Skip to main content

Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions

GAO-11-88 Published: Oct 15, 2010. Publicly Released: Nov 16, 2010.
Jump To:
Skip to Highlights

Highlights

The American Recovery and Reinvestment Act of 2009 (Recovery Act) requires recipients to report, among other things, project descriptions on Recovery.gov, the federal Recovery Act Web site. Within the Department of Homeland Security, the Federal Emergency Management Agency's (FEMA) Grant Programs Directorate administers the Port Security Grant Program (PSGP) to strengthen ports against risks from terrorist attacks. FEMA received and obligated $150 million in Recovery Act PSGP funds in 2009, and, as of September 2010, recipients have drawn down over $10 million. To facilitate recipient reporting, FEMA must consider the need both for transparency and for protection of Sensitive Security Information (SSI), which could be detrimental to transportation security if disclosed. As requested, GAO assessed FEMA's: (1) controls to ensure Recovery Act PSGP staff consistently follow SSI policies, and (2) steps to ensure PSGP recipients have not disclosed SSI on Recovery.gov. GAO reviewed relevant laws, regulations, guidance, and a random sample of PSGP Recovery Act recipient reports available as of February 2010, and interviewed agency officials.

FEMA has taken steps to ensure Recovery Act PSGP staff consistently follow the Department of Homeland Security's SSI policies and processes, but key actions have not been taken. For instance, FEMA has appointed an SSI Program Manager--responsible for FEMA-wide SSI oversight--and an SSI Coordinator to facilitate the Grant Programs Directorate's use of SSI. Also, the SSI Program Manager provided SSI training to FEMA's Grant Programs Directorate staff; however, the training did not include FEMA-specific examples to illustrate the application of SSI, which the staff requested. GAO has previously reported that, when assessing training, managers should consider whether the training includes both the theoretical basis of the material--such as context and principles--and the practical application of the issues. Including FEMA-specific examples could help FEMA ensure Recovery Act PSGP staff have the necessary knowledge to handle and safeguard SSI. In addition, the SSI Coordinator has not assessed whether SSI documents have been appropriately labeled, in accordance with SSI regulations. For example, FEMA has determined that certain materials grant recipients submit to FEMA during the application process to describe how their projects will address current gaps and deficiencies are SSI, but has not marked them as such. While these documents have not been posted to Recovery.gov, immediately reviewing and marking them as SSI could improve safeguards and help prevent the information contained therein from inadvertent disclosure. FEMA has taken steps to develop a quarterly review process for Recovery Act PSGP recipient reports--prior to their public release on Recovery.gov--but does not have key controls to help prevent public disclosure of SSI. For instance, FEMA staff drafted a procedure for reviewing recipient reports, but FEMA management has not approved it and the draft does not include a procedure to verify the reviews' accuracy. Further, while GAO found that SSI had not been disclosed in Recovery Act recipient reports posted on Recovery.gov for the single reporting period GAO reviewed--with data publicly available as of February 2010--FEMA lacks a process for comparing recipient reports to SSI criteria, and a protocol that informs recipients when FEMA determines that their reports contain SSI. Introducing these measures could help Grant Programs Directorate staff consistently review reports, identify when they contain SSI, reduce the risk of SSI disclosure on Recovery.gov, and reinforce recipients' obligations to safeguard SSI. In addition, GAO found wide variation in the level of detail about the awards' descriptions among the recipient reports sampled from Recovery.gov as of February 2010, although the majority provided minimal detail. According to FEMA, the sensitive nature of PSGP information affects the transparency of PSGP recipient reporting. By providing instruction to recipients on what should and should not be reported due to SSI requirements, FEMA could help recipients report project details in a transparent manner on the expenditure of Recovery Act funds while protecting information that could otherwise jeopardize transportation security if released. GAO recommends that FEMA improve SSI training, ensure proper marking of SSI, enhance recipient report review controls, and instruct recipients on safeguarding SSI while reporting on funded activities and expected outcomes in a transparent manner. FEMA concurred.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Emergency Management Agency To enhance the identification, management, and protection of SSI within FEMA in its administration of the Recovery Act PSGP, the FEMA Administrator should direct Grant Programs Directorate (GPD)'s SSI Coordinator to review Recovery Act PSGP investment justifications in FEMA's possession and ensure that they are appropriately marked as SSI.
Closed – Implemented
We found that, although the Federal Emergency Management Agency (FEMA) considers all investment justifications submitted by Port Security Grant Program (PSGP) recipients to FEMA's Grant Programs Directorate (GPD) when applying for the grant to be Sensitive Security Information (SSI), not all Recovery Act PSGP investment justifications in FEMA's possession were appropriately marked as SSI, as required by SSI regulations. Further, GPD's SSI Coordinator had not determined whether SSI documents were appropriately marked. As a result, we recommended that the FEMA Administrator direct GPD's SSI Coordinator to review Recovery Act PSGP investment justifications in FEMA's possession and ensure that they are appropriately marked as SSI. In December 2010, GPD's SSI Coordinator identified investment justifications in FEMA's Grant Management System that contained SSI, coordinated with the Transportation Security Administration's (TSA) SSI Branch--the governmentwide focal point for determining if information is SSI--to determine how best to ensure this information was appropriately marked SSI, outlined steps for employees to follow when printing or downloading these documents from the grants management system, and trained GPD employees on how to appropriately mark the investment justifications as SSI. These actions are consistent with our recommendation.
Federal Emergency Management Agency To enhance the identification, management, and protection of SSI within FEMA in its administration of the Recovery Act PSGP, the FEMA Administrator should direct GPD's SSI Coordinator, when developing and providing further SSI training to GPD staff, to incorporate FEMA-specific examples of the application and use of SSI in the training.
Closed – Implemented
We found that the Sensitive Security Information (SSI) training the Federal Emergency Management Agency (FEMA) provided to staff in its Grant Programs Directorate (GPD) did not incorporate grant-specific examples that could have helped facilitate GPD staff's understanding in applying the SSI concepts to their everyday work, although GPD staff asked for such examples. We previously reported that managers should consider the incorporation of theoretical material and practical application when assessing training. As a result, we recommended that the FEMA Administrator direct GPD's SSI Coordinator, when developing and providing further SSI training to GPD staff, to incorporate FEMA-specific examples of the application and use of SSI in the training. In November 2010 and February 2011, FEMA delivered revised training to GPD staff that included FEMA-specific examples of how SSI applied to staff's work. The revised training is consistent with our recommendation.
Federal Emergency Management Agency To enhance the identification, management, and protection of SSI within FEMA in its administration of the Recovery Act PSGP, the FEMA Administrator should direct FEMA's Assistant Administrator for GPD to develop, document, and approve a policy that reflects management's intent to implement internal controls governing FEMA's review process for Recovery Act recipient reports that include appropriate internal controls and a procedure both for comparing recipient reports against SSI criteria and notifying recipients when their submissions contain SSI.
Closed – Implemented
We found that the Federal Emergency Management Agency (FEMA) did not have a process for comparing information reported quarterly by Recovery Act Port Security Grant Program (PSGP) recipients that would ultimately be published on the publicly available website Recovery.gov against Sensitive Security Information (SSI) criteria to ensure that sensitive information was not made publicly available. Further, FEMA lacked a protocol for informing recipients when their draft Recovery Act reports contained sensitive information and should be safeguarded appropriately. Finally, management in FEMA's Grant Programs Directorate (GPD) had not documented or approved a review procedure for reviewing Recovery Act PSGP recipient reports that included a procedure for verifying the accuracy of reviews, a key internal control that reduces the risk of error. As a result, we recommended that the FEMA Administrator direct GPD's Assistant Administrator to develop, document, and approve a policy that reflects management's intent to implement internal controls governing FEMA's review process for Recovery Act recipient reports that include appropriate controls and a procedure both for comparing recipient reports against SSI criteria and notifying recipients when their submissions contain SSI. In June 2011, FEMA issued an approved standard operating procedure (SOP) detailing the activities associated with reviewing and correcting Recovery Act grantee reports. The SOP includes multiple reviews of grantees reports, which will help verify the accuracy of each reviewer's work. In addition, the SOP includes a procedure by which reviewers identify and request the removal of SSI in grantee submissions, contact grantees who compromise SSI directly by email or phone, and describe the necessary revisions to ensure the protection of SSI in the grantee's report. The approved SOP is consistent with our recommendation.
Federal Emergency Management Agency To enhance the identification, management, and protection of SSI within FEMA in its administration of the Recovery Act PSGP, the FEMA Administrator should direct FEMA's Assistant Administrator for GPD to take appropriate measures--such as issuing technical assistance, supplemental materials, or OMB-approved guidance--to inform Recovery Act PSGP recipients of what information they should include in the narrative fields that ultimately will be posted on Recovery.gov to foster a basic understanding of funded activities and expected outcomes in a transparent manner while ensuring that SSI is not disclosed on Recovery.gov.
Closed – Implemented
We found that the Federal Emergency Management Agency (FEMA) considers certain information related to Recovery Act Port Security Grant Program (PSGP) grants to be Sensitive Security Information (SSI), but that FEMA had not provided assistance or guidance to Recovery Act PSGP recipients on how to report on their activities and outcomes transparently while also safeguarding SSI on the publicly available website Recovery.gov. Under SSI regulations, Recovery Act PSGP recipients are considered to be covered persons with a duty to safeguard SSI, while Office of Management and Budget Recovery Act reporting guidance states that recipients' narrative information must be sufficiently clear to facilitate understanding by the general public of how Recovery Act funds are being used. As a result, we recommended that FEMA's Assistant Administrator for its Grant Programs Directorate (GPD) take appropriate measures to inform Recovery Act PSGP recipients of what information they should include in the narrative fields that will ultimately be posted on Recovery.gov to foster a basic understanding of funded activities and expected outcomes in a transparent manner while ensuring that SSI is not disclosed on Recovery.gov. In April 2011, GPD's Assistant Administrator issued an Information Bulletin to FEMA grant recipients--including Recovery Act PSGP recipients--that informs them of what information they should label and treat as SSI. This information bulletin is consistent with our recommendation.

Full Report

Office of Public Affairs

Topics

Classified informationConfidential informationFederal aid programsFederal fundsFederal grantsGovernment information disseminationGrant administrationHomeland securityInformation classificationInformation disclosureInformation securityInformation security regulationsInternal controlsPort securityReporting requirementsSafeguardsFinancial reportingPolicies and proceduresTransparency