This is the accessible text file for GAO report number GAO-04-453R entitled 'Homeland Security Advisory System: Preliminary Observations Regarding Threat Level Increases from Yellow to Orange' which was released on March 11, 2004. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. February 26, 2004: The Honorable Christopher Cox: Chairman: The Honorable Jim Turner: Ranking Minority Member: House Select Committee on Homeland Security: House of Representatives: Subject: Homeland Security Advisory System: Preliminary Observations Regarding Threat Level Increases from Yellow to Orange: Established in March 2002, the Homeland Security Advisory System was designed to disseminate information regarding the risk of terrorist acts to federal, state, and local government agencies and the public. However, this system generated concern among federal, state, and local government agencies regarding whether they are receiving the necessary information to respond appropriately to heightened alerts and about the amount of additional costs protective measures entail. You requested that we review (1) the operations of the Homeland Security Advisory System, including the decision making process for changing the national threat level, notifications to federal, state, and local government agencies of changes in the threat level, and ongoing revisions to the system; (2) guidance and information that federal, state, and local government agencies reportedly used to determine any protective measures to implement when the threat level is raised to high--or code-orange--alert; (3) any protective measures these agencies implemented during code-orange alert periods; (4) any additional costs these agencies reported incurring to implement such measures; and (5) any threat advisory systems that federal, state, or local government agencies had in place before the creation of the Homeland Security Advisory System. This report summarizes our preliminary observations on each of these objectives. The code-orange alert periods covered in this preliminary report and our ongoing work are March 17 to April 16, 2003; May 20 to 30, 2003; and December 21, 2003, to January 9, 2004. The preliminary observations in this report are based on information obtained as of February 9, 2004. This includes responses from 15 of the 28 federal agencies to which we sent a questionnaire regarding the Homeland Security Advisory System and code-orange alert periods, and information from 8 federal agencies, four states, the District of Columbia,[Footnote 1] and nine local governments that we contacted during the design of our methodology. We selected the 8 federal agencies using agencies' reports to the Office of Management and Budget on the amount of homeland security funding they received for fiscal year 2003.[Footnote 2] Five of the 8 selected agencies reported receiving the most homeland security funding. We selected the four states, the District of Columbia, and nine local governments on the basis of their critical infrastructure assets, such as national landmarks, ports, and oil pipelines. The Department of Homeland Security (DHS) generally has not documented the policies and procedures it has used for assessing intelligence information, determining whether to raise or lower the threat level, and notifying federal, state, and local government agencies about changes in threat levels. Thus, our findings about the operations of the Homeland Security Advisory System are principally based on interviews with DHS officials. We will continue to assess the Homeland Security Advisory System and related guidance, measures implemented during code-orange periods, and the costs incurred during code-orange alerts. We expect to issue a final report later this year. On February 23 and 24, 2004, officials representing the Department of Homeland Security provided oral technical comments on this report, which we incorporated as appropriate. We conducted our work from July 2003 to February 2004 in accordance with generally accepted government auditing standards. For more detailed information on our scope and methodology, see enclosure I. Results in Brief: Based on analyses of intelligence, the Secretary of Homeland Security, in consultation with members of the Homeland Security Council,[Footnote 3] determines whether the national threat level should be elevated or lowered. Once the Secretary makes this decision, DHS and others begin the process of notifying federal, state and local government agencies, through various means, such as conference calls. The department has not yet documented its protocols for executing notification. DHS officials told us they are working to develop such documentation. However, they could not provide us with a specific time frame as to when they expect to complete this effort. Federal, state, and local government agencies we met with expressed concern about hearing of threat level changes from media and other sources prior to receiving notification from DHS. DHS officials maintain that the Homeland Security Advisory System is evolving and that they are continually adjusting it to provide additional information regarding specific threats. Various sources, including the Federal Emergency Management Agency (FEMA),[Footnote 4] provided guidance and information to federal, state, and local government agencies to assist them in developing plans for responding to each of the advisory system's five threat levels following establishment of the system in March 2002. Additionally, DHS and others provided federal, state, and local government agencies with guidance and information to assist them in determining actions to take in response to each code-orange alert occurrence. For the most part, the 15 federal agencies responding to our questionnaire noted that the guidance and information they received was useful and timely. However, 14 of these 15 federal agencies, along with officials from three states and six local governments we met with, noted that they would have benefited by receiving additional information on region-, sector-, site-, and event-specific threats when deciding additional actions to take for the three most recent code-orange alerts. We will continue to assess this guidance and information to determine its consistency and the extent to which the entities that provided the guidance and information coordinated with other agencies providing similar information. Federal agencies responding to our questionnaire indicated that they maintain a high security posture and, as a result, did not need to implement a substantial number of additional protective measures to respond to code-orange alerts. For the most part, these 15 federal agencies reported enhancing protective measures they already had in place to respond to the code-orange alerts, such as increasing the frequency of facility security patrols. To a lesser degree, these federal agencies indicated that they continued existing protective measures at their pre-code-orange alert levels, such as the use of intrusion detection systems. To ensure that protective measures operate as intended, federal agencies for which we received questionnaire responses reported conducting tests on the functionality and reliability of protective measures. They also reported receiving confirmation of the enhancement or implementation of measures from component entities, offices, or personnel. Protective measures benefited federal agencies in various ways, but also affected agency operations, according to the agencies responding to our questionnaire. For example, while actions taken during code-orange alerts promoted employees' sense of security, they also resulted in delays for employees entering facilities. State and local government officials we met with noted that their agencies implemented various protective measures for code-orange alerts, including additional law enforcement patrols. Thirteen federal agencies, one state, and six localities provided information on the additional costs incurred during at least two of the three orange alert periods in our review. The cost information the federal agencies provided was generally estimates. Nine agencies reported incurring additional costs while 4 stated that they did not incur any additional costs. Eight of the 9 agencies provided cost estimates, whereas the ninth provided actual costs extracted from its financial accounting system. For the 9 agencies that reported incurring additional costs, we calculated the additional average daily costs incurred during each of the three orange alert periods. The additional average daily costs varied by alert period and ranged from as little as about $160 dollars for a small independent agency to more than $165,000 for a cabinet department. For 8 of the 9 agencies, the additional average daily costs were lower for the third alert period than the first alert period. Cost information for the one state and six localities was limited, and we have little or no information on how those costs were determined. Thus, we cannot assess the reliability and comparability of these costs. Some federal, state, and local government agencies we contacted reported that they have threat advisory systems in place to ensure government agencies are notified of impending emergencies such as natural disasters or terrorist threats, allowing them to prepare a response. These systems, which were generally in place before the creation of the Homeland Security Advisory System, are similar to the Homeland Security Advisory System or have been revised to conform to it and include threat levels with associated protective measures. For example, one federal agency told us that it had developed its own five- level alert system 8 years ago to ensure protection of critical national security assets. While federal, state, and local government agencies said they raise or lower their systems' threat levels to correspond to changes in the national threat level, they also independently change threat levels to respond to specific threats or for large public events. Background: Homeland Security Presidential Directive 3 (HSPD-3) established the Homeland Security Advisory System in March 2002. Through the creation of the Homeland Security Advisory System, HSPD-3 sought to produce a common vocabulary, context, and structure for an ongoing discussion about the nature of threats that confront the nation and the appropriate measures that should be taken in response to those threats. Additionally, HSPD-3 established the Homeland Security Advisory System as a mechanism to inform and facilitate decisions related to securing the homeland among various levels of government, the private sector, and American citizens. The Homeland Security Advisory System, as shown in figure 1, is comprised of five color-coded threat conditions, which represent levels of risk related to potential terror attack. As defined in HSPD-3, risk includes both the probability of an attack occurring and its potential gravity. Figure 1: Homeland Security Advisory System: [See PDF for image] [End of figure] Since its establishment in March 2002, the Homeland Security Advisory System national threat level has remained at elevated alert--code- yellow--except for five periods during which the administration raised it to high alert--code-orange. The periods of code-orange alert follow: * September 10 to 24, 2002; * February 7 to 27, 2003; * March 17 to April 16, 2003; * May 20 to 30, 2003; and: * December 21, 2003, to January 9, 2004. The Homeland Security Advisory System is binding on the executive branch. HSPD-3 directs all federal departments, agencies, and offices, other than military facilities,[Footnote 5] to conform their existing threat advisory systems to the Homeland Security Advisory System. These agencies are responsible for ensuring their systems are consistently implemented in accordance with national threat levels as defined by the Homeland Security Advisory System. Additionally, federal departments and agency heads are responsible for developing protective measures and other antiterrorism or self-protection and continuity plans in response to the various threat levels and operating and maintaining these plans. While HSPD-3 encourages other levels of government and the private sector to conform to the system, their compliance is voluntary. When HSPD-3 first established the Homeland Security Advisory System, it provided the Attorney General with responsibility for administering the Homeland Security Advisory System, including assigning threat conditions in consultation with members of the Homeland Security Council, except in exigent circumstances. As such, the Attorney General could assign threat levels for the entire nation, for particular geographic areas, or for specific industrial sectors. Upon its issuance, HSPD-3 also assigned responsibility to the Attorney General for establishing a process and a system for conveying relevant threat information expeditiously to federal, state, and local government officials, law enforcement authorities, and the private sector. In November 2002, Congress enacted the Homeland Security Act of 2002, P.L. 107-296, which established the Department of Homeland Security. Under the Homeland Security Act of 2002, the DHS Under Secretary for Information Analysis and Infrastructure Protection (IAIP)is responsible for administering the Homeland Security Advisory System. As such, IAIP is primarily responsible for issuing public threat advisories and providing specific warning information to state and local governments and to the private sector. The act also charges IAIP with providing advice about appropriate protective actions and countermeasures.[Footnote 6] In February 2003, in accordance with the Homeland Security Act, the administration issued Homeland Security Presidential Directive 5 (HSPD- 5), which amended HSPD-3 by transferring authority for assigning threat conditions and conveying relevant information from the Attorney General to the Secretary of Homeland Security. HSPD-5 directs the Secretary of Homeland Security to consult with the Attorney General and other federal agency heads the Secretary deems appropriate, including other members of the Homeland Security Council, when determining the threat level, except in exigent circumstances. The Advisory System Includes Threat Analysis, Notifications, and Ongoing Revisions, but Protocols for Notification Have Not Been Documented: According to DHS officials, the intelligence community continuously gathers and analyzes information regarding potential terrorist activity. This includes information from such agencies as DHS,[Footnote 7] the Central Intelligence Agency, the Federal Bureau of Investigation (FBI), and the Terrorist Threat Integration Center.[Footnote 8] Analyses from these and other agencies are shared with DHS's IAIP, which is engaged in constant communication with intelligence agencies to assess potential homeland security threats. DHS officials told us that when intelligence information provides sufficient indication of a planned terrorist attack, and is determined to be credible, IAIP recommends to the Secretary of Homeland Security that the national threat level should be raised. To decide whether to lower the national threat level, DHS officials told us that the department reviews threat information to determine whether time frames for threats have passed and whether protective measures in place for the code-orange alerts have been effective in mitigating the threats. DHS officials further told us that analysis of the threat information and determination of threat level changes are specific for each time period and situation and include a certain amount of subjectivity. They said no explicit criteria or other quantifiable factors are used to decide whether to raise or lower the national threat level. Based on a review of the threat information and analyses, DHS officials said that the Secretary of Homeland Security consults with the other members of the Homeland Security Council on whether the national threat level should be changed.[Footnote 9] DHS officials told us that if the Homeland Security Council members could not agree on whether to change the national threat level, the president would make the decision. After the determination has been made to raise or lower the national threat level, DHS begins its notification process. DHS used the following methods, among others, to notify entities of changes in the national threat level, according to responses from our federal agency questionnaire and discussions with DHS and other government officials: * Conference calls between the Secretary of Homeland Security and state governors and/or state homeland security officials; * Telephone calls from Federal Protective Service (FPS, a component of DHS) officials to federal agencies; * E-mail or telephone communications from Homeland Security Operations Center (HSOC) representatives to the federal, state, or local agencies they represent; * HSOC electronic systems such as the Joint Regional Information Exchange System; * FBI electronic systems such as the National Law Enforcement Telecommunications System;[Footnote 10] and: * E-mail and/or telephone communications with federal agencies' chief of staff and public affairs offices. Of the 13 federal agencies responding to our questionnaire that received notification from DHS for the code-orange alert period December 21, 2003, to January 9, 2004, 9 reported being notified by more than one method. These agencies most often reported receiving notification of threat level increases via electronic communications systems, such as the Washington Area Warning Alert System. Preliminary questionnaire responses and discussions with federal, state, and local government officials indicate that DHS also used multiple methods to notify federal, state, and local agencies of threat level changes for the other two code-orange alert periods in our review. DHS officials stated in recent congressional testimony that the department's communications of national threat level changes also provide specific information regarding the intelligence supporting the change in the threat condition, and that protective measures are developed and communicated, along with the threat information, prior to a public announcement of the decision. Some federal, state, and local officials indicated in meetings and questionnaire responses that they have not received information on region-, sector-, site-, or event- specific threats in DHS notifications of threat level changes. Some of these officials commented that they would like specific information on threats to determine the most appropriate protective measures for their agencies or localities. Thirteen of the 15 federal agencies responding to our questionnaire reported receiving notification of the threat level change from DHS during the most recent elevation to code-orange. Six of the 13 agencies reported receiving region-or sector-specific threat information; 5 reported receiving information on threat time frames; and 5 reported receiving site-or event-specific information. Two of the 15 federal agencies responding to the questionnaire reported that they did not receive notification from DHS. In addition, for each code-orange alert period, 12 of the 15 federal agencies identified insufficient information on the threat as an impediment to responding to the heightened alert. DHS officials maintain that they provide federal, state, and local officials with specific threat information whenever it is available. We will continue to review DHS's notification methods, including the content of such notifications. We expect to report the results of this work later this year. Some federal agencies, as well as state and local officials we interviewed, reported hearing about notification of national threat level changes from other entities, such as the FBI and media sources, before being notified by DHS. For example, 3 federal agencies and five state and local entities noted learning about national threat level changes via media sources prior to being notified by DHS. This raises questions about whether DHS is always conveying information regarding threat level changes to government entities expeditiously, as required by HSPD-3. Officials from one federal agency, one state, and two localities would prefer to receive notification of threat level changes from DHS prior to hearing about the changes from media sources. These officials told us that after the change is reported via media sources, their agencies receive requests for detailed information on the change from the public and other entities. They noted that their agencies appear ineffective to the public and other entities because, without notification of the national threat level change before it is reported by media sources, they do not have time to prepare informed responses. DHS officials indicated they were aware that the media sometimes reported threat level changes before DHS notified federal, state, and local officials and in the case of the second alert period in our review, before the decision to raise the threat level was even made. In addition, DHS officials told us that they send notifications/advisories to the media to inform them of impending press conferences, and that the media may speculate about announcements of threat level changes that may be made at the press conferences. DHS officials told us that they have not yet formally documented protocols for notifying federal, state, and local government agencies of national threat level changes. They told us that they are working to document their protocols. However, they could not provide us with a specific time frame as to when DHS expects to complete this effort. For an entity to control its operations, it must have relevant, reliable, and timely communications relating to internal as well as external events.[Footnote 11] As we have previously reported, to establish channels that facilitate open and effective communication, agencies should clearly set out procedures, such as communication protocols, that they will consistently follow when doing their work.[Footnote 12] Communications protocols would, among other things, help foster clear understanding and transparency regarding federal agencies' priorities and operations. Moreover, protocols can help ensure that agencies interact with federal, state, local, and other entities using clearly defined and consistently applied policies and procedures. DHS officials told us that the Homeland Security Advisory System is constantly evolving based on their ongoing review of the system. To provide more specific threat information and respond to sector-and location-specific security needs, DHS officials told us they adjust the system based on feedback from federal, state, local and private sector officials; tests of the system; and experience with previous periods of code-orange alert. For example, during the most recent code-orange alert, there was heightened concern about the use of aircraft for potential terrorist attacks and several geographic locations were also reported to be at particularly high risk. In a recent testimony, the Deputy Secretary of Homeland Security noted that DHS provided specific recommendations for protective measures to industry sectors and for geographic areas in response to specific threat information. When the national threat level was lowered to yellow on January 9, 2004, DHS recommended that some sectors, such as the aviation industry, and certain geographic locations continue on a heightened alert status. According to the Deputy Secretary, this was the first time since the creation of the Homeland Security Advisory System that DHS lowered the national threat level but recommended maintaining targeted protections for a particular industry sector or geographic location. DHS officials also told us that the department issues threat advisories and information bulletins for specific threats that do not require changes in the national threat level. Threat advisories contain information about incidents or threats targeting critical national infrastructures or key assets, such as pipelines. Information bulletins communicate information of a less urgent nature to nongovernmental entities and those responsible for the nation's critical infrastructures. The threat advisories and bulletins we reviewed also include advice on protective measures for law enforcement agencies. Federal, State, and Local Agencies Reported Receiving Useful Information and Guidance, but Would Prefer More Specific Information: Federal agencies responding to our questionnaire reported receiving and using guidance and information from various sources to develop plans for responding to each of the five national threat levels. In particular, these federal agencies indicated that they received and used guidance from FEMA, FPS, the Department of Justice (DOJ), and the White House. For example, 6 federal agencies reported using DOJ's Vulnerability Assessment of Federal Facilities.[Footnote 13] This guidance established security levels for different types of federal facilities and minimum-security standards for each level. In addition, 5 federal agencies reported using HSPD-3, which established the Homeland Security Advisory System and suggested general protective measures for each threat level. Twelve federal agencies also reported using their agencies' vulnerability assessments to help them develop appropriate measures to take in responding to national threat levels. In addition to developing response plans for each threat level, federal agencies responding to our questionnaire reported receiving and using both guidance and information and intelligence from various sources to determine additional protective measures to implement in response to the code-orange alerts included in our review. They indicated that the guidance and information was generally useful and timely. For example, as shown in table 1, the 15 federal agencies responding to our questionnaire reported using guidance from a variety of sources to determine actions to take for the most recent code-orange alert period from December 21, 2003, to January 9, 2004. Most federal agencies that reported using guidance from the agencies listed in table 1 noted that the guidance was useful and timely. Table 1: Number of Federal Agencies that Used Guidance and Found It Useful and Timely for the Code-Orange Alert Period December 21, 2003, to January 9, 2004: Source of guidance: DHS; Number of federal agencies: 11; Useful[A]: 10; Timely[B]: 7. Source of guidance: FBI; Number of federal agencies: 5; Useful[A]: 5; Timely[B]: 5. Source of guidance: White House; Number of federal agencies: 4; Useful[A]: 4; Timely[B]: 4. Source of guidance: Local law enforcement; Number of federal agencies: 1; Useful[A]: 1; Timely[B]: 1. Source: GAO analysis of data from the first 15 federal agencies responding to GAO's questionnaire. [A] We asked federal agencies to indicate whether guidance they received was very useful, somewhat useful, or of little or no use. Useful reflects respondent ratings of very useful and somewhat useful. [B] We also asked agencies to indicate whether the guidance they received was timely by responding yes or no. [End of table] Likewise, as shown in table 2, the 15 respondents to the federal agency questionnaire indicated that they used multiple sources of information and intelligence in determining actions for the most recent code-orange alert period. These agencies also generally reported that information and intelligence from the sources listed in table 2 was useful and timely. Table 2: Number of Federal Agencies that Used Information and Intelligence and Found It Useful and Timely for the Code-Orange Alert Period December 21, 2003, to January 9, 2004: Source of information/intelligence: DHS; Number of federal agencies: 9; Useful[A]: 8; Timely[B]: 8. Source of information/intelligence: FBI; Number of federal agencies: 10; Useful[A]: 8; Timely[B]: 8. Source of information/intelligence: White House; Number of federal agencies: 4; Useful[A]: 4; Timely[B]: 4. Source of information/intelligence: National Joint Terrorism Task Force; Number of federal agencies: 5; Useful[A]: 5; Timely[B]: 4. Source of information/intelligence: Agency intelligence sources; Number of federal agencies: 3; Useful[A]: 3; Timely[B]: 2. Source of information/intelligence: Local law enforcement; Number of federal agencies: 2; Useful[A]: 2; Timely[B]: 1. Source: GAO analysis of data from the first 15 federal agencies responding to GAO's questionnaire. [A] We asked federal agencies to indicate whether the information and intelligence they received was very useful, somewhat useful, or of little or no use. Useful reflects respondent ratings of very useful and somewhat useful. [B] We also asked agencies to indicate whether the guidance they received was timely by responding yes or no. [End of table] Results for the other two code-orange alert periods included in our review--March 17 to April 16, 2003, and May 20 to 30, 2003--were consistent with those reported in tables 1 and 2 for the code-orange alert period December 21, 2003, to January 9, 2004. State and local government officials we met with told us that they also used guidance and information from several sources, including DHS, to develop actions to take for the code-orange alert periods. For example, they told us that their agencies used guidance and information from DHS on critical infrastructure assets and airport security. They also indicated that they used information from the FBI and local law enforcement agencies, such as additional intelligence information, to determine areas in which to strengthen protective measures.[Footnote 14] For the most part, federal agencies responding to our questionnaire along with officials we met with from 3 state and 6 local government agencies indicated that receiving information with greater specificity about threats would have been helpful in determining additional actions to take in response to code-orange alerts. For example, 14 of 15 federal agencies responding to our questionnaire indicated that information on region-, sector-, site-, or event-specific threats, if available, would have been helpful. Additionally, all 15 federal agencies reported that information on threat time frames, if available, would have assisted them in determining appropriate actions to take in responding to the code-orange alerts. Fourteen federal agencies also indicated that receiving information on recommended measures for preventing incidents would have been helpful in determining appropriate protective measures to implement or enhance for each code-orange alert period. In addition, one state official noted that receiving more specific information about the type of threat--against bridges and dams, for example--would enable the state to concentrate its response in those areas, a more effective approach than simply blanketing the state with increased general security measures. One local official also noted that specific information about the location of a threat should be provided to law enforcement agencies throughout the nation--not just to localities that are being threatened--thus allowing other local governments to determine whether there would be an indirect impact on them and to respond accordingly. DHS officials indicated that the department works with state and local officials to develop specific protective measures. One official said that DHS communicates regularly with and provides technical advice to state and local officials to assist in the development of specialized and appropriate protective measures. Federal Agencies Reported Enhancing Existing Protective Measures More Often than Implementing New Measures, While State and Local Agencies Reported Implementing Additional Measures: Federal agencies responding to our questionnaire as well as those we visited indicated that they substantially enhanced security following the September 11, 2001, terrorist attacks. Thus, these agencies operate at high security levels regardless of the national threat level. In responding to our questionnaire, most federal agencies noted that they did not significantly increase the number of additional protective measures in response to the code-orange alerts. Federal agencies reported that their primary response for the three code-orange alerts was to enhance or more frequently use measures already in place, such as increasing the frequency of existing facility security patrols. Less often, these agencies indicated that they continued, or did not change, existing protective measures as a result of the code-orange alert periods, such as the use of intrusion detection systems. During the code orange alert period from December 21, 2003, to January 9, 2004, preliminary responses to the federal agency questionnaire indicate that about 49 percent of all protective measures these agencies reported were enhanced in response to the threat level increase. About 37 percent of all protective measures reported for this period were continued at their pre-code-orange alert levels, or not changed, by federal agencies in response to the code-orange alert. About 13 percent of the protective measures federal agencies reported for the December 21, 2003, to January 9, 2004, code-orange alert period were implemented by these agencies solely in response to the code- orange alert.[Footnote 15] For instance, one measure implemented solely in response to the code orange alert period was the extension of shifts for emergency personnel. Preliminary analysis of responses regarding the other two periods of code-orange alert is consistent with those from the December 21, 2003, to January 9, 2004, period. As indicated in table 3, among the most commonly reported protective measures, only one was implemented solely in response to the code- orange alert period December 21, 2003, to January 9, 2004, according to federal agencies' questionnaire responses. Even so, only 2 of the 14 federal agencies that reported having the measure indicated that they implemented the measure solely in response to the code-orange alert, while the other 12 agencies indicated that the measure was already in place. The protective measures most commonly reported by federal agencies for the code-orange alert period were already in place and continued at pre-code-orange alert levels or were enhanced for the code-orange alert period. Preliminary results for the other two code- orange alert periods in our review were similar to those reported in table 3. Table 3: Protective Measures Most Commonly Reported by Federal Agencies for the December 21, 2003, to January 9, 2004, Code-Orange Alert Period: Screen mail; Number of federal agencies that reported measure: 15; Number of agencies that indicated no change in measure that was already in place[A]: 8; Number of agencies that enhanced measure that was already in place[B]: 7; Number of agencies that Implemented measure for code- orange only[C]: 0. Activate monitoring systems; Number of federal agencies that reported measure: 15; Number of agencies that indicated no change in measure that was already in place[A]: 11; Number of agencies that enhanced measure that was already in place[B]: 4; Number of agencies that Implemented measure for code- orange only[C]: 0. Activate intrusion detection systems; Number of federal agencies that reported measure: 15; Number of agencies that indicated no change in measure that was already in place[A]: 14; Number of agencies that enhanced measure that was already in place[B]: 1; Number of agencies that Implemented measure for code- orange only[C]: 0. Implement facility security patrols; Number of federal agencies that reported measure: 15; Number of agencies that indicated no change in measure that was already in place[A]: 2; Number of agencies that enhanced measure that was already in place[B]: 13; Number of agencies that Implemented measure for code- orange only[C]: 0. Inspect visitors; Number of federal agencies that reported measure: 14; Number of agencies that indicated no change in measure that was already in place[A]: 8; Number of agencies that enhanced measure that was already in place[B]: 6; Number of agencies that Implemented measure for code- orange only[C]: 0. Escort visitors; Number of federal agencies that reported measure: 14; Number of agencies that indicated no change in measure that was already in place[A]: 5; Number of agencies that enhanced measure that was already in place[B]: 7; Number of agencies that Implemented measure for code- orange only[C]: 2. Source: GAO analysis of data from the first 15 federal agencies responding to GAO's questionnaire. [A] No change in a protective measure indicates that the measure was already in place prior to the code-orange alert period and continued at the same level of use or frequency during a code-orange alert. [B] The enhancement of a measure that was already in place refers to the increased use of an existing protective measure, such as more frequent facility security patrols or increased volume of mail screened. [C] The implementation of a measure for code-orange only refers to the use of an additional measure that was not already in place solely to respond to a code-orange alert. [End of table] To ensure that protective measures operate as intended and are implemented as planned, federal agencies for which we received questionnaire responses indicated that they conducted tests or exercises on these measures within the past year. These federal agencies also reported receiving confirmation from component entities, offices, or personnel that protective measures were enhanced or implemented during the code-orange alert periods. Fifteen federal agencies responding to our questionnaire reported that they conducted tests or exercises on the functionality and reliability of intrusion detection systems, mail and delivery screening equipment and procedures, monitoring systems, and continuity of operations and emergency response measures. Fourteen of these agencies indicated that they conducted tests or exercises on visitor and employee screening procedures and vehicle inspection equipment and procedures. Furthermore, 12 of these agencies noted that they confirmed that protective measures were enhanced or implemented during each of the three code-orange alert periods. Federal agencies responding to our questionnaire indicated that they benefited in various ways from the protective measures they implemented during code-orange alerts, but also noted that their operations were affected. For example, these federal agencies reported that protective measures enhanced employees' sense of security, promoted staff awareness, and provided visible deterrents to possible threats. On the other hand, they said that their operations were affected by delaying visitors, employees, and vehicles from entering facilities; limiting tours, meetings, and conferences; and shifting resources away from normal daily operations to ensure measures required for code-orange alerts were implemented. Additionally, these federal agencies noted that they faced a number of operational challenges in responding to the code-orange alerts. For example, 12 of the 15 federal agencies indicated that insufficient information on threats was an operational challenge. In particular, 6 federal agencies noted that without specific information on threats, they could not effectively focus resources on protective measures to respond to possible threats. Other operational challenges identified by some federal agencies responding to our questionnaire include insufficient personnel training to implement protective measures, insufficient equipment and materials, and insufficient facilities and space, particularly to screen visitors. Officials from two states and three local governments told us that they responded to code-orange alerts by implementing a variety of protective measures, such as enhanced entry screening, additional law enforcement patrols, and increased surveillance of critical infrastructure. They also told us that, in some cases, their agencies implemented heightened airport security measures and increased coordination with other agencies during the code-orange alert periods. Cost Data Reported by Federal, State, and Local Government Agencies Is Limited: Thirteen federal agencies, one state, and six localities provided information on additional costs, if any, that they incurred during code-orange alert periods. The cost information federal agencies reported in response to our questionnaire were generally estimates; the methods the state and six localities used to develop their information are generally unknown. Thirteen of the 15 federal agencies responding to our questionnaire provided information on whether they incurred additional costs during each of the three code-orange alert periods in our review. Of these 13 federal agencies, 9 noted they had incurred additional costs and provided a dollar amount for those costs; 4 agencies said that they did not incur any additional costs. Eight of the 9 agencies that reported incurring additional costs provided cost estimates. In addition, most of these agencies reported using similar methods to develop their estimates. Based on our preliminary analysis, these methods appear to be reasonable. For example, 5 of these agencies reported using the additional hours accumulated by security personnel during code-orange alerts multiplied by the hourly rates of security personnel to develop estimates for additional personnel costs incurred during code-orange alerts. The 8 agencies' cost estimates do not necessarily include all nonpersonnel costs that may have been incurred during one or more of the three code- orange alert periods included in our survey. One agency tracked additional costs incurred in response to code-orange alerts, and thus was able to provide actual cost information. This agency extracted cost information from its financial accounting system, which was subjected to auditing procedures. However, as reported in the fiscal year 2005 President's Budget, this agency's financial management performance had serious flaws as of December 31, 2003. Thus, we have concerns regarding the reliability of the cost information provided to us. We will continue to assess this issue and expect to report the results of this effort to you later this year. For the 9 agencies that reported incurring additional costs, we calculated the additional average daily costs incurred during each of the three code-orange alert periods. The additional average daily costs for these 9 agencies ranged from $172 to $155,000 for the March 17 to April 16, 2003, period; from $467 to $165,660 for the May 20 to 30, 2003, period; and from $158 to $142,725 for the December 21, 2003, to January 9, 2004, period. For each code-orange alert period, the lowest cost was for a small independent agency and the largest for a cabinet department. We conducted preliminary analysis on the additional average daily costs the 9 federal agencies incurred between the first and second alert periods, and no specific trends emerged. For example, of the 9 agencies that reported incurring additional costs during code-orange alert periods, 5 agencies had an increase in additional average daily costs between the first and second alert periods under review, and 3 agencies had a decrease. One agency's additional costs remained the same for each of the first two code-orange alert periods. For these 9 agencies, the total percentage change between the first and second alert periods ranged from a decrease of approximately 22 percent to an increase of about 179 percent. However, this 179 percent increase, reported by a small independent agency, represented only a difference of about $300. Based on the cost information these agencies reported, 8 of the 9 agencies incurred fewer additional costs during the third code-orange alert period than during the first code-orange alert. Percentage decreases in additional costs between these two periods ranged from about 8 percent to 83 percent. One agency did not experience any difference in additional costs incurred between the first and third code-orange alert periods under review. Even though the percentage decreases are similar for some of the 9 federal agencies, the actual dollar amount of the decreases could vary considerably. For example, while 2 federal agencies experienced an 8 percent decline in additional average daily costs between the first and third alert periods, 1 of these, a small independent agency, had a $14 decline in additional average daily costs, while the other, a larger cabinet level agency, had a $12,275 decline. Currently, we do not have sufficient information to explain the differences in additional costs the 9 federal agencies incurred between the first and second code-orange alert periods and the overall decline in additional costs for 8 of the 9 agencies between the first and third code-orange alert periods. As our analysis of the additional costs incurred by federal agencies continues, we will continue to examine differences in the additional costs individual agencies incurred in each alert period, and, where possible, obtain information about the reasons for these differences. We expect to report the results of this work to you later this year. Two of the 15 federal agencies responding to our questionnaire said that they did not report cost information for any of the three orange alert periods in the survey because they did not track additional code- orange alert costs. These agencies explained that they did not have the capability to separate additional code-orange alert costs from their total annual security-related costs. To date, we have received code-orange alert cost information from one state and six localities. These state and local cost estimates included little or no information on how they were developed or on internal control procedures used to verify the reliability of the costs provided. Therefore, we were unable to verify the comprehensiveness, consistency, reliability, or comparability of the cost estimates they provided. Based on the cost information provided by one state, we calculated the additional average daily cost for 10 of the state's agencies, which amounted to just under $400 for the code-orange alert period from March 17 to April 16, 2003. Five of its agencies collectively incurred an additional average daily cost of just over $90 for the code-orange alert from May 20 to 30, 2003. No cost information was provided for the December 21, 2003, to January 9, 2004, code-orange alert period. We do not yet know how the localities developed their cost information. Thus, we cannot assess the reliability of this information. We calculated additional average daily costs for the six localities based on the cost information they provided to us. Five localities had additional average daily costs for the March 17 to April 16, 2003, period, ranging from a low of about $8,000 to a high of about $68,000. Two localities had average daily costs of about $12,000 or less and two had costs of more than $60,000. For the May 20 to 30, 2003, period, three localities had additional average daily costs of approximately $100, $6,000, and $9,000, respectively. One of the localities provided cost information for all three orange alert periods included in our review--but its information was limited to costs for 3 agencies. That locality had additional average daily costs for 3 agencies of about $12,000 in the March 17 to April 16, 2003, period; approximately $9,000 in the May 20 to 30, 2003, period; and about $11,000 for the December 21, 2003, to January 9, 2004, period. Finally, one locality had about $5,000 per day in police overtime, equipment, and contractual costs for each day the locality was at code-orange during February through May 2003. We sent a questionnaire to 50 states, the District of Columbia, Puerto Rico, and 4 territories to collect a variety of information, including additional costs they incurred during code-orange alerts. However, we did not receive responses from any states and territories in time to include the results in this report. We expect to report any cost information collected through this effort to you later this year. Based on our work to date, states and localities generally may not systematically and uniformly collect the additional costs associated with higher (e.g., code-orange) alert levels; thus, we do not expect to collect reliable, comparable, and comprehensive state and local government costs. For example, one locality we visited told us they had tracked some additional code-orange costs by using a specific job code, but the level of effort involved to get all agencies to comply had been considerable. To the extent that inconsistent methods were used in estimating costs, reasonable comparisons of cost information are limited. Some Federal, State, and Local Government Agencies Have Similar Advisory Systems, but Can Change Threat Levels Independently: Of those agencies and entities that we have met with or contacted, 5 federal agencies, 4 states, and one locality have their own threat advisory systems to ensure that government agencies are notified of impending emergencies, such as natural disasters or terrorist threats, allowing them to prepare a response. These systems were generally in place prior to the establishment of the Homeland Security Advisory System. One federal agency told us that it had developed its own five- level alert system 8 years ago to ensure the protection of critical national security assets. This system and those of the other 9 agencies are similar to the Homeland Security Advisory System or have been modified to conform to it, as required for federal executive agencies by HSPD-3. The systems include varying threat levels with protective measures specified for each. For example, all federal agencies' threat advisory systems we have identified to date have five threat levels that correspond to the five levels of the Homeland Security Advisory System and specify a variety of protective measures for each level. Protective measures specified in these threat advisory systems include the implementation of contingency and emergency response plans; surveillance of critical locations; screening of mail coming into facilities; limitation of facility entry and exit points; and coordination with federal, state, and local law enforcement agencies. Likewise, one state's threat advisory system has five threat levels, while another state's system has four. Again, these threat levels are similar to those of the Homeland Security Advisory System. A third state's threat advisory system has three threat levels that correspond to the Homeland Security Advisory System's yellow, orange, and red threat conditions. Protective measures included in these states' systems include inspection of mail and packages, coordination of emergency response plans, establishment of command centers, and enhanced security at public events. The one locality threat advisory system we have identified to date is also similar to the Homeland Security Advisory System and has four threat levels with specific actions designated for each. Federal, state, and local government agencies we reviewed can raise or lower threat levels for their own advisory systems in response to threats or events that specifically affect their operations. They can make these adjustments regardless of whether the national threat level is raised or lowered at the same time. For instance, for 3 of the federal agencies' threat advisory systems we identified, managers can raise the alert level of their specific facilities to respond to local threat conditions. However, in general, managers cannot lower alert levels for their facilities below the level specified by an agency head or designated authority. States and local governments can also raise or lower their own threat levels based on local threats or events. For example, one state raised its threat level in early February 2003 in response to the crash of the space shuttle Columbia, while one locality raised its threat level for July 4, 2003, due to public events and large crowds in the city, even though the national threat level remained at yellow. Agency Comments: On February 23 and 24, 2004, officials representing the Department of Homeland Security provided oral technical comments on this report, which we incorporated as appropriate. We plan no further distribution of this report until 14 days after the date of this letter. At that time, we will send copies of this report to the Subcommittee on Technology, Terrorism, and Government Information, Senate Committee on the Judiciary; the Subcommittee on National Security, Emerging Threats, and International Relations, House Committee on Government Reform; Senator Joseph Biden; the Secretary of Homeland Security; the Director, Office of Management and Budget; and other interested parties. Copies will be made available to others on request. In addition, this report will be available at no charge on GAO's Web site at http://www.gao.gov. If you or your staff have any questions about this report, please contact me at (202) 512-8777 or by e-mail at jenkinswo@gao.gov. Signed by: William O. Jenkins, Jr. Director, Homeland Security and Justice Issues: Enclosures: 4: Enclosure I: Scope and Methodology: To address the objectives of our review, we met with and received information from 8 federal agencies, three states, the District of Columbia, and seven local governments and obtained information from another state and two local governments. We met with and received documentation from these federal agencies, states, the District of Columbia, and the local governments to obtain preliminary information on the following: how they were notified of national threat level changes for the three most recent periods of code-orange alert from March 17 to April 16, 2003; May 20 to 30, 2003; and December 21, 2003, to January 9, 2004; the guidance and information they reported using to assist in determining protective measures to implement during the three code-orange alerts; the protective measures they reported implementing during those periods; the additional costs they reported incurring as a result of implementing such measures; and any threat advisory systems they indicated were in place before the establishment of the Homeland Security Advisory System. We selected the 8 federal agencies to visit based on the amount of homeland security funding each agency reported to the Office of Management and the Budget for fiscal year 2003.[Footnote 16] We visited the 5 federal agencies that reported receiving the most homeland security funding in fiscal year 2003--the Departments of Energy, Health and Human Services, Homeland Security, Justice, and State. We visited one federal agency that reported receiving a moderate amount of homeland security funding, the National Aeronautics and Space Administration; one federal agency that reported receiving a small amount of homeland security funding, the U.S. Holocaust Memorial Museum; and one federal agency that did not report receiving any homeland security funding in fiscal year 2003, the Department of Education. The three states we visited were Maryland, Texas, and Virginia. We also visited the District of Columbia. The seven local governments we visited were Baltimore, Maryland; Austin, Dallas, and Travis County, Texas; and Alexandria, Arlington County, and Fairfax County, Virginia. We also received information from Montgomery County, Maryland, and Seattle, Washington. We selected Maryland and Virginia because they have critical infrastructure assets such as national landmarks and ports. Moreover, we selected the local governments in these states and the District of Columbia because they are part of the National Capitol Region, which has various important infrastructure assets, including landmarks and federal agency headquarters. We visited Texas, and three local governments in Texas, because it is a large coastal state with a variety of critical infrastructure assets, including national landmarks, ports, and oil pipelines. We also received information from Seattle, Washington, because it is a large city with critical infrastructure assets such as landmarks and ports. We examined documentation provided by the federal agencies, states, and local governments mentioned above to identify the guidance and information they used in determining protective measures for the three code-orange alert periods, the measures they implemented during those periods, the additional costs they incurred as a result of the measures implemented, and the threat advisory systems they had in place prior to the establishment of the Homeland Security Advisory System. We also obtained information from Georgia on its threat advisory system. To obtain more detailed information on federal and state agencies' guidance, measures, and additional costs for the three code-orange alert periods, we developed and sent a questionnaire to 28 federal agencies and another to the 50 states and the District of Columbia, four U.S. territories[Footnote 17] and Puerto Rico. We received comments on draft versions of the federal questionnaire from the 8 federal agencies we visited, and we pre-tested the federal questionnaire with 4 of those agencies--the Departments of Energy and Homeland Security, the National Aeronautics and Space Administration, and the U.S. Holocaust Memorial Museum. To develop a questionnaire to use in surveying states and territories, we adapted the final version of the federal questionnaire to correspond with information gathered during our preliminary visits to the 3 states, the District of Columbia, and the seven local governments and information provided to us by 1 state and two local governments. We then pre-tested this questionnaire with 3 states--Delaware, Pennsylvania, and West Virginia. We sent the questionnaire to the 25 federal agencies that reported homeland security funding for fiscal year 2003 to the Office of Management and Budget.[Footnote 18] In addition, we sent the questionnaire to 3 federal agencies that are Chief Financial Officers Act[Footnote 19] agencies but did not report homeland security funding for fiscal year 2003. Thus, we included all Chief Financial Officers Act agencies in our review, except the Department of Defense. Although the Department of Defense is a Chief Financial Officers Act agency and, along with the Army Corps of Engineers-Civil Works, reported homeland security funding for fiscal year 2003, we excluded these agencies from our review because these agencies and their component entities did not follow the Homeland Security Advisory System. We conducted preliminary analysis on the questionnaire responses received from 15 federal agencies for this report. While we received questionnaire responses from additional federal agencies, we did not receive the responses in time to incorporate the results into this report. We did not receive responses from any states or territories to our questionnaire in time to include the results in this report. For the 15 federal agencies' questionnaire responses, we analyzed the responses to determine the most commonly reported ways in which these federal agencies were notified of changes in the Homeland Security Advisory System national threat level, the types of information included in the notifications, the methods through which these federal agencies would like to be notified of national threat level changes, and the types of information they would like to have included in the notifications. In addition, we analyzed the questionnaire responses to determine the most commonly reported types of guidance and information received by these federal agencies in determining protective measures for the code- orange alerts and federal agencies' perspectives on the usefulness and timeliness of the guidance and information. We also reviewed the questionnaire responses to identify agency perspectives on the types of additional information that would have been helpful in determining protective measures. We evaluated the questionnaire responses to identify the most commonly reported types of measures that the 15 federal agencies implemented during the three code-orange alert periods, the extent to which these federal agencies conducted tests on protective measures and received confirmation on the implementation of measures, the benefits to these federal agencies from the implementation of measures, and the most commonly reported operational challenges faced by the 15 federal agencies in implementing measures. Furthermore, we analyzed cost data reported by these federal agencies in the questionnaire responses to determine the average daily additional costs incurred by federal agencies during the code-orange alert periods. We analyzed the federal agencies' cost data to determine the percentage change in additional average daily costs across the three code-orange alert periods. We evaluated the questionnaire responses to identify methods used by these federal agencies to determine their actual or estimated additional costs for each of the code-orange alert periods and their actual or estimated total costs for each code-yellow alert that preceded the code-orange alert periods. We reviewed these methods to assess the level of consistency in the ways that these federal agencies collected actual cost data or developed costs estimates and also reviewed procedures reported by federal agencies for reviewing and certifying the reliability of cost data. To obtain information on these federal agencies' threat advisory systems, we analyzed questionnaire responses to determine the number of federal agencies that had their own threat advisory systems in place prior to the establishment of the Homeland Security Advisory System as well as the number of agencies that follow their own threat advisory systems and the Homeland Security Advisory System. We reviewed documentation of the threat advisory systems that these federal agencies provided with their questionnaire responses to identify the characteristics of the systems, including the systems' threat levels and protective measures and the systems' conformance to the Homeland Security Advisory System. On the basis of our work to date, we collected detailed information on the experiences of Atlanta and Fulton County, Georgia, during the code- orange alert periods through visits with local government officials. We plan to collect detailed information from seven additional cities and four additional counties. We selected locations based on the following criteria: the local governments' receipt of urban area grants[Footnote 20] from DHS, geographic location, topography (e.g., inland or border/ seaport), and type of locality (e.g., metropolitan or nonmetropolitan area). We selected some cities and counties that received grants from DHS and some that did not. We also selected cities and counties from different geographic regions and with different topographic characteristics, as well as cities and counties that are in both metropolitan and nonmetropolitan areas. Enclosure II: Federal Agencies Surveyed: Department of Agriculture: Department of Commerce: Department of Education: Department of Energy: Department of Health and Human Services: Department of Homeland Security: Department of Housing and Urban Development: Department of the Interior: Department of Justice: Department of Labor: Department of State: Department of Transportation: Department of the Treasury: Department of Veterans Affairs: Agency for International Development: Corporation for National and Community Service: Environmental Protection Agency: Federal Communications Commission: General Services Administration: National Aeronautics and Space Administration: National Archives and Records Administration: National Science Foundation: Nuclear Regulatory Commission: Office of Personnel Management: Small Business Administration: Smithsonian Institution: Social Security Administration: United States Holocaust Memorial Museum: Enclosure III: Survey of Federal Agencies' Protective Measures, Guidance. and Costs for Elevated Threat Alerts: [See PDF for image] [End of figure] Enclosure III: Federal Questionnaire: [See PDF for image] [End of figure] Enclosure IV: GAO Contacts and Staff Acknowledgments: GAO Contacts: William O. Jenkins, Jr. (202) 512-8777: Debra B. Sebastian (202) 512-9385: Acknowledgments: In addition to the individuals named above, David P. Alexander, Fredrick D. Berry, Nancy A. Briggs, Kristy N. Brown, Philip D. Caramia, Christine F. Davis, Michele Fejfar, Rebecca Gambler, Gladys Toro, Jonathan R. Tumin, and Kathryn G. Young made key contributions to this report. (440290): FOOTNOTES [1] For this review, we analyzed information from the District of Columbia with information from states. [2] Office of Management and Budget, 2003 Report to Congress on Combating Terrorism (Washington, D.C.: September 2003). [3] Members of the Homeland Security Council include the President; the Vice President; the Secretaries of Defense, Health and Human Services, Homeland Security, Transportation, and the Treasury; the Attorney General; the Director of the Federal Emergency Management Agency; the Director of the Federal Bureau of Investigation; the Director of Central Intelligence; and the Assistant to the President for Homeland Security. [4] The Federal Emergency Management Agency was incorporated into the Emergency Preparedness and Response Directorate at the Department of Homeland Security upon the department's creation in March 2003. [5] The Homeland Security Advisory System does not directly apply to the armed forces, including their military facilities. Rather, the Department of Defense's Force Protection Condition system rates threats and sets specific measures for military facilities. [6] P.L. 107-296, Sec. 201(d)(7). [7] DHS's Homeland Security Operations Center (HSOC) and its IAIP Directorate monitor threats and conduct information assessments on a daily basis. The HSOC is comprised of representatives from DHS component entities, other federal agencies, and local law enforcement agencies. [8] The Terrorist Threat Integration Center is responsible for analyzing and sharing terrorist-related information that is collected domestically and abroad. It is an interagency joint venture that is comprised of elements of DHS, the FBI's Counterterrorism Division, the Director of Central Intelligence Counterterrorist Center, the Department of Defense, and other agencies. [9] Under HSPD-5, the Secretary can change the national threat level without consulting other Homeland Security Council members in exigent circumstances. However, DHS officials told us that this did not occur for any of the three most recent code-orange alerts. [10] We will continue to assess the various communication systems DHS utilizes to notify entities of threat level changes, including their relationship with one another. We expect to report the results of this work to you later this year. [11] U.S. General Accounting Office, Standards for Internal Control in the Federal Government, GAO/AIMD-00.21.3.1 (Washington, D.C.: November 1999). [12] U.S. General Accounting Office, Office of Compliance: Status of Management Control Efforts to Improve Effectiveness, GAO-04-400 (Washington, D.C.: Feb. 3, 2004). See also, GAO Green book…. [13] Department of Justice, Vulnerability Assessment of Federal Facilities (Washington, D.C.: June 28, 1995). [14] We expect to learn more about the guidance used by states and localities as we receive responses from our state questionnaire and will continue to develop this information through our site visits with various local officials. We expect to report the results from this work to you later in this year. [15] Percentages do not total to 100 percent due to rounding. [16] Office of Management and Budget, 2003 Report to Congress on Combating Terrorism. [17] The four U.S. territories include American Samoa, Guam, the Northern Mariana Islands, and the U.S. Virgin Islands. [18] Office of Management and Budget, 2003 Report to Congress on Combating Terrorism. Of the 25 federal agencies that reported homeland security funding in fiscal year 2003, 22 are Chief Financial Officers Act agencies. [19] P.L. 101-576 (Nov. 15, 1990). [20] The Urban Area Security Initiative grants are awarded based on a combination of current threat estimates, critical assets within the urban area, and population density.