What We Found
The federal government has made significant progress in promoting the sharing of information on terrorist threats, and has met all of our criteria for removal from the High-Risk List. The Program Manager and key departments and agencies met the leadership commitment and capacity criteria in 2015, and have subsequently sustained efforts in both these areas. For example, the Program Manager clearly articulated a vision for the ISE that reflects the government’s terrorism-related information sharing priorities. Key departments and agencies also continued to allocate resources to operations that improve information sharing, including developing better technical capabilities.
The Program Manager and key departments and agencies also developed, generally agreed upon, and executed the 2013 Strategic Implementation Plan (Implementation Plan), which includes the overall strategy and more specific planning steps to achieve the ISE. Further, they have demonstrated that various information sharing initiatives are being used across multiple agencies as well as state, local, and private sector stakeholders. For example, the Project Manager has developed a comprehensive framework for managing enterprise architecture to help share and integrate terrorism-related information among multiple stakeholders in the ISE. Specifically, the Project Interoperability initiative includes technical resources and other guidance that promote greater information system compatibility and performance. Furthermore, the key departments and agencies have applied the concepts of the Project Interoperability initiative to improve mission operations by better linking different law enforcement databases, and facilitating better geospatial analysis, among other things.
In addition, the Program Manager and key departments and agencies have continued to devise and implement ways to measure the effect of the ISE on information sharing to address terrorist and other threats to the homeland. They developed performance metrics for specific information-sharing initiatives (e.g., fusion centers) used by various stakeholders to receive and share information. The Program Manager and key departments and agencies have also documented mission-specific accomplishments (e.g., related to maritime domain awareness) where the Program Manager helped connect previously incompatible information systems. The Program Manager has also partnered with DHS to create an Information Sharing Measure Development Pilot that intends to better measure the effectiveness of information sharing across all levels of the ISE.
Further, the Program Manager and key departments and agencies have used the Implementation Plan to track progress, address challenges, and substantially achieve the objectives in the National Strategy for Information Sharing and Safeguarding. The Implementation Plan contains 16 priority objectives, and by the end of fiscal year 2016, 13 of the 16 priority objectives were completed. The Program Manager transferred the remaining 3 objectives, which were all underway, to other entities with the appropriate technical expertise to continue implementation through fiscal year 2019.
In our 2013 high-risk update, we listed nine action items that were critical for moving the ISE forward. In that report, we determined that two of those action items—demonstrating that the leadership structure has the needed authority to leverage participating departments, and updating the vision for the ISE—had been completed. In our 2015 update, we determined that the Program Manager and key departments had achieved four of the seven remaining action items—demonstrating that departments are defining incremental costs and funding; continuing to identify technological capabilities and services that can be shared collaboratively; demonstrating that initiatives within individual departments are, or will be, leveraged to benefit all stakeholders; and demonstrating that stakeholders generally agree with the strategy, plans, time frames, responsibilities, and activities for substantially achieving the ISE.
For the 2017 update, we determined that the remaining three action items have been completed: establishing an enterprise architecture management capability; demonstrating that the federal government can show, or is more fully developing a set of metrics to measure, the extent to which sharing has improved under the ISE; and demonstrating that established milestones and time frames are being used as baselines to track and monitor progress. Achieving all nine action items has, in effect, addressed our high-risk criteria.
While this demonstrates significant and important progress, sharing terrorism-related information remains a constantly evolving work in progress that requires continued effort and attention from the Program Manager, departments, and agencies. Although no longer a high-risk issue, sharing terrorism-related information remains an area with some risk and continues to be vitally important to homeland security, requiring ongoing oversight as well as continuous improvement to identify and respond to changing threats and technology. Table 11 summarizes the Program Manager’s and key departments’ and agencies’ progress in achieving the action items.
Table 11: Status of Action Items Required to Remove Terrorism-Related Information Sharing from GAO’s High-Risk List
Action Item Status
Demonstrate that the Information Sharing and Access Interagency Policy Committee has needed authority, is leveraging participating departments, and is producing results.
Update the vision for the Information Sharing Environment (ISE)—the information sharing capabilities and procedures that need to be in place to help ensure terrorism-related information is accessible and identifiable to relevant federal, state, local, private, and foreign partners.
Demonstrate that departments are defining incremental costs and funding needed to complete the responsibilities and activities which substantially achieve the ISE.
Capacity to resolve risk
Continue to identify technological capabilities and services that can be shared collaboratively within and across the ISE, consistent with a federated architecture approach.
Capacity to resolve risk
Demonstrate that initiatives within individual departments are, or will be, leveraged to benefit all relevant federal, state, local, and private security stakeholders participating in the ISE.
Action plans that provide corrective measures
Establish an enterprise architecture management capability and demonstrate that it will be used to guide selection of projects for substantially achieving the ISE.
Action plans that provide corrective measures
Demonstrate that stakeholders generally agree with the strategy, plans, time frames, their responsibilities, and their activities for substantially achieving the ISE.
Action plans that provide corrective measures
Demonstrate that the federal government can show the extent to which sharing has improved under the ISE, or can show it has actions underway to more fully develop a set of metrics and processes to measure results achieved, both from individual projects and activities, as well as from the overall ISE.
Monitor and validate the effectiveness of corrective measures
Demonstrate that established milestones and time frames are being used as baselines to track and monitor progress on individual projects and in substantially achieving the overall ISE.
Source: GAO analysis of Office of the Program Manager for the Information Sharing Environment and key department documents, interviews, and prior GAO reports. | GAO-17-317.
aWe determined that these action items were complete in our 2013 high-risk update.
bWe determined that these action items were complete in our 2015 high-risk update.
 Office of the Program Manager for the Information Sharing Environment, Strategic Implementation Plan for the National Strategy for Information Sharing and Safeguarding (Washington, D.C.: December 2013). In December 2012, the President signed the National Strategy for Information Sharing and Safeguarding, which provides guidance on implementing policies, standards, and technologies that promote secure and responsible national security information sharing. This document builds on the 2010 National Security Strategy and the 2007 National Strategy for Information Sharing. The December 2012 national strategy identifies priority objectives, which have been incorporated into the Implementation Plan.
 An enterprise architecture, or modernization blueprint, is intended to provide a clear and comprehensive picture of an entity, whether it is an organization (e.g., federal department or agency) or a functional or mission area that cuts across more than one organization (e.g., financial management). This picture consists of snapshots of the enterprise’s current and target operational and technological environments, and contains a road map for transitioning from the current to the target environment.
 Project Interoperability refers to a collection of policies and guidance related to information interoperability. Information interoperability is the ability to share and use information in a consistent, efficient way across multiple organizations and information technology (IT) systems to accomplish operational missions. From a technical perspective, interoperability refers to the capability of systems to communicate with one another and to exchange and use information and is achieved developed in part by using common technical standards and definitions to manage information.
In February 2017 we removed Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland from the high risk list.
Since 2015, the Program Manager (Program Manager) for the Information Sharing Environment (ISE) and key departments and agencies have made significant progress to strengthen how intelligence on terrorism, homeland security, and law enforcement, as well as other information (collectively referred to in this section as terrorism-related information) is shared among federal, state, local, tribal, international, and private sector partners. As a result, the Program Manager and key stakeholders have met all five criteria for addressing our high risk designation, and we are removing this issue from our High-Risk List. While this progress is commendable, it does not mean the government has eliminated all risk associated with sharing terrorism-related information. It remains imperative that the Program Manager and key departments and agencies continue their efforts to advance and sustain the ISE. Continued oversight and attention is also warranted given the issue’s direct relevance to homeland security as well as the constant evolution of terrorist threats and changing technology. As we have with areas previously removed from the High-Risk List, we will continue to monitor this area, as appropriate, to ensure that the improvements are sustained. If significant problems again arise, we will consider reapplying the high risk designation.
The Program Manager, the individual responsible for planning, overseeing, and managing the ISE, along with the key departments and agencies—the Departments of Homeland Security (DHS), Justice (DOJ), State (State), and (DOD), and the Office of the Director of National Intelligence (ODNI)—are critical to implementing and sustaining the ISE. Following the terrorist attacks of 2001, Congress and the executive branch took numerous actions aimed explicitly at establishing a range of new measures to strengthen the nation’s ability to identify, detect, and deter terrorism-related activities. For example, the ISE was established in accordance with the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), as amended, to facilitate the sharing of terrorism-related information. Figure 22 depicts the relationship between the various stakeholders and disciplines involved with the sharing and safeguarding of terrorism-related information through the ISE.
Figure 22: Elements of the Information Sharing Environment
 The Office of the Program Manager for the ISE is situated within and funded through amounts appropriated to ODNI. Additional departments and agencies also participate in the ISE, including Air Force Intelligence, Surveillance, and Reconnaissance; Central Intelligence Agency; Department of Commerce; Department of Energy; Department of Health and Human Services; Department of the Interior; Department of Transportation; Department of the Treasury; National Counterterrorism Center; National Geospatial-Intelligence Agency; and National Reconnaissance Office.
 See Pub. L. No. 108-458, § 1016, 118 Stat. 3638, 3664-70 (2004) 6 U.S.C. § 485). See also 6 U.S.C. § 482 (requiring the establishment of procedures for the sharing of homeland security information).
In February 2017 we removed Establishing Effective Mechanisms for Sharing and Managing Terrorism-Related Information to Protect the Homeland from the high risk list. While this progress is commendable, it does not mean the government has eliminated all risk associated with sharing terrorism-related information. It remains imperative that the Program Manager and key departments and agencies continue their efforts to advance and sustain the Information Sharing Environment. Continued oversight and attention is also warranted given the issue’s direct relevance to homeland security as well as the constant evolution of terrorist threats and changing technology. As we have with areas previously removed from the High-Risk List, we will continue to monitor this area, as appropriate, to ensure that the improvements are sustained. If significant problems again arise, we will consider reapplying the high risk designation.