Homeland Security: Office of Intelligence and Analysis Should Improve Privacy Oversight and Assessment of Its Effectiveness
Fast Facts
The DHS Office of Intelligence and Analysis collects and shares homeland security data with its partners in law enforcement, the intelligence community, and the private sector. While doing so, it's important to protect U.S. citizens and residents' rights and privacy.
But the office hasn't done some required audits that would ensure that its personnel are following policies to protect these rights. For example, auditing the information systems that contain sensitive data would tell the office whether the personnel who accessed them had the appropriate clearance and permissions.
Our recommendations address this and other issues we found.
Highlights
What GAO Found
GAO found that the Department of Homeland Security (DHS) Office of Intelligence and Analysis collected input from its mission centers and partners to prioritize threats and guide intelligence production during fiscal years 2019 to 2022. Specifically, the office (1) integrated Intelligence Community priorities into a single framework; (2) coordinated with DHS intelligence components to prioritize threats identified in that framework; and (3) solicited input from state, local, and other partners to refine priorities and inform product development.
GAO also found that the Office of Intelligence and Analysis is not fully implementing activities intended to monitor whether personnel are following its policies to protect the privacy, civil rights, and civil liberties of U.S. persons, including U.S. citizens and lawful permanent residents. For example, the office has not conducted two required monitoring activities: audits of information systems and audits of bulk data.
Audits Required by the Intelligence Oversight Guidelines
aBulk data are large quantities of data acquired without the use of discriminants (e.g., specific identifiers or search terms), most of which does not have intelligence value.
The office has not identified who is responsible for conducting these audits. By doing so, and by ensuring that relevant staff conduct these audits, the office will be better positioned to address any failures to protect privacy, civil rights, and civil liberties within its information systems and bulk data transfers.
The Office of Intelligence and Analysis tracks 13 performance measures, but it lacks information about its effectiveness because the performance measures do not clearly align with its strategic goals. For example, the office does not have a performance measure relating to its strategic goal of protecting privacy and civil liberties or of promoting technological innovation. Developing performance measures that clearly align with its strategic goals would give leadership information about the office's overall effectiveness.
In addition, officials said the office intends to use data from questionnaires attached to its intelligence products to better understand its customer interests. However, the office has not assessed whether these data are fulfilling its intent. By conducting such an assessment, the office may be better positioned to produce intelligence that aligns with the interests and needs of its customers.
Why GAO Did This Study
The DHS Office of Intelligence and Analysis provides information to DHS components and other partners to identify and mitigate threats to homeland security. Because such reporting can involve information about U.S. persons, the office issued Intelligence Oversight Guidelines that identify safeguards to protect privacy, civil rights, and civil liberties.
GAO was asked to review how the office sets priorities; protects privacy, civil rights, and civil liberties; and assesses its effectiveness. This report examines (1) how the office prioritizes threats, (2) the extent to which it monitors implementation of its Intelligence Oversight Guidelines, and (3) the extent to which it assesses its effectiveness.
GAO assessed the office's monitoring activities against its guidelines, reviewed performance information, and interviewed officials and a nongeneralizable selection of partners. This included eight DHS intelligence components, seven state and local agencies, and three private-sector partners, selected on the basis of geographic location and other factors.
Recommendations
GAO is making nine recommendations, including that the Office of Intelligence and Analysis (1) identify who is responsible for conducting audits of information systems and bulk data and ensure these audits are conducted, (2) develop performance measures that clearly align with strategic goals, and (3) assess the extent to which customer feedback data improve its understanding of customers' interests. The Department of Homeland Security agreed with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should ensure that I&A's intelligence oversight branch documents the reviews it conducts to verify I&A personnel's compliance with I&A's guidelines for protecting privacy, civil rights, and civil liberties. (Recommendation 1) |
The agency concurred with this recommendation and said it planned to address it by developing standard operating procedures that direct oversight personnel to document their compliance inquiries and reviews. In March 2024, the agency completed work on a preliminary inquiry standard operating procedure that directs staff to memorialize the results of all inquiries. This recommendation will remain open pending I&A's completion of a second standard operating procedure on conducting compliance reviews. I&A estimates completing work on the remaining procedure by July 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should establish a goal for the number of compliance reviews that I&A's intelligence oversight branch is to conduct during a given period to verify personnel's compliance with I&A's guidelines for protecting privacy, civil rights, and civil liberties. (Recommendation 2) |
The agency concurred with the recommendation and, in March 2024, was in the process of finalizing a performance plan for the Intelligence Oversight Officer that sets a goal of completing 6 preliminary inquiries or compliance reviews during fiscal year 2024. The recommendation will remain open pending receipt of the performance plan.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should assess the intelligence oversight branch's performance against its goal for compliance reviews, including identifying any factors preventing it from meeting this goal and any needed corrective actions. (Recommendation 3) |
The agency concurred with this recommendation and in March 2024 said it anticipates reviewing the performance of the intelligence oversight branch against its goal for compliance reviews by April 2024. At this time, it will also ensure a schedule for compliance reviews for the second half of fiscal year 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should establish time frames for completing I&A's standard operating procedure for conducting preliminary inquiries and should finalize this procedure according to these time frames. (Recommendation 4) |
The agency concurred with this recommendation, and in August 2023, it said it planned to issue a standard operating procedure for preliminary inquiries in October 2023. In February 2024, I&A sent GAO its completed standard operating procedure for conducting preliminary inquiries, and the recommendation is closed as implemented.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should identify who is responsible for conducting the audits of information systems and bulk data described in I&A's Intelligence Oversight Guidelines, and to whom the results of these audits should be reported. (Recommendation 5) |
The agency concurred with this recommendation and said it would develop a standard operating procedure for conducting audits of information systems and bulk data that would identify the entities responsible for these audits and to whom the results should be reported. In March 2024 the agency reported that work on the procedure would be completed by July 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should ensure that the responsible entities conduct audits of information systems and bulk data, as described in I&A's Intelligence Oversight Guidelines. (Recommendation 6) |
The agency concurred with this recommendation. In March 2024, I&A officials said they planned to set a goal for the number of audits of information systems and bulk data to be completed for the remainder of fiscal year 2024 and would assess the agency's progress against that goal by the end of September 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should develop performance measures for I&A that clearly align with and assess progress toward its strategic goals. (Recommendation 7) |
The agency concurred with this recommendation. In March 2024, the agency reported that it was working with the relevant internal offices to propose adjustments to its current performance measures and to add new measures for upcoming fiscal years. Specifically, the agency has worked to align each proposed measure to its fiscal year 2020-2024 strategic plan. In addition, as I&A develops its fiscal year 2025-2029 strategic plan, the agency reported that it will continue to collaborate with appropriate entities to align performance measures with strategic goals. The agency estimates completing work on this recommendation in December 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should develop and implement a process to submit the statutorily required annual report related to customer feedback on intelligence products to relevant congressional committees. (Recommendation 8) |
The agency concurred with this recommendation. In early March 2024, I&A reported that it had drafted the congressional report for fiscal year 2023 and plans to submit the report to Congress by March 29, 2024. Going forward, I&A plans to submit the required reports annually, by the end of each fiscal year. This recommendation will remain open, pending GAO's receipt of a copy of the required report.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should assess the extent to which customer feedback data meet its need to understand its customers' interests and, if necessary, take steps to collect more appropriate data. (Recommendation 9) |
The agency concurred with this recommendation and, in March 2024, said that it had collected additional customer feedback data through a new collection form, assessed the data, and based on the results, made changes to collect additional feedback. The recommendation will remain open pending GAO's receipt of the results of the assessment and an explanation of how I&A used the customer feedback to understand its customers' interests.
|