD and the NORTHCOM commander with a better basis on which to assess the risk that the command would be unable to successfully execute one or more of its missions. Third, NORTHCOM has difficulty monitoring the readiness of military units for its civil support mission because its plans do not specify mission tasks against which units can be assessed. NORTHCOM has undertaken mitigation efforts to address each challenge, and new national planning guidance may further assist NORTHCOM and DOD in addressing the challenges. Nevertheless, NORTHCOM and DOD can take additional actions to reduce the risk from these gaps and reduce the risk due to the overall uncertainty that stems from the nature of its mission. NORTHCOM has an adequate number of planning personnel, and the command is pursuing opportunities to expand the experience and training for staff needed to perform the command's planning function. NORTHCOM's planning staff is filled at over 96 percent of its authorized positions. NORTHCOM's military planning staff receives the same planning training and education as planners in other combatant commands. To draw upon experience in planning and conducting domestic operations, NORTHCOM has integrated National Guard and U.S. Coast Guard personnel into its headquarters staff. NORTHCOM has also developed a curriculum for required mission-related training courses. Although NORTHCOM has taken actions to improve coordination of its homeland defense and civil support plans and operations with federal agencies, it lacks formalized guidance and procedures--such as memorandums of understanding or charters--to help ensure that interagency coordination efforts or agreements that are reached can be fully relied on. This is important because responding to a major disaster in the United States--natural or man-made--is a shared responsibility of many government agencies with states often requiring federal assistance from DHS and DOD. Wed, 16 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08646t.pdf The Department of Homeland Security (DHS) began operations in March 2003 with missions that include preventing terrorist attacks from occurring within the United States, reducing U.S. vulnerability to terrorism, minimizing damages from attacks that occur, and helping the nation recover from any attacks. GAO has reported that the implementation and transformation of DHS is an enormous management challenge. GAO's prior work on mergers and acquisitions found that successful transformations of large organizations, even those faced with less strenuous reorganizations than DHS, can take at least 5 to 7 years to achieve. This testimony addresses (1) the progress made by DHS in implementing its management functions; and (2) key issues that have affected the department's implementation efforts. This testimony is based on GAO's August 2007 report evaluating DHS's progress between March 2003 and July 2007; selected reports issued since July 2007; and GAO's institutional knowledge of homeland security and management issues. Within each of its management areas--acquisition, financial, human capital, information technology, and real property management--DHS has made some progress, but has also faced challenges. DHS has recognized the need to improve acquisition outcomes and taken some positive steps to organize and assess the acquisition function, but continues to lack clear accountability for the outcomes of acquisition dollars spent. The department also has not fully ensured proper oversight of its contractors providing services closely supporting inherently government functions. DHS has designated a Chief Financial Officer and taken actions to prepare corrective action plans for its internal control weaknesses. However, DHS has been unable to obtain an unqualified audit opinion of its financial statements, and for fiscal year 2007 the independent auditor identified significant deficiencies in DHS's internal control over financial reporting. DHS has taken actions to implement its human capital system by, for example, issuing a departmental training plan and human capital operational plan. Among other things, DHS still needs to implement a human capital system linked to its strategic plan, establish a market-based and more performance-oriented pay system, and seek more routine feedback from employees. DHS has taken actions to develop information technology management controls, such as developing an information technology human capital plan and developing policies to ensure the protection of sensitive information. However, DHS has not yet fully implemented a comprehensive information security program or a process to effectively manage information technology investments. DHS has developed an Asset Management Plan and established performance measures consistent with Federal Real Property standards. However, DHS has yet to demonstrate full implementation of its Asset Management Plan or full use of asset management inventory information. Various cross-cutting issues have affected DHS's implementation efforts. For example, DHS has not yet updated its strategic plan and put in place structures to help it manage for results. Accountability and transparency are critical to effectively implementingDHS's management functions. GAO has experienced delays in obtaining access to needed information from DHS, though over the past year, GAO's access has improved. GAO is hopeful that planned revisions to DHS's guidance for working with GAO will streamline our access to documents and officials. DHS's 5 year anniversary provides an opportunity for the department to review how it has matured as an organization. As part of our broad range of work, GAO will continue to assess DHS's progress in addressing high-risk issues. In particular, GAO will continue to assess the progress made by the department in its transformation efforts and whether any progress made is sustainable over the long term. Wed, 09 Apr 2008 00:00:00 -0400 http://www.gao.gov/new.items/d08542t.pdf Since September 11, 2001, the need to secure U.S. borders has increased in importance and attracted greater public and Congressional attention. The Department of Homeland Security (DHS) has spent billions of dollars to prevent the illegal entry of individuals and contraband between ports of entry--government-designated locations where DHS inspects persons and goods to determine whether they may be lawfully admitted into the country. Yet, while DHS apprehends hundreds of thousands of such individuals each year, several hundreds of thousands more enter the country illegally and undetected. The U.S. Customs and Border Protection (CBP), a component of DHS, is the lead federal agency in charge of securing our nation's borders. This testimony summarizes GAO's work on DHS's efforts on selected border security operations and programs related to (1) inspecting travelers at U.S. ports of entry, (2) detecting individuals attempting to enter the country illegally between ports of entry, and (3) screening of international travelers before they arrive in the United States and challenges remaining in these areas. GAO's observations are based on products issued from May 2006 through February 2008. In prior reports, GAO has recommended various actions to DHS to, among other things, help address weaknesses in the traveler inspection programs and processes, and challenges in training officers to inspect travelers and documents. DHS has generally agreed with our recommendations and has taken various actions to address them. CBP has taken actions to improve traveler inspections at U.S. ports of entry, but challenges remain. First, CBP has stressed the importance of effective inspections and trained CBP supervisors and officers in interviewing travelers. Yet, weaknesses in travel inspection procedures and lack of physical infrastructure and staff have hampered CBP's ability to inspect travelers thoroughly and detect fraudulent documents. Second, CBP is implementing an initiative requiring citizens of the United States, Bermuda, Canada, and Mexico to present certain identification documents when entering the United States. As of December 2007, actions taken to meet the initiative's requirements include selecting technology to be used at land ports of entry and developing plans to train officers to use it. Finally, DHS has developed a program to collect, maintain, and share data on selected foreign nationals entering and exiting the country. As of October 2007, the agency has invested more than $1.5 billion on the program over 4 years and biometrically-enabled entry capabilities now operate at more than 300 ports of entry. However, though allocating about $250 million since 2003 to exit-related efforts, DHS has not yet detailed how it will verify when travelers exit the country. In November 2005, DHS announced the launch of a multiyear, multibillion-dollar program aimed at securing U.S. borders and reducing immigration of individuals who enter the United States illegally and undetected between ports of entry. One component of this program, which DHS accepted as complete in February 2008, was an effort to secure 28 miles along the southwest border using, among other means, improved cameras and radars. DHS plans to apply the lessons learned to future projects. Another program component, 370 miles of pedestrian fence and 300 miles of vehicle fence, has not yet been completed and DHS will be challenged to do so by its December 2008 deadline due to various factors, such as acquiring rights to border lands. Additionally, DHS is unable to estimate the total cost of this component because various factors are not yet known such as the type of terrain where the fencing is to be constructed. Finally, CBP has experienced unprecedented growth in the number of its Border Patrol agents. While initial training at the academy is being provided, Border Patrol officials expressed concerns about the agency's ability to provide sufficient field training. To screen international travelers before they arrive in the United States, the federal government has implemented new policies and programs, including enhancing visa security and providing counterterrorism training to overseas consular officials. As GAO previously recommended, DHS needs to better manage risks posed by a program that allows nationals from 27 countries to travel to the United States without a visa for certain durations and purposes. Regarding the prescreening of international passengers bound for the United States, CBP has a pilot program that provides additional scrutiny of passengers and their travel documents at foreign airports prior to their departure. CBP has reported several successes through the pilot but has not yet determined whether to make the program permanent. Thu, 06 Mar 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08336.pdf The Department of State's (State) Antiterrorism Assistance (ATA) program's objectives are to provide partner nations with counterterrorism training and equipment, improve bilateral ties, and increase respect for human rights. State's Office of the Coordinator for Counterterrorism (S/CT) provides policy guidance and its Bureau of Diplomatic Security, Office of Antiterrorism Assistance, (DS/T/ATA) manages program operations. GAO assessed (1) State's guidance for determining ATA priorities, (2) how State coordinates ATA with other counterterrorism programs, (3) the extent State established ATA program goals and measures, and (4) State's reporting on U.S. international counterterrorism assistance. To address these objectives, GAO reviewed State documents and met with cognizant officials in Washington, D.C., and four ATA program partner nations. S/CT provides minimal guidance to help prioritize ATA program recipients, and S/CT and DS/T/ATA do not systematically align ATA assistance with U.S. assessments of foreign partner counterterrorism needs. S/CT provides policy guidance to DS/T/ATA through quarterly meetings and a tiered list of priority countries, but the list does not provide guidance on country counterterrorism related program goals, objectives, or training priorities. S/CT and DS/T/ATA also did not consistently use country-specific needs assessments and program reviews to plan assistance. S/CT has established mechanisms to coordinate the ATA program with other U.S. international efforts to combat terrorism. S/CT holds interagency meetings with representatives from the Departments of State, Defense, Justice, and Treasury and other agencies as well as ambassador-level regional strategic coordinating meetings. GAO did not find any significant duplication or overlap among the various U.S. international counterterrorism efforts. State has made progress in establishing goals and intended outcomes for the ATA program, but S/CT and DS/T/ATA do not systematically assess the outcomes and, as a result, cannot determine the effectiveness of program assistance. For example, although sustainability is a principal focus, S/CT and DS/T/ATA have not set clear measures of sustainability or integrated sustainability into program planning. State reporting on U.S. counterterrorism assistance abroad has been incomplete and inaccurate. S/CT has not provided a congressionally mandated annual report to Congress on U.S. government-wide assistance related to combating international terrorism since 1996. After 1996, S/CT has only submitted to Congress annual reports on the ATA program. However, these reports contained inaccurate program information, such as the number of students trained and courses offered. Additionally, the reports lacked comprehensive information on the results of program assistance that would be useful to Congress. Fri, 29 Feb 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08458t.pdf The Visa Waiver Program, which enables citizens of participating countries to travel to the United States without first obtaining a visa, has many benefits, yet also presents security, law enforcement, and illegal immigration risks. In August 2007, Congress passed legislation that provides the Department of Homeland Security (DHS) with the authority to expand the program to additional countries whose nationals' applications for short-term business and tourism visas were refused between 3 and 10 percent of the time in the prior fiscal year. Countries must also meet certain conditions, and DHS must first complete and certify a number of required actions aimed at enhancing the security of the program. This testimony will focus on one of these required actions--namely, that a system be in place that can verify the departure of 97 percent of foreign nationals who depart through U.S. airports (referred to as an air exit system). Our observations are based on our review of relevant legislation, regulations and agency operating procedures, and prior GAO reports on the Visa Waiver Program and immigrant and visitor entry and exit tracking systems, as well as on discussions with federal agency officials. In commenting on a draft of this statement, DHS emphasized that it had not finalized its plan for certifying the "97 percent" requirement, but that the department believes the current plan would meet the legislative requirement. The Department of State also provided technical comments, which we incorporated, as appropriate. On December 12, 2007, DHS reported to us that it will match records of foreign nationals departing the country, as reported by airlines, to the department's existing records of any prior arrivals, immigration status changes, or prior departures from the United States. Using this formula, DHS stated that it can attain a match rate above 97 percent, based on August 2007 data, to certify compliance with the legislative air exit system requirement. DHS told us that it believes this methodology would meet the statutory requirement. On February 21, 2008, DHS indicated that it had not finalized its decision on the methodology the department would use to certify compliance. Nevertheless, the department confirmed that the basic structure of its methodology would not change, and that it would use departure records as the starting point. There are several limitations with this methodology. For example, DHS's methodology does not begin with arrival records and determine if these foreign nationals stayed in the United States beyond their authorized periods of admission (referred to as overstays). Therefore, this methodology will not inform overall and country-specific overstay rates--key factors in determining illegal immigration risks of the Visa Waiver Program. Although most long-term overstays are likely motivated by economic opportunities, a few overstays have been identified as terrorists or involved in terrorist-related activity, including some of the September 11, 2001, hijackers. In addition, DHS's current methodology does not address the accuracy of airlines' transmissions of departure records, and DHS acknowledges that there are weaknesses in the departure data. For example, there may be some visitors who did not leave the country by air even though they were recorded on airlines' manifest data as having departed. The inability of the U.S. government to track the status of visitors in the country, to identify those who overstay their authorized period of visit, and to use this data to compute overstay rates have been longstanding weaknesses in the oversight of the Visa Waiver Program. DHS's plan to meet the "97 percent" requirement in the visa waiver expansion legislation will not address these weaknesses. Thu, 28 Feb 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08457t.pdf The Department of Homeland Security (DHS) began operations in March 2003 with missions that include preventing terrorist attacks from occurring within the United States, reducing U.S. vulnerability to terrorism, minimizing damages from attacks that occur, and helping the nation recover from any attacks. GAO has reported that the implementation and transformation of DHS is an enormous management challenge and that the size, complexity, and importance of the effort make the challenge especially daunting and critical to the nation's security. GAO's prior work on mergers and acquisitions found that successful transformations of large organizations, even those faced with less strenuous reorganizations than DHS, can take at least 5 to 7 years to achieve. This testimony is based on GAO's August 2007 report evaluating DHS's progress between March 2003 and July 2007, selected reports issued since July 2007, and our institutional knowledge of homeland security issues. Since its establishment, DHS has made progress in implementing its management and mission functions in the areas of acquisition, financial, human capital, information technology, and real property management; border security; immigration enforcement and services; aviation, surface transportation, and maritime security; emergency preparedness and response; critical infrastructure protection; and science and technology. In general, DHS has made more progress in its mission areas than in its management areas, reflecting an initial focus on protecting the homeland. While DHS has made progress in implementing its functions in each management and mission area, we identified challenges remaining in each of these areas. These challenges include providing appropriate oversight for contractors; improving financial management and controls; implementing a performance-based human capital management system; implementing information technology management controls; balancing trade facilitation and border security; improving enforcement of immigration laws, enhancing transportation security; and effectively coordinating the mitigation and response to all hazards. Key issues that have affected DHS's implementation efforts are agency transformation, strategic planning and results management, risk management, information sharing, partnerships and coordination, and accountability and transparency. For example, GAO designated DHS's implementation and transformation as high-risk. While DHS has made progress in transforming its component agencies into a fully functioning department, it has not yet addressed key elements of the transformation process, such as developing a comprehensive transformation strategy. The Homeland Security Act of 2002, as amended, requires DHS to develop a transition and succession plan to guide the transition of management functions to a new Administration; DHS is working to develop and implement its approach for managing the transition. DHS has begun to develop performance goals and measures in some areas in an effort to strengthen its ability to measure its progress in key areas. We commend DHS's efforts and have agreed to work with the department to provide input to help strengthen established measures. DHS also has not yet fully adopted and applied a risk management approach in implementing its mission functions. Although some DHS components have taken steps to do so, this approach has not yet been implemented departmentwide. DHS's 5-year anniversary provides an opportunity for the department to review how it has matured as an organization. As part of our broad range of work reviewing DHS's management and mission programs, GAO will continue to assess DHS's progress in addressing high-risk issues. In particular, GAO will continue to assess the progress made by the department in its transformation and information sharing efforts. Wed, 13 Feb 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08476t.pdf In 2003, the Federal Protective Service (FPS) was transferred from the General Services Administration (GSA) to the Department of Homeland Security (DHS) and is currently tasked with providing physical security and law enforcement services to about 8,800 facilities owned or leased by GSA. To accomplish its mission, FPS currently has a workforce of about 1,100 employees and about 15,000 contract guards located throughout the country. While there has not been a large-scale attack on a domestic federal facility since the terrorist attacks of September 11, 2001 and the 1995 terrorist attack on the Oklahoma City Federal Building, it is important that FPS has sufficient resources and an effective approach to protect federal employees and members of the public that work in and visit federal facilities from the risk of crime and terrorist attacks. GAO was asked to provide information and analysis on (1) the extent to which FPS is fulfilling its mission to protect federal employees and facilities and (2) the management challenges FPS faces. To address these objectives, GAO analyzed FPS staffing data and interviewed numerous FPS officials, GSA, tenant agencies, and local police departments. Due to staffing and operational issues, FPS is experiencing difficulties in fully meeting its facility protection mission. According to many FPS officials at regions we visited, these difficulties may expose federal facilities to a greater risk of crime or terrorist attack. FPS' workforce has decreased by nearly 20 percent from almost 1,400 in fiscal year 2004 to about 1,100 at the end of fiscal year 2007. In fiscal year 2007, FPS had about 756 inspectors and police officers, and about 15,000 contract guards who are used primarily to monitor facilities through fixed post assignments and access control. FPS is also implementing a policy to change the composition of its workforce whereby it will essentially eliminate the police officer position and mainly utilize inspectors. One consequence of this change is that, with the exception of a few locations, FPS is not providing proactive patrols in and around federal facilities in order to detect and prevent criminal incidents and terrorism related activities before they occur. FPS has also reduced its hours of operation in many locations and has not always maintained security countermeasures and equipment such as security cameras, magnetometers, x-ray machines, radios, building security assessment equipment, and access control systems at some facilities we visited. For example, at one location we visited, a deceased individual had been found, after three months, in a vacant GSA facility that was not regularly patrolled by FPS. FPS continues to face several management challenges that, according to many FPS officials at regions we visited, have hampered its ability to accomplish its facility protection mission. These include budgetary challenges, a lack of adequate contract guard oversight, and the absence of agreements with local police departments regarding response capabilities or jurisdictional issues at federal facilities. Historically and recently, FPS' revenues have not been sufficient to cover its operational costs. To address its recent revenue shortfall FPS has restricted hiring and travel, limited training and overtime, and eliminated employee performance awards. These measures have had a negative effect on staff morale, contributed to FPS' high attrition rates, and may affect the performance and safety of FPS personnel. Moreover, many FPS officials expressed concern about the lack of oversight of the 15,000 contract guards and poor performance by some guards when responding to crime and incidents at federal facilities. FPS has indicated that they are covering facility protection gaps through increased reliance on local law enforcement but it has not signed any agreements with local law enforcement agencies to ensure local assistance or resolved jurisdictional issues, which could authorize local police to respond to some incidents at federal facilities. Multiple local police departments said they were not aware of FPS' expected reliance on their services. Fri, 08 Feb 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08403.pdf There are 37 research reactors in the United States, mostly located on college campuses. Of these, 33 reactors are licensed and regulated by the Nuclear Regulatory Commission (NRC). Four are operated by the Department of Energy (DOE) and are located at three national laboratories. Although less powerful than commercial nuclear power reactors, research reactors may still be attractive targets for terrorists. As requested, GAO examined the (1) basis on which DOE and NRC established the security and emergency response requirements for DOE and NRC-licensed research reactors and (2) progress that the National Nuclear Security Administration (NNSA) has made in converting U.S. research reactors that use highly enriched uranium (HEU) to low enriched uranium (LEU) fuel. This report summarizes the findings of GAO's classified report on the security of research reactors (GAO-08-156C). DOE developed the security and emergency response requirements for its research reactors using its Design Basis Threat--a process that establishes a baseline threat for which minimum security measures should be developed. These research reactors benefit from the greater security required for the national laboratories where they are located, which store weapons-usable nuclear materials. DOE also has concluded that the consequences of an attack at some of its research reactors could be severe, causing radioactivity to be dispersed over many square miles and requiring the evacuation of nearby areas. As a result, all facilities where DOE reactors are located have extensive plans and procedures for responding to security incidents. NRC based its security and emergency response requirements largely on the regulations it had in place before September 2001. NRC decided that the security assessment it conducted between 2003 and 2006 showed that these requirements were sufficient. While it was conducting this assessment, NRC worked with licensees to improve security when weaknesses were detected. However, GAO found that NRC's assessment contains questionable assumptions that create uncertainty about whether the assessment reflects the full range of security risks and potential consequences of attacks on research reactors. For example, Sandia National Laboratories (SNL)--a contractor NRC used to assist in performing its assessment-- found that some NRC-licensed research reactors may not be prepared for certain types of attacks. However, NRC disagreed with SNL's finding. In 2006, NRC concluded that the consequences of attacks would result in minimal radiological exposure to the public. In addition, NRC assumed that terrorists would use certain tactics in attacking a reactor but did not fully consider alternative attack scenarios that could be more damaging. Finally, NRC assumed that a small part of a reactor could be damaged in an attack, resulting in the release of only a small amount of radioactivity. However, according to experts at Idaho National Laboratories and the Department of Homeland Security, it is possible that a larger part of a reactor could be damaged, which could result in the release of larger amounts of radioactivity. NNSA has made progress in changing from HEU to LEU fuel in U.S. research reactors but may face difficulty in converting some of the remaining research reactors. Since 1978, NNSA has converted eight currently operating U.S. research reactors, including two in 2006. In addition, NNSA plans to convert 10 more U.S. research reactors by September 2014--five of which are scheduled for conversion by 2009. However, NNSA faces difficulties in converting the remaining five reactors because these reactors cannot operate with the currently available LEU fuel. NNSA is now developing a new LEU fuel that will allow the remaining five reactors to operate. However, according to NNSA, developing this fuel has been problematic, as early efforts experienced failures during testing. NNSA officials acknowledged that further setbacks are likely to delay plans to convert these research reactors. Thu, 31 Jan 2008 00:00:00 -0500 http://www.gao.gov/new.items/d08429t.pdf Six years after the attack on the World Trade Center (WTC), concerns persist about health effects experienced by WTC responders and the availability of health care services for those affected. Several federally funded programs provide screening, monitoring, or treatment services to responders. GAO has previously reported on the progress made and implementation problems faced by these WTC health programs. This testimony is based primarily on GAO's testimony, September 11: Improvements Needed in Availability of Health Screening and Monitoring Services for Responders (GAO-07-1229T, Sept. 10, 2007), which updated GAO's report, September 11: HHS Needs to Ensure the Availability of Health Screening and Monitoring for All Responders (GAO-07-892, July 23, 2007). In this testimony, GAO discusses efforts by the Centers for Disease Control and Prevention's National Institute for Occupational Safety and Health (NIOSH) to provide services for nonfederal responders residing outside the New York City (NYC) area. For the July 2007 report, GAO reviewed program documents and interviewed Department of Health and Human Services (HHS) officials, grantees, and others. GAO updated selected information in August and September 2007 and conducted work for this statement in January 2008. In July 2007, following a reexamination of the status of the WTC health programs, GAO recommended that the Secretary of HHS take expeditious action to ensure that health screening and monitoring services are available to all people who responded to the WTC attack, regardless of where they reside. As of January 2008, the department has not responded to this recommendation. As GAO testified in September 2007, NIOSH has not ensured the availability of screening and monitoring services for nonfederal responders residing outside the NYC area, although it has taken steps toward expanding the availability of these services. In late 2002, NIOSH arranged for a network of occupational health clinics to provide screening services. This effort ended in July 2004, and until June 2005 NIOSH did not fund screening or monitoring services for nonfederal responders outside the NYC area. In June 2005, NIOSH funded the Mount Sinai School of Medicine Data and Coordination Center (DCC) to provide screening and monitoring services; however, DCC had difficulty establishing a nationwide network of providers and contracted with only 10 clinics in seven states. In 2006, NIOSH began to explore other options for providing these services, and in 2007 it took steps toward expanding the provider network. Tue, 22 Jan 2008 00:00:00 -0500 http://www.gao.gov/new.items/d0858.pdf The 2006 U.S. National Security Strategy stated that the United States faces challenges from Iran, including Iran's proliferation efforts and involvement in international terrorism. To address these concerns, the United States employs a range of tools, including diplomatic pressure, a military presence in the Gulf, and sanctions. A U.S. sanction is a unilateral restriction or condition on economic activity imposed by the United States for reasons of foreign policy or national security. We were asked to review (1) U.S. sanctions targeting Iran and their implementation, (2) reported sanction impacts, and (3) factors limiting sanctions. To conduct the review, we assessed trade and sanction data, information on Iran's economy and energy sector, and U.S. and international reports on Iran, and discussed sanctions with U.S. officials and Iran experts. Since 1987, U.S. agencies have implemented numerous sanctions against Iran. First, Treasury oversees a ban on U.S. trade and investment with Iran and filed over 94 civil penalty cases between 2003 and 2007 against companies violating the prohibition. This ban may be circumvented by shipping U.S. goods to Iran through other countries. Second, State administers laws that sanction foreign parties engaging in proliferation or terrorism-related activities with Iran. Under one law, State has imposed sanctions in 111 instances against Chinese, North Korean, Syrian, and Russian entities. Third, Treasury or State can use financial sanctions to freeze the assets of targeted parties and reduce their access to the U.S. financial system. U.S. officials report that U.S. sanctions have slowed foreign investment in Iran's petroleum sector, denied parties involved in Iran's proliferation and terrorism activities access to the U.S. financial system, and provided a clear statement of U.S. concerns to the rest of the world. However, other evidence raises questions about the extent of reported impacts. Since 2003, the Iranian government has signed contracts reported at about $20 billion with foreign firms to develop its energy resources. Further, sanctioned Iranian banks may fund their activities in currencies other than the dollar. Moreover, while Iran halted its nuclear weapons program in 2003, according to the November 2007 National Intelligence Estimate, it continues to enrich uranium, acquire advanced weapons technology, and support terrorism. Finally, U.S. agencies do not systematically collect or analyze data demonstrating the overall impact and results of their sanctioning and enforcement actions. Iran's global trade ties and leading role in energy production make it difficult for the United States to isolate Iran and pressure it to reduce proliferation and support for terrorism. For example, Iran's overall trade with the world has grown since the U.S. imposed sanctions, although this trade has fluctuated. Imports rose sharply following the Iran-Iraq war in 1988 and then declined until 1995; most export growth followed the rise in oil prices beginning in 2002. This trade included imports of weapons and nuclear technology. However, multilateral UN sanctions began in December 2006. Tue, 18 Dec 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08141.pdf U. S. energy needs rest heavily on ship-based imports. Tankers bring 55 percent of the nation's crude oil supply, as well as liquefied gases and refined products like jet fuel. This supply chain is potentially vulnerable in many places here and abroad, as borne out by several successful overseas attacks on ships and facilities. GAO's review addressed (1) the types of threats to tankers and the potential consequences of a successful attack, (2) measures taken to protect tankers and challenges federal agencies face in making these actions effective, and (3) plans in place for responding to a successful attack and potential challenges stakeholders face in responding. GAO's review spanned several foreign and domestic ports, and multiple steps to analyze data and gather opinions from agencies and stakeholders. The supply chain faces three main types of threats--suicide attacks such as explosive-laden boats, "standoff" attacks with weapons launched from a distance, and armed assaults. Highly combustible commodities such as liquefied gases have the potential to catch fire or, in a more unlikely scenario, explode, posing a threat to public safety. Attacks could also have environmental consequences, and attacks that disrupt the supply chain could have a severe economic impact. Much is occurring, internationally and domestically, to protect tankers and facilities, but significant challenges remain. Overseas, despite international agreements calling for certain protective steps, substantial disparities exist in implementation. The United States faces limitations in helping to increase compliance, as well as limitations in ensuring safe passage on vulnerable transport routes. Domestically, units of the Coast Guard, the lead federal agency for maritime security, report insufficient resources to meet its own self imposed security standards, such as escorting ships carrying liquefied natural gas. Some units' workloads are likely to grow as new liquefied natural gas facilities are added. Coast Guard headquarters has not developed plans for shifting resources among units. Multiple attack response plans are in place to address an attack, but stakeholders face three main challenges in making them work. First, plans for responding to a spill and to a terrorist threat are generally separate from each other, and ports have rarely exercised these plans simultaneously to see if they work effectively together. Second, ports generally lack plans for dealing with economic issues, such as prioritizing the movement of vessels after a port reopens. The President's maritime security strategy calls for such plans. Third, some ports report difficulty in securing response resources to carry out planned actions. Federal port security grants have generally been directed at preventing attacks, not responding to them, but a more comprehensive risk-based approach is being developed. Decisions about the need for more response capabilities are hindered, however, by a lack of performance measures tying resource needs to effectiveness in response. Mon, 10 Dec 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08232r.pdf Since the September 11, 2001, terrorist attacks, federal agencies have faced the challenge of protecting sensitive information from terrorists and others without a need to know while sharing this information with parties who are determined to have such a need. One form of protection involves identifying and marking such information sensitive but unclassified--information that is generally restricted from public disclosure but not designated as classified national security information. The Department of Homeland Security's (DHS) Transportation Security Administration (TSA) requires that certain information be protected from public disclosure as part of its responsibility for securing all modes of transportation. TSA, through its authority to protect information as sensitive security information (SSI), prohibits the public disclosure of information obtained or developed in the conduct of security activities that, for example, would be detrimental to transportation security. According to TSA, SSI may be generated by TSA, other DHS agencies, airports, aircraft operators, and other regulated parties when they, for example, establish or implement security programs or create documentation to address security requirements. Section 525 of the DHS Appropriations Act, 2007 (Public Law 109-295), required the Secretary of DHS to revise Management Directive (MD) 11056, which establishes DHS policy regarding the recognition, identification, and safeguarding of SSI, to (1) review requests to publicly release SSI in a timely manner and establish criteria for the release of information that no longer requires safeguarding; (2) release certain SSI that is 3 years old, upon request, unless it is determined the information must remain SSI or is otherwise exempt from disclosure under applicable law; and (3) provide common and extensive examples of the 16 categories of SSI to minimize and standardize judgment by persons identifying information as SSI. In addition to answering this mandate, we are following up on a June 2005 report in which we recommended that DHS direct the Administrator of TSA to establish (1) guidance and procedures for using TSA regulations to determine what constitutes SSI, (2) responsibility for the identification and determination of SSI, (3) policies and procedures within TSA for providing training to those making SSI determinations, and (4) internal controls4 that define responsibilities for monitoring compliance with SSI regulations, policies, and procedures and communicate these responsibilities throughout TSA. To respond to the mandate and update the status of all four of our recommendations, we assessed DHS's status in establishing criteria and examples for identifying SSI; efforts in providing training to those that identify and designate SSI; processes for responding to requests to release SSI, including the legislative mandate to review various types of requests to release SSI; and efforts in establishing internal controls that define responsibilities for monitoring SSI policies and procedures. DHS, primarily through TSA's SSI Office, has addressed all of the legislative mandates from the DHS Appropriations Act, 2007, and taken actions to satisfy all of the recommendations from our June 2005 report. DHS revised its MD to address the need for updating SSI guidance, and TSA has established more extensive SSI criteria and examples that respond to requirements in the DHS Appropriations Act, 2007, and our 2005 recommendation that TSA establish guidance and procedures for using TSA regulations to determine what constitutes SSI. TSA's SSI Office is in the process of providing SSI training to all of TSA's employees and contractors in accordance with its recently established policies and procedures, an action that responds to our 2005 recommendation. The office uses a "train the trainer" program in which it instructs SSI program managers and coordinators who are then expected to train appropriate staff in their respective agencies and programs. Several aspects of the SSI training program that we evaluated are consistent with GAO-identified components of a strategic training program. TSA has taken actions to incorporate stakeholder feedback and establish policies to collect data to evaluate its training program and foster a culture of continuous improvement. Consistent with the legislative mandate, DHS has taken actions to update its processes to respond to requests to release SSI. Specifically, DHS revised MD 11056 in accordance with the DHS Appropriations Act, 2007, to incorporate a provision that all requests to publicly release SSI will be reviewed in a timely manner, including SSI that is at least 3 years old. Between February 2006 and January 2007, the SSI Office received 490 requests to review records pertaining to the release of SSI, the majority of which came from government entities (62 percent). The SSI Office worked with the requesting government entity to agree upon a time frame for processing the request. Within the same 12-month period, 30 percent of requests were initiated by the public under the Freedom of Information Act (FOIA). The SSI Office has established a process for reviewing information requested through the FOIA process in 5 days, unless the information consists of more than 100 pages. The remaining 8 percent of requests within the 12-month period came from individuals in connection with litigation, including civil proceedings within the U.S. District Courts. The internal controls that TSA designed for SSI are consistent with governmentwide requirements and respond to our 2005 recommendation. Fri, 30 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08285t.pdf The Department of Energy (DOE) maintains emergency response capabilities and assets to quickly respond to potential nuclear and radiological threats in the United States. These capabilities are primarily found at DOE's two key emergency response facilities--the Remote Sensing Laboratories at Nellis Air Force Base, Nevada, and Andrews Air Force Base, Maryland. These capabilities took on increased significance after the attacks of September 11, 2001, because of heightened concern that terrorists may try to detonate a nuclear or radiological device in a major U.S. city. DOE is not the only federal agency responsible for addressing nuclear and radiological threats. The Department of Homeland Security (DHS) is responsible for preparing the country to prevent and respond to a potential nuclear or radiological attack. This testimony discusses (1) the benefits of using DOE's aerial background radiation surveys to enhance emergency response capabilities and (2) the physical security measures in place at DOE's two key emergency response facilities and whether they are consistent with DOE guidance. It is based on GAO's report on DOE's nuclear and radiological emergency response capabilities, issued in September 2006 (Combating Nuclear Terrorism: Federal Efforts to Respond to Nuclear and Radiological Threats and to Protect Emergency Response Capabilities Could be Strengthened [Washington, D.C.: Sept. 21, 2006]). DOE has unique capabilities and assets to prevent and respond to a nuclear or radiological attack in the United States. One of these unique capabilities is the ability to conduct aerial background radiation surveys. These surveys can be used to compare changes in radiation levels to (1) help detect radiological threats in U.S. cities more quickly and (2) measure contamination levels after a radiological attack to assist in and reduce the costs of cleanup efforts. Despite the benefits, only one major city has been surveyed. Neither DOE nor DHS has mission responsibility for conducting these surveys. DOE and DHS disagree about which department is responsible for informing cities about the surveys, and funding and conducting surveys if cities request them. In the absence of clear mission responsibility, DOE and DHS have not informed cities about the surveys and have not conducted any additional surveys. DOE's two Remote Sensing Laboratories are protected at the lowest level of physical security allowed by DOE guidance because, according to DOE, capabilities and assets to prevent and respond to nuclear and radiological emergencies have been dispersed across the country and are not concentrated at the laboratories. However, we found a number of critical capabilities and assets that exist only at the Remote Sensing Laboratories and whose loss would significantly hamper DOE's ability to quickly prevent and respond to a nuclear or radiological emergency. These capabilities include the most highly trained teams for minimizing the consequences of a nuclear or radiological attack and the only helicopters and planes than can readily help locate nuclear or radiological devices or measure contamination levels after a radiological attack. Because these capabilities and assets have not been fully dispersed, current physical security measures may not be sufficient for protecting the facilities against a terrorist attack. Thu, 15 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d0848t.pdf In August 2006, the Transportation Security Administration (TSA) substantially modified its passenger screening policies based on the alleged transatlantic bomb plot uncovered by British authorities. With the aim of closing security gaps revealed by the alleged plot, the revised policies severely restricted the amount of liquids, gels, and aerosols TSA allowed passengers to bring through the checkpoint. At the Committee's request, GAO tested whether security gaps exist in the passenger screening process. To perform this work, GAO attempted to (1) obtain the instructions and components needed to create devices that a terrorist might use to cause severe damage to an airplane and threaten the safety of passengers and (2) test whether GAO investigators could pass through airport security checkpoints undetected with all the components needed to create the devices. GAO conducted covert testing at a nonrepresentative selection of 19 airports across the country. After concluding its tests, GAO provided TSA with two timely briefings to help it take corrective action. In these briefings, GAO suggested that TSA consider several actions to improve its passenger screening program, including aspects of human capital, processes, and technology. GAO is currently performing a more systematic review of these issues and expects to issue a comprehensive public report with recommendations for TSA in early 2008. GAO investigators succeeded in passing through TSA security screening checkpoints undetected with components for several improvised explosive devices (IED) and an improvised incendiary device (IID) concealed in their carry-on luggage and on their persons. The components for these devices and the items used to conceal the components were commercially available. Specific details regarding the device components and the methods of concealment GAO used during its covert testing were classified by TSA; as such, they are not discussed in this testimony. Using publicly available information, GAO investigators identified two types of devices that a terrorist could use to cause severe damage to an airplane and threaten the safety of passengers. The first device was an IED made up of two parts--a liquid explosive and a low-yield detonator. Although the detonator itself could function as an IED, investigators determined that it could also be used to set off a liquid explosive and cause even more damage. In addition, the second device was an IID created by combining commonly available products (one of which is a liquid) that TSA prohibits in carry-on luggage. Investigators obtained the components for these devices at local stores and over the Internet for less than $150. Tests that GAO performed at a national laboratory in July 2007, in addition to prior tests in February 2006 that GAO performed in partnership with a law enforcement organization in the Washington, D.C., metro area, clearly demonstrated that a terrorist using these devices could cause severe damage to an airplane and threaten the safety of passengers. Investigators then devised methods to conceal the components for these devices from TSA transportation security officers, keeping in mind TSA policies related to liquids and other items, including prohibited items. By using concealment methods for the components, two GAO investigators demonstrated that it is possible to bring the components for several IEDs and one IID through TSA checkpoints and onto airline flights without being challenged by transportation security officers. In most cases, transportation security officers appeared to follow TSA procedures and used technology appropriately; however, GAO uncovered weaknesses in TSA screening procedures and other vulnerabilities as a result of these tests. For example, although transportation security officers generally enforced TSA's policies, investigators were able to bring a liquid component of the IID undetected through checkpoints by taking advantage of weaknesses identified in these policies. These weaknesses were identified based on a review of public information. TSA determined that specific details regarding these weaknesses are sensitive security information and are therefore not discussed in this testimony. GAO did not notice any difference between the performance of private screeners and transportation security officers during our tests. Thu, 15 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08192t.pdf U.S. Customs and Border Protection (CBP) is responsible for keeping terrorists and other dangerous people from entering the country while also facilitating the cross-border movement of millions of travelers. CBP carries out this responsibility at 326 air, sea, and land ports of entry. In response to a congressional request, GAO examined CBP traveler inspection efforts, the progress made, and the challenges that remain in staffing and training at ports of entry, and the progress CBP has made in developing strategic plans and performance measures for its traveler inspection program. To conduct its work, GAO reviewed and analyzed CBP data and documents related to inspections, staffing, and training, interviewed managers and officers, observed inspections at eight major air and land ports of entry, and tested inspection controls at eight small land ports of entry. GAO's testimony is based on a report GAO issued November 5, 2007. CBP has had some success in identifying inadmissible aliens and other violators, but weaknesses in its operations increase the potential that terrorists and inadmissible travelers could enter the country. In fiscal year 2006, CBP turned away over 200,000 inadmissible aliens and interdicted other violators. Although CBP's goal is to interdict all violators, CBP estimated that several thousand inadmissible aliens and other violators entered the country though ports of entry in fiscal year 2006. Weaknesses in 2006 inspection procedures, such as not verifying the citizenship and admissibility of each traveler, contribute to failed inspections. Although CBP took actions to address these weaknesses, subsequent follow-up work conducted by GAO months after CBP's actions found that weaknesses such as those described above still existed. In July 2007, CBP issued detailed procedures for conducting inspections including requiring field office managers to assess compliance with these procedures. However, CBP has not established an internal control to ensure field office managers share their assessments with CBP headquarters to help ensure that the new procedures are consistently implemented across all ports of entry and reduce the risk of failed traveler inspections. CBP developed a staffing model that estimates it needs up to several thousand more staff. Field office managers said that staffing shortages affected their ability to carry out anti-terrorism programs and created other vulnerabilities in the inspections process. CBP recognizes that officer attrition has impaired its ability to attain budgeted staffing levels and is in the process of developing a strategy to help curb attrition. CBP has made progress in developing training programs; however, it does not measure the extent to which it provides training to all who need it and whether new officers demonstrate proficiency in required skills. CBP issued a strategic plan for operations at its ports of entry and has collected performance data that can be used to measure its progress in achieving its strategic goals. However, current performance measures do not gauge CBP effectiveness in apprehending inadmissible aliens and other violators, a key strategic goal. Tue, 13 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08253t.pdf The Federal Bureau of Investigation's (FBI) Terrorist Screening Center (TSC) maintains a consolidated watch list of known or appropriately suspected terrorists and sends records from the list to agencies to support terrorism-related screening. This testimony discusses (1) standards for including individuals on the list, (2) the outcomes of encounters with individuals on the list, (3) potential vulnerabilities in screening processes and efforts to address them, and (4) actions taken to promote effective terrorism-related screening. This statement is based on GAO's report (GAO-08-110). To accomplish the objectives, GAO reviewed documentation obtained from and interviewed officials at TSC, the FBI, the National Counterterrorism Center, the Department of Homeland Security, and other agencies that perform terrorism-related screening. The FBI and the intelligence community use standards of reasonableness to evaluate individuals for nomination to the consolidated terrorist watch list. In general, individuals who are reasonably suspected of having possible links to terrorism--in addition to individuals with known links--are to be nominated. As such, being on the list does not automatically prohibit, for example, the issuance of a visa or entry into the United States. Rather, when an individual on the list is encountered, agency officials are to assess the threat the person poses to determine what action to take, if any. As of May 2007, the consolidated watch list contained approximately 755,000 records. From December 2003 through May 2007, screening and law enforcement agencies encountered individuals who were positively matched to watch list records approximately 53,000 times. Many individuals were matched multiple times. The outcomes of these encounters reflect an array of actions, such as arrests; denials of entry into the United States; and, most often, questioning and release. Within the federal community, there is general agreement that the watch list has helped to combat terrorism by (1) providing screening and law enforcement agencies with information to help them respond appropriately during encounters and (2) helping law enforcement and intelligence agencies track individuals on the watch list and collect information about them for use in conducting investigations and in assessing threats. Regarding potential vulnerabilities, TSC sends records daily from the watch list to screening agencies. However, some records are not sent, partly because screening against them may not be needed to support the respective agency's mission or may not be possible due to the requirements of computer programs used to check individuals against watch list records. Also, some subjects of watch list records have passed undetected through agency screening processes and were not identified, for example, until after they had boarded and flew on an aircraft or were processed at a port of entry and admitted into the United States. TSC and other federal agencies have ongoing initiatives to help reduce these potential vulnerabilities, including efforts to improve computerized name-matching programs and the quality of watch list data. Although the federal government has made progress in promoting effective terrorism-related screening, additional screening opportunities remain untapped--within the federal sector, as well as within critical infrastructure components of the private sector. This situation exists partly because the government lacks an up-to-date strategy and implementation plan for optimizing use of the terrorist watch list. Also lacking are clear lines of authority and responsibility. An up-to-date strategy and implementation plan, supported by a clearly defined leadership or governance structure, would provide a platform to establish governmentwide screening priorities, assess progress toward policy goals and intended outcomes, consider factors related to privacy and civil liberties, ensure that any needed changes are implemented, and respond to issues that hinder effectiveness. Thu, 08 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d0868.pdf Since the September 2001 terrorist attacks, Congress has provided about $542.9 billion, as of May 2007, to the Department of Defense (DOD) for the Global War on Terrorism (GWOT). Prior GAO reports have found DOD's reported GWOT obligation data unreliable and problems with transparency over certain costs. DOD made changes to its reporting procedures, requiring components to perform a monthly variance analysis on obligation data and to include affirmation statements attesting to the accuracy of cost data. Under the Comptroller General's authority to conduct evaluations on his own initiative, GAO assessed (1) the outlook of DOD's reported GWOT obligations for fiscal year 2007 and funding requests for fiscal year 2008, (2) the effect of changes in DOD's GWOT funding guidance, and (3) DOD's progress in implementing variance analysis and affirmation statements. For this engagement, GAO analyzed fiscal year 2007 GWOTrelated appropriations and reported obligations, as well as DOD's corrective actions. Through June 2007, DOD's reported obligations for fiscal year 2007 of $95.4 billion were almost equal to its total reported GWOT obligations for fiscal year 2006. After GWOT obligations are reported for the remaining 3 months of fiscal year 2007, which are now averaging $10.6 billion a month, total obligations will significantly exceed those for fiscal year 2006. Further, changes to the President's fiscal year 2008 GWOT request for DOD have been submitted to fund operational requirements that were not included in the original request. These include decisions in January 2007 to increase or "surge" troop levels in Iraq, and in September 2007 to begin to withdraw these troops during fiscal year 2008. These amendments, totaling nearly $47.6 billion, bring the total fiscal year 2008 GWOT funding request for DOD to about $189.3 billion. Changes in DOD's GWOT funding guidance have resulted in billions of dollars being added to GWOT funding requests for what DOD calls the "longer war against terror," making it difficult to distinguish between incremental costs to support specific contingency operations and base costs. Although emergency funding has historically been used to support unexpected costs of contingency operations, in October 2006, DOD revised guidance to allow for additional costs. As a result, the fiscal year 2007 and 2008 requests included funding for items generally requested in DOD's base budget, such as future weapon systems, transformation, and increases to military end strength. GAO believes similarities, in some cases, between DOD's GWOT and base funding requests, along with the duration of GWOT operations, indicate DOD has reached the point where it should build more funding into its base budget. Without clearly defining the "longer war against terror" and increasing the transparency between incremental and base costs, decision makers cannot assess priorities and potential trade-offs. If the administration believes the nation is engaged in a long-term conflict, the implications should be considered during annual budget deliberations. Continuing to fund GWOT through emergency requests reduces transparency and avoids the necessary reexamination of commitments, investment priorities, and trade-offs. DOD has achieved some positive results and GWOT cost reporting continues to evolve. More action is needed to optimize the tools intended to improve GWOT cost reporting. DOD has begun to improve transparency by requiring components to analyze variances in reported obligations and to disclose reasons for significant changes. GAO found that required explanations, in some instances, were not disclosed due to inadequate management oversight, and other types of analysis could help identify obligations omitted from reports, such as about $1.5 billion in Marine Corps obligations. Also, in some cases, components did not provide required affirmation statements to attest to accuracy nor were they required to disclose the basis for statements or note the outcome of variance analyses. Without more complete information and a more robust methodology, DOD does not yet have the data needed to assess reliability or to be confident adequate steps are taken to validate cost data. Tue, 06 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d08219.pdf U.S. Customs and Border Protection (CBP) is responsible for keeping terrorists and other dangerous people from entering the country while also facilitating the cross-border movement of millions of travelers. CBP carries out this responsibility at 326 air, sea, and land ports of entry. In response to a congressional request, GAO examined CBP traveler inspection efforts, the progress made and the challenges that remain in staffing and training at ports of entry, and the progress CBP has made in developing strategic plans and performance measures for its traveler inspection program. This is a public version of a For Official Use Only report GAO issued on October 5, 2007. To conduct its work, GAO reviewed and analyzed CBP data and documents related to inspections, staffing, and training, interviewed managers and officers, observed inspections at eight major air and land ports of entry, and tested inspection controls at eight small land ports of entry. Information the Department of Homeland Security (DHS) deemed sensitive has been redacted. CBP has had some success in identifying inadmissible aliens and other violators, but weaknesses in its operations increase the potential that terrorists and inadmissible travelers could enter the country. In fiscal year 2006, CBP turned away over 200,000 inadmissible aliens and interdicted other violators. Although CBP's goal is to interdict all violators, CBP estimated that several thousand inadmissible aliens and other violators entered the country though ports of entry in fiscal year 2006. Weaknesses in 2006 inspection procedures, such as not verifying the nationality and admissibility of each traveler, contribute to failed inspections. Although CBP took actions to address these weaknesses, subsequent follow up work conducted by GAO months after CBP's actions found that weaknesses such as those described above still existed. In July 2007, CBP issued detailed procedures for conducting inspections including requiring field office managers to assess compliance with these procedures. However, CBP has not established an internal control to ensure field office managers share their assessments with CBP headquarters to help ensure that the new procedures are consistently implemented across all ports of entry and reduce the risk of failed traveler inspections. CBP developed a staffing model that estimates it needs up to several thousand more staff. Field office managers said that staffing shortages affected their ability to carry out anti-terrorism programs and created other vulnerabilities in the inspections process. CBP recognizes that officer attrition has impaired its ability to attain budgeted staffing levels and is in the process of developing a strategy to help curb attrition. CBP has made progress in developing training programs, yet it does not measure the extent to which it provides training to all who need it and whether new officers demonstrate proficiency in required skills. CPB issued a strategic plan for operations at its ports of entry and has collected performance data that can be used to measure its progress in achieving its strategic goals. However, current performance measures do not gauge CBP effectiveness in apprehending inadmissible aliens and other violators, a key strategic goal. Mon, 05 Nov 2007 00:00:00 -0500 http://www.gao.gov/new.items/d0835.pdf In general, a fusion center is a collaborative effort to detect, prevent, investigate, and respond to criminal and terrorist activity. Recognizing that fusion centers are a mechanism for information sharing, the federal government--including the Department of Homeland Security (DHS), the Department of Justice (DOJ), and the Program Manager for the Information Sharing Environment (PM-ISE), which has primary responsibility for governmentwide information sharing and is located in the Office of the Director of National Intelligence--is taking steps to partner with fusion centers. In response to Congressional request, GAO examined (1) the status and characteristics of fusion centers and (2) to what extent federal efforts help alleviate challenges the centers identified. GAO reviewed center-related documents and conducted interviews with officials from DHS, DOJ, and the PM-ISE, and conducted semistructured interviews with 58 state and local fusion centers. The results are not generalizable to the universe of fusion centers. Data are not available on the total number of local fusion centers. Most states and many local governments have established fusion centers to address gaps in information sharing. Fusion centers across the country vary in their stages of development--from operational to early in the planning stages. Officials in 43 of the centers GAO contacted described their centers as operational, and 34 of these centers had opened since January 2004. Law enforcement entities, such as state police or state bureaus of investigation, are the lead or managing agencies in the majority of the operational centers GAO contacted; however, the centers varied in their staff sizes and partnerships with other agencies. Nearly all of the operational fusion centers GAO contacted had federal personnel assigned to them. For example, DHS has assigned personnel to 17, and the FBI has assigned personnel to about three quarters of the operational centers GAO contacted. DHS and DOJ have several efforts under way that begin to address challenges fusion center officials identified. DHS and DOJ have provided many fusion centers access to their information systems, but fusion center officials cited challenges accessing and managing multiple information systems. Both DHS and the FBI have provided security clearances for state and local personnel and set timeliness goals. However, officials cited challenges obtaining and using security clearances. Officials in 43 of the 58 fusion centers contacted reported facing challenges related to obtaining personnel, and officials in 54 fusion centers reported challenges with funding, some of which affected these centers' sustainability. The officials said that these issues made it difficult to plan for the future and created concerns about the fusion centers' ability to sustain their capability for the long-term. To support fusion centers, both DHS and the FBI have assigned personnel to the centers. To help address funding issues, DHS has made several changes to address restrictions on the use of federal grants funds. These individual agency efforts help address some of the challenges with personnel and funding. However, the federal government has not clearly articulated the long-term role it expects to play in sustaining fusion centers. It is critical for center management to know whether to expect continued federal resources, such as personnel and grant funding, since the federal government, through the information sharing environment, expects to rely on a nationwide network of centers to facilitate information sharing with state and local governments. Finally, DHS, DOJ, and the PM-ISE have taken steps to develop guidance and provide technical assistance to fusion centers, for instance, by issuing guidelines for establishing and operating centers. However, officials at 31 of the 58 centers said they had challenges training their personnel, and officials at 11 centers expressed a need for the federal government to establish standards for training fusion center analysts to help ensure that analysts have similar skills. DHS and DOJ have initiated a technical assistance program for fusion centers. They have also developed a set of baseline capabilities, but the document was still in draft as of September and had not been issued. Tue, 30 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08126t.pdf Because the safety and economic security of the United States depend in substantial part on the security of its 361 seaports, the United States has a vital national interest in maritime security. The Security and Accountability for Every Port Act (SAFE Port Act), modified existing legislation and created and codified new programs related to maritime security. The Department of Homeland Security (DHS) and its U.S. Coast Guard, Transportation Security Administration, and U.S. Customs and Border Protection have key maritime security responsibilities. This testimony synthesizes the results of GAO's completed work and preliminary observations from GAO's ongoing work related to the SAFE Port Act pertaining to (1) overall port security, (2) security at individual facilities, and (3) cargo container security. To perform this work GAO visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors. Federal agencies have improved overall port security efforts by establishing committees to share information with local port stakeholders, taking steps to establish interagency operations centers to monitor port activities, conducting operations such as harbor patrols and vessel escorts, writing port-level plans to prevent and respond to terrorist attacks, testing such plans through exercises, and assessing the security at foreign ports. However, these agencies face resource constraints and other challenges trying to meet the SAFE Port Act's requirements to expand these activities. For example, the Coast Guard faces budget constraints in trying to expand its current command centers and include other agencies at the centers. Similarly, private facilities and federal agencies have taken action to improve security at about 3,000 individual facilities by writing facility-specific security plans, inspecting facilities to determine compliance with their plans, and developing special identification cards for workers to help prevent terrorists from getting access to secure areas. Federal agencies face challenges trying to meet the act's requirements to expand the scope or speed the implementation of such activities. For example, the Transportation Security Administration missed the act's deadline to implement the identification card program at 10 selected ports because of delays in testing equipment and procedures. Federal programs related to the security of cargo containers have also improved as agencies are enhancing systems to identify high-risk cargo, expanding partnerships with other countries to screen containers before they depart for the United States, and working with international organizations to develop a global framework for container security. Federal agencies face challenges implementing container security aspects of the SAFE Port Act and other legislation. For example, Customs and Border Protection must test and implement a new program to scan 100 percent of all incoming containers overseas--a departure from its existing risk-based programs. Tue, 30 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08194t.pdf The Federal Bureau of Investigation's (FBI) Terrorist Screening Center (TSC) maintains a consolidated watch list of known or appropriately suspected terrorists and sends records from the list to agencies to support terrorism-related screening. This testimony discusses (1) standards for including individuals on the list, (2) the outcomes of encounters with individuals on the list, (3) potential vulnerabilities in screening processes and efforts to address them, and (4) actions taken to promote effective terrorism-related screening. This statement is based on GAO's report (GAO-08-110). To accomplish the objectives, GAO reviewed documentation obtained from and interviewed officials at TSC, the FBI, the National Counterterrorism Center, the Department of Homeland Security, and other agencies that perform terrorism-related screening. The FBI and the intelligence community use standards of reasonableness to evaluate individuals for nomination to the consolidated terrorist watch list. In general, individuals who are reasonably suspected of having possible links to terrorism--in addition to individuals with known links--are to be nominated. As such, being on the list does not automatically prohibit, for example, the issuance of a visa or entry into the United States. Rather, when an individual on the list is encountered, agency officials are to assess the threat the person poses to determine what action to take, if any. As of May 2007, the consolidated watch list contained approximately 755,000 records. From December 2003 through May 2007, screening and law enforcement agencies encountered individuals who were positively matched to watch list records approximately 53,000 times. Many individuals were matched multiple times. The outcomes of these encounters reflect an array of actions, such as arrests; denials of entry into the United States; and, most often, questioning and release. Within the federal community, there is general agreement that the watch list has helped to combat terrorism by (1) providing screening and law enforcement agencies with information to help them respond appropriately during encounters and (2) helping law enforcement and intelligence agencies track individuals on the watch list and collect information about them for use in conducting investigations and in assessing threats. Regarding potential vulnerabilities, TSC sends records daily from the watch list to screening agencies. However, some records are not sent, partly because screening against them may not be needed to support the respective agency's mission or may not be possible due to the requirements of computer programs used to check individuals against watch list records. Also, some subjects of watch list records have passed undetected through agency screening processes and were not identified, for example, until after they had boarded and flew on an aircraft or were processed at a port of entry and admitted into the United States. TSC and other federal agencies have ongoing initiatives to help reduce these potential vulnerabilities, including efforts to improve computerized name-matching programs and the quality of watch list data. Although the federal government has made progress in promoting effective terrorism-related screening, additional screening opportunities remain untapped--within the federal sector, as well as within critical infrastructure components of the private sector. This situation exists partly because the government lacks an up-to-date strategy and implementation plan for optimizing use of the terrorist watch list. Also lacking are clear lines of authority and responsibility. An up-to-date strategy and implementation plan, supported by a clearly defined leadership or governance structure, would provide a platform to establish governmentwide screening priorities, assess progress toward policy goals and intended outcomes, consider factors related to privacy and civil liberties, ensure that any needed changes are implemented, and respond to issues that hinder effectiveness. Wed, 24 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08171t.pdf Because the safety and economic security of the United States depend in substantial part on the security of its 361 seaports, the United States has a vital national interest in maritime security. The Security and Accountability for Every Port Act (SAFE Port Act), modified existing legislation and created and codified new programs related to maritime security. The Department of Homeland Security (DHS) and its U.S. Coast Guard, Transportation Security Agency, and U.S. Customs and Border Protection have key maritime security responsibilities. This testimony synthesizes the results of GAO's completed work and preliminary observations from GAO's ongoing work related to the SAFE Port Act pertaining to (1) overall port security, (2) security at individual facilities, and (3) cargo container security. To perform this work GAO visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors. Federal agencies have improved overall port security efforts by establishing committees to share information with local port stakeholders, taking steps to establish interagency operations centers to monitor port activities, conducting operations such as harbor patrols and vessel escorts, writing port-level plans to prevent and respond to terrorist attacks, testing such plans through exercises, and assessing the security at foreign ports. However, these agencies face resource constraints and other challenges trying to meet the SAFE Port Act's requirements to expand these activities. For example, the Coast Guard faces budget constraints in trying to expand its current command centers and include other agencies at the centers. Similarly, private facilities and federal agencies have taken action to improve security at about 3,000 individual facilities by writing facility-specific security plans, inspecting facilities to ensure they are complying with their plans, and developing special identification cards for workers to prevent terrorists from getting access to secure areas. Federal agencies face challenges trying to meet the act's requirements to expand the scope or speed the implementation of such activities. For example, the Transportation Security Agency missed the act's July 2007 deadline to implement the identification card program at 10 selected ports because of delays in testing equipment and procedures. Federal programs related to the security of cargo containers have also improved as agencies are enhancing systems to identify high-risk cargo, expanding partnerships with other countries to screen containers before they depart for the United States, and working with international organizations to develop a global framework for container security. Federal agencies face challenges implementing container security aspects of the SAFE Port Act and other legislation. For example, Customs and Border Protection must test and implement a new program to screen 100 percent of all incoming containers overseas--a departure from its existing risk-based programs. Tue, 16 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08140t.pdf Within the Department of Homeland Security (DHS), the Transportation Security Administration's (TSA) mission is to protect the nation's transportation network. Since its inception in 2001, TSA has developed and implemented a variety of programs and procedures to secure commercial aviation and surface modes of transportation, including passenger and freight rail, mass transit, highways, commercial vehicles, and pipelines. Other DHS components, federal agencies, state and local governments, and the private sector also play a role in transportation security. GAO examined (1) the progress DHS and TSA have made in securing the nation's aviation and surface transportation systems, and (2) challenges that have impeded the department's efforts to implement its mission and management functions. This testimony is based on issued GAO reports and testimonies addressing the security of the nation's aviation and surface transportation systems, including a recently issued report (GAO-07-454) that highlights the progress DHS has made in implementing its mission and management functions. In August 2007, GAO reported that DHS had made moderate progress in securing the aviation and surface transportation networks, but that more work remains. Specifically, of the 24 performance expectations GAO identified in the area of aviation security, GAO reported that DHS had generally achieved 17 of these expectations and had generally not achieved 7 expectations. With regard to the security of surface modes of transportation, GAO reported that DHS generally achieved three performance expectations and had generally not achieved two others. DHS and TSA have made progress in many areas related to securing commercial aviation. For example, TSA has undertaken efforts to strengthen airport security; provide and train a screening workforce; prescreen passengers against terrorist watch lists; and screen passengers, baggage, and cargo. With regard to surface transportation modes, TSA has taken steps to develop a strategic approach for securing mass transit, passenger and freight rail, commercial vehicles, highways, and pipelines; establish security standards for certain transportation modes; and conduct threat, criticality, and vulnerability assessments of surface transportation assets, particularly passenger and freight rail. TSA also hired and deployed compliance inspectors and conducted inspections of passenger and freight rail systems. While these efforts have helped to strengthen the security of the transportation network, DHS and TSA still face a number of key challenges in further securing these systems. For example, regarding commercial aviation, TSA has faced difficulties in developing and implementing its advanced passenger prescreening system, known as Secure Flight, and has not yet completed development efforts. In addition, TSA's efforts to enhance perimeter security at airports may not be sufficient to provide for effective security. TSA has also initiated efforts to evaluate the effectiveness of security-related technologies, such as biometric identification systems, but has not developed a plan for implementing new technologies to meet the security needs of individual airports. TSA has also not yet effectively deployed checkpoint technologies to address key existing vulnerabilities, and has not yet developed and implemented technologies needed to screen air cargo. Further, while TSA has initiated efforts to develop security standards for surface transportation modes, these efforts have been limited to passenger and freight rail, and have not addressed commercial vehicles or highway infrastructure, including bridges and tunnels. GAO also reported that a number of issues have impeded DHS's efforts in implementing its mission and management functions, including not always implementing effective strategic planning, or fully adopting and applying a risk management approach with respect to transportation security. Tue, 16 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08110.pdf The Federal Bureau of Investigation's (FBI) Terrorist Screening Center (TSC) maintains a consolidated watch list of known or appropriately suspected terrorists and sends records from the list to agencies to support terrorism-related screening. Because the list is an important tool for combating terrorism, GAO examined (1) standards for including individuals on the list, (2) the outcomes of encounters with individuals on the list, (3) potential vulnerabilities and efforts to address them, and (4) actions taken to promote effective terrorism-related screening. To conduct this work, GAO reviewed documentation obtained from and interviewed officials at TSC, the FBI, the National Counterterrorism Center, the Department of Homeland Security, and other agencies that perform terrorism-related screening. The FBI and the intelligence community use standards of reasonableness to evaluate individuals for nomination to the consolidated watch list. In general, individuals who are reasonably suspected of having possible links to terrorism--in addition to individuals with known links--are to be nominated. As such, being on the list does not automatically prohibit, for example, the issuance of a visa or entry into the United States. Rather, when an individual on the list is encountered, agency officials are to assess the threat the person poses to determine what action to take, if any. As of May 2007, the consolidated watch list contained approximately 755,000 records. From December 2003 through May 2007, screening and law enforcement agencies encountered individuals who were positively matched to watch list records approximately 53,000 times. Many individuals were matched multiple times. The outcomes of these encounters reflect an array of actions, such as arrests; denials of entry into the United States; and, most often, questioning and release. Within the federal community, there is general agreement that the watch list has helped to combat terrorism by (1) providing screening and law enforcement agencies with information to help them respond appropriately during encounters and (2) helping law enforcement and intelligence agencies track individuals on the watch list and collect information about them for use in conducting investigations and in assessing threats. Regarding potential vulnerabilities, TSC sends records daily from the watch list to screening agencies. However, some records are not sent, partly because screening against them may not be needed to support the respective agency's mission or may not be possible due to the requirements of computer programs used to check individuals against watch list records. Also, some subjects of watch list records have passed undetected through agency screening processes and were not identified, for example, until after they had boarded and flew on an aircraft or were processed at a port of entry and admitted into the United States. TSC and other federal agencies have ongoing initiatives to help reduce these potential vulnerabilities, including efforts to improve computerized name-matching programs and the quality of watch list data. Although the federal government has made progress in promoting effective terrorism-related screening, additional screening opportunities remain untapped--within the federal sector, as well as within critical infrastructure components of the private sector. This situation exists partly because the government lacks an up-to-date strategy and implementation plan for optimizing use of the terrorist watch list. Also lacking are clear lines of authority and responsibility. An up-to-date strategy and implementation plan, supported by a clearly defined leadership or governance structure, would provide a platform to establish governmentwide screening priorities, assess progress toward policy goals and intended outcomes, consider factors related to privacy and civil liberties, ensure that any needed changes are implemented, and respond to issues that hinder effectiveness. Thu, 11 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08144t.pdf Three U.S. national strategies, developed in the wake of the 9/11 attacks, directed U.S. law enforcement agencies (LEA) to focus on the prevention of terrorist attacks. The strategies called for LEAs to intensify their efforts to help foreign nations identify, disrupt, and prosecute terrorists. This testimony addresses (1) the guidance for LEAs to assist foreign nations to identify, disrupt, and prosecute terrorists and (2) the extent to which LEAs have implemented this guidance. Following the 9/11 attacks, the President issued a series of strategies that provided broad direction for overseas law enforcement efforts to assist foreign nations to identify, disrupt, and prosecute terrorists. However, these strategies did not articulate which LEAs should implement the guidance to enhance efforts to help foreign nations combat terrorism or how they should do so. In December 2004, Congress passed the Intelligence Reform and Terrorism Prevention Act of 2004, which charged the National Counterterrorism Center (NCTC) with developing a plan to use all elements of national power, including LEAs, to combat terrorism. NCTC officials told us they had drafted a general plan, which was approved by the President in June of 2006. According to NCTC, Department of State, Department of Justice, and Department of Homeland Security (DHS) officials, implementing guidance for the plan is under development, and they would not discuss the contents of the plan or the guidance. LEAs have increased efforts to help foreign nations identify, disrupt, and prosecute terrorists. For example, DHS has implemented its Container Security Initiative to screen U.S.-bound cargo at foreign ports, and State has expanded its Antiterrorism Assistance program. However, we found that because most LEAs, with the exception of the Federal Bureau of Investigation, have not been given clear guidance, they lacked clearly defined roles and responsibilities on helping foreign nations identify, disrupt, and prosecute terrorists. In one country we visited, the lack of clear roles and responsibilities between two U.S. LEAs may have compromised several joint operations intended to identify and disrupt potential terrorist activities, according to the U.S. and foreign nation LEAs. In addition, we found LEAs generally lacked guidance on using resources to assist foreign nations in addressing terrorist vulnerabilities and generally lacked performance monitoring systems and formal structures for sharing information and collaborating. We also found that, because comprehensive needs assessments were not conducted, LEAs may not be tailoring their full range of training and assistance to address key terrorism vulnerabilities in foreign countries. Thu, 04 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d08108t.pdf In response to the global spread of emerging infectious diseases and the threat of bioterrorism, high-containment biosafety laboratories (BSL)--specifically biosafety level (BSL)-3 and BSL-4--have been proliferating in the United States. These labs--classified by the type of agents used and the risk posed to personnel, the environment, and the community--often contain the most dangerous infectious disease agents, such as Ebola, smallpox, and avian influenza. This testimony addresses (1) the extent to which there has been a proliferation of BSL-3 and BSL-4 labs, (2) federal agencies' responsibility for tracking this proliferation and determining the associated risks, and (3) the lessons that can be learned from recent incidents at three high-containment biosafety labs. To address these objectives, GAO asked 12 federal agencies involved with high-containment labs about their missions and whether they tracked the number of labs overall. GAO also reviewed documents from these agencies, such as pertinent legislation, regulation, and guidance. Finally, GAO interviewed academic experts in microbiological research. A major proliferation of high-containment BSL-3 and BSL-4 labs is taking place in the United States, according to the literature, federal agency officials, and experts. The expansion is taking place across many sectors--federal, academic, state, and private--and all over the United States. Concerning BSL-4 labs, which handle the most dangerous agents, the number of these labs has increased from 5--before the terrorist attacks of 2001--to 15, including at least 1 in planning stage. Information on expansion is available about high-containment labs that are registered with the Centers for Disease Control and Prevention (CDC) and the U.S. Department of Agriculture's (USDA) Select Agent Program, and that are federally funded. However, much less is known about the expansion of labs outside the Select Agent Program, as well as the nonfederally funded labs, including location, activities, and ownership. No single federal agency, according to 12 agencies' responses to our survey, has the mission to track the overall number of BSL-3 and BSL-4 labs in the United States. Though several agencies have a need to know, no one agency knows the number and location of these labs in the United States. Consequently, no agency is responsible for determining the risks associated with the proliferation of these labs. We identified six lessons from three recent incidents: failure to report to CDC exposures to select agents by Texas A&M University (TAMU); power outage at the CDC's new BSL-4 lab in Atlanta, Georgia; and release of foot-and-mouth disease virus at Pirbright in the United Kingdom. These lessons highlight the importance of (1) identifying and overcoming barriers to reporting in order to enhance biosafety through shared learning from mistakes and to assure the public that accidents are examined and contained; (2) training lab staff in general biosafety, as well as in specific agents being used in the labs to ensure maximum protection; (3) developing mechanisms for informing medical providers about all the agents that lab staff work with to ensure quick diagnosis and effective treatment; (4) addressing confusion over the definition of exposure to aid in the consistency of reporting; (5) ensuring that BSL-4 labs' safety and security measures are commensurate with the level of risk these labs present; and (6) maintenance of high-containment labs to ensure integrity of physical infrastructure over time. Thu, 04 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d0886t.pdf Because the safety and economic security of the United States depend in substantial part on the security of its 361 seaports, the United States has a vital national interest in maritime security. The Security and Accountability for Every Port Act (SAFE Port Act), modified existing legislation and created and codified new programs related to maritime security. The Department of Homeland Security (DHS) and its U.S Coast Guard, Transportation Security Agency, and U.S. Customs and Border Protection have key maritime security responsibilities. This testimony synthesizes the results of GAO's completed work and preliminary observations from GAO's ongoing work pertaining to overall port security, security at individual facilities, and cargo container security. To perform this work GAO visited domestic and overseas ports; reviewed agency program documents, port security plans, and post-exercise reports; and interviewed officials from the federal, state, local, private, and international sectors. Federal agencies have improved overall port security efforts by establishing committees to share information with local port stakeholders, and taking steps to establish interagency operations centers to monitor port activities, conducting operations such as harbor patrols and vessel escorts, writing port-level plans to prevent and respond to terrorist attacks, testing such plans through exercises, and assessing the security at foreign ports. However, these agencies face resource constraints and other challenges trying to meet the SAFE Port Act's requirements to expand these activities. For example, the Coast Guard faces budget constraints in trying to expand its current command centers and include other agencies at the centers. Similarly, private facilities and federal agencies have taken action to improve the security at approximately 3,000 individual facilities by writing facility-specific security plans, and inspecting facilities to make sure they are complying with their plans, and developing special identification cards for workers to prevent terrorist from getting access to secure areas. Again, federal agencies face challenges trying to meet the act's requirements to expand the scope or speed the implementation of such activities. For example, the Transportation Security Agency missed the act's July 2007 deadline to implement the identification card program at 10 selected ports because of delays in testing equipment and procedures. Federal programs related to the security of cargo containers have also improved as agencies are enhancing systems to identify high-risk cargo, expanding partnerships with other countries to screen containers before they depart for the United States, and working with international organizations to develop a global framework for container security. Federal agencies face challenges implementing container security aspects of the SAFE Port Act and other legislation. For example, Customs and Border Protection must test and implement a new program to screen 100 percent of all incoming containers overseas--a departure from its existing risk-based programs. Thu, 04 Oct 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071241t.pdf In general, a fusion center is a collaborative effort to detect, prevent, investigate, and respond to criminal and terrorist activity. Recognizing that fusion centers are a mechanism for information sharing, the federal government--including the Program Manager for the Information Sharing Environment (PM-ISE), who has primary responsibility for governmentwide information sharing, the Department of Homeland Security (DHS), and the Department of Justice (DOJ)--is taking steps to partner with fusion centers. This testimony is based on GAO's draft report on state and local fusion centers. It addresses (1) the status and characteristics of the centers and (2) to what extent federal efforts help alleviate challenges fusion centers identified. In conducting this work GAO reviewed center-related documents and conducted interviews with officials from DHS, DOJ, and the PM-ISE, and semistructured interviews with 58 state and local fusion centers. Most states and many local governments have established fusion centers to address gaps in information sharing. Fusion centers across the country vary in their stages of development--from operational to early in the planning stages. Officials in 43 of the centers GAO contacted described their centers as operational, and 34 of these centers had opened since January 2004. Law enforcement entities, such as state police or state bureaus of investigation, are the lead or managing agencies in the majority of the operational centers GAO contacted. However, the centers varied in their staff sizes and partnerships with other agencies. At least 34 of the 43 operational fusion centers we contacted reported that they had federal personnel assigned to their centers. Products disseminated and services provided vary. DHS and DOJ have several efforts under way that begin to address some of the challenges fusion center officials identified. DHS and DOJ have provided many fusion centers access to their information systems, but fusion center officials cited challenges accessing and managing multiple information systems. Both DHS and the Federal Bureau of Investigation (FBI) have provided security clearances for state and local personnel and set timeliness goals. However, officials cited challenges obtaining and using security clearances. Officials in 43 of the 58 fusion centers contacted reported facing challenges related to obtaining personnel, and officials in 54 fusion centers reported challenges with funding, some of which affected these centers' sustainability. They said that these issues made it difficult to plan for the future, and created concerns about the fusion centers' ability to sustain their capability for the long term. To support fusion centers, both DHS and FBI have assigned personnel to the centers. To help address funding issues, DHS has made several changes to address restrictions on the use of federal grant funds. These individual agency efforts help address some of the challenges with personnel and funding. However, the federal government has not clearly articulated the long-term role it expects to play in sustaining fusion centers. It is critical for center management to know whether to expect continued federal resources, such as personnel and grant funding, since the federal government, through an information sharing environment, expects to rely on a nationwide network of centers to facilitate information sharing with state and local governments. Finally, DHS, DOJ, and the PM-ISE have taken steps to develop guidance and provide technical assistance to fusion centers, for instance by issuing guidelines for establishing and operating centers. However, officials at 31 of the 58 centers said they had challenges training their personnel, and officials at 11 centers expressed a need for the federal government to establish standards for fusion center analyst training to help ensure that analysts have similar skills. DHS and DOJ have initiated a technical assistance program for fusion centers. They have also developed a set of baseline capabilities, but the document is in draft as of September. Thu, 27 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07884t.pdf The possibility that terrorists and criminals might exploit border vulnerabilities and enter the United States poses a serious security risk, especially if they were to bring radioactive material or other contraband with them. Although Customs and Border Protection (CBP) has taken steps to secure the 170 ports of entry on the northern and southern U.S. borders, Congress is concerned that unmanned and unmonitored areas between these ports of entry may be vulnerable. In unmanned locations, CBP relies on surveillance cameras, unmanned aerial drones, and other technology to monitor for illegal border activity. In unmonitored locations, CBP does not have this equipment in place and must rely on alert citizens or other information sources to meet its obligation to protect the border. Today's testimony will address what GAO investigators found during a limited security assessment of seven border areas that were unmanned, unmonitored, or both--four at the U.S.-Canada border and three at the U.S.-Mexico border. In three of the four locations on the U.S.-Canada border, investigators carried a duffel bag across the border to simulate the cross-border movement of radioactive materials or other contraband. Safety considerations prevented GAO investigators from attempting to cross north into the United States from a starting point in Mexico. On the U.S.-Canada border, GAO found state roads close to the border that CBP did not appear to man or monitor. In some of these locations, the proximity of the road to the border allowed investigators to cross without being challenged by law enforcement, successfully simulating the cross-border movement of radioactive materials or other contraband into the United States from Canada. In one location on the northern border, the U.S. Border Patrol was alerted to GAO activities through the tip of an alert citizen. However, the responding U.S. Border Patrol agents were not able to locate GAO investigators. Also on the northern border, GAO investigators located several ports of entry that had posted daytime hours and were unmanned overnight. On the southern border, investigators observed a large law enforcement and Army National Guard presence on a state road, including unmanned aerial vehicles. Also, GAO identified federally managed lands that were adjacent to the U.S.-Mexico border. These areas did not appear to be monitored or did not have an observable law enforcement presence, which contrasted sharply with GAO observations on the state road. Although CBP is ultimately responsible for protecting federal lands adjacent to the border, CBP officials told GAO that certain legal, environmental, and cultural considerations limit options for enforcement--for example, environmental restrictions and tribal sovereignty rights. Thu, 27 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071253t.pdf Six years after the attack on the World Trade Center (WTC), concerns persist about health effects experienced by WTC responders and the availability of health care services for those affected. Several federally funded programs provide screening, monitoring, or treatment services to responders. GAO has previously reported on the progress made and implementation problems faced by these WTC health programs, as well as lessons learned from the WTC disaster. This testimony is based on previous GAO work, primarily September 11: HHS Needs to Ensure the Availability of Health Screening and Monitoring for All Responders (GAO-07-892, July 23, 2007). This testimony discusses (1) status of services provided by the Department of Health and Human Services' (HHS) WTC Federal Responder Screening Program, (2) efforts by the Centers for Disease Control and Prevention's National Institute for Occupational Safety and Health (NIOSH) to provide services for nonfederal responders residing outside the New York City (NYC) area, and (3) lessons learned from WTC health programs. For the July 2007 report, GAO reviewed program documents and interviewed HHS officials, grantees, and others. In August and September 2007, GAO updated selected information in preparing this testimony. In July 2007, following a reexamination of the status of the WTC health programs, GAO recommended that the Secretary of HHS take expeditious action to ensure that health screening and monitoring services are available to all people who responded to the WTC attack, regardless of who their employer was or where they reside. As of September 2007 the department has not responded to this recommendation. As GAO reported in July 2007, HHS's WTC Federal Responder Screening Program has had difficulties ensuring the uninterrupted availability of screening services for federal responders. From January 2007 to May 2007, the program stopped scheduling screening examinations because there was a change in the program's administration and certain interagency agreements were not established in time to keep the program fully operational. From April 2006 to March 2007, the program stopped scheduling and paying for specialty diagnostic services associated with screening. NIOSH, the administrator of the program, has been considering expanding the program to include monitoring--that is, follow-up physical and mental health examinations--but has not done so. If federal responders do not receive monitoring, health conditions that arise later may not be diagnosed and treated, and knowledge of the health effects of the WTC disaster may be incomplete. NIOSH has not ensured the availability of screening and monitoring services for nonfederal responders residing outside the NYC area, although it recently took steps toward expanding the availability of these services. In late 2002, NIOSH arranged for a network of occupational health clinics to provide screening services. This effort ended in July 2004, and until June 2005 NIOSH did not fund screening or monitoring services for nonfederal responders outside the NYC area. In June 2005, NIOSH funded the Mount Sinai School of Medicine Data and Coordination Center (DCC) to provide screening and monitoring services; however, DCC had difficulty establishing a nationwide network of providers and contracted with only 10 clinics in seven states. In 2006, NIOSH began to explore other options for providing these services, and in May 2007 it took steps toward expanding the provider network. However, as of September 2007 these efforts are incomplete. Lessons have been learned from the WTC health programs that could assist in the event of a future disaster. Lessons include the need to quickly identify and contact responders and others affected by a disaster, the value of a centrally coordinated approach for assessing individuals' health, and the importance of addressing both physical and mental health effects. Consideration of these lessons by federal agencies is important in planning for the response to future disasters. Thu, 20 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071228t.pdf Six years after the attack on the World Trade Center (WTC), concerns persist about health effects experienced by WTC responders and the availability of health care services for those affected. Several federally funded programs provide screening, monitoring, or treatment services to responders. GAO has previously reported on the progress made and implementation problems faced by these WTC health programs. This testimony is based on and updates GAO's report, September 11: HHS Needs to Ensure the Availability of Health Screening and Monitoring for All Responders (GAO-07-892, July 23, 2007). In this testimony, GAO discusses the status of (1) services provided by the Department of Health and Human Services' (HHS) WTC Federal Responder Screening Program, (2) efforts by the Centers for Disease Control and Prevention's National Institute for Occupational Safety and Health (NIOSH) to provide services for nonfederal responders residing outside the New York City (NYC) area, and (3) NIOSH's awards to WTC health program grantees for treatment services. In July 2007, following a re-examination of the status of the WTC health programs, GAO recommended that the Secretary of HHS take expeditious action to ensure that health screening and monitoring services are available to all people who responded to the WTC attack, regardless of who their employer was or where they reside. As of early September 2007 the department has not responded to this recommendation. As GAO reported in July 2007, HHS's WTC Federal Responder Screening Program has had difficulties ensuring the uninterrupted availability of screening services for federal responders. From January 2007 to May 2007, the program stopped scheduling screening examinations because there was a change in the program's administration and certain interagency agreements were not established in time to keep the program fully operational. From April 2006 to March 2007, the program stopped scheduling and paying for specialty diagnostic services associated with screening. NIOSH, the administrator of the program, has been considering expanding the program to include monitoring, that is, follow-up physical and mental health examinations, but has not done so. If federal responders do not receive monitoring, health conditions that arise later may not be diagnosed and treated, and knowledge of the health effects of the WTC disaster may be incomplete. NIOSH has not ensured the availability of screening and monitoring services for nonfederal responders residing outside the NYC area, although it recently took steps toward expanding the availability of these services. In late 2002, NIOSH arranged for a network of occupational health clinics to provide screening services. This effort ended in July 2004, and until June 2005 NIOSH did not fund screening or monitoring services for nonfederal responders outside the NYC area. In June 2005, NIOSH funded the Mount Sinai School of Medicine Data and Coordination Center (DCC) to provide screening and monitoring services; however, DCC had difficulty establishing a nationwide network of providers and contracted with only 10 clinics in seven states. In 2006, NIOSH began to explore other options for providing these services, and in May 2007 it took steps toward expanding the provider network. NIOSH has awarded treatment funds to four WTC health programs in the NYC area. In fall 2006, NIOSH awarded $44 million for outpatient treatment and set aside $7 million for hospital care. The New York/New Jersey WTC Consortium and the New York City Fire Department WTC program, which received the largest awards, used NIOSH's funding to continue outpatient services, offer full coverage for prescriptions, and cover hospital care. Tue, 18 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071197r.pdf In terrorists' hands, weapons-grade nuclear material--known as Category I special nuclear material when in specified forms and quantities--can be used to construct an improvised nuclear device capable of producing a nuclear explosion. Responsibility for the security of Category I special nuclear material is divided between the Department of Energy (DOE) and the Nuclear Regulatory Commission (NRC). Specifically, DOE and the National Nuclear Security Administration (NNSA), a separately organized agency within DOE, are responsible for overseeing physical security at government-owned and contractor-operated sites with Category I special nuclear material. NRC, which is responsible for licensing and overseeing commercially owned facilities with nuclear materials, such as nuclear power plants, is responsible for regulating physical security at those licensees that store and process Category I special nuclear material under contract, primarily for DOE. Because of the risks associated with Category I special nuclear material, both DOE and NRC recognize that effective security programs are essential. The key component in both DOE's and NRC's security programs is each agency's design basis threat (DBT)--classified documents that identify the potential size and capabilities of terrorist threats to special nuclear material. To counter the threat contained in their respective DBTs, both DOE sites and NRC licensees use physical security systems, such as alarms, fences, and other barriers; trained and armed security forces; and operational security procedures, such as a "two-person" rule that prevents unobserved access to special nuclear material. In addition, to ensure DBT requirements are being met and to detect potential security vulnerabilities, DOE and NRC employ a variety of other measures, including inspection programs; reviews; and force-on-force performance tests, in which the site's security forces undergo simulated attacks by a group of mock terrorists. Over the past several years, we have raised concerns about certain aspects of security at DOE sites and at NRC-regulated commercial nuclear power plants. In this context, you asked us to determine (1) whether DOE's and NRC's requirements for protecting Category I special nuclear material from terrorist threats differ from one another; (2) the reasons for any differences between these requirements; and (3) if, as a result, there are differences between how NRC-licensed facilities that store and process Category I special nuclear material and how DOE facilities that store and process Category I special nuclear material are defended against a terrorist attack. Several factors have contributed to the differences between DOE's and NRC's DBTs. First, a key document used in the development of DOE's DBT was the Postulated Threat to U.S. Nuclear Weapon Facilities and Other Selected Strategic Facilities (Postulated Threat). The Postulated Threat is developed by the U.S. intelligence community, principally the Department of Defense's Defense Intelligence Agency, and the security organizations of several different agencies, including DOE and NRC. The most recent Postulated Threat, issued in 2003, identified, among other things, the most likely threats to U.S. facilities with Category I special nuclear material. While NRC participated in the development of the Postulated Threat, NRC believes that the Postulated Threat does not apply to commercial nuclear facilities such as its licensees. Second, DOE and NRC also differ in their consideration of other intelligence information in developing their DBTs. In this context, NRC has developed its DBT to be within the range of what it has determined are the limitations that a private guard force can reasonably be expected to defend against. Specifically, NRC believes that the defense against threats not contained in its DBT is the responsibility of the federal government, in conjunction with state and local governments. Finally, even though they did so in the past, since September 11, 2001, DOE and NRC have not fully cooperated in sharing classified information on potential misuse of Category I special nuclear material. Reflecting the differences in their respective DBTs, we found differences in the actions DOE sites and NRC licensees are taking to increase their preparedness to defeat a large and sophisticated terrorist attack. For example, currently, NRC licensees do not have the same legal authority as DOE sites to acquire heavier weaponry, such as fully automatic weapons, or the same legal authority to use deadly force to protect special nuclear material. NRC is pursuing new regulations, authorized by the Energy Policy Act of 2005, to allow its licensees to use automatic weapons, but expects to take from 1 to 2 years to issue such regulations. At the same time, DOE is implementing plans that, if fully realized, will further increase security at its sites. These plans include developing and deploying improved security technologies; consolidating special nuclear material into fewer, better protected locations; and providing better training and equipment for its security forces. Finally, DOE has better developed tools for assessing security preparedness and understanding vulnerabilities, such as computer modeling and force-on-force testing programs that simulate terrorist attacks on facilities. However, NRC is in the process of adopting computer modeling and implementing a new force-on-force testing program. Tue, 11 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071229t.pdf Six years after the attack on the World Trade Center (WTC), concerns persist about health effects experienced by WTC responders and the availability of health care services for those affected. Several federally funded programs provide screening, monitoring, or treatment services to responders. GAO has previously reported on the progress made and implementation problems faced by these WTC health programs. This testimony is based on and updates GAO's report, September 11: HHS Needs to Ensure the Availability of Health Screening and Monitoring for All Responders (GAO-07-892, July 23, 2007). In this testimony, GAO discusses the status of (1) services provided by the Department of Health and Human Services' (HHS) WTC Federal Responder Screening Program, (2) efforts by the Centers for Disease Control and Prevention's National Institute for Occupational Safety and Health (NIOSH) to provide services for nonfederal responders residing outside the New York City (NYC) area, and (3) NIOSH's awards to WTC health program grantees for treatment services. For the July 2007 report, GAO reviewed program documents and interviewed HHS officials, grantees, and others. In August and September 2007, GAO updated selected information in preparing this testimony. In July 2007, following a re-examination of the status of the WTC health programs, GAO recommended that the Secretary of HHS take expeditious action to ensure that health screening and monitoring services are available to all people who responded to the WTC attack, regardless of who their employer was or where they reside. As of early September 2007 the department has not responded to this recommendation. As GAO reported in July 2007, HHS's WTC Federal Responder Screening Program has had difficulties ensuring the uninterrupted availability of screening services for federal responders. From January 2007 to May 2007, the program stopped scheduling screening examinations because there was a change in the program's administration and certain interagency agreements were not established in time to keep the program fully operational. From April 2006 to March 2007, the program stopped scheduling and paying for specialty diagnostic services associated with screening. NIOSH, the administrator of the program, has been considering expanding the program to include monitoring, that is, follow-up physical and mental health examinations, but has not done so. If federal responders do not receive monitoring, health conditions that arise later may not be diagnosed and treated, and knowledge of the health effects of the WTC disaster may be incomplete. NIOSH has not ensured the availability of screening and monitoring services for nonfederal responders residing outside the NYC area, although it recently took steps toward expanding the availability of these services. In late 2002, NIOSH arranged for a network of occupational health clinics to provide screening services. This effort ended in July 2004, and until June 2005 NIOSH did not fund screening or monitoring services for nonfederal responders outside the NYC area. In June 2005, NIOSH funded the Mount Sinai School of Medicine Data and Coordination Center (DCC) to provide screening and monitoring services; however, DCC had difficulty establishing a nationwide network of providers and contracted with only 10 clinics in seven states. In 2006, NIOSH began to explore other options for providing these services, and in May 2007 it took steps toward expanding the provider network. NIOSH has awarded treatment funds to four WTC health programs in the NYC area. In fall 2006, NIOSH awarded $44 million for outpatient treatment and set aside $7 million for hospital care. The New York/New Jersey WTC Consortium and the New York City Fire Department WTC program, which received the largest awards, used NIOSH's funding to continue outpatient services, offer full coverage for prescriptions, and cover hospital care. Mon, 10 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d071091.pdf The September 11, 2001, terrorist attacks and World Trade Center (WTC) collapse blanketed Lower Manhattan in dust from building debris. In response, the Environmental Protection Agency (EPA) conducted an indoor clean and test program from 2002 to 2003. In 2003, EPA's Inspector General (IG) recommended improvements to the program and identified lessons learned for EPA's preparedness for future disasters. In 2004, EPA formed an expert panel to, among other goals, guide EPA in developing a second voluntary program; EPA announced this program in 2006. As requested, GAO's report primarily addresses EPA's second program, including the (1) extent to which EPA incorporated IG and expert panel member recommendations and input; (2) factors, if any, limiting the expert panel's ability to meet its goals; (3) completeness of information EPA provided to the public; (4) way EPA estimated resources for the program; and (5) extent to which EPA has acted upon lessons learned regarding indoor contamination from disasters. EPA has incorporated some recommendations and input from the IG and expert panel members into its second program, but its decision not to include other items may limit the overall effectiveness of this program. For example, while EPA agreed to test for more contaminants, it did not agree to evaluate risks in areas north of Canal Street and in Brooklyn. EPA reported that it does not have a basis for expanding the boundaries of its program because it cannot distinguish between normal urban, or background, dust and WTC dust. The expert panel's ability to meet its goals was limited by two factors: (1) EPA officials' belief that some panel goals were more appropriately addressed by other agencies, and (2) EPA's approach to managing the panel process. Furthermore, the majority of expert panel members believe the panel did not meet any of its goals, and that EPA's second program does not respond to the concerns of residents and workers affected by the disaster. EPA's second plan does not fully inform the public about the results of its first program. EPA concluded that a "very small" number of samples from its first program exceeded risk levels for airborne asbestos. However, EPA did not provide information such as how representative the samples were of the affected area. Residents who could have participated in this voluntary second program might have opted not to do so because of EPA's conclusion about its first program. EPA did not develop a comprehensive cost estimate to determine the resources needed to carry out its second program. EPA is implementing this program with $7 million remaining from its first program. While EPA has acted upon lessons learned following this disaster, some concerns remain about its preparedness to respond to indoor contamination following future disasters. Specifically, EPA has not developed protocols on how and when to collect data to determine the extent of indoor contamination, one of the concerns raised by panel members. Wed, 05 Sep 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07891r.pdf Five years after the terrorist attacks of September 11, 2001, concerns continue to be raised about the nation's system for protecting commercial aviation. Past disclosures of terrorists' plans for smuggling liquids onboard aircraft to construct a bomb in flight highlighted the continued need to examine this key aspect of homeland security. One layer of the aviation security system involves the ability of the federal government to respond to actual or potential security threats while a commercial aircraft is in flight. These security threats can include the following: (1) Passengers considered to be security risks to aviation are found to be onboard flights bound for or leaving the United States. (2) Situations develop while the aircraft is in flight--for example, a passenger becomes disruptive or acts suspiciously, a bomb threat is received, or an unidentified package is found onboard the aircraft. (3) A commercial aircraft transmits a signal designed to alert authorities that a hijacking is in process. Procedures for addressing these in-flight security threats involve a wide range of federal agencies and entities. The Department of Homeland Security (DHS) is responsible for taking much of the lead in responding to these incidents, and the Transportation Security Administration (TSA) was established to ensure the security of all modes of transportation--including aviation. Responding to an in-flight threat, however, involves many agencies beyond DHS and TSA. Depending on the nature of the threat, managing and responding to in-flight threats can involve extensive coordination among more than 15 federal agencies and agency components, each with its own set of responsibilities that may influence the threat response. For example, another DHS component, Customs and Border Protection's (CBP) National Targeting Center (NTC), is responsible for comparing names and other identifying information of passengers onboard commercial aircraft flying to or from the United States with terrorist watch lists of persons considered to be potential security risks. If a passenger is determined to match an identity listed on a terrorist watch list, the Federal Bureau of Investigation (FBI), a Department of Justice (DOJ) agency, is often involved in conducting a risk assessment of the threat posed by that passenger while the flight is en route. Further, the Department of Transportation's (DOT) Federal Aviation Administration (FAA) becomes involved with in-flight threats as it monitors aircraft traffic entering into and operating within U.S. airspace to ensure safe operations, while the Department of Defense's (DOD) North American Aerospace Defense Command (NORAD)--a bi-national command established by agreement between the governments of the United States and Canada--becomes involved with the situation as it ensures the air sovereignty and air defense of U.S. airspace. Since these security incidents involve aircraft that are already in flight, timely and effective coordination among these agencies and components is paramount. Congress asked that we examine in-flight security threats and current federal efforts to respond collaboratively to them. In response, on February 28, 2007, we issued a classified report addressing the following questions: (1) What were the number and types of in-flight security incidents that occurred onboard commercial aircraft during 2005 that were reported to TSA, and to what extent did these threats result in aircraft being diverted? (2) What is the process that federal agencies follow to identify, assess, and respond to in-flight security threats? (3) To what extent did interagency coordination problems occur during 2005, if at all, and what steps did the involved agencies take to address any identified problems? Aviation security consists of multiple layers. The Aviation and Transportation Security Act, enacted in November 2001, created TSA as the agency responsible for securing all modes of transportation, including aviation.4 Since then, TSA has worked with other stakeholders to develop a layered approach to ensure the security of commercial aviation, involving multiple diverse and coordinated measures. These measures include enhancing passenger and checked baggage screening, offering security training for flight and cabin crews to handle potential threats onboard aircraft, expanding the Federal Air Marshal Service (FAMS) to place more federal air marshals on domestic and international commercial flights, and training pilots on commercial passenger and cargo aircraft on how to use lethal force against an intruder on the flight deck through the Federal Flight Deck Officers (FFDO) Program. Many agencies are involved in resolving in-flight security threats. this effort requires a significant degree of interagency collaboration and coordination because it involves many different aspects of homeland security, aviation operations, and law enforcement--everything from examining thousands of passenger lists for inbound and outbound international flights to ensure that suspected terrorists are not boarding aircraft, to diverting flights to alternative airports--and, if needed, mobilizing military fighter jets to intercept threatening aircraft. Four main departments are involved in this interagency effort: Homeland Security, Justice, Transportation, and Defense. Additionally, the National Counterterrorism Center (NCTC), a component of the new Office of the Director of National Intelligence, may also be involved. Agencies use interagency communication tools to coordinate during in-flight security threats. Relatively few in-flight incidents were reported during 2005, with a small percentage resulting in aircraft diversions. Process for resolving in-flight security threats requires extensive agency coordination and typically involves four main stages. The four process stages are (1) identifying the threat and notifying affected agencies; (2) sharing pertinent information and collaboratively assessing the severity of the threat; (3) deciding on and carrying out the appropriate in-flight response, such as initiating a diversion; and (4) if necessary, completing the law enforcement response when the flight has landed. Agencies experienced relatively few coordination problems in resolving in-flight security threats and took steps to address them, but opportunities exist to further strengthen coordination. Tue, 31 Jul 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07892.pdf Responders to the World Trade Center (WTC) attack were exposed to many hazards, and concerns remain about long-term health effects of the disaster and the availability of health care services for those affected. In 2006, GAO reported on problems with the Department of Health and Human Services' (HHS) WTC Federal Responder Screening Program and on the Centers for Disease Control and Prevention's (CDC) distribution of treatment funding. GAO was asked to update its 2006 testimony. GAO assessed the status of (1) services provided by the WTC Federal Responder Screening Program, (2) efforts by CDC's National Institute for Occupational Safety and Health (NIOSH) to provide services for nonfederal responders residing outside the New York City (NYC) area, and (3) NIOSH's awards to grantees for treatment services and efforts to estimate service costs. GAO reviewed program documents and interviewed HHS officials, grantees, and others. HHS's WTC Federal Responder Screening Program has had difficulties ensuring the uninterrupted availability of services for federal responders. From January 2007 to May 2007, the program stopped scheduling screening examinations because there was a change in the administration of the WTC Federal Responder Screening Program, and certain interagency agreements were not established in a timely way to keep the program fully operational. In April 2006 the program also stopped scheduling and paying for specialty diagnostic services because a contract with the program's new provider network did not cover these services. Almost a year later, the contract was modified, and the program resumed scheduling and paying for these services in March 2007. NIOSH is considering expanding the WTC Federal Responder Screening Program to include monitoring--follow-up physical and mental health examinations--and is assessing options for funding and service delivery. If federal responders do not receive monitoring, health conditions that arise later may not be diagnosed and treated, and knowledge of the health effects of the WTC disaster may be incomplete. NIOSH has not ensured the availability of screening and monitoring services for nonfederal responders residing outside the NYC area, although it recently took steps toward expanding the availability of these services. In late 2002, NIOSH arranged for a network of occupational health clinics to provide screening services. This effort ended in July 2004, and until June 2005, NIOSH did not fund screening or monitoring services for nonfederal responders outside the NYC area. In June 2005, NIOSH funded the Mount Sinai School of Medicine Data and Coordination Center (DCC) to provide screening and monitoring services; however, DCC had difficulty establishing a nationwide network of providers and contracted with only 10 clinics in 7 states. In 2006, NIOSH began to explore other options for providing these services, and in May 2007, it took steps toward expanding the provider network. However, these efforts are incomplete. NIOSH has awarded treatment funds to four NYC-area programs, but does not have a reliable cost estimate of serving responders. In fall 2006, NIOSH awarded $44 million for outpatient treatment and set aside $7 million for hospital care. The New York/New Jersey WTC Consortium and the New York City Fire Department WTC program, which received the largest awards, used NIOSH's funding to continue outpatient services, offer full coverage for prescriptions, and cover hospital care. Program officials expect that NIOSH's outpatient treatment awards will be spent by the end of fiscal year 2007. NIOSH lacks a reliable estimate of service costs because the estimate that NIOSH and its grantees developed included potential costs for certain program changes that may not be implemented, and in the absence of actual treatment cost data, they relied on questionable assumptions. It is unclear whether the estimate overstates or understates the cost of serving responders. To improve future cost estimates, HHS officials have required the two largest grantees to report detailed cost data. Mon, 23 Jul 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07804r.pdf Referred to as our "third border," the Caribbean Basin has significant maritime links with the United States. Given these links and the region's proximity, the United States is particularly interested in ensuring that the ports in the Caribbean Basin--through which goods bound for this country's ports and cruise ships carrying its citizens must travel--are secure. Section 233 (c) of the Security and Accountability for Every Port Act of 2006 (SAFE Port Act) requires GAO to report on various security-related aspects of Caribbean Basin ports. Our specific objectives were to identify and describe the (1) threats and security concerns in the Caribbean Basin related to port security, (2) actions that foreign governments and local stakeholders have taken in the Caribbean Basin to implement international port security requirements and the challenges that remain, (3) activities reported to be under way by U.S. government agencies to enhance port security in the Caribbean Basin, and (4) potential economic impacts of port security and terrorist attacks in the Caribbean Basin. Between March 29 and April 13, 2007, we briefed Congress on the results of our work to address these objectives. This report summarizes the information provided during those discussions. We conducted our work from October 2006 through June 2007 in accordance with generally accepted government auditing standards. While intelligence sources report that no specific, credible terrorist threats to maritime security exist in the Caribbean Basin, the officials we spoke to indicated that there are a number of security concerns that could affect port security in the region. Caribbean ports contain a variety of facilities such as cargo facilities, cruise ship terminals, and facilities that handle petroleum products and liquefied natural gas. Additionally, several Caribbean ports are among the top cruise ship destinations in the world. Given the volume and value of this maritime trade, the facilities and infrastructure of the maritime transportation system may be attractive targets for a terrorist attack. Our prior work on maritime security issues has revealed that the three most likely modes of attack in the port environment are a suicide attack using an explosive-laden vehicle or vessel, a standoff attack using small arms or rockets, and the traditional armed assault. Beyond the types of facilities and modes of attack to be considered, officials we spoke to identified a number of overarching security concerns that relate to the Caribbean Basin as a whole. Among these concerns are (1) the level of corruption that exists in some Caribbean nations to undermine the rule of law in these countries, (2) organized gang activity occurring in proximity to or within port facilities, and (3) the geographic proximity of many Caribbean countries, which has made them transit countries for cocaine and heroin destined for U.S. markets. Other security concerns in the Caribbean Basin mentioned by U.S. agency officials include stowaways, illegal migration, and the growing influence of Islamic radical groups and other foreign terrorist organizations. Fri, 29 Jun 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07620.pdf Special Operations Command's (SOCOM) duties have greatly increased since the attacks of September 11, 2001. Today, Special Operations Forces are at work in Afghanistan and Iraq, and SOCOM has been assigned to lead U.S. efforts in the Global War on Terrorism. SOCOM's acquisitions budget has also greatly increased in this period--more than doubling from $788 million in 2001 to approximately $1.91 billion in 2006. In light of SOCOM's expanded duties, Congress requested that GAO review SOCOM's management of its acquisition programs. GAO's evaluation includes an assessment of: the types of acquisition programs SOCOM has undertaken since 2001 and whether the programs are consistent with its mission; the extent to which SOCOM's programs have progressed as planned; and the challenges SOCOM faces in managing its acquisition programs. SOCOM has undertaken a diverse set of acquisition programs that are consistent with the command's mission to provide equipment that addresses the unique needs of the Special Operations Forces. SOCOM has committed to spend about $6 billion on these programs. About 88 percent of the programs are relatively small, have short acquisition cycles, and use modified commercial off-the-shelf and nondevelopmental items or modify existing service equipment and assets. SOCOM's acquisition plans--as reflected in its current 5-year plan--continue to focus on relatively small-scale, short-cycle programs with modest development efforts. Overall, SOCOM's acquisition program performance has been mixed. About 60 percent of the acquisition programs SOCOM has undertaken since 2001 have progressed as planned, staying within the original cost and schedule estimates. Included in this grouping are programs that had cost increases because of the need to buy additional quantities of equipment for ongoing combat operations. The other 40 percent of SOCOM's acquisition programs have not progressed as planned and experienced modest to, in a small number of cases, significant cost increases and schedule delays because of a range of technical and programmatic issues. Although fewer in number, the programs that experienced problems comprise about 50 percent of acquisition funding because they tend to be the larger and costlier, platform-based programs that SOCOM is acquiring and those where SOCOM depends on one of the military departments for equipment and program management support. SOCOM faces management and workforce challenges to ensure its acquisition programs are consistently completed on time and within budget. Urgent requirements to support SOCOM's ongoing combat missions have and will continue to challenge SOCOM's ability to balance near- and long- term needs against available funding resources. In addition, SOCOM has difficulty tracking progress on programs where it has delegated management authority to one of the military departments and has not consistently applied a knowledge-based acquisition approach in executing programs, particularly the larger and more complex programs. Furthermore, SOCOM has encountered challenges ensuring it has the workforce size and composition to carry out its acquisition work. Thu, 28 Jun 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07868.pdf In recent years GAO and others have reported on problems in the financial management environment at the Department of Homeland Security's (DHS) Science and Technology Directorate (S&T). S&T was established by the Homeland Security Act of 2002 to, among other things, coordinate the federal government's civilian efforts to identify and develop countermeasures to emerging terrorist threats to our nation. As DHS's primary research and development arm, the directorate is tasked with providing federal, state, local, and tribal officials with state-of-the-art technology and other resources, such as protocols and training procedures for use in responding to, and recovery from, chemical, biological, radiological, nuclear, and explosive attacks. S&T is led by an Under Secretary and has a Chief Financial Officer (CFO) who is responsible for all budgeting and accounting for financial resources. S&T receives funds for research, development, acquisition, and operations. It also receives funds for management and administration that support the operations of the directorate in both headquarters and the field, such as the expenditures for personnel compensation and benefits, travel, and rent. The Department of Homeland Security Appropriations Act, 2007 (Appropriations Act) provided about $973 million for S&T, of which about $838 million (about 86 percent) was for research, development, acquisition, and operations, and $135 million (about 14 percent) was for salaries and expenses of the Office of the Under Secretary and for management and administration of programs and activities. The Appropriations Act restricted S&T from obligating $60 million (about 44 percent) of the $135 million until the Secretary of Homeland Security prepared a fiscal year 2007 expenditure plan that was to be received and approved by the Committees on Appropriations of the Senate and House of Representatives that (1) was broken down by program, project, and activity (PPA), (2) contained a detailed breakdown and justification of the management and administrative costs for each PPA, and (3) described the method utilized to develop the budget for administration costs in the budget requests for fiscal years 2006 and 2007. The Appropriations Act also required GAO to review the plan. In responding to this mandate, we assessed whether S&T's fiscal year 2007 expenditure plan satisfied the above conditions of the Appropriations Act. In April 2007, we briefed Congress on the preliminary results of our work. On May 9, 2007, Congress released the $60 million management and administration funding that had been restricted by the act. The S&T fiscal year 2007 expenditure plan, including related documentation and other information provided by S&T program officials, did not fully satisfy the conditions set forth in the Appropriations Act. Prior to the obligation of the $60 million, the Appropriations Act required S&T to provide an expenditure plan by PPA, as well as a detailed breakdown and justification for the projected management and administrative expenditures by PPA. While the research and development data in the expenditure plan were presented by PPA, such as for laboratory facilities and explosives, the management and administration data were not. For example, S&T's expenditure plan described the projected expenditures for research, development, acquisition, and operations for each specific PPA, whereas the projected management and administrative expenditures were not broken out by these categories. Because the management and administration data were not broken out by PPA, the condition requiring a detailed breakdown and justification of these projected expenditures by PPA was not satisfied. S&T officials indicated that the breakdown and justification of these expenditures were not provided in the expenditure plan because S&T manages these costs by business areas and functions, such as business operations, rather than by PPA. Further, according to S&T officials, the management and administration account represents funds that support S&T's entire mission and, for the most part, are not directly attributable to any one PPA. However, in response to our data request, S&T broke out the projected management and administration expenditures by PPA using various methodologies to estimate the allocation of these costs to each PPA. Using such a methodology is consistent with generally recognized allocation methodologies. For example, S&T apportioned the total business operations expenditures, which include, among other things, rent, supplies, and employee bonuses and awards, to each PPA based on the number of full-time equivalent (FTE) staff budgeted for each of them. According to S&T officials, accounting for these costs by PPA--in order to have actual cost data to use in formulating future estimates rather than allocating projected expenditures across PPAs--would require either significant changes to its financial accounting system or the use of an off-line system designed solely for this purpose. The expenditure plan, including related documentation and other information provided by program officials, partially satisfied the legislative condition to describe the method utilized to derive the budget for projected administration expenditures in the fiscal years 2006 and 2007 budget requests. The plan identified the categories of expenses that the budget requests were intended to cover--such as salaries, benefits, and business operations--and indicated that the fiscal year 2007 budget request was developed based on the prior year expenditures for these categories. However, the plan did not describe the method used to develop each category of expenses. S&T officials acknowledged this and added that in addition to historical expenditure data from S&T's financial systems, the budget requests were also based on projections of new expenses. Fri, 22 Jun 2007 00:00:00 -0400 http://www.gao.gov/new.items/d07705.pdf Computer interconnectivity has produced enormous benefits but has also enabled criminal activity that exploits this interconnectivity for financial gain and other malicious purposes, such as Internet fraud, child exploitation, identity theft, and terrorism. Efforts