Recent planned and attempted acts of terrorism on U.S. soil underscore the importance of the government's continued need to ensure that terrorism-related information is shared in an effective and timely manner. The Intelligence Reform and Terrorism Prevention Act of 2004, as amended, mandated the creation of the Information Sharing Environment (ISE), which is described as an approach for sharing terrorism-related information that may include any method determined necessary and appropriate. GAO was asked to assess to what extent the Program Manager for the ISE and agencies have (1) made progress in developing and implementing the ISE and (2) defined an enterprise architecture (EA) to support ISE implementation efforts. In general, an EA provides a modernization blueprint to guide an entity's transition to its future operational and technological environment. To do this work, GAO (1) reviewed key statutes, policies, and guidance; ISE annual reports; and EA and other best practices and (2) interviewed relevant agency officials.
Since GAO last reported on the ISE in June 2008, the Program Manager for the ISE and agencies have made progress in implementing a discrete set of goals and activities and are working to establish an "end state vision" that could help better define what the ISE is intended to achieve and include. However, these actions have not yet resulted in a fully functioning ISE. Consistent with the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), the ISE is to provide the means for sharing terrorism-related information across five communities--homeland security, law enforcement, defense, foreign affairs, and intelligence--in a manner that, among other things, leverages ongoing efforts. To date, the ISE has primarily focused on the homeland security and law enforcement communities and related sharing between the federal government and state and local partners, to align with priorities the White House established for the ISE. It will be important that all relevant agency initiatives--such as those involving the foreign affairs and intelligence communities--are leveraged by the ISE to enhance information sharing governmentwide. The Program Manager and agencies also have not yet identified the incremental costs necessary to implement the ISE--which would allow decision makers to plan for and prioritize future investments--or addressed GAO's 2008 recommendation to develop procedures for determining what work remains. Completing these activities would help to provide a road map for the ISE moving forward. The administration has taken steps to strengthen the ISE governance structure, but it is too early to gauge the structure's effectiveness. The Program Manager and ISE agencies have developed architecture guidance and products to support ISE implementation, such as the "ISE Enterprise Architecture Framework," which is intended to enable long-term business and technology standardization and information systems planning, investing, and integration. However, the architecture guidance and products do not fully describe the current and future information sharing environment or include a plan for transitioning to the future ISE. For example, the EA framework describes information flows for only 3 of the 24 current business processes. In addition, the Program Manager's approach to managing its ISE EA program does not fully satisfy the core elements described in EA management best practices. For example, an EA program management plan for the ISE does not exist. The Program Manager stated that his office's approach to developing ISE architecture guidance is based on, among other things, the office's interpretation of the Intelligence Reform Act. Nevertheless, the act calls for the Program Manager to, among other things, plan for and oversee the implementation of the ISE, and officials from the key agencies said that the lack of detailed and implementable ISE guidance was one limiting factor in developing agency information sharing architectures. Without establishing an improved EA management foundation, including an ISE EA program management plan, the federal government risks limiting the ability of ISE agencies to effectively plan for and implement the ISE and more effectively share critical terrorism-related information. GAO recommends that in defining a road map for the ISE, the Program Manager ensure that relevant initiatives are leveraged, incremental costs are defined, and an EA program management plan is established that defines how EA management practices and content will be addressed. The Program Manager generally agreed with these recommendations.
Recommendations for Executive Action
|Office of the Program Manager--Information Sharing Environment||To help ensure effective implementation of the ISE, and to support future progress in developing and implementing the ISE, and after the end state is defined, the Program Manager, with full participation from relevant stakeholders, should, in consultation with the Information Sharing and Access Interagency Policy Committee (ISA IPC) and key ISE agencies, determine to what extent relevant agency initiatives across all five communities could be better leveraged by the ISE so that their benefits can be realized governmentwide.|
|Office of the Program Manager--Information Sharing Environment||To help ensure effective implementation of the ISE, and to support future progress in developing and implementing the ISE, and after the end state is defined, the Program Manager, with full participation from relevant stakeholders, should, in coordination with the ISA IPC and the Office of Management and Budget (OMB), task the key ISE agencies to define, to the extent possible, the incremental costs needed to help ensure successful implementation of the ISE and prioritize investments.|
|Office of the Program Manager--Information Sharing Environment||To better define ISE EA guidance and effectively manage EA activities to support ISE implementation efforts, the Program Manager should, in consultation with the ISA IPC and key ISE agencies, establish an ISE EA program management plan that (1) reflects ISE EA program work activities, events, and time frames for improving ISE EA management practices and addressing missing architecture content and (2) defines accountability mechanisms to help ensure that this program management plan is implemented.|