This is the accessible text file for GAO report number GAO-08-637T entitled 'Information Sharing: Definition of the Results to Be Achieved in Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress' which was released on July 23, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the Committee on Homeland Security and Governmental Affairs, U.S. Senate: United States Government Accountability Office: GAO: For Release on Delivery: Expected at 10:00 a.m. EDT: Wednesday, July 23, 2008: Information Sharing: Definition of the Results to Be Achieved in Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress: Statement of Eileen R. Larence, Director: Homeland Security and Justice Issues: GAO-08-637T: GAO Highlights: Highlights of GAO-08-637T, a testimony before the Committee on Homeland Security and Governmental Affairs, U.S. Senate. Why GAO Did This Study: In 2005, GAO placed the issue of information sharing for homeland security on its high-risk list of federal functions needing broad-based transformation and since then has monitored the government’s progress in resolving barriers to sharing. This testimony discusses three key information sharing efforts: (1) the actions that have been taken to guide the design and implementation of the Information Sharing Environment (ISE) and to report on its progress, (2) the characteristics of state and local fusion centers and the extent to which federal efforts are helping to address some of the challenges centers reported, and (3) the progress made in developing streamlined policies and procedures for designating, marking, safeguarding, and disseminating sensitive but unclassified information. This testimony is based on GAO’s products issued from March 2006 through July 2008 and selected updates conducted in July 2008. What GAO Found: In a report being released today, GAO concludes that the ISE, under the leadership of a designated Program Manager, has had a measure of success, but lacks a road map for guiding the ISE, ensuring accountability, and assessing progress. The Program Manager’s Office issued an implementation plan in November 2006 to guide the design of the ISE, has carried out a number of steps in that plan, and has leveraged existing efforts and resources agencies independently pursued for improving information sharing. However, this plan lacks important elements essential to effectively implement the ISE. Gaps exist in (1) defining the ISE’s scope, such as determining all the terrorism-related information that should be part of the ISE; (2) clearly communicating and distinguishing the role of the Program Manager and other stakeholders; and (3) determining the results to be achieved by the ISE (that is, how information sharing is improved) along with associated milestones, performance measures, and the individual projects. Two annual reports on progress have been issued. Each identifies annual goals and individual ISE efforts, but neither reports on the extent to which the ISE has improved information sharing. GAO reported in October 2007 that fusion centers, established by states and localities to collaborate with federal agencies to improve information sharing, vary widely but face similar challenges—especially related to funding and sustaining operations—that the federal government is helping to address but are not yet resolved. While the centers varied in their level of maturity, capability, and characteristics, most fusion centers focused on processing information on crimes and hazards, as well as terrorism-related information. Fusion center officials reported facing challenges such as obtaining specific, clear guidance and training; obtaining and retaining qualified personnel; and securing funding for center operations over the long term. The Department of Homeland Security and the Federal Bureau of Investigation were helping to address these challenges by, for example, providing technical assistance and training, personnel, and grant funding. Also, legislation has been proposed to clarify how funding may be used to hire and retain intelligence analysts. Although the myriad of sensitive but unclassified designations has been a long-standing problem, progress has been made in establishing processes for designating, marking, safeguarding, and disseminating this information. In March 2006, GAO reported that each federal agency determined sometimes inconsistent designations to apply to its sensitive but unclassified information and this could lead to challenges in information sharing, such as confusion on how to protect the information. Thus, GAO recommended that the Directors of National Intelligence and the Office of Management and Budget issue a policy that consolidates sensitive but unclassified designations. In a May 2008 memorandum, the President adopted “controlled unclassified information” (CUI) to be the single categorical designation for sensitive but unclassified information throughout the executive branch and provided a framework for designating, marking, safeguarding, and disseminating CUI. What GAO Recommends: GAO is recommending that the ISE Program Manager more fully define the ISE’s scope, results to be achieved, and stakeholders’ roles and responsibilities, including the development of performance measures and defining the federal government’s long-term role in relation to fusion centers, including the provision of resources. The ISE Program Manager generally agreed with these recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-637T]. For more information, contact Eileen Larence at (202) 512-8777 or larencee@gao.gov. [End of section] Mr. Chairman and Members of the Committee: Thank you for the opportunity to summarize the results of our recent reviews of the government's efforts to better share information about possible terrorist threats to protect the homeland. As you know, in 2005, GAO placed the issue of information sharing for homeland security on its high-risk list of federal programs or functions needing broad- based transformation and since then has conducted work to monitor the government's progress in resolving barriers to sharing. What we found is that in the wake of 9/11 and the passage of the Intelligence Reform and Terrorism Prevention Act of 2004 (Intelligence Reform Act) and Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act), agencies at the federal, state, and local levels are taking steps to better share information about possible terrorist threats.[Footnote 1] New organizations whose mission is information sharing and fusion have been created. New processes, information systems, and networks have evolved to handle the sharing and to encourage communication among the partners who must analyze and act on this information. And Congress and the administration have enacted new laws and issued new policies, guidance, and standards to promote better sharing. But there is still important and critical work left to do. This includes better integrating all of these changes and initiatives into a set of functioning policies, processes, and procedures for sharing; continuing to break down agency stovepipes and cultures that promoted protection over sharing; monitoring and measuring progress; and maintaining momentum. Among the many efforts begun to improve information sharing is the creation of the Information Sharing Environment (ISE), a governmentwide "approach that facilitates the sharing of terrorism and homeland security information, which may include any method determined necessary and appropriate.[Footnote 2]" In implementing this initiative, the Program Manager for the ISE--appointed by the President and responsible for planning, overseeing, and managing this new approach with participation of other federal departments and agencies, such as the Departments of Defense, Justice, and Homeland Security--envisions an ISE that will be comprised of policies, procedures, and technologies that link people, systems, and information among all critical stakeholders. In addition, most states and some local areas have created fusion centers to address gaps in homeland security and law enforcement information sharing by the federal government and to provide a conduit for this information within each state. While they vary--reflecting differences in state and local needs--a fusion center is generally a "collaborative effort of two or more federal, state, local, or tribal government agencies that combines resources, expertise, or information with the goal of maximizing the ability of such agencies to detect, prevent, investigate, apprehend, and respond to criminal or terrorist activity." One of the barriers to information sharing with these entities was the many different and sometimes confusing and contradictory ways that agencies were identifying and protecting sensitive but unclassified information. This information encompasses a large but unquantifiable amount of information--for example, sensitive law enforcement information, information about a narcotics-smuggling ring, and terrorism financing information--that does not meet the standards established by executive order for classified national security information, but that an agency nonetheless considers sufficiently sensitive to warrant restricted dissemination. My testimony today summarizes the findings of our work on the following three information sharing initiatives: (1) the actions that have been taken to guide the design and implementation of the ISE and to report on its progress, (2) the characteristics of state and local fusion centers and the extent to which federal efforts are helping to address some of the challenges centers reported, and (3) the progress made in developing streamlined policies and procedures for designating, marking, safeguarding, and disseminating sensitive but unclassified information. The information in this testimony is based on GAO reports and testimonies issued from March 2006 through June 2008 addressing these three terrorism-related information sharing issues.[Footnote 3] We also conducted selected updates in July 2008 by obtaining and reviewing the Annual Report to the Congress on the Information Sharing Environment, dated June 30, 2008, released after our report on the ISE was issued, and the May 2008 Memorandum for the Heads of Executive Departments and Agencies: Designation and Sharing Controlled Unclassified Information, released since our work on that issue. We conducted this work according to generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Summary: In a report we are releasing today, we conclude that one of the primary ways in which Congress and the administration intended to promote sharing--through the ISE under the leadership of a designated Program Manager--has had a measure of success, but lacks a road map that defines the scope of the ISE, roles and responsibilities and the desired results to be achieved (i.e., how information sharing should be improved), and measures for assessing progress. The Program Manager's Office issued an implementation plan in November 2006 to guide the design of the ISE, has achieved a number of steps in that plan, has incorporated into the ISE a number of initiatives that agencies independently pursued to leverage resources, and has issued two annual reports on its progress. However, this progress is tempered by several gaps to be filled, such as: * The Program Manger and participating agencies have not yet fully defined the scope of the ISE--or what the ISE is and is not to include- -and completely answered fundamental questions, such as what information should be shared, where does the information reside, and what systems and networks will be integrated into the ISE. Addressing these gaps is important and necessary to establish a clear road map to guide implementation for all entities involved, ensure that progress is made based on needs, and facilitate future measurement of progress in information sharing. * The role and responsibilities of the Program Manager versus those of the key agencies involved were not clearly distinguished and communicated, slowing progress. Delineating clear roles and responsibilities will minimize confusion over what each stakeholder is accountable for in implementing and operating the ISE and help minimize unnecessary delays that result. * The Program Manager and stakeholders have yet to fully define the results to be achieved and milestones, performance measures, and individual projects for assessing progress. Linking measurable long- term and interim goals and clearly defining measurable results to be achieved can help the Program Manager and stakeholders track progress of implementation and improved sharing as well as hold stakeholders accountable for meeting their responsibilities and contributions in ensuring the ISE's success. The ISE and information sharing for protecting the homeland against terrorism is a complex and ever-evolving challenge. Addressing these gaps, while difficult, is nevertheless necessary to provide Congress and the public reassurance that the flaws leading to 9/11 have been or are being corrected. Therefore, to address these gaps and help ensure that the ISE is on a measurable track to success, we recommended that the Program Manager, with full participation of relevant stakeholders (e.g., agencies and departments on the ISE), (1) more fully define the scope and specific results to be achieved by the ISE along with the key milestones and individual projects or initiatives needed to achieve these results, and (2) develop a set of performance measures that show the extent to which the ISE has been implemented and sharing has been improved--including, at a minimum, what has been and remains to be accomplished--so as to more effectively account for and communicate progress and results. The Program Manager generally agreed with these recommendations. The recently issued 2008 annual report comes closer to addressing these gaps, but acknowledges that work remains to be done to move from measuring individual agency actions and progress to measuring the overall performance of the ISE and the results and outcomes achieved.[Footnote 4] But our work shows that there are still important questions for the administration and Congress to answer: Does the federal government know where it is going and what it is trying to achieve in the end? How far has it come and how much is left to do? Is this progress good enough? How much better is the sharing and what difference has it made? What will it cost? Finding these answers will be challenging but critical for ensuring homeland security. With respect to our work on information fusion centers, we reported in October 2007 that these centers vary widely and that a number of them face several similar challenges--especially related to funding and sustaining operations--that the federal government is helping to address but that are not yet resolved. More specifically, our work showed that states and localities generally created these centers to improve information sharing across levels of government and to prevent terrorism or other threats. At the time of our review, the centers varied in level of maturity and capability, but most focused on processing information related to crimes or hazards, not just terrorism- related information. As we reported, most were led by law enforcement entities; had a variety of partnerships with other federal, state, and local agencies; and had federal personnel assigned. Among the challenges fusion center officials reported that they faced were managing a high volume of information from multiple systems, obtaining specific and clear guidance and training on operational issues, obtaining and retaining qualified personnel, and securing federal grant or state and local funding for center operations over the long term. We reported in October 2007 that the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) were helping to address these challenges by, among other things, providing access to information systems and networks as well as technical assistance and training, deploying personnel to centers, and providing grant funding. However, to improve efforts to create a national network of fusion centers as envisioned for the ISE, we recommended that the federal government determine and articulate its long-term fusion center role and whether it expects to provide resources to centers to help ensure their sustainability. To some extent, the administration did so in the National Strategy for Information Sharing: Success and Challenges in Improving Terrorism-Related Information, issued in October 2007, by stating that the federal government will support the establishment of fusion centers and help sustain them. The 9/11 Commission Act further reflects this and legislation has been proposed to clarify how Homeland Security Grant Program funding may be used to hire and retain intelligence analysts. Finally, as to the barriers to sharing posed by agency practices in protecting sensitive information, we found that although the myriad of sensitive but unclassified designations has been a long-standing problem, a recently issued policy should help to streamline and standardize the process for designating, marking, safeguarding, and disseminating this information. In March 2006, we reported that U.S. government agencies had varying and disparate designations--such as law enforcement sensitive, for official use only, and unclassified controlled nuclear information--for identifying sensitive but unclassified information. At that time, there were no governmentwide policies or procedures that described the basis on which agencies should designate, mark, and handle this type of unclassified information, resulting in each agency deciding how to do this on its own. We reported that such inconsistency could lead to challenges in information sharing, such as confusing those receiving the information- -including local and state law enforcement agencies--who in turn must understand and safeguard the information according to each federal agency's rules. Consequently, we recommended the issuance of a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies, as well as a directive requiring that agencies have in place internal controls for the designation and use of this information. To address this concern and in line with our recommendations, in a May 2008 memorandum, the President adopted "controlled unclassified information" (CUI) to be the single categorical designation for sensitive but unclassified information throughout the executive branch; outlined a framework for identifying, marking, safeguarding, and disseminating this information; and made the National Archives and Records Administration (NARA) responsible, through its new CUI Office, for implementation and oversight. While the new policy is a good start, our work has demonstrated that monitoring agencies' compliance to ensure that they implement guidelines, training, and internal controls will help ensure that the policy is employed consistently across the federal government. The Transportation Security Administration's (TSA) program on managing information it designates as sensitive security information could serve as a model to guide other agencies' implementation of CUI. We found that the program institutes many of these key components, such as employee training on how to decide what information to designate as sensitive security information, and internal controls, such as supervisory review to ensure that employees are appropriately making these designations. Stakeholders Are Taking Steps to Improve Terrorism-Related Information Sharing, but Existing Gaps Present Challenges for Implementing the ISE and Measuring Its Progress: ISE stakeholders are taking steps to improve terrorism-related information sharing, but work remains to define the scope of the ISE, roles and responsibilities, the desired results to be achieved--that is, how information sharing should be improved--and measures for assessing progress, all elements in establishing a road map for meeting information sharing needs and implementing the ISE. For example, because these gaps, such as the need to better define roles and responsibilities, have not been fully addressed, additional effort has been spent reinforcing that all stakeholders are accountable for defining the ISE, not just the Program Manager. For example, in response to the Intelligence Reform Act, the President appointed a Program Manager for the ISE and on December 16, 2005, issued a memorandum to implement guiding principles--the presidential guidelines--consistent with establishing and supporting the ISE. [Footnote 5] In addition, an Information Sharing Council (ISC), chaired by the Program Manager and currently composed of 16 other members-- including designees of the Departments of State, Justice, and Homeland Security--has been established to provide interagency support and advice to the Program Manager on the development of the ISE. A step in planning for the ISE and putting it into operation included the issuance of the Information Sharing Environment Implementation Plan in November 2006. This plan provides an initial structure and approach for designing and implementing the ISE and addresses ways to meet the ISE requirements set forth in the Intelligence Reform Act as well as the presidential guidelines. For example: * The plan includes steps toward standardizing procedures for protecting information privacy. One such activity identified in the plan includes having the Program Manager and key stakeholders establish a process for ensuring that nonfederal organizations participating in the ISE implement appropriate policies and procedures for providing protections. * The plan maps out a timeline for further defining what information, processes, and technologies are to be included in the ISE and exploring approaches for implementing these processes and technologies. The plan consists of a two-phased approach for implementing the ISE by June 2009. Phase 1, originally scheduled to be completed by June 2007, generally covers setup activities such as investigating existing or emerging search technologies for use in the ISE, and relationship building among stakeholders through participation on the ISC. Phase 2, that was to commence in July 2007, covers design as well as implementation of the ISE. The two phases are comprised of 89 total action items organized by priority areas, such as improved terrorism information handling. While 48 action items were to be completed by June 2007, by the end of Phase 1, only 18 were completed. Completed activities include development of proposed common terrorism information sharing standards--a set of standard operating procedures intended to govern how information is to be acquired, accessed, shared, and used within the ISE--and implementation of electronic directory services pages to help identify sources where terrorism information may be located within the federal government and whom to contact to access it. * Design and implementation also incorporate independent initiatives that federal, state, and local agencies had under way to enhance information sharing across the government. This is in accordance with the Intelligence Reform Act's call to build upon existing systems capabilities in use across the government. These initiatives include the fusion centers state and local governments created and plans to develop a national network of these centers to improve sharing among federal, state, and local entities. They also include the FBI's Terrorist Screening Center, which consolidates information on known or suspected terrorists who operate within the United States for dissemination to federal agencies that use the information to screen individuals for possible terrorist links. The plan also includes several gaps, however, which have tempered progress in implementing the ISE. Components needed to remediate these gaps include more fully defining the scope of the ISE, clarifying stakeholder roles and responsibilities (i.e., that of the Program Manager as distinguished from those of the departments and agencies that own and must share terrorism-related information), and defining the results to be achieved by the ISE as well as the associated milestones, performance measures, and projects needed for effective program planning and performance measurement. These are all important elements for establishing a road map for and ensuring stakeholders are held accountable in meeting information sharing needs, implementing the ISE, and measuring progress. To expand on each of these three points, first, the Program Manager and the federal agencies that are key to making the ISE work--such as the Departments of Defense, Homeland Security, Justice, and State--still have work to do to define the scope of the ISE, or what is and is not to be included in it. For instance, the Program Manager and stakeholders are still addressing fundamental questions, such as what information should be shared, where the information resides, how the information will be shared yet protected, how to provide access to information yet respect privacy, and what systems and networks will be used as part of the ISE. We recognize that the ISE will evolve over time and that these questions will need to be revisited and the answers updated and incorporated into the ISE. Answering these questions, at least for the near term, is important and necessary because it helps determine the elements critical for conveying what the ISE is to include and identifying available stakeholder resources--all components needed to establish a clear road map to successfully implement the ISE. Second, the implementation plan did not clearly communicate and distinguish the role and responsibilities of the Program Manager from those of the key agencies in implementing the ISE and improving information sharing. This has ultimately led to confusion over what each stakeholder will be held accountable for in implementing and operating the ISE. In describing the role of the Program Manager, officials at the Office of the Program Manager noted that his role is primarily as a facilitator and, for example, one who focuses on improving existing business processes or remaining barriers that affect information sharing among two or more of the five ISE communities [Footnote 6] that make up the ISE. However, the Program Manager does not focus on processes that are internal to ISE members unless they directly impact the wider ISE. Agencies, on the other hand, are accountable for identifying and sharing the terrorism information they own if the ISE is to succeed. However, at the time of our review agencies reported that they were unclear about the Program Manager's role or what their agencies were to provide in support of the ISE. Meanwhile, program officials reported that agencies were not participating consistently and effectively. As a result, this conflict has slowed progress in implementing the ISE, as evidenced by the fact that 30 of 48 Phase 1 implementing action items remained incomplete at the end of the phase in June 2007. To address these concerns, the President in October 2007 released the National Strategy for Information Sharing[Footnote 7] that reaffirmed that stakeholders at all levels of government, the private sector, and foreign allies play a role in the ISE and further defined the role of the Program Manager as also assisting in the development of ISE standards and practices. However, the strategy did not further clarify the parameters of the Program Manager's role and what is within the scope of his responsibilities in "managing" the ISE versus other ISE stakeholders. In November 2007, the Program Manager held a first-time, off-site meeting with ISC members to focus on ISE priorities, clarify responsibilities, and emphasize the importance of everyone's active participation and leadership--with the intent of rectifying any misperceptions and reinforcing that all ISE stakeholders are responsible for the ISE. Further delineating clear roles and responsibilities will minimize confusion over what each stakeholder is accountable for in implementing and operating the ISE and help minimize unnecessary delays that result. Finally, work also remains in further defining the results to be achieved by the ISE, the projects needed for implementing the ISE, and the milestones to be attained--all important elements for effective program planning and performance measurement. Existing federal guidance as well as our work and the work of others indicates that programs should have overarching strategic goals that state the program's aim or purpose, that define how it will be carried out over a period of time, are outcome oriented, and that are expressed so that progress in achieving the goals can be tracked and measured.[Footnote 8] Moreover, these longer-term strategic goals should be supported by interim performance goals (e.g., annual performance goals) that are also measurable, define the results to be achieved within specified time frames, and provide for a way to track annual and overall progress (e.g., through measures and metrics). Following these practices can help the Program Manager and stakeholders track progress and hold stakeholders accountable for meeting their responsibilities and contributions in ensuring the ISE's success. The Program Manager and stakeholders have taken action in accordance with these program management principles, but gaps remain. For example, the implementation plan identifies six longer-term strategic ISE goals. For example, one of these goals is that to the maximum extent possible, the ISE is to function in a decentralized, distributed, and coordinated manner. However, the plan does not define what this goal means or set up interim or annual goals and associated time-sensitive milestones to be built upon to achieve the overall goal. Furthermore, the plan does not define how agencies will measure and ensure progress in meeting the strategic goal in the interim or overall. Instead, the plan notes that performance measures will be developed at a later date. Moreover, with regard to identifying the steps to be taken in implementing the ISE, the plan does not present the projects and the sequence in which they need to be implemented to achieve this strategic goal in the near term or in the future, or the specific resources needed and stakeholder responsibilities. Therefore, work remains in developing the road map for achieving this strategic goal. Since the issuance of the implementation plan, the Program Manager and participating agencies have taken steps to assess progress and improve the ISE's road map by issuing two annual reports and defining annual goals and performance measures, in part consistent with federal guidance for program planning and performance measurement. But taken together, these efforts do not yet provide methods to hold agencies accountable for ensuring that the necessary sharing of terrorism information is under way and effective. More specifically, the first annual report issued by the Program Manager in September 2007 describes overall progress by citing advancements in implementing individual initiatives that contribute to the ISE. Some of these were accomplished under the implementation plan--such as the formation of the electronic directory services--and others were achieved prior to or separate from efforts to create the ISE--such as the establishment of the FBI's Terrorist Screening Center. However, the report does not show how much measurable progress has been made toward implementing the ISE, how much remains to be done, or a road map for completion. For example, the only means to track progress that was set up in the implementation plan was the two-phased approach and the 89 action items. But the progress report did not provide an accounting of the status of these action items or identify how much of the implementation had been completed. Moreover, while the 2007 annual report identifies four performance goals for 2008, information necessary for assessing progress in meeting these goals--such as a defined starting point or baseline against which to assess progress, targets to be reached, or supporting performance measures and interim milestones to be achieved in implementing the ISE- -is not identified. In the fall of 2007 the Program Manger, with input from ISE participating agencies, developed performance measures in support of the four performance goals identified in the annual report. These measures are intended to improve reporting on progress in implementing the ISE and represent an important first step in providing quantitative data for assessing progress made in information sharing and in helping to inform Congress and other stakeholders of specific information sharing improvements. However, there are several gaps in these measures. For instance, they focus on counting activities accomplished rather than results achieved to show the extent to which ISE strategic goals and implementation have been attained. The performance measures include, for example, the number of ISE organizations with a procedure in place for acquiring and processing reports on suspicious activities potentially related to terrorism, but not how the reports are used and what difference they are making in sharing to help prevent terrorist attacks. Similarly, the measures attempt to assess the creation of a culture of sharing by tabulating the percentage of relevant ISE organizations that have an information sharing governance body or process in place, but not by measuring the outcome--such as how and to what extent cultural change is being achieved. Taking the next step-- from counting activities to measuring results or outcomes--will be difficult, particularly since the program is still being designed, but critical for accurately providing Congress and policymakers with the information they need to assess the amount and rate of progress, remaining gaps, and the need for any intervening strategies. Though issued after we completed our June 2008 report,[Footnote 9] we subsequently reviewed the second ISE annual report dated June 30, 2008 and determined that the Program Manager has taken steps to improve assessments of progress in the ISE as program officials noted they would during our review. However, gaps still remain in defining key aspects of a road map--such as its scope, roles and responsibilities, and results to be achieved. One improvement, for instance, is that the Program Manager tried to better align agency activities according to the five guidelines and two requirements presented by the President in his 2005 memorandum[Footnote 10] rather than listing them independently. For example, toward addressing guideline 2--"Develop common standards for the sharing of information between and among executive departments and agencies and state, local, and tribal governments, law enforcement agencies, and the private sector"--the 2008 annual report identifies the status of efforts to generate, disseminate, and receive terrorism-related alerts, warnings, and notifications between the federal government and state, local, and tribal stakeholders. Also, the Program Manager laid out annual performance goals that list specific and measurable activities to be accomplished in 2009, such as completing initial efforts to implement the new suspicious activity reporting process--an initiative for streamlining the process for sharing information on suspicious activities or incident information with a potential terrorism nexus between federal, state, local, and tribal partners. Nevertheless, while the performance goals incorporate some quantitative data for assessing progress, they continue to focus on counting activities rather than measuring outcomes. For example, one performance goal states that agencies will increase fusion centers' access to terrorism-related information and ISE capabilities but does not define what this goal means and provide information on how it will be measured. Such information might include identifying the level of access centers currently have to information for use as a baseline from which to measure progress, the target increase agencies are expected to achieve, and how much achieving this goal is expected to improve sharing. While the activities identified in the performance goals and the information provided through the performance measures will likely enhance the fabric of what will ultimately be the ISE, they do not yet identify the overall road map for the ISE and provide answers to key questions regarding what the ISE will include and will not include and how the ISE will function in, for example, the next 3 years. We appreciate that the ISE and information sharing for protecting the homeland against terrorism is a complex and ever-evolving challenge, making development of a road map for the ISE with which to assess progress, hold stakeholders accountable, and provide Congress and the public with assurance that efforts are being taken to strengthen information sharing ever more important. Therefore, to help ensure that the ISE is on a measurable track to success, we recommended that the Program Manager, with full participation of relevant stakeholders (e.g., agencies and departments on the ISE), (1) more fully define the scope and specific results to be achieved by the ISE along with the key milestones and individual projects or initiatives needed to achieve these results; and (2) develop a set of performance measures that show the extent to which the ISE has been implemented and sharing improved- -including, at a minimum, what has been and remains to be accomplished- -so as to more effectively account for and communicate progress and results. The Program Manager generally agreed with these recommendations. In an effort to address these concerns, the Program Manager recently noted in the 2008 annual report that as the ISE matures, he expects the performance management approach will itself mature to move from measuring individual agency progress to measuring the overall performance of the ISE. Fusion Centers Vary in Their Characteristics, and Federal Efforts Are Under Way That Address Many of the Challenges That Centers Reported Encountering: After September 2001, state and local governments began to establish fusion centers to improve information sharing across levels of government and varying disciplines and to prevent terrorism or other threats. By September 2007, almost all states and several local governments had established, or were in the process of establishing, fusion centers. As we reported in October 2007, these centers varied in their level of maturity, capability, and characteristics. For example, while some centers were just starting out, officials in many (43 of the 58) fusion centers we contacted described their centers as operational. Of these operational centers, 9 opened in the couple of years after September 2001, while 34 opened since January 2004. In terms of capability, we reported that these centers ranged from a center with analysts and access to networks and systems from DHS, FBI, and state and local entities operating at a Top Secret level to a center that had just appointed an officer in charge and lacked access to any of these federal networks and systems. However, our work showed that most of the operational fusion centers we contacted had adopted scopes of operations and missions that included more than just counterterrorism- related activities. For instance, officials in just over half of the operational centers we contacted said that their scopes of operations included all-crimes or all-crimes and terrorism, and several noted the link between crimes and terrorism as a rationale for adopting a broader scope of operations. Officials in about half of the operational centers said that their centers included all-hazards information, such as that related to public health and safety or emergency response. Overall, center officials we contacted during our review told us that adopting a broader focus than counterterrorism helped provide information about all threats, and including additional stakeholders that could provide staff and support could help increase the centers' sustainability. In terms of organization and partnerships, law enforcement entities, such as state police, were the lead or managing agencies in the majority of the centers we contacted. While the centers varied in their staff sizes and partnerships with other agencies, the majority of the operational fusion centers we contacted had federal personnel, including staff from DHS's Office of Intelligence and Analysis or the FBI, assigned to them as of September 2007. In our October 2007 report, we identified a variety of challenges--many of which were related to information sharing--that fusion center officials reported encountering in establishing and operating their centers. Among these challenges were managing the high volume of information and the multiple systems and networks, obtaining specific and clear guidance and training on operational issues, obtaining and retaining qualified personnel, and securing federal grant or state and local funding for center operations over the long term. We also reported that to help address these challenges, the Program Manager for the ISE, DHS, and the Department of Justice (DOJ) had several efforts under way, and as we reported in April 2008,[Footnote 11] many of these efforts were ongoing. * The Program Manager for the ISE along with DHS and DOJ have efforts under way to streamline systems, including reviewing the most commonly used sensitive but unclassified systems to examine users' needs to identify potential areas in which to streamline system access.[Footnote 12] In addition, these agencies are taking steps to improve the quality and flow of information through the establishment of the Interagency Threat Assessment and Coordination Group, which became a statutorily mandated body by the 9/11 Commission Act.[Footnote 13] The group is to include state, local, and tribal representative detailees who are to provide a nonfederal perspective to the intelligence community to produce clear, relevant, federally coordinated terrorism-related information products intended for dissemination to state, local, and tribal officials and to the private sector. In April 2008, we reported that four state and local law enforcement representatives had been detailed to this group. Further, the group's advisory council has been focusing on recruitment for next year's detailees and determining a concept of operations for a detailee fellowship program, according to the ISE 2008 annual report. * The Program Manager, DHS, and DOJ have taken steps to develop specific, clear guidance and provide technical assistance and training. For example, they have outlined federal and fusion center roles and responsibilities in the National Strategy for Information Sharing: Success and Challenges in Improving Terrorism-Related Information, which the administration issued in October 2007. They have also disseminated specific guidance in the form of baseline capabilities that outline minimum operational standards for centers to ensure that they have the necessary structures, procedures, and tools in place to support gathering, processing, analysis, and dissemination of terrorism- related information. In addition, DHS and DOJ's technical assistance program for fusion centers offers training and guidance on, among other things, operational issues such as establishing a privacy and civil liberties policy. These agencies along with the Program Manager for the ISE and others have also sponsored regional and national conferences designed to support fusion centers and provide information about ongoing federal efforts. * To facilitate information sharing and support fusion centers, DHS and the FBI have deployed personnel, including intelligence officers and special agents. We reported in April 2008 that according to these agencies, DHS had deployed 23 officers to fusion centers and had plans to place officers in as many as 35 centers by the end of fiscal year 2008, and the FBI had assigned about 200 personnel to 44 fusion centers.[Footnote 14] * In terms of funding, DHS reported that from fiscal years 2004 through 2007, about $257 million in DHS grant funds supported information sharing and intelligence activities,[Footnote 15] including 415 projects designated by states and territories for intelligence and fusion center initiatives. Despite DHS and FBI efforts to deploy personnel to fusion centers and DHS's grant funding, fusion center officials were concerned about long- term sustainability--both the extent of federal support they could expect as well as the roles of their state or local jurisdictions. For example, we reported in October 2007 that challenges for fusion centers included uncertain or declining federal funding, finding adequate funding for specific components of their centers' operations, and obtaining state or local funding. One of the specific funding challenges fusion center officials cited was time limits on the use of grant funds for personnel. Some officials expressed concerns about maintaining their personnel levels, such as the 2-year limit on the use of fiscal year 2007 DHS grant funds for personnel. This limit made retaining personnel challenging because state and local agencies may lack the resources to continue funding the position, which could affect the centers' ability to continue to operate. In our October 2007 report, we recommended that the federal government determine and articulate its long-term fusion center role and whether it expects to provide resources to help ensure their sustainability. The National Strategy for Information Sharing stated that the federal government will support the establishment of fusion centers and help sustain them through grant funding, technical assistance, and training to achieve a baseline level of capability. Similarly, the 9/11 Commission Act includes provisions for allowing grant funding through the State Homeland Security and Urban Areas Security Initiative grant programs to be used for a variety of fusion-related activities, including paying salaries for personnel. However, we reported in April 2008 that there was still uncertainty among fusion center officials about how specifically the federal government was planning to assist state and local governments in sustaining their fusion centers, in particular with respect to grant funding for intelligence analysts. Specifically, under the fiscal year 2008 Homeland Security Grant Program guidance, costs associated with hiring intelligence analysts were allowable for 2 years but were limited to the hiring of new analysts. After 2 years, states and urban areas are responsible for supporting the sustainment costs of those intelligence analysts. Legislation introduced in May 2008, and reported by the House Committee on Homeland Security July 10, 2008, seeks to clarify what constitutes allowable costs under these grants.[Footnote 16] The committee found that the federal government has placed restrictions on the use of these funds that make long-term planning for fusion centers unmanageable. The proposed legislation would, among other things, permit states and localities receiving funds under either the State Homeland Security Program or the Urban Areas Security Initiative program to use grant funds toward salaries for analysts regardless of whether the analysts are current or new full- time employees or contract employees and without limitations on the period of time that these analysts can serve under the awarded grants. In addition, to support the establishment and sustainment of a national integrated network of fusion centers, among the federal government's planned activities, the ISE 2008 annual report includes the development of a national investment strategy to sustain fusion center operations, including a delineation of current and recommended future federal and nonfederal costs. A New Policy Is Intended to Streamline Processes for Sharing Sensitive but Unclassified Information: In March 2006, we reported on a survey of 26 federal agencies[Footnote 17] that showed they were using more than 50 different designations to protect information that they deem critical to their missions--such as law enforcement sensitive, for official use only, and unclassified controlled nuclear information. At that time, there were no governmentwide policies or procedures that described the basis on which agencies should designate, mark, and handle this information. In this absence, each agency determined what designations to apply. We reported that such inconsistency can lead to challenges in information sharing. In fact, more than half of the agencies reported encountering challenges in sharing sensitive but unclassified information. For example, 11 of the 26 agencies reported concerns about the ability of other parties to protect sensitive but unclassified information, while another 6 of these agencies said that the lack of standardized criteria for defining what constitutes sensitive but unclassified information was a challenge in their sharing efforts. In addition, we found that the prevalence of designations can confuse those receiving the information, such as local and state law enforcement agencies, which in turn must understand and safeguard the information according to each federal agency's rules. This is problematic because, as we found, most agencies did not determine who and how many employees could make sensitive but unclassified designations, provide them training on how to do so, or perform periodic reviews of how well their practices are working. Moreover there were no governmentwide policies that required such internal control practices.[Footnote 18] We reported that if guidance and monitoring is not provided, there is a probability that the designation will be misapplied, potentially restricting material unnecessarily or resulting in dissemination of information that should be restricted. Therefore, we recommended the issuance of a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies, as well as a directive requiring that agencies have in place internal controls that meet our Standards for Internal Control in the Federal Government-- including implementing guidance, training, and review processes. [Footnote 19] Consistent with our recommendations and the President's December 2005 mandates calling for standardization of sensitive but unclassified information designations, on May 9, 2008, the President issued a memorandum that adopted CUI as the single categorical designation used for sensitive but unclassified information throughout the executive branch.[Footnote 20] Specifically, CUI refers to information that is outside the standard National Security Classification system (e.g., Secret, Top Secret, etc.) but that is (1) pertinent to the national interests of the United States or to the important interests of entities outside the federal government and (2) under law or policy requires protection from unauthorized disclosure, special handling safeguards, or set limits on exchange or dissemination. Furthermore, the memo outlined a framework for designating, marking, safeguarding, and disseminating information identified as CUI. In doing so, the memo outlines the following three markings: * Controlled with standard dissemination, meaning the information requires standard safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed that it would further the execution of a lawful or official purpose. * Controlled with specific dissemination, meaning the information requires safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Material contains additional instructions on what dissemination is permitted. * Controlled enhanced with specified dissemination, meaning the information requires safeguarding measures more stringent than those normally required since the inadvertent or unauthorized disclosure would create the risk of substantial harm. Material contains additional instructions on what dissemination is permitted. The memo made NARA responsible for overseeing and managing the implementation of the CUI framework. In response, NARA established the CUI Office to accomplish the new tasks associated with implementing the CUI policy. The new office is to undertake nine steps for the implementation and standardization governing CUI policy. Chief among these are (1) establishing new safeguards and dissemination controls, (2) publishing standards in a new official CUI Registry, (3) monitoring department and agency compliance with CUI policy and standards, (4) establishing required training and an associated training program for departments and agencies, and (5) providing appropriate documentation regarding the CUI framework to Congress; state, local, tribal, and private entities; and foreign partners. Issuing the new policy and laying out responsibilities is a good first step. Our work has demonstrated that monitoring agencies' compliance with CUI policies and standards to ensure that they implement guidelines, training, and internal controls will help ensure that the policy is employed consistently across the federal government and facilitate the sharing of terrorism-related information. Our November 2007 review of TSA's program on managing sensitive security information[Footnote 21] showed that in response to our prior recommendations on establishing guidance and procedures for using TSA regulations to determine what constitutes sensitive security information, TSA's program had instituted key components critical for the sharing of unclassified sensitive information and could serve as a model to guide other agencies' implementation of CUI. TSA has also shared its criteria and examples used to help employees determine what is sensitive security information with other DHS components. Representatives we interviewed from these other DHS components have recognized opportunities to adapt TSA's criteria to their offices' unique needs. Furthermore, TSA has appointed sensitive security information coordinators at all program offices, such as the Office of Law Enforcement/Federal Air Marshal Service, among other things, to implement sensitive security information determination policies. TSA's Office for Sensitive Security Information is in the process of providing training to all TSA employees and contractors on how to handle sensitive security information in accordance with its newly adopted policies and procedures. The office has a "train the trainer" program that instructs sensitive security information program managers and coordinators who are then expected to train appropriate staff in their respective agencies and programs. Several aspects of the sensitive security information training program that we evaluated are consistent with GAO-identified components of a strategic training program.[Footnote 22] Within this effort, TSA also has processes for responding to requests for sensitive security information from federal, state, local, and tribal government entities. Furthermore, TSA's sensitive security information program has internal controls in place that are consistent with governmentwide requirements and respond to our recommendation. For example, TSA is in the process of conducting an audit to identify existing sensitive security information and its use, as well as evaluating a portion of records marked as containing such information. Mr. Chairman, this concludes my statement. I would be pleased to answer any questions that you or other members of the committee may have at this time. Contacts and Acknowledgments: For further information on this testimony, please contact Eileen Larence at (202) 512-8777 or larencee@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this statement. Individuals making key contributions to this testimony include Susan Quinlan, Assistant Director; Mary Catherine Hult, Assistant Director; Joseph Cruz; and Anish R. Bhatt. [End of section] Footnotes: [1] See Pub. L. No. 110-53, 121 Stat. 266 (2007); Pub. L. No. 108-458, 118 Stat. 3638 (2004). See also Pub. L. No. 107-296, 116 Stat. 2135 (2002). [2] See Pub. L. No. 108-458, § 1016, 118 Stat. at 3664-70, amended by Pub. L. No. 110-53 § 504, 121 Stat. at 313-17. [3] See GAO, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-492] (Washington, D.C.: June 25, 2008); Homeland Security: Federal Efforts Are Helping to Alleviate Some Challenges Encountered by State and Local Information Fusion Centers, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-35] (Washington, D.C.: Oct. 30, 2007); Homeland Security: Federal Efforts Are Helping to Address Some Challenges Faced by State and Local Fusion Centers, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-636T] (Washington, D.C.: Apr. 17, 2008); Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO- 08-232R] (Washington, D.C.: Nov. 30, 2007); and Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-385] (Washington, D.C.: Mar. 17, 2006). [4] Program Manager, Information Sharing Environment, Annual Report to the Congress on the Information Sharing Environment (Washington, D.C.: June 30, 2008). [5] See Presidential Memorandum, Memorandum from the President for the Heads of Executive Departments and Agencies, Subject: Guidelines and Requirements in Support of the Information Sharing Environment (ISE) (Dec. 16, 2005). [6] As described in the ISE implementation plan, the ISE is comprised of five "communities of interest," encompassing intelligence, law enforcement, defense, homeland security, and foreign affairs. Each community may comprise multiple federal organizations and other stakeholders; information is to be shared across these communities. [7] The White House, National Strategy For Information Sharing: Successes and Challenges in Improving Terrorism-Related Information Sharing (Washington, D.C.: Oct. 31, 2007). [8] See, for example, GAO, Results-Oriented Government: GPRA Has Established a Solid Foundation for Achieving Greater Results, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-38] (Washington, D.C.: Mar. 10, 2004); GAO, Executive Guide: Effectively Implementing the Government Performance and Results Act, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/GGD-96-118] (Washington, D.C.: June 1996); Office of Management and Budget, Circular A-11, Preparation, Submission, and Execution of the Budget (July 2007); and The Project Management Institute, The Standard for Program Management© (2006). [9] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-492]. [10] See Presidential Memorandum, Memorandum from the President for the Heads of Executive Departments and Agencies, Subject: Guidelines and Requirements in Support of the Information Sharing Environment (ISE) (Dec. 16, 2005). [11] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-636T]. [12] These systems include DHS's Homeland Security Information Network, DOJ's Law Enforcement Online, and the Regional Information Sharing Systems, which is a nationwide initiative to share sensitive but unclassified criminal intelligence among law enforcement, first responders, and private sector stakeholders. [13] See Pub. L. No. 110-53, § 521, 121 Stat. at 328-32 (adding section 210D to subtitle A, title II of the Homeland Security Act, Pub. L. No. 107-296, 116 Stat. 2135). [14] These deployments may be to fusion centers other than the 58 centers that were included in our October 2007 report. [15] This includes State Homeland Security Program, Urban Areas Security Initiative, Urban Area Security Initiative Transit Security Program, Law Enforcement Terrorism Prevention Program, Citizen Corps Program, Emergency Management Performance Grants, Metropolitan Medical Response System, Buffer Zone Protection Program, Trucking Security Grant Program, and Transit Security Program grant funding. [16] Personal Reimbursement for Intelligence Cooperation and Enhancement of Homeland Security Act, H.R. 6098, 110th Cong. (2008) (proposing amendments to the Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135, to improve the financial assistance provided to state, local, and tribal governments for information sharing activities). See also H.R. Rep. No. 110-752 (July 10, 2008). [17] As identified in our March 2006 report (see [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-385]), these federal agencies were generally selected because they are defined as those subject to the Chief Financial Officers Act. In addition, we also included the Federal Energy Regulatory Commission and the U.S. Postal Service because our previous experience with these agencies indicated that they used sensitive but unclassified designations. [18] Internal controls are an integral component of an organization's management that provides reasonable assurance that the following objectives are achieved: (1) effectiveness and efficiency of operations, (2) reliability of financial reporting, and (3) compliance with applicable laws and regulations. See GAO, Standards for Internal Controls in Federal Government, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1999). [19] [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-385]. [20] See Presidential Memorandum, Memorandum for the Heads of Executive Departments and Agencies: Designation and Sharing Controlled Unclassified Information (May 9, 2008). [21] Sensitive security information is a statutorily established category of sensitive but unclassified information that includes information obtained or developed in the conduct of security activities that, for example, would be detrimental to transportation security. See 49 U.S.C. § 114(s); see also 49 C.F.R. pt. 1520. Sensitive security information is not subject to the CUI requirements. [22] GAO, A Guide for Assessing Strategic Training and Development Efforts in the Federal Government, [hyperlink, http://www.gao.gov/cgi- bin/getrpt?GAO-04-546G] (Washington, D.C.: Mar. 2004). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: