Information Sharing Environment: Better Road Map Needed to Guide Implementation and Investments
Highlights
Recent planned and attempted acts of terrorism on U.S. soil underscore the importance of the government's continued need to ensure that terrorism-related information is shared in an effective and timely manner. The Intelligence Reform and Terrorism Prevention Act of 2004, as amended, mandated the creation of the Information Sharing Environment (ISE), which is described as an approach for sharing terrorism-related information that may include any method determined necessary and appropriate. GAO was asked to assess to what extent the Program Manager for the ISE and agencies have (1) made progress in developing and implementing the ISE and (2) defined an enterprise architecture (EA) to support ISE implementation efforts. In general, an EA provides a modernization blueprint to guide an entity's transition to its future operational and technological environment. To do this work, GAO (1) reviewed key statutes, policies, and guidance; ISE annual reports; and EA and other best practices and (2) interviewed relevant agency officials.
Since GAO last reported on the ISE in June 2008, the Program Manager for the ISE and agencies have made progress in implementing a discrete set of goals and activities and are working to establish an "end state vision" that could help better define what the ISE is intended to achieve and include. However, these actions have not yet resulted in a fully functioning ISE. Consistent with the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act), the ISE is to provide the means for sharing terrorism-related information across five communities--homeland security, law enforcement, defense, foreign affairs, and intelligence--in a manner that, among other things, leverages ongoing efforts. To date, the ISE has primarily focused on the homeland security and law enforcement communities and related sharing between the federal government and state and local partners, to align with priorities the White House established for the ISE. It will be important that all relevant agency initiatives--such as those involving the foreign affairs and intelligence communities--are leveraged by the ISE to enhance information sharing governmentwide. The Program Manager and agencies also have not yet identified the incremental costs necessary to implement the ISE--which would allow decision makers to plan for and prioritize future investments--or addressed GAO's 2008 recommendation to develop procedures for determining what work remains. Completing these activities would help to provide a road map for the ISE moving forward. The administration has taken steps to strengthen the ISE governance structure, but it is too early to gauge the structure's effectiveness. The Program Manager and ISE agencies have developed architecture guidance and products to support ISE implementation, such as the "ISE Enterprise Architecture Framework," which is intended to enable long-term business and technology standardization and information systems planning, investing, and integration. However, the architecture guidance and products do not fully describe the current and future information sharing environment or include a plan for transitioning to the future ISE. For example, the EA framework describes information flows for only 3 of the 24 current business processes. In addition, the Program Manager's approach to managing its ISE EA program does not fully satisfy the core elements described in EA management best practices. For example, an EA program management plan for the ISE does not exist. The Program Manager stated that his office's approach to developing ISE architecture guidance is based on, among other things, the office's interpretation of the Intelligence Reform Act. Nevertheless, the act calls for the Program Manager to, among other things, plan for and oversee the implementation of the ISE, and officials from the key agencies said that the lack of detailed and implementable ISE guidance was one limiting factor in developing agency information sharing architectures. Without establishing an improved EA management foundation, including an ISE EA program management plan, the federal government risks limiting the ability of ISE agencies to effectively plan for and implement the ISE and more effectively share critical terrorism-related information. GAO recommends that in defining a road map for the ISE, the Program Manager ensure that relevant initiatives are leveraged, incremental costs are defined, and an EA program management plan is established that defines how EA management practices and content will be addressed. The Program Manager generally agreed with these recommendations.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status Sort descending |
|---|---|---|
| Office of the Program Manager--Information Sharing Environment | To help ensure effective implementation of the ISE, and to support future progress in developing and implementing the ISE, and after the end state is defined, the Program Manager, with full participation from relevant stakeholders, should, in consultation with the Information Sharing and Access Interagency Policy Committee (ISA IPC) and key ISE agencies, determine to what extent relevant agency initiatives across all five communities could be better leveraged by the ISE so that their benefits can be realized governmentwide. |
Closed – Implemented
As part of the 2015 high risk update, GAO conducted a review of the current state of terrorism-related information sharing. As part of that review, we revisited the recommendations we made in our 2011 report on the Information Sharing Environment (ISE). In the 2011 report, we noted that the ISE could benefit from leveraging individual department's information sharing initiatives and that the Program Manager--in consultation with the information sharing policy committee (within the Executive Office of the President) and key departments--should determine potential ways to realize such benefits government-wide. The 2013 ISE Annual Report to Congress identified several instances where key agencies were incorporating other agencies' initiatives. For example, the Federal Bureau of Investigation's (FBI) eGuardian system allows law enforcement agencies to submit suspicious activity reports into a single system that is accessible by thousands of law enforcement personnel. In the 2013 ISE annual report, 11 of 15 agencies that participate in the ISE reported that they use the FBI's eGuardian system. Also, in the 2014 Performance Assessment Questionnaire--which surveys the federal agencies involved in the ISE to gain an understanding of the overall state of information sharing among and between federal agencies--numerous agencies also mentioned fusion center information sharing as an initiative that they were leveraging. Specifically, all agencies that answered the 2014 question related to fusion center progress reported satisfaction with improvements made in the last year to enhance the capabilities and performance of the national network of fusion centers. This included improving the sharing of threat and encounter information between the federal government and state, local, and private partners. The above examples demonstrate that progress has been made in leveraging individual department initiatives across the ISE. Based on these and other actions, we consider this recommendation to be closed as implemented.
|
| Office of the Program Manager--Information Sharing Environment | To help ensure effective implementation of the ISE, and to support future progress in developing and implementing the ISE, and after the end state is defined, the Program Manager, with full participation from relevant stakeholders, should, in coordination with the ISA IPC and the Office of Management and Budget (OMB), task the key ISE agencies to define, to the extent possible, the incremental costs needed to help ensure successful implementation of the ISE and prioritize investments. |
Closed – Implemented
As part of the 2015 high risk update, GAO conducted a review of the current state of terrorism-related information sharing. As part of that review, we revisited the recommendations we made in our 2011 report on the Information Sharing Environment (ISE). In our interviews that supported the 2015 update, officials from each of the five key ISE departments (the Departments of Homeland Security, Justice, State, and Defense, as well as the Office of the Director of National Intelligence) said that information sharing activities are a daily activity that go hand in hand with the mission of the agency and related budgets, and are not separate mandates to fund. Therefore, the officials noted that there is no need to separately identify incremental costs since information sharing activities and costs are embedded within the agencies' mission operations. The Program Manager for the Information Sharing Environment and department officials also noted that the ISE Implementation Plan--which provides detailed guidance for the 16 priority objectives that are fundamental to creating the standards, technologies, and cooperation necessary to advance information sharing--assigns priority objectives to those departments whose mission most aligns to the initiatives under each objective, thereby helping to ensure that the activities receive funding. Based on these actions, we consider this recommendation to be closed as implemented.
|
| Office of the Program Manager--Information Sharing Environment | To better define ISE EA guidance and effectively manage EA activities to support ISE implementation efforts, the Program Manager should, in consultation with the ISA IPC and key ISE agencies, establish an ISE EA program management plan that (1) reflects ISE EA program work activities, events, and time frames for improving ISE EA management practices and addressing missing architecture content and (2) defines accountability mechanisms to help ensure that this program management plan is implemented. |
Closed – Implemented
The Program Manager for the Information Sharing Environment (PM-ISE) has taken sufficient steps to address the intent of our recommendation. With respect to developing an enterprise architecture program management plan, the PM-ISE developed a strategic management plan that identifies key enterprise architecture-related activities as well as time frames for these activities. The PM-ISE also developed architecture guidance to help address missing architecture content. For example, the Information Interoperability Framework provides guidance for describing architecture components (e.g., operational capabilities, technical standards, and exchange patterns) that help enable information sharing and interoperability. In addition, version 2.0 of the Common Profile Framework, issued in January 2015, provides additional guidance for enabling information sharing within and across organizations. With respect to defining accountability mechanisms, the 2014 strategic implementation plan describes architecture-related activities, dates when the activities are to be completed, and the entities responsible for completing the activities. In addition, the PM-ISE's annual reports to Congress provide updates on actions taken to address some of these activities. Based on these actions, we consider this recommendation to be closed as implemented.
|