This is the accessible text file for GAO report number GAO-10-895 
entitled 'Public Transit Security Information Sharing: DHS Could 
Improve Information Sharing through Streamlining and Increased 
Outreach' which was released on September 22, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Committees: 

United States Government Accountability Office:
GAO: 

September 2010: 

Public Transit Security Information Sharing: 

DHS Could Improve Information Sharing through Streamlining and 
Increased Outreach: 

GAO-10-895: 

GAO Highlights: 

Highlights of GAO-10-895, a report to congressional committees. 

Why GAO Did This Study: 

The Transportation Security Administration (TSA), in the Department of 
Homeland Security (DHS), is committed to sharing information with 
public transit agencies. The Implementing Recommendations of the 9/11 
Commission Act directed GAO to report on public transit information 
sharing. This report describes (1) the primary mechanisms used to 
share security information with public transit agencies; and evaluates 
(2) public transit agencies’ satisfaction with federal efforts to 
share security-related information (e.g., security threats) and 
opportunities to improve these efforts; and (3) the extent to which 
DHS has identified goals and measures for sharing information. GAO 
surveyed 96 of the 694 U.S. public transit agencies based on 2008 
ridership and received 80 responses. The 96 public transit agencies 
surveyed represent about 91 percent of total 2008 ridership. GAO also 
reviewed documents, such as DHS’s Information Sharing Strategy, and 
interviewed agency officials. 

What GAO Found: 

According to the American Public Transportation Association (APTA)—
which represents the public transit industry—and TSA officials, the 
Public Transportation Information Sharing and Analysis Center (PT-
ISAC) and the public transit subportal on DHS’s Homeland Security 
Information Network (HSIN-PT) were established as primary mechanisms 
for sharing security-related information with public transit agencies. 
The public transit agencies GAO surveyed also cited additional 
mechanisms for obtaining such information, including other public 
transit agencies. Further, in March 2010 TSA introduced the 
Transportation Security Information Sharing and Analysis Center (TS-
ISAC), which is a subportal on HSIN focused on sharing security-
related information with transportation stakeholders. 

Seventy-five percent of the public transit agencies GAO surveyed 
reported being generally satisfied with the security-related 
information they received; however, federal efforts to share security-
related information could be improved. Specifically, three-fourths of 
public transit agencies reported being either very satisfied or 
somewhat satisfied with the information they received. Public transit 
agencies also reported that among the 12 most frequently cited 
mechanisms, they were the least satisfied with HSIN in terms of 
general satisfaction (19 of 33) and for each of six dimensions of 
quality—relevance, validity, timeliness, completeness, actionability, 
and ease of use. Twenty-four survey respondents also cited the need to 
streamline the information they received. GAO identified the potential 
for overlap between the PT-ISAC, the HSIN-PT, and the TS-ISAC, which 
all communicate similar unclassified and security-related information 
to public transit agencies. Federal and transit industry officials 
that GAO interviewed reported the need to streamline information 
sharing. Moreover, a greater proportion of survey respondents who were 
unaware of the PT-ISAC or HSIN were from midsize agencies, nonrail 
agencies, and those without their own police department. Federal and 
industry officials formed a working group to assess the effectiveness 
of information-sharing mechanisms, including developing options for 
streamlining these mechanisms. TSA officials stated that these options 
will also impact future outreach activities; however, no time frame 
has been established for completing this effort. Establishing such a 
time frame could help to ensure that this effort is completed. 

DHS and TSA have established goals and performance measures for some 
of their information-sharing activities to help gauge the 
effectiveness of their overall information-sharing efforts; however, 
they have not developed goals and outcome-oriented measures of results 
of activities for the mechanisms established as primary information 
sources for the public transit industry. TSA officials acknowledged 
the importance of establishing such goals and measures, but were 
unable to provide time frames for doing so. Establishing time frames 
for developing goals and outcome measures, once the working group 
effort is complete, could assist TSA in gauging the effectiveness of 
its efforts to share information with public transit agencies. 

What GAO Recommends: 

GAO recommends that DHS, among other things, (1) establish time frames 
for its working group to develop options for improving information 
sharing, including assessing opportunities to streamline mechanisms 
and conducting targeted outreach; and (2) establish time frames for 
developing goals and outcome-oriented measures of results. DHS 
concurred. GAO is issuing an electronic supplement with this report-—
GAO-10-896SP-—which provides survey results. 

View [hyperlink, http://www.gao.gov/products/GAO-10-895] or key 
components. For more information, contact Stephen M. Lord at (202) 512-
4379 or LordS@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

PT-ISAC and HSIN-PT Were Established to Serve as the Primary Security 
Information-Sharing Mechanisms for Public Transit Agencies: 

Public Transit Agencies We Surveyed Were Generally Satisfied with 
Federal Efforts to Share Security-Related Information, but 
Opportunities Exist to Improve These Efforts: 

DHS's Information-Sharing Efforts Could be Enhanced by Developing More 
Specific Goals and Measures and Obtaining Additional Industry Feedback: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: National Strategies, Plans, and Reports Designed to 
Enhance Information Sharing: 

Appendix III: Public Transit Agencies' General Satisfaction with the 
12 Most Frequently-Cited Information-Sharing Mechanisms: 

Appendix IV: Comments from the Department of Homeland Security: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Entities Involved in Sharing Security-Related Information 
with Public Transit Agencies: 

Table 2: Additional Details on the Mechanisms Most Frequently Cited by 
Surveyed Public Transit Agencies as Sources for Obtaining Security- 
Related Information: 

Table 3: Public Transit Agencies' Overall Satisfaction with Security- 
Related Information: 

Table 4: Public Transit Agencies' Survey Responses on Cross-Sector 
Information: 

Table 5: Awareness and Use of PT-ISAC for Different Categories of 
Public Transit Agencies: 

Table 6: Awareness of and Access to HSIN for Different Categories of 
Public Transit Agencies: 

Table 7: DHS and TSA Performance Goals and Measures for Information- 
Sharing Activities: 

Table 8: Public Transit Agencies Interviewed: 

Table 9: Public Transit Agencies' Survey Responses Regarding 
Satisfaction with 12 Information-Sharing Mechanisms Along 6 Dimensions 
of Quality: 

Figure: 

Figure 1: Mechanisms Cited Most Frequently by the Public Transit 
Agencies Surveyed as Sources for Security-Related Information: 

Abbreviations: 

APTA: American Public Transportation Association: 

DHS: Department of Homeland Security: 

DOJ: Department of Justice: 

DOT: Department of Transportation: 

FBI: Federal Bureau of Investigation: 

FOUO: For Official Use Only: 

FTA: Federal Transit Administration: 

GCC: Government Coordinating Council: 

HSIN: Homeland Security Information Network: 

HSIN-CS: Homeland Security Information Network Critical Sectors portal: 

HSIN-PT: Homeland Security Information Network public transit 
subportal: 

I&A: Office of Intelligence and Analysis: 

IP: Office of Infrastructure Protection: 

JTTF: Joint Terrorism Task Force: 

NIPP: National Infrastructure Protection Plan: 

NPPD: National Protection and Programs Directorate: 

PT-ISAC: Public Transportation Information Sharing and Analysis Center: 

SBU: Sensitive but Unclassified: 

SCC: Sector Coordinating Council: 

TSA: Transportation Security Administration: 

TSA-OI: Transportation Security Administration Office of Intelligence: 

TS-ISAC: Transportation Security Information Sharing and Analysis 
Center: 

TSISP: Transportation Security Information Sharing Plan: 

TSOC: Transportation Security Operations Center: 

TSNM: Transportation Sector Network Management: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 22, 2010: 

Congressional Committees: 

Public transit systems provided 10.2 billion passenger trips in the 
United States in calendar year 2009.[Footnote 1] To date, U.S. public 
transit systems have not been successfully attacked by terrorists. 
However, the February 2010 guilty plea by Najibullah Zazi for, among 
other things, conspiring to detonate explosives in the New York City 
subway system highlighted the vulnerability of public transit agencies 
and the importance of the federal government to share quality security-
related information with the public transit industry.[Footnote 2] The 
Homeland Security Act of 2002 and the Implementing Recommendations of 
the 9/11 Commission Act of 2007 (9/11 Commission Act)--assigned the 
Department of Homeland Security (DHS) responsibility for sharing 
information related to terrorism and homeland security with its 
federal, state, tribal, local, and private sector homeland security 
partners.[Footnote 3] 

Since the terrorist attacks of September 11, 2001, the federal 
government, including DHS, has taken a number of actions to enhance 
the security of transportation systems. These actions include 
improving information sharing with its critical sector stakeholders, 
which is highlighted in the 2008 Department of Homeland Security 
Information Sharing Strategy, as well as the 2009 National 
Infrastructure Protection Plan (NIPP).[Footnote 4] To help facilitate 
information sharing with the public transit industry, DHS and the 
Transportation Security Administration (TSA) have created and funded a 
number of mechanisms, including the Public Transportation Information 
Sharing and Analysis Center (PT-ISAC), which is administered by the 
American Public Transportation Association (APTA).[Footnote 5] The PT-
ISAC was created under the direction of the Department of 
Transportation (DOT) in 2003 and is currently funded by TSA via DOT's 
Federal Transit Administration (FTA).[Footnote 6] In addition to DHS, 
other federal agencies, such as the Department of Justice's (DOJ) 
Federal Bureau of Investigation (FBI) and FTA, have also taken action 
to enhance their efforts to share security-related information with 
public and private stakeholders, including public transit agencies. 

Our prior work on information sharing with private and public security 
stakeholders has shown that information sharing continues to be a 
challenge for the federal government.[Footnote 7] In January 2005, we 
designated establishing effective mechanisms for sharing terrorism- 
related information to protect the homeland a high-risk area because 
the government had continued to face challenges in analyzing and 
disseminating this information in a timely, accurate, and useful 
manner. We reported that information is a crucial tool in fighting 
terrorism and that its timely dissemination is critical to maintaining 
the security of our nation. This area remains on our high-risk list. 
[Footnote 8] 

As mandated by section 1410 of the 9/11 Commission Act, this review 
assesses the role of the PT-ISAC and other related federal mechanisms 
for sharing security-related information within the public transit 
industry.[Footnote 9] Specifically, our report addresses the following 
questions: 

* What are the primary mechanisms established or funded by the federal 
government to share security-related information with public transit 
agencies? 

* To what extent are public transit agencies satisfied with federal 
efforts to share security-related information, and how, if at all, can 
these efforts be improved? 

* To what extent has DHS identified goals for sharing security-related 
information with public transit agencies and developed measures to 
gauge its progress in meeting those goals? 

To identify the mechanisms established or funded by the federal 
government to serve as primary information sources for public transit 
agencies, we reviewed and assessed relevant documentation, such as the 
Homeland Security Information Network (HSIN) Program Management Plan 
and DHS's Information Sharing Strategy. We interviewed officials from 
DHS components including the Office of Infrastructure Protection (IP) 
within the National Protection and Programs Directorate (NPPD), the 
Office of Intelligence and Analysis (I&A), the U.S. Coast Guard, and 
TSA, as well as officials from FTA and the FBI to discuss the 
mechanisms they use to share security-related information with public 
transit agencies.[Footnote 10] We also conducted site visits, or held 
teleconferences, with security and management officials from a 
nonprobability sample of 27 public transit agencies across the nation 
to determine which mechanisms are most routinely used by these 
agencies to obtain security-related information. These transit 
agencies were selected to reflect broad representation in size, 
location, transportation mode, and law enforcement presence and 
represent about 63 percent of the nation's total public transit 
ridership based on information we obtained from FTA's National Transit 
Database. Because we selected a nonprobability sample of transit 
agencies to interview, the information obtained cannot be generalized 
to all transit agencies. However, the interviews provided illustrative 
examples of the perspectives of various transit agencies about federal 
government information-sharing mechanisms and corroborated information 
we gathered through other means. 

To assess the extent to which public transit agencies are satisfied 
with federal efforts to share quality security-related information and 
related opportunities for improvement, in March and April 2010, we 
surveyed 96 of the 694 U.S. public transit agencies on their 
satisfaction with information-sharing efforts.[Footnote 11] The 96 
public transit agencies surveyed represent about 91 percent of total 
2008 ridership. For the purposes of this survey, we defined the six 
aspects of quality security-related information as (1) relevance 
(i.e., is the information sufficiently relevant to be of value to a 
public transit agency?); (2) validity (i.e., is the information 
accurate?); (3) timeliness (i.e., is information received in a timely 
manner?); (4) completeness (i.e., does the information contain all the 
necessary details?); (5) actionability (i.e., would the information 
allow a public transit agency to change its security posture, if such 
a change was warranted?); and (6) access/ease of use (i.e., is 
information available through this mechanism easy to 
obtain?).[Footnote 12] Out of the original population of 96 transit 
agencies, we received completed questionnaires from 80 respondents--a 
response rate of 83 percent; however, not all respondents provided 
answers to every question. To develop the survey instrument, we 
conducted pretest interviews with four public transit agencies and 
obtained input from our survey experts. However, since we surveyed a 
non-probability sample of public transit agencies, the results cannot 
be used to make inferences about the entire population of public 
transit agencies, but provided us with additional insights. The survey 
document and counts of responses received for each question are 
reproduced in an electronic supplement we are issuing concurrent with 
this report--GAO-10-896SP. To further address this question, we 
assessed relevant documentation, including interagency agreements 
between TSA and FTA, as well as marketing materials on the 
Transportation Security Information Sharing and Analysis Center (TS-
ISAC). We also interviewed APTA, PT-ISAC, TSA, FBI, FTA, and DHS 
Office of Operations, Coordination, and Planning officials to discuss 
efforts to streamline existing information-sharing mechanisms, oversee 
the results of the PT-ISAC, and conduct outreach on various 
information-sharing mechanisms. We compared these efforts to internal 
control standards, as well as our previous work on the need to 
consolidate redundant information systems and target outreach efforts. 
In addition, we interviewed select public transit agencies and 
included questions in our Web-based survey of public transit agencies 
on the various information-sharing mechanisms available to them. 

To assess the extent to which DHS has identified goals for sharing 
information with public transit agencies and developed measures to 
gauge its progress in meeting those goals, we reviewed the DHS Annual 
Performance Report, Fiscal Years 2008 through 2010, TSA's 
Transportation Security Information Sharing Plan (TSISP), and 
available performance measures for fiscal years 2007 through 2010 
related to information-sharing efforts with public transit agencies 
and compared them to leading management practices and our previous 
work on program assessments.[Footnote 13] We also interviewed relevant 
DHS and TSA officials to obtain information on their efforts to revise 
and develop performance measures and goals for this area of 
information sharing and to obtain feedback from public transit 
agencies on their satisfaction with the security-related information 
they receive. In addition, we compared TSA's efforts to evaluate their 
information-sharing efforts with guidance on performance measurement 
contained in our previous reports.[Footnote 14] Appendix I provides 
more details about our objectives, scope, and methodology. 

We conducted this performance audit from August 2009 through September 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

Overview of the U.S. Public Transit Systems: 

The nation's transportation system is a vast, interconnected network 
of diverse modes. Key modes of transportation include aviation, 
freight rail, highway, maritime, transit, and pipeline. The nation's 
public transit system includes multiple-occupancy vehicle services 
designed to provide regular and continuing general or special 
transportation to the public, such as transit buses, light rail, 
commuter rail, subways, and waterborne passenger ferries. According to 
APTA, buses are the most widely used form of transit, providing almost 
two-thirds of all passenger trips. Light rail systems are typically 
characterized by lightweight passenger rail cars that operate on track 
that is not separated from vehicular traffic. Commuter rail systems 
typically operate on railroad tracks and provide regional service 
(e.g., between a city and adjacent suburbs). Subway systems, like the 
Metropolitan Transportation Authority's New York City Transit, 
typically operate on fixed heavy lines within a metropolitan area and 
have the capacity for a heavy volume of traffic. Waterborne passenger 
ferries provide a link across many of the nation's waterways and, in 
some cases, present drivers with an alternative travel option. Public 
transit systems in the United States are typically owned and operated 
by public sector entities, such as state and regional transportation 
authorities. In addition, while some transit agencies rely on their 
local police department to secure their systems, others, such as the 
Bay Area Rapid Transit system in San Francisco, have established their 
own dedicated police department. 

Mass transit and passenger rail systems carry a high number of 
passengers every day and are open and fully accessible. Multiple stops 
and transfers lead to high passenger turnover, which is difficult to 
monitor effectively, and a terrorist attack on public transit systems 
could result in a large number of casualties. While there have been no 
successful terrorist attacks against U.S. public transit systems to 
date, terrorist attacks on public transit systems around the world, 
such as the March 2010 subway bombings in Moscow, Russia, and the 
recent plot to detonate explosives on the New York City subway system, 
illustrate the potential threat to public transit systems. 

Multiple Stakeholders Have Responsibility for Sharing Security-Related 
Information with Public Transit Agencies: 

Securing the nation's public transit systems is a shared 
responsibility requiring coordinated action on the part of federal, 
state, and local governments; the private sector; and passengers who 
ride these systems. A component of this shared responsibility is 
ensuring that those within the private and public sector have access 
to quality security-related information to enhance prevention and 
protection efforts. DHS is the lead department involved in securing 
the nation's homeland. As required by the Homeland Security Act of 
2002, the department is responsible for coordinating homeland security 
efforts across all levels of government and throughout the nation, 
including with federal, state, tribal, local, and private sector 
homeland security stakeholders.[Footnote 15] 

The Aviation and Transportation Security Act established TSA as the 
federal agency with primary responsibility for securing the nation's 
transportation systems.[Footnote 16] As part of this responsibility, 
TSA serves as the lead DHS component responsible for assessing 
intelligence and other information to identify individuals who pose a 
threat specifically to transportation security and to coordinate 
countermeasures with other federal agencies to address such threats. 
TSA is also charged with serving as the sector-specific agency for the 
transportation community.[Footnote 17] Within TSA, several offices, 
including the Office of Transportation Sector Network Management and 
the Office of Intelligence, play a role in sharing security-related 
information with transportation stakeholders. In addition to TSA, a 
number of other entities are responsible for sharing security-related 
information with internal and external stakeholders, including public 
transit agencies. Table 1 below provides details on roles and 
responsibilities of some of the various entities involved in sharing 
security-related information with public transit agencies. 

Table 1: Entities Involved in Sharing Security-Related Information 
with Public Transit Agencies: 

Entity: TSA-Office of Transportation Sector Network Management (TSNM); 
Information sharing role: Leads federal efforts to protect and secure 
the nation's transportation systems, with divisions dedicated to each 
transportation mode, including public transit.[A]. 

Entity: TSA Office of Intelligence; (TSA-OI); 
Information sharing role: Responsible for collecting and analyzing 
threat information related to the transportation network, which 
includes all modes of transportation. TSA-OI is also responsible for 
overseeing the content on the Transportation Security Information 
Sharing and Analysis Center (TS-ISAC), implemented in March 2010.[B] 

Entity: DHS Office of Intelligence and Analysis (I&A); 
Information sharing role: A member of the national intelligence 
community, DHS I&A is responsible for collecting, analyzing, and 
disseminating information related to homeland security threats to 
homeland security stakeholders, including those within the private and 
public sectors. 

Entity: DHS Office of Infrastructure Protection (IP); 
Information sharing role: Within IP, several divisions play a role in 
sharing security-related information with public transit agencies, 
including the Homeland Infrastructure Threat and Risk Analysis Center 
which has analysts dedicated to identifying the risk associated with 
the transportation sector and sharing that information via associated 
information products. 

Entity: DOT's Federal Transit Administration (FTA); 
Information sharing role: FTA disseminates transit security and threat 
reports to other federal agencies, including DHS, and transit 
agencies' representatives. In a 2004 memorandum of understanding (MOU) 
and a 2005 annex to the MOU, TSA and FTA agreed to coordinate their 
efforts to share threat information with public transportation 
stakeholders. 

Entity: DOT's S-60; 
Information sharing role: DOT's Office of Intelligence, Security and 
Emergency Response, referred to as S-60, collects, analyzes, and 
provides security information to both internal DOT and other federal 
agencies, who in turn share this information with other security 
stakeholders, including public transit agencies. 

Entity: FBI; 
Information sharing role: Responsible for protecting and defending the 
United States from terrorist threats and serving as the nation's 
principal counterterrorism investigative agency, among other 
responsibilities. The FBI's Rail Liaison Agents filter and distribute 
the relevant security-related information to rail transit agencies 
that they receive from their local Joint Terrorism Task Force 
(JTTF).[C] 

Entity: APTA; 
Information sharing role: As the sponsor of the PT-ISAC and the 
secretary of the Mass Transit Sector Coordinating Council (SCC), APTA 
plays a key role in sharing security-related information with public 
transit agencies.[D] APTA also manages the PT-ISAC under a cooperative 
agreement with FTA.[E] 

Source: GAO analysis of DHS, DOT, DOJ, and APTA information. 

[A] TSA's TSNM coordinates with the U.S. Coast Guard to secure the 
maritime sector. 

[B] See the Senate committee report accompanying the proposed bill for 
the fiscal year 2009 DHS appropriations act--S. Rep. No. 110-396, at 
66 (2008). In this report, the committee directed TSA to implement the 
TS-ISAC. Hosted on HSIN, the TS-ISAC contains unclassified Sensitive 
but Unclassified (SBU) intelligence products and other security-
related documents available to vetted transportation security 
stakeholders. 

[C] JTTFs are investigative units consisting of law enforcement and 
other specialists from federal, state, and local law enforcement and 
intelligence agencies, led by DOJ and the FBI. JTTFs are located in 
100 cities nationwide, including at least one in each of the FBI's 56 
main field offices. The National Joint Terrorism Task Force oversees 
the local JTTFs across the country. 

[D] According to TSA, the Long-Distance Rail Government Coordinating 
Council (GCC) and SCC serve as coordinating bodies to discuss, 
develop, and refine positions on all matters in transit security. In 
addition, they streamline the coordination process between government 
and the transit industry, helping to advance a partnership in 
developing and implementing security programs. 

[E] To carry out the day-to-day operations of the PT-ISAC, APTA 
contracted with Electronic Warfare Associates - Information and 
Infrastructure Technologies, Inc., to obtain and analyze primarily 
open source security information and distribute it to PT-ISAC members 
on a daily basis. 

[End of table] 

PT-ISAC and HSIN-PT Were Established to Serve as the Primary Security 
Information-Sharing Mechanisms for Public Transit Agencies: 

According to APTA and TSA officials, the PT-ISAC and the public 
transit subportal on DHS's HSIN (HSIN-PT) were designed to serve as 
the primary mechanisms for sharing security-related information with 
public transit agencies. The PT-ISAC, which is implemented by APTA 
under a cooperative agreement with FTA, was designed to serve as the 
one stop shop for public transit agencies seeking to obtain security-
related information. The PT-ISAC collects, analyzes, and distributes 
security and threat information from the federal government and open 
sources on a 24/7 basis. It provides public transit agencies with 
unclassified and open-source documents obtained from numerous sources, 
including DOT, DHS, and DOJ. According to PT-ISAC officials, this 
mechanism disseminates this information through daily E-mails with 
attachments summarizing and analyzing recent security and 
cybersecurity information, news, threats, and vulnerabilities within 
the transportation sector. In addition, the PT-ISAC has a searchable 
library of government and private security documents, and PT-ISAC 
analysts hold top secret security clearances. HSIN-PT is also focused 
on providing security-related information pertaining to the public 
transit industry. According to DHS officials, HSIN was designed to 
serve as the department's primary information-sharing mechanism for 
the larger homeland security community engaged in preventing, 
protecting from, responding to, and recovering from all threats, 
hazards, and incidents under DHS jurisdiction.[Footnote 18] HSIN is 
comprised of a network of communities, referred to as communities of 
interest, such as Intelligence and Analysis, Law Enforcement, 
Emergency Management, and Critical Sectors (CS).[Footnote 19] Within 
HSIN-CS, each of the 18 critical sectors maintains its own site. Under 
the transportation sector, the public transit mode maintains its own 
subportal on HSIN.[Footnote 20] According to TSA officials, HSIN-PT is 
maintained and populated by mass transit and passenger rail private 
and government stakeholders. HSIN, including its public transit 
subportal, is accessible via the Internet, but users must first be 
vetted against established criteria to obtain a user name and password 
from DHS to access the network and retrieve information. As an 
additional feature, HSIN users may elect to receive E-mail alerts that 
include notices of ongoing events or direct the user to a particular 
location within HSIN to obtain additional information. 

While the PT-ISAC and HSIN-PT are focused on providing security-
related information to public transit agencies, the agencies we 
surveyed did not rely solely on these two mechanisms for their 
information needs. Figure 1 below illustrates the 12 key information-
sharing mechanisms, identified by the agencies we surveyed, that 
disseminate security-related information to public transit 
agencies.[Footnote 21] These mechanisms were cited as sources of 
security-related information by more than 40 percent of the public 
transit agencies we surveyed.[Footnote 22] 

Figure 1: Mechanisms Cited Most Frequently by the Public Transit 
Agencies Surveyed as Sources for Security-Related Information: 

[Refer to PDF for image: interactive illustration] 

Interactive features: Roll your mouse over the name of each 
information-sharing mechanism for more information. A brief definition 
of the selected mechanism will appear. To see the full text, see Table 
2. 

DHS: 
Homeland Security Information Network (HSIN); 
Transportation Security Administration (TSA) E-mail Alerts; 
Transportation Security Operations Center (TSOC). 

DOT: 
Federal Transit Administration (FTA) E-mail Alerts. 

DOJ: 
Joint Terrorism Task Forces (JTTF). 

Joint federal initiative: 
Transit Security and Safety Roundtables. 

Other initiatives: 
Public Transportation Information Sharing and Analysis Center (PT-
ISAC); 
Fusion centers; 
Regional/State/Local Information Sharing Mechanisms and Emergency 
Operations Centers; 
Other public transit agencies; 
Industry organizations. 

Source: GAO analysis of information from DHS, DOJ, DOT and public 
transit agencies; PhotoDisc (photo). 

Note: In figure 1, we combine "regional/state/local information-
sharing mechanisms" and "regional/state/local emergency operations 
centers." Both types of mechanisms were identified as sources of 
security-related information by over 40 percent of survey respondents. 

[End of figure] 

The information-sharing mechanisms described in figure 1 vary by 
intended users of the mechanism, the type and source of information 
offered, and how the information is distributed. Table 2 provides 
additional details on the 12 information-sharing mechanisms public 
transit agencies cited most frequently as sources for security-related 
information. 

Table 2: Additional Details on the Mechanisms Most Frequently Cited by 
Surveyed Public Transit Agencies as Sources for Obtaining Security- 
Related Information: 

Information sharing mechanism (number of users)[A]: PT-ISAC; (49); 
Mechanism: description: A 24/7 mechanism with a threat and incident 
reporting focus. The PT-ISAC collects, analyzes, and distributes 
security and threat information from the federal government and open 
sources. It also disseminates information from other industries 
through its relationship with other ISACs; 
Mechanism operator/intended users: This mechanism is administered by 
APTA and operated by Electronic Warfare Associates - Information and 
Infrastructure Technologies, Inc. The PT-ISAC is intended to serve the 
public transit industry; 
Type/source of information offered: Unclassified and open source 
documents including law enforcement bulletins obtained from numerous 
sources, including federal agencies such as DOT, DHS, and DOJ; 
How information is distributed: (push versus pull system)[B]: A push 
system. Daily unclassified E-mails are sent with attachments 
summarizing and analyzing recent security and cybersecurity 
information, news, threats, and cited vulnerabilities within the 
transportation sector. 

Information sharing mechanism (number of users)[A]: HSIN; (34); 
Mechanism: description: A secure Web-based platform able to facilitate 
SBU information sharing and collaboration between federal, state, 
local, tribal, private sector, and international partners; 
Mechanism operator/intended users: DHS Office of Operations 
Coordination and Planning operates this mechanism intended to serve 
federal, state, local, tribal, private sector, and international 
partners; 
Type/source of information offered: Unclassified and SBU products 
focused on threats stemming from suicide bombers, suspicious packages, 
and international security events; 
How information is distributed: (push versus pull system)[B]: A pull 
system. Users must log on to the secure network to access information. 

Information sharing mechanism (number of users)[A]: FTA E-mail Alerts; 
(65); 
Mechanism: description: The lead emergency coordinator at FTA 
maintains contact with public transit and law enforcement agencies 
that mitigate and respond to hazards. The emergency coordinator's 
network now includes roughly 500 individuals and organizations; 
Mechanism operator/intended users: FTA operates this mechanism 
intended to serve organizations and officials from public transit 
agencies, federal, state, and local agencies, fusion centers, and law 
enforcement; 
Type/source of information offered: Open source and SBU information 
sent via daily E-mails that includes breaking news alerts, updates on 
incidents affecting or disrupting transit operations, police lookouts, 
counter terrorism information, intelligence bulletins, training and 
exercise announcements; 
How information is distributed: (push versus pull system)[B]: A push 
system. E-mails are provided to public transit officials, 
organizations, and other individuals within the public transit 
industry. 

Information sharing mechanism (number of users)[A]: TSA E-mail; 
Alerts; (56); 
Mechanism: description: As a part of its information-sharing efforts, 
TSA occasionally disseminates E-mails to public transit agencies that 
include unclassified and SBU security-related information; 
Mechanism operator/intended users: TSA operates this mechanism 
intended to serve the public transit industry; 
Type/source of information offered: Unclassified and SBU information 
such as suspicious incident and situational awareness reports; 
How information is distributed: (push versus pull system)[B]: A push 
system. Information is provided via E-mail. 

Information sharing mechanism (number of users)[A]: Transportation 
Security Operations Center (TSOC); (41); 
Mechanism: description: Also known as the Freedom Center, TSOC is a 
24/7 operations center that serves as the main point of contact for 
security-related incidents or crises in all modes of transportation; 
Mechanism operator/intended users: TSA operates this mechanism 
intended to serve all modes of transportation; 
Type/source of information offered: SBU information on security-
related incidents or crises in all modes of transportation; 
How information is distributed: (push versus pull system)[B]: A push 
system. Information is shared with federal TSA stakeholders who, in 
turn, can choose to share TSOC reports with public transit agencies. 

Information sharing mechanism (number of users)[A]: Transit Security 
and Safety Roundtables; (44); 
Mechanism: description: TSA and FTA host roundtables specifically 
tailored for the nation's largest mass transit and passenger rail 
agencies to discuss security challenges. These roundtables were 
formerly held twice a year, but will now be held annually; 
Mechanism operator/intended users: FTA and TSA cosponsor these events 
intended to serve law enforcement police, security chiefs, and safety 
directors from the nation's largest mass transit and passenger rail 
agencies; 
Type/source of information offered: SBU and open source information 
shared during presentations and discussions on specific terrorism 
prevention, response challenges and efforts to develop effective risk 
mitigation and security enhancements; 
How information is distributed: (push versus pull system)[B]: A push 
system. Information is shared during these meetings with public 
transit officials. A CD with information presented at the roundtables 
is also distributed to roundtable participants. 

Information sharing mechanism (number of users)[A]: Joint Terrorism 
Task Forces (JTTF); (53); 
Mechanism: description: Small groups of trained, locally based 
investigators, analysts, linguists, and other specialists from U.S. 
law enforcement and intelligence agencies. JTTFs are led by the FBI 
and are designed to combine the resources of federal, state, and local 
law enforcement; 
Mechanism operator/intended users: The FBI operates this mechanism 
intended to serve all law enforcement critical sectors, including 
public transit; 
Type/source of information offered: SBU and classified information 
related to counterterrorism, current relevant investigations, 
suspicious activities, significant events, and threats; 
How information is distributed: (push versus pull system)[B]: Push 
systems. Information is shared via secure telephones, E-mail, in 
person, and secure video teleconferences. 

Information sharing mechanism (number of users)[A]: Fusion Centers; 
(39); 
Mechanism: description: A collaborative effort of two or more federal 
agencies that provide resources, expertise, and information to the 
center to improve the ability to detect, prevent, and respond to 
criminal and terrorist activity. DHS provides support to fusion 
centers through grant funding, technical assistance, training, and 
data access; 
Mechanism operator/intended users: State and local law enforcement or 
governments operate these mechanisms intended to serve federal, state, 
and local governments, law enforcement, and the private sector; 
Type/source of information offered: SBU and classified information 
related to homeland security, terrorism, threats, all crimes, and all 
hazards (such as public health, safety issues or emergencies). DHS and 
DOJ provide many fusion centers access to their information systems; 
How information is distributed: (push versus pull system)[B]: Push 
systems. Information is provided via E-mail, telephone, or in-person. 

Information sharing mechanism (number of users)[A]: Other Public 
Transit Agencies; (48); 
Mechanism: description: Public transit agencies may receive 
unclassified security-related information from other public transit 
agencies on an ad-hoc basis. For example, a large public transit 
agency may pass along security-related information to a smaller agency 
in the same geographic region, or security officials at one agency may 
receive information from officials at other agencies around the 
country through informal networks; 
Mechanism operator/intended users: Public transit industry operates 
and uses this type of mechanism; 
Type/source of information offered: Unclassified information such as 
suspicious incidents, alerts, and other security information specific 
to public transit agencies; 
How information is distributed: (push versus pull system)[B]: Push 
systems. Informal communication via E-mail, in-person, or 
teleconference. 

Information sharing mechanism (number of users)[A]: Regional/State/; 
Local Information Sharing Mechanisms and Emergency Operations 
Centers[C]; (47); 
Mechanism: description: In addition to federal information-sharing 
mechanisms, public transit agencies also reported using regional or 
local information-sharing mechanisms. These mechanisms were 
established either individually or in coordination with other local or 
state entities, such as offices of emergency management, local law 
enforcement, and other public transit agencies; 
Mechanism operator/intended users: Local law enforcement agencies, 
emergency management agencies or regional working groups operate this 
type of mechanism intended to serve federal, state, local law 
enforcement and public transit industry; 
Type/source of information offered: Unclassified information on 
security incidents, alerts, threats, vulnerabilities, and grants; 
How information is distributed: (push versus pull system)[B]: Although 
these mechanisms vary by region, the mechanisms described by officials 
from the 27 public transit agencies we interviewed were push systems 
that provided information via E-mail, telephone, or in person. 

Information sharing mechanism (number of users)[A]: Industry 
organizations (e.g., APTA); (44); 
Mechanism: description: Industry organizations such as APTA may share 
security-related information directly with public transit agencies. 
This information may include, among other things, guidance on 
improving security and emergency response plans, as well as training 
opportunities; 
Mechanism operator/intended users: Private industry operates this type 
of mechanism intended to serve the public transit industry; 
Type/source of information offered: Unclassified guidance, situational 
awareness, security alerts, as well as all hazards and safety 
information; 
How information is distributed: (push versus pull system)[B]: Push 
systems. Information is shared during industry conferences, via E-
mail, in-person, and teleconferences. 

Source: GAO analysis of DHS, DOT, DOJ, PT-ISAC, APTA, and public 
transit agency information. 

[A] The number of users equals the total number of agencies that 
reported using this mechanism based on survey data. For HSIN, the 
number in parentheses represents the 34 agencies that indicated they 
had log-in access to HSIN and had not lost or forgotten their password. 

[B] For the purposes of this report, we define a push system as a 
system that automatically distributes information to users. We define 
a pull system as a system that requires a user to log on to obtain 
information. 

[CI] n table 2, we combined "regional/state/local information-sharing 
mechanism" and "regional/state/local emergency operations center," 
although both mechanisms were identified as sources of security-
related information by over 40 percent of survey respondents. 
Specifically, according to our survey results, 47 agencies reported 
using regional/local information-sharing mechanisms and 38 agencies 
reported using regional emergency operations centers to receive 
security-related information. 

[End of table] 

Although all of these mechanisms are used by some segment of the 
public transit agencies we surveyed to obtain security-related 
information, access to the information disseminated through the 
mechanisms illustrated in table 2 may vary by, among other factors, 
whether the transit agencies have a dedicated police department, the 
size of transit agency, and accessibility of the information. For 
example, some public transit agencies with a dedicated police 
department receive security-related information through their law 
enforcement representative on the local JTTF.[Footnote 23] According 
to FBI officials, public transit agencies that do not have a dedicated 
police department are less likely to receive information from the 
JTTF. In addition, the Transit Security and Safety Roundtables are 
specifically tailored for the nation's largest mass transit and 
passenger rail agencies, typically those ranked within the top 50 or 
60 by ridership. Smaller transit agencies are less likely to receive 
information disseminated through this mechanism since they are 
typically not invited to participate in these roundtables. Also, of 
the mechanisms identified by the public transit agencies we 
interviewed and surveyed, all but one send information directly to 
transit agencies instead of requiring users to log on to a system to 
retrieve information ("push" vs. "pull"). 

In addition to the information-sharing mechanisms identified in table 
2, TSA-OI implemented its TS-ISAC in March 2010 as another means for 
sharing security-related information with the transportation industry, 
including public transit agencies.[Footnote 24] Specifically, TSA's 
vision for the TS-ISAC is to serve as the one stop shop to obtain TSA- 
OI reports and documentation, such as SBU intelligence products and 
other documents from other transportation security partners and 
stakeholders. The TS-ISAC aims to enhance collaboration between 
operators, law enforcement personnel, and security directors from all 
transportation modes. Similar to HSIN-PT, the TS-ISAC is a subportal 
of HSIN-CS, and therefore users must have a HSIN password to access 
it.[Footnote 25] Once access is obtained, TS-ISAC users can set up 
alerts to be notified when a new document has been posted to the site. 

Public Transit Agencies We Surveyed Were Generally Satisfied with 
Federal Efforts to Share Security-Related Information, but 
Opportunities Exist to Improve These Efforts: 

Large Transit Agencies and Rail Agencies Were Generally More Satisfied 
with Information-Sharing Efforts Than Midsized Agencies and Non-Rail 
Agencies: 

Our survey results indicate that public transit agencies' satisfaction 
with the security-related information they received varied with the 
type of transportation service provided and whether the agency was 
large or midsized. As highlighted in table 3 below, three-fourths of 
public transit agencies that responded to this question in our survey 
(57 of 76) were generally satisfied with the security-related 
information they received, while less than one-sixth (11 of 76) were 
generally dissatisfied.[Footnote 26] The agencies that provide heavy 
rail, light rail, or commuter rail service (rail agencies) were 
generally more satisfied with the information they received than the 
agencies that provide bus or ferry service, but not rail service (non- 
rail agencies). Specifically, most rail agencies (30 of 36) were 
generally satisfied with the security-related information they 
received, as opposed to approximately two-thirds (27 of 40) of non-
rail agencies. 

In addition, the larger agencies we surveyed were generally more 
satisfied with security-related information-sharing than the midsized 
agencies[Footnote 27]. Specifically, nearly all of the large agencies 
that responded to the survey (14 of 15) were generally satisfied with 
the security-related information they received, and nearly half (7 of 
15) were "very satisfied." By contrast, 43 of 61 midsized agencies 
were generally satisfied with the information they received, and less 
than one-sixth (10 of 61) were "very satisfied." Table 3 illustrates 
public transit agencies' overall satisfaction with the security-
related information they received. 

Table 3: Public Transit Agencies' Overall Satisfaction with Security- 
Related Information: 

Overall satisfaction with security-related information? Very satisfied; 
Type of public transit agency (number of agencies): 
All agencies: 17; 
Type of service: Rail agencies: 12; 
Type of service: Non-rail agencies: 5; 
Size of agency: Large agencies: 7; 
Size of agency: Midsized agencies: 10. 

Overall satisfaction with security-related information? Somewhat 
satisfied; 
Type of public transit agency (number of agencies): 
All agencies: 40; 
Type of service: Rail agencies: 18; 
Type of service: Non-rail agencies: 22; 
Size of agency: Large agencies: 7; 
Size of agency: Midsized agencies: 33. 

Overall satisfaction with security-related information? Neither 
satisfied nor dissatisfied; 
Type of public transit agency (number of agencies): 
All agencies: 7; 
Type of service: Rail agencies: 1; 
Type of service: Non-rail agencies: 6; 
Size of agency: Large agencies: [Empty]; 
Size of agency: Midsized agencies: 7. 

Overall satisfaction with security-related information?: Somewhat 
dissatisfied; 
Type of public transit agency (number of agencies) 
All agencies: 9; 
Type of service: Rail agencies: 4; 
Type of service: Non-rail agencies: 5; 
Size of agency: Large agencies: 1; 
Size of agency: Midsized agencies: 8. 

Overall satisfaction with security-related information? Very 
dissatisfied; 
Type of public transit agency (number of agencies): 
All agencies: 2; 
Type of service: Rail agencies: 1; 
Type of service: Non-rail agencies: 1; 
Size of agency: Large agencies: [Empty]; 
Size of agency: Midsized agencies: 2. 

Overall satisfaction with security-related information? No opinion/do 
not know; 
Type of public transit agency (number of agencies): 
All agencies: 1; 
Type of service: Rail agencies: [Empty]; 
Type of service: Non-rail agencies: 1; 
Size of agency: Large agencies: [Empty]; 
Size of agency: Midsized agencies: 1. 

Overall satisfaction with security-related information? Subtotal; 
Type of public transit agency (number of agencies): 
All agencies: 76; 
Type of service: Rail agencies: 36; 
Type of service: Non-rail agencies: 40; 
Size of agency: Large agencies: 15; 
Size of agency: Midsized agencies: 61. 

Overall satisfaction with security-related information? No response; 
Type of public transit agency (number of agencies): 
All agencies: 4; 
Type of service: Rail agencies: 3; 
Type of service: Non-rail agencies: 1; 
Size of agency: Large agencies: [Empty]; 
Size of agency: Midsized agencies: 4. 

Overall satisfaction with security-related information? Total; 
Type of public transit agency (number of agencies): 
All agencies: 80; 
Type of service: Rail agencies: 39; 
Type of service: Non-rail agencies: 41; 
Size of agency: Large agencies: 15; 
Size of agency: Midsized agencies: 65. 

Source: GAO analysis of survey responses. 

[End of table] 

The agencies we surveyed reported using several different mechanisms 
to receive security-related information, and in general they were 
satisfied with the information they received through these mechanisms. 
Of the mechanisms included in the survey, 12 were used by or 
accessible to at least 40 percent of the agencies that responded to 
the survey. The two mechanisms most often cited were E-mail alerts 
from FTA officials (65 of 76) and E-mail alerts from TSA officials (56 
of 76); overall general satisfaction with these two mechanisms was 86 
percent and 74 percent, respectively. Transit Security and Safety 
Roundtables were the highest-rated mechanism for overall general 
satisfaction, with 33 of 36 agencies generally satisfied.[Footnote 28] 
With respect to information relevance, validity, and timeliness--three 
of the six dimensions of quality we included in the survey--regional 
emergency operations centers received the highest general satisfaction 
ratings. For actionable information, respondents rated the information 
they received from other public transportation systems the highest for 
general satisfaction (28 of 33). Among the 12 most frequently cited 
mechanisms, public transit agencies were the least satisfied with 
HSIN, both in terms of overall general satisfaction (19 of 33) and for 
each of the six dimensions of quality. Public transit agencies in our 
survey viewed the PT-ISAC more favorably than HSIN; approximately 
three-fourths (37 of 49) of PT-ISAC users indicated they were 
generally satisfied with the security-related information they 
received from this mechanism. See appendix III for additional data on 
public transit agencies' satisfaction with individual information-
sharing mechanisms. 

Public transit agencies also expressed their views on the "cross- 
sector" information they receive.[Footnote 29] Most agencies that 
responded to our survey indicated that receiving cross-sector 
information is important or very important (63 of 78), and this view 
was shared by both rail and non-rail agencies. However, these two 
groups characterized differently the amount of cross-sector 
information they received. Specifically, approximately half of 
responding rail agencies indicated that they received "about the right 
amount" of cross-sector information (18 of 37). The remaining rail 
agencies either wanted to receive additional cross-sector information 
(7 of 37) or felt that they already received too much (10 of 37). 
[Footnote 30] Conversely, about half of non-rail agencies (22 of 41) 
reported receiving "too little" or "far too little" cross-sector 
information. Rail and non-rail agencies also differed with respect to 
their satisfaction with cross-sector information. Approximately two-
thirds of rail agencies that responded to this question (24 of 37) 
were generally satisfied with cross-sector information, whereas less 
than half of non-rail agencies (16 of 41) were generally satisfied. 
See table 4 for public transit agencies' views on cross-sector 
security information sharing. 

Table 4: Public Transit Agencies' Survey Responses on Cross-Sector 
Information: 

Type of service provided by public transit agency: 

Amount of cross-sector security information? Far too much; 
All agencies: 2; 
Rail agencies: 2; 
Non-rail agencies: [Empty]. 

Amount of cross-sector security information? Too much; 
All agencies: 10; 
Rail agencies: 8; 
Non-rail agencies: 2. 

Amount of cross-sector security information? About the right amount; 
All agencies: 35; 
Rail agencies: 18; 
Non-rail agencies: 17. 

Amount of cross-sector security information? Too little; 
All agencies: 21; 
Rail agencies: 6; 
Non-rail agencies: 15. 

Amount of cross-sector security information? Far too little; 
All agencies: 8; 
Rail agencies: 1; 
Non-rail agencies: 7. 

Amount of cross-sector security information? No opinion/don't know; 
All agencies: 2; 
Rail agencies: 2; 
Non-rail agencies: [Empty]. 

Amount of cross-sector security information? Subtotal; 
All agencies: 78; 
Rail agencies: 37; 
Non-rail agencies: 41. 

Amount of cross-sector security information?: No response; 
All agencies: 2; 
Rail agencies: 2; 
Non-rail agencies: [Empty]. 

Satisfaction with cross-sector security information? Very satisfied; 
All agencies: 14; 
Rail agencies: 11; 
Non-rail agencies: 3. 

Satisfaction with cross-sector security information? Somewhat 
satisfied; 
All agencies: 26; 
Rail agencies: 13; 
Non-rail agencies: 13. 

Satisfaction with cross-sector security information? Neither satisfied 
nor dissatisfied; 
All agencies: 15; 
Rail agencies: 4; 
Non-rail agencies: 11. 

Satisfaction with cross-sector security information? Somewhat 
dissatisfied; 
All agencies: 13; 
Rail agencies: 7; 
Non-rail agencies: 6. 

Satisfaction with cross-sector security information? Very dissatisfied; 
All agencies: 5; 
Rail agencies: 1; 
Non-rail agencies: 4. 

Satisfaction with cross-sector security information? No opinion/do not 
know; 
All agencies: 5; 
Rail agencies: 1; 
Non-rail agencies: 4. 

Satisfaction with cross-sector security information? Subtotal; 
All agencies: 78; 
Rail agencies: 37; 
Non-rail agencies: 41. 

Satisfaction with cross-sector security information? No response; 
All agencies: 2; 
Rail agencies: 2; 
Non-rail agencies: [Empty]. 

Satisfaction with cross-sector security information? Total; 
All agencies: 80; 
Rail agencies: 39; 
Non-rail agencies: 41. 

Source: GAO analysis of survey responses. 

[End of table] 

Opportunities Exist to Streamline Security Information-Sharing Efforts: 

According to TSA's 2007 Transportation Systems Sector-Specific Plan 
Mass Transit Modal Annex, a streamlined and effective system to share 
mass transit and passenger rail information is needed to facilitate 
information sharing among the federal government and public and 
private stakeholders.[Footnote 31] Additionally, in September 2009, we 
reported that multiple information systems can create redundancies 
that make it difficult for end users to discern what is relevant and 
can overwhelm users with duplicative information from multiple 
sources.[Footnote 32] 

Public transit agencies currently receive similar security-related 
information from a variety of sources. In addition to identifying the 
12 key mechanisms most frequently used by public transit agencies to 
obtain security-related information, our survey also identified that 
nearly 80 percent of respondents (63 of 80) used 5 mechanisms or more 
to receive security information. Further, through interviews with 
public transit agencies of various sizes around the country, we 
identified at least 21 mechanisms through which these agencies receive 
security-related information. Moreover, the Mass Transit SCC/Transit, 
Commuter, and Long-Distance Rail Government Coordinating Council (GCC) 
joint Information Sharing Working Group (SCC/GCC Information Sharing 
Working Group)--which is cochaired by TSA and comprised of federal and 
industry stakeholders and was formed to improve information sharing 
with public transit agencies--compiled a list that includes 59 
different information products distributed to public transit agencies 
by 17 different sources.[Footnote 33] 

We identified the potential for overlap between three mechanisms that 
are each designed to communicate similar unclassified and SBU security-
related information to public transit agencies: the PT-ISAC, the HSIN- 
PT subportal, and the newly-formed TS-ISAC. According to APTA, the PT- 
ISAC is intended to be a one stop shop for public transit agencies' 
information needs. However, according to DHS, the HSIN platform is 
intended to serve as the agency's primary mechanism for sharing 
unclassified and SBU information with homeland security stakeholders, 
and TSA officials stated that the agency intends for the HSIN-PT 
subportal to be the primary mechanism for sharing such information 
with public transit agencies. Moreover, the TS-ISAC--which is hosted 
on HSIN-CS and is intended to serve as a collaborative information-
sharing platform for the public transit and other transportation 
modes--includes unclassified and SBU transportation-related 
information products produced by TSA-OI. According to TSA officials, 
the TS-ISAC, which services the larger transportation community, is 
not intended to compete with or replace HSIN-PT or the PT-ISAC, but in 
the future it may include a separate Web page that is specific to 
public transit. 

FTA, TSA, APTA, and public transit agency officials we interviewed 
expressed the desire to streamline information sharing to reduce the 
volume of overlapping information public transit agencies receive. For 
example, the then-Acting Manager of TSA's Mass Transit Division stated 
that the current number of sources available to public transit 
agencies to receive security-related information is "overwhelming." 
Additionally, officials from 16 of 27 agencies we interviewed also 
suggested that information sharing could be improved by reducing 
redundancies and consolidating existing mechanisms. Our survey of 
public transit agencies also indicated a desire for a more streamlined 
approach to information sharing. In an open-ended question asking how 
information sharing could be improved, 24 of 80 agencies provided 
comments in favor of consolidating existing information-sharing 
mechanisms. For example, according to one respondent who favored 
streamlining the existing mechanisms, "there are so many purported 
analysis centers pushing out redundant information that an inordinate 
amount of my time is spent filtering these many reports to find the 
high-value nuggets." Our interviews and survey data are consistent 
with the Administration's March 2010 Surface Transportation Security 
Priority Assessment, which recommended, among other things, that TSA 
implement an approach for sharing transportation security information 
that provides all relevant threat information and improves the 
effectiveness of information flow. 

Federal and industry stakeholders have efforts under way intended to 
improve the efficiency of information sharing with public transit 
agencies and reduce the volume of overlapping information public 
transit agencies receive. Specifically, TSA, FTA, APTA, and other 
government and private sector stakeholders are participating in the 
SCC/GCC Information Sharing Working Group, which is reviewing how the 
PT-ISAC, the HSIN-PT subportal, the TS-ISAC, and other related 
information-sharing mechanisms (including direct E-mails from FTA and 
TSA officials) might be streamlined or consolidated to better serve 
the public transit industry. This working group is considering, among 
other things, whether the PT-ISAC could produce a daily (or twice 
daily) 2 to 3 page unclassified/For Official Use Only (FOUO) 
information product using open-source information as well as 
intelligence products from TSA, DHS, and other entities. This would 
mark a shift in the PT-ISAC's activities, as it would replace a longer 
information product (10 to 15 pages) the PT-ISAC prepares using 
primarily open-source information.[Footnote 34] Working group 
participants are still debating how this new information product would 
be disseminated to the public transit industry (e.g., through direct E-
mails to public transit agencies, through HSIN-PT, or both), and 
whether products could be archived on HSIN-PT or another system to 
facilitate later viewing. In addition, the working group is 
considering ways to scale back the number of direct E-mails public 
transit agencies receive, while still maintaining the capability to 
disseminate information in this manner when necessary. 

Participants in this working group have not yet agreed on a path 
forward to improve information sharing with public transit agencies. 
As of July 2010, TSA officials stated that the working group had not 
yet (1) drafted options for improving information sharing with public 
transit agencies, (2) documented the group's current working proposal, 
or (3) established a time frame for completing either of these 
activities. Additionally, the working group has not yet determined how 
it will incorporate the TS-ISAC into its proposed options. While TSA, 
through the working group, is assessing, among other things, the 
extent to which information-sharing mechanisms can be streamlined, 
there are no time frames established for completing these efforts. 
Developing such time frames to guide the working group's activities--
including its assessment of opportunities to streamline existing 
information-sharing mechanisms that target similar user groups with 
similar information--could assist TSA in completing this important 
effort.[Footnote 35] 

The PT-ISAC Is Not Completing Agreed-Upon Responsibilities and Tasks: 

Standards for Internal Control in the Federal Government provide that 
internal controls should be designed to assure that ongoing monitoring 
occurs in the course of normal operations.[Footnote 36] The 
cooperative agreement between FTA and APTA that provides funding for 
the PT-ISAC specifies that the ISAC perform several functions related 
to the HSIN-PT subportal.[Footnote 37] For example, the agreement 
states that the PT-ISAC is to control access to the HSIN-PT subportal, 
manage the information that is available on the subportal, and take 
steps to enhance its user-friendliness. As specified in the 
cooperative agreement, TSA and FTA monitor the PT-ISAC's expenditures 
and activities through quarterly financial and operational reports to 
help ensure the PT-ISAC fulfills these tasks.[Footnote 38] 

However, while TSA and FTA oversee PT-ISAC expenditures, they are not 
currently taking steps to ensure that the PT-ISAC performs all of the 
activities that are specified under the cooperative agreement. For 
example, the PT-ISAC does not post its analytical products (or other 
security-related information) to the HSIN-PT subportal, nor has it 
organized and archived HSIN-PT content to facilitate better access to 
information, as specified by the agreement. As a result, HSIN-PT is 
not regularly updated with security-related information, including PT-
ISAC analytical products, which could be beneficial to public transit 
agencies. TSA, FTA, APTA, and PT-ISAC officials agree that the PT-ISAC 
is not performing the HSIN-related functions specified in the FTA/APTA 
cooperative agreement. These officials told us that through the 
SCC/GCC Information Sharing Working Group, they are reviewing the 
specific roles and responsibilities of the PT-ISAC--including 
activities related to the HSIN-PT subportal. However, regardless of 
whether the working group redefines the PT-ISAC's roles and 
responsibilities, it is important to ensure that the activities 
specified in the cooperative agreement are carried out. Taking steps 
to ensure the PT-ISAC fulfills its responsibilities and completes 
agreed-upon tasks could help assure TSA and FTA that this mechanism 
meets the security information needs of public transit agencies. 

Awareness and Use of PT-ISAC and HSIN among Some Public Transit 
Agencies Could Be Increased: 

In March 2004, we recommended that agencies take actions to better 
target federal outreach efforts, and internal control standards call 
for management to ensure adequate means of communicating with external 
stakeholders who may have a significant impact on agency goals. 
[Footnote 39] Security officials at the public transit agencies we 
surveyed were not always aware of the existence of the PT-ISAC and 
HSIN, particularly non-rail agencies, midsized agencies, and agencies 
that do not have their own dedicated police department. For example, 
of the 80 agencies we surveyed, 23 indicated they did not receive 
security information from the PT-ISAC and 8 did not know whether they 
used this mechanism. Moreover, 15 of the 23 agencies that did not 
receive information from the PT-ISAC had never heard of it (see table 
5).[Footnote 40] 

Table 5: Awareness and Use of PT-ISAC for Different Categories of 
Public Transit Agencies: 

Does your agency currently receive security-related information from 
the PT-ISAC? 

Type of agency: All agencies; 
Yes: 49; 
No[A]: 23; 
Do not know: 8; 
Total: 80. 

Type of agency: Dedicated police department; 
Yes: 24; 
No[A]: 4; 
Do not know: 1; 
Total: 29. 

Type of agency: No dedicated police department; 
Yes: 25; 
No[A]: 19; 
Do not know: 7; 
Total: 51. 

Type of agency: Rail agencies; 
Yes: 30; 
No[A]: 5; 
Do not know: 4; 
Total: 39. 

Type of agency: Non-rail agencies; 
Yes: 19; 
No[A]: 18; 
Do not know: 4; 
Total: 41. 

Type of agency: Large agencies; 
Yes: 14; 
No[A]: 1; 
Do not know: 0; 
Total: 15. 

Type of agency: Mid-sized agencies; 
Yes: 35; 
No[A]: 22; 
Do not know: 8; 
Total: 65. 

Source: GAO analysis of survey responses. 

[A] Of the 23 agencies that indicated they did not use the PT-ISAC, 15 
had never heard of it. 

[End of table] 

According to FTA officials, the PT-ISAC is meant to serve as a 
valuable resource for midsized and smaller public transit agencies. 
However, our survey results indicate that fewer non-rail and midsized 
agencies received information from the PT-ISAC than rail and large 
agencies (19 of 41 non-rail and 35 of 65 midsized agencies, as opposed 
to 30 of 39 rail agencies and 14 of 15 large agencies, respectively). 
Moreover, nearly all of the agencies we surveyed that had not heard of 
the PT-ISAC were non-rail agencies (14 of 15), midsized agencies (15 
of 15), or agencies without their own dedicated police department (14 
of 15). 

APTA conducts some PT-ISAC outreach through E-mails and newsletters to 
its members and other stakeholders, and FTA officials stated that they 
promote the PT-ISAC at Transit Security and Safety Roundtables. Both 
APTA and FTA officials agreed, however, on the need for additional 
outreach to public transit agencies to increase awareness and use of 
the PT-ISAC. TSA did not provide information on any existing PT-ISAC 
outreach efforts, but officials stated that the agency's future 
actions with respect to the PT-ISAC, including outreach activities, 
will depend on the proposed options that arise from the SCC/GCC 
Information Sharing Working Group. However, as noted above, there are 
no time frames for this working group to draft or finalize its 
proposals for improving information sharing, including who will be 
responsible for conducting outreach activities for the PT-ISAC or what 
these activities will entail. Conducting targeted outreach to agencies 
that are not currently using the PT-ISAC--particularly non-rail 
agencies, midsized agencies, and agencies that do not have their own 
dedicated police department--could help to increase awareness and use 
of this mechanism. 

TSA and APTA officials also stated that not all public transit 
agencies are aware of HSIN and those that are may not view the system 
as a valuable resource. The results of our survey are consistent with 
this view and illustrate that public transit agencies' awareness of 
HSIN could be increased. For example, less than half of public transit 
agencies (34 of 77) reported that they had log-in access to HSIN and 
had not lost or forgotten their log-in information (see table 6). 

Table 6: Awareness of and Access to HSIN for Different Categories of 
Public Transit Agencies: 

Does your agency currently have log-in access to HSIN? 

Type of agency: All agencies; 
Yes: 34; 
Yes, but lost/forgot log-in information: 13; 
No[A]: 19; 
Do not know: 11; 
Subtotal: 77; 
No response: 3; 
Total: 80. 

Type of agency: Dedicated police department; 
Yes: 17; 
Yes, but lost/forgot log-in information: 7; 
No[A]: 1; 
Do not know: 2; 
Subtotal: 27; 
No response: 2; 
Total: 29. 

Type of agency: No dedicated police department; 
Yes: 17; 
Yes, but lost/forgot log-in information: 6; 
No[A]: 18; 
Do not know: 9; 
Subtotal: 50; 
No response: 1; 
Total: 51. 

Type of agency: Rail agencies; 
Yes: 20; 
Yes, but lost/forgot log-in information: 8; 
No[A]: 6; 
Do not know: 3; 
Subtotal: 37; 
No response: 2; 
Total: 39. 

Type of agency: Non-rail agencies; 
Yes: 14; 
Yes, but lost/forgot log-in information: 5; 
No[A]: 13; 
Do not know: 8; 
Subtotal: 40; 
No response: 1; 
Total: 41. 

Type of agency: Large agencies; 
Yes: 9; 
Yes, but lost/forgot log-in information: 4; 
No[A]: 1; 
Do not know: 1; 
Subtotal: 15; 
No response: 0; 
Total: 15. 

Type of agency: Midsized agencies; 
Yes: 25; 
Yes, but lost/forgot log-in information: 9; 
No[A]: 18; 
Do not know: 10; 
Subtotal: 62; 
No response: 3; 
Total: 65. 

Source: GAO analysis of survey responses. 

[A] Of the 19 agencies that indicated they do not have log-in access 
to HSIN, 12 reported they had never heard of it. 

[End of table] 

As with PT-ISAC usage, a greater proportion of large agencies, rail 
agencies, and agencies that maintain their own dedicated police 
departments indicated they had log-in access to HSIN and had not lost 
or forgotten their log-in information (9 of 15 large agencies, 20 of 
39 rail agencies, and 17 of 29 agencies with dedicated police 
departments, as opposed to 25 of 65 midsized agencies, 14 of 41 non-
rail agencies, and 17 of 51 agencies without dedicated police 
departments, respectively). Moreover, our survey also identified that, 
of the 19 agencies that do not have HSIN access, 12 had never heard of 
the mechanism, and an additional 11 agencies did not know whether they 
had access to HSIN. Of the 12 agencies that had never heard of HSIN, 
nearly all were non-rail agencies (10 of 12), midsized agencies (12 of 
12), or agencies without their own dedicated police department (12 of 
12). 

Multiple entities have a role in conducting outreach to public transit 
agencies about HSIN. DHS's Office of Operations, Coordination, and 
Planning is generally responsible for conducting HSIN outreach, but 
DHS officials from this office told us that outreach efforts for HSIN-
CS, including the HSIN-PT subportal, are under the purview of DHS IP. 
However, DHS IP officials told us that they are deferring to APTA and 
TSA (the sector coordinator and sector-specific agency for mass 
transit, respectively), as described in the NIPP, to conduct outreach 
to public transit agencies on the HSIN-PT subportal. TSA has conducted 
some outreach to the public transit industry about HSIN by including 
HSIN reminders when it distributes security information via E-mail to 
public transit agencies. However, as table 6 illustrates, past 
outreach efforts have not resulted in widespread HSIN awareness and 
use among public transit agencies that we surveyed (particularly 
midsized agencies, non-rail agencies, and agencies without a dedicated 
police department), and our survey results suggest that access to HSIN 
remains a concern.[Footnote 41] TSA officials stated that the agency 
recognizes the need for additional outreach to increase public transit 
agencies' awareness and use of the HSIN-PT subportal and added that 
future outreach efforts will depend on the proposed options that arise 
from the SCC/GCC Information Sharing Working Group. However, there are 
no time frames for this working group to draft or finalize its 
proposals for improving information sharing.[Footnote 42] Conducting 
targeted outreach to agencies that are not currently using HSIN--
particularly non-rail agencies, midsized agencies, and agencies that 
do not have their own dedicated police department--could help to 
increase awareness and use of this mechanism. 

Regarding the newly-formed TS-ISAC, TSA has conducted initial outreach 
to increase public transit agencies' awareness. For example, TSA 
distributed a TS-ISAC marketing package via E-mail to transportation 
stakeholders, and TSA officials stated that the agency is outreaching 
to other DHS components, state and local stakeholders, and other ISACs 
(in addition to the PT-ISAC). According to TSA data from April 2010, 
officials from 46 public transit agencies had been granted access to 
the public transit Web page of the TS-ISAC within the first 4 weeks of 
its operation. However, we did not collect data from public transit 
agencies on their awareness or use of the TS-ISAC because it was not 
implemented until March 2010, after we developed our survey. As a 
result, we could not determine the extent to which outreach efforts 
have increased awareness and use of the TS-ISAC in the public transit 
industry. 

Concerns with Accessibility, User-Friendliness, and Information Value 
May Hinder HSIN from Meeting the Security Information Needs of Public 
Transit Agencies: 

Standards for Internal Control in the Federal Government call for 
agencies to ensure adequate means of communicating with external 
stakeholders that may have a significant impact on agency goals, and 
effective information technology management is critical to achieving 
useful, reliable, and continuous communication of 
information.[Footnote 43] However, concerns among public transit 
agencies about HSIN's accessibility may reduce its value as a source 
of security-related information. Industry officials characterized HSIN 
as a "pull" system that requires users to log in and extract what is 
relevant to their agency. Security officials at 11 of 27 public 
transit agencies we interviewed told us they prefer security 
information to be "pushed" out to them (e.g., through E-mails, phone 
calls) instead of having to log into a system to retrieve it 
themselves. APTA officials stated that public transit security 
personnel do not have time to log into a "pull" system, such as HSIN, 
every day and sift through excess information to extract what is 
relevant to their agency. In addition, when a HSIN password expires 
(which occurs after 90 days for security reasons) users must call the 
HSIN help desk to obtain a new one. However, the contact information 
for the HSIN help desk is not located on the main HSIN log-in page, so 
users may not know how to get help if they experience log-in 
challenges. Of the 27 agencies we interviewed, 8 indicated they had 
experienced problems accessing HSIN.[Footnote 44] In June 2010, DHS 
implemented a new agency policy to identify HSIN users that have not 
accessed the system in 180 days and notify them via E-mail every 3 
months instructing them to contact the HSIN help desk to obtain a new 
password. DHS officials also told us that the phone number for the 
HSIN help desk would be added to the HSIN log-in page, but the agency 
had not done so as of August 2010. 

In addition to accessibility concerns, certain aspects of HSIN are not 
user-friendly, and the security-related information available on the 
HSIN-PT subportal is not always valuable to public transit agencies. 
Of the 11 agencies we interviewed that had access to HSIN and used it 
to receive security-related information, 5 reported problems with 
using the system once they logged in. These problems included 
configuring E-mail alerts to notify them when information is 
discovered or changed in a particular area of HSIN (e.g., the HSIN-PT 
subportal). We experienced similar problems using these E-mail alerts. 
After setting up alerts to notify us when documents are discovered or 
changed on the HSIN-PT subportal, we received multiple notifications 
on a near-daily basis with links to outdated documents, such as job 
announcements last modified in 2007, a threat advisory for the New 
York City subway system last modified in 2006, and a map of power 
outages caused by Hurricane Wilma in 2005. Further, we found that 
security-related information on HSIN that could be useful to public 
transit agencies was not always posted to the HSIN-PT subportal. For 
example, in the days following the Moscow subway bombings in March 
2010, certain documents pertaining to the attack were available on the 
HSIN-CS portal, but did not appear on HSIN-PT, despite their direct 
relevance to public transit agency users. The E-mail alerts we had set 
up for HSIN-PT did not notify us of any of this information, which 
included a document describing heightened security measures a large 
U.S. public transit agency took in response to the Moscow attack. This 
information could have been of interest to other public transit 
agencies, but HSIN-PT users would not have known about it unless they 
logged into the system without an E-mail prompt, navigated to the HSIN-
CS portal, and found the information themselves. Based on our survey 
results--which indicate that only 3 of 77 agencies use HSIN daily--
agencies may not have known that information pertaining to the Moscow 
bombings was available to them on HSIN[Footnote 45].: 

DHS and TSA agree that the HSIN-PT subportal is not widely used by the 
public transit industry and that improvements are needed. One such 
improvement is related to DHS's efforts to develop a replacement 
system for the HSIN platform, known as HSIN Next Generation. This new 
system, which DHS began to develop in 2008, is intended to provide 
increased security and access to SBU information for public transit 
agencies and other user communities, including law enforcement, 
intelligence, immigration, and emergency and disaster management. 
According to DHS officials, the agency intends to move the subportals 
on HSIN-CS, including HSIN-PT, to the new HSIN Next Generation 
platform during the last quarter of calendar year 2010.[Footnote 46] 
Taking steps to ensure public transit agencies can access and readily 
use HSIN--and ensuring the HSIN-PT subportal contains security-related 
information that is of value to these agencies--could help DHS improve 
HSIN's capacity to meet public transit agencies' security-related 
information needs. 

DHS's Information-Sharing Efforts Could be Enhanced by Developing More 
Specific Goals and Measures and Obtaining Additional Industry Feedback: 

DHS and TSA Have Established Goals and Measures Related to Information 
Sharing, but Their Goals Are Not Specific to Public Transit and 
Existing Measures May Limit Program Assessment: 

DHS and TSA have established goals and output-oriented performance 
measures for their information-sharing activities to help gauge the 
effectiveness of their overall information-sharing efforts with 
security stakeholders.[Footnote 47] However, they have not developed 
performance goals and outcome-oriented measures to gauge the 
effectiveness of their information-sharing efforts specific to public 
transit agencies. Specifically, DHS and TSA have not developed such 
goals and measures for HSIN-PT and the PT-ISAC--mechanisms designed to 
serve as the primary information sources for the public transit 
agencies--or the recently established TS-ISAC. As a result, DHS and 
TSA may not be fully informed of the effectiveness of their 
information-sharing activities for the public transit industry. TSA 
officials recognize the importance of establishing specific goals and 
developing outcome-oriented measures, but they are in the beginning 
stages of doing so and could not provide time frames for when they 
plan to complete these efforts. Table 7, below, details DHS's current 
goals and performance measures related to information sharing. 

Table 7: DHS and TSA Performance Goals and Measures for Information- 
Sharing Activities: 

Agency: DHS; 
Goal: Detect, deter, and prevent terrorist incidents by sharing 
domestic situational awareness through national operational 
communications and intelligence analysis; 
Measure: (1) Number of Homeland Intelligence Reports disseminated[A]; 
(2) Percentage of breaking homeland security situations disseminated 
to designated partners within targeted time frames; 
Focus: Homeland security stakeholders; 
Source: DHS Annual Performance Report Fiscal Years 2008-2010. 

Agency: DHS; 
Goal: Provide, build, and support a robust information-sharing 
capability among and between federal and state, local, and tribal 
partners; 
Measure: None; 
Focus: Homeland security stakeholders; 
Source: I&A 2009 Strategy. 

Agency: TSA; 
Goal: Prevent or deter acts of terrorism using or against the 
transportation system; 
Measure: None; 
Focus: Transportation industry, including mass transit; 
Source: TSA Transportation Systems Sector Specific Plan and 
accompanying Mass Transit Modal Annex. 

Agency: TSA; 
Goal: Improve the timely and secure exchange of transportation 
security information; 
Measure: None; 
Focus: Homeland security stakeholders; 
Source: TSISP 2009 Update. 

Agency: TSA; 
Goal: Establish a framework enabling secure, multidirectional 
transportation security information between government and industry; 
Measure: None; 
Focus: Homeland security stakeholders; 
Source: TSISP 2009 Update. 

Source: GAO analysis of DHS and TSA information. 

Note: "None" as used in the performance measures column refers to the 
lack of performance measures identified by DHS and TSA in writing or 
orally. 

[A] Homeland Intelligence Reports provide emergent intelligence 
information to security stakeholders. The DHS Annual Performance 
Report Fiscal Years 2007-2009 also measured the percentage of active 
HSIN users. However, this measure has been temporarily discontinued 
due to account verification process issues. This measure was not 
included in the DHS Annual Performance Report Fiscal Years 2008-2010. 

[End of table] 

The performance goals and measures established by DHS and TSA are 
primarily focused on information-sharing efforts with homeland 
security stakeholders and the transportation community as a whole, and 
are not specific to their efforts to share security-related 
information with the public transit industry.[Footnote 48] TSA has 
developed some output-oriented performance measures specifically for 
assessing its efforts to share security-related information with 
public transit agencies. According to TSA officials, the agency 
currently tracks: (1) the number of meetings held between the GCC and 
the Mass Transit SCC and the number of Transit Security and Safety 
Roundtables; (2) the number of teleconferences it conducts with the 
peer advisory group and the number of intelligence/information 
products it releases; and (3) the usage of the public transit 
subportal on HSIN as an indicator of stakeholders' interest in the 
information provided. TSA-OI is also collecting output data to measure 
the performance of the TS-ISAC, such as the number of users, the 
length of time each user is logged-on to the site, and the number of 
times users access information from the Web site. 

We have previously reported that decision makers use performance 
measurement information, including output measures and information on 
program operations, to help identify problems in individual programs, 
identify causes of the problems, and modify services or processes to 
address problems.[Footnote 49] However, leading management practices 
emphasize that successful performance measurement focuses on assessing 
the results of individual programs and activities.[Footnote 50] We 
have also previously reported that without effective performance 
measurement, especially data on program outcomes, decision makers may 
have insufficient information to evaluate the cost-effectiveness of 
their activities.[Footnote 51] While output measures, such as those 
developed by TSA, are useful because they indicate the quantity of 
direct services a program delivers, they do not reflect the overall 
effectiveness of their activities. We recognize and have previously 
reported on the challenge of assessing the effectiveness of security- 
related activities such as information sharing and developing outcome- 
oriented measures, but have called on agencies to take steps towards 
establishing such measures to hold them accountable for the 
investments they make. Furthermore, developing such measures provides 
agencies with valuable information for evaluating the effectiveness of 
their programs and the extent to which they are meeting their goals. 

Furthermore, TSA has not developed specific performance goals or 
outcome-oriented measures for the PT-ISAC or HSIN-PT, which were both 
established as primary information-sharing mechanisms for public 
transit agencies. According to TSA and APTA officials, they plan to 
develop specific goals and measures for the PT-ISAC through the 
GCC/SCC Information Sharing Working Group. However, the working group 
is still finalizing its options for enhancing information-sharing 
efforts with public transit agencies, including assessing 
opportunities to streamline existing information-sharing mechanisms, 
and TSA officials were unable to provide us with time frames 
concerning the completion of these efforts.[Footnote 52] In regard to 
HSIN-PT, TSA has developed an output-oriented performance measure 
which tracks the number of users of this mechanism; however, this 
measure provides limited information on which the agency can assess 
the results and progress of this information-sharing mechanism. TSA-
OI, however, has not developed specific goals or outcome-oriented 
performance measures for HSIN-PT. Moreover, TSA-OI officials reported 
that for the newly established TS-ISAC, they are focusing on providing 
security-related products to 100 percent of homeland security 
stakeholders, including public transit agencies. However, TSA has not 
developed goals or related performance measures for this mechanism and 
could not provide time frames for doing so.[Footnote 53] Once the 
SCC/GCC Information Sharing Working Group has developed options for 
improving information sharing with public transit agencies, 
establishing time frames for developing goals and related, outcome-
oriented measures for the PT-ISAC, HSIN-PT, and TS-ISAC could assist 
TSA in obtaining more meaningful information from which to gauge the 
effectiveness of these information-sharing mechanisms. 

DHS Has Taken Steps to Gather Feedback on Public Transit Agencies' 
Satisfaction with the Security-Related Information They Receive, but 
Has Not Established a Systematic Process for Collecting Such 
Information: 

DHS and TSA have taken some steps to gather feedback on public transit 
agencies' satisfaction with the security-related information they 
receive. For example, DHS and TSA developed forms to periodically 
gather feedback on security-related products from their customers, 
including public transit agencies. TSA officials also reported that 
they informally gather feedback during the Transit Security and Safety 
Roundtables. However, a systematic process for obtaining feedback on 
the usefulness of the PT-ISAC and HSIN-PT does not currently exist. We 
have previously reported that agencies with a systematic process for 
gathering feedback use surveys and other methods to identify the 
importance or depth of customers' issues in a single, centralized 
framework, and integrate the feedback information obtained in a 
standard and consistent manner.[Footnote 54] In December 2009, we 
reported that additional DHS actions to obtain feedback on the utility 
and quality of information shared could strengthen the department's 
efforts in this area.[Footnote 55] Research of best practices for 
customer satisfaction suggests that multiple approaches to customer 
feedback, such as focus groups and complaint programs that provide 
qualitative and quantitative data, and the integration of feedback 
data, are needed to effectively listen and understand customers' needs 
and to take appropriate action to meet those needs.[Footnote 56] 

In March 2010, DHS I&A began attaching a survey to each of its FOUO 
intelligence products that are disseminated to all its customers, 
including state and local partners, who receive FOUO products, to 
better understand customer information needs. Public transit agencies 
that receive I&A's FOUO intelligence products will therefore have an 
opportunity to provide feedback on the information provided. I&A 
officials stated that they plan to use these results to better inform 
them of product usefulness and the security information needs of their 
customers. In addition, TSA-OI posted a feedback form on the TS-ISAC 
to gather users' views, including public transit agencies, on TSA-OI 
products. However, TSA-OI's marketing materials on the TS-ISAC did not 
reference this feedback survey, nor has the agency informed users of 
this survey's existence through any other method. In addition, 
according to TSA-OI officials, this survey was posted shortly after 
the TS-ISAC was implemented in March 2010, but as of May 27, 2010, TSA-
OI had not received any feedback through this survey. Due to the 
recent timing of these survey efforts, it may be too early to assess 
the insights that will be provided through this mechanism. 

Although TSA officials have established a process to gather user 
views, including public transit agencies, on TSA-OI products, TSA has 
not established a systematic process to obtain public transit 
agencies' feedback on information shared through the PT-ISAC and 
through HSIN-PT--the primary mechanisms designed to share security-
related information with public transit agencies. Also, as of July 
2010, TSA officials stated that they are uncertain about whether or 
not they will continue to use the TS-ISAC feedback form as a mechanism 
to gather public transit agency feedback. However, they stated that 
the agency does not have a systematic process in place to request, 
collect, and analyze feedback in order to gauge public transit 
agencies' overall satisfaction with its information-sharing 
activities, and that such a process is needed. TSA officials could 
consider using various survey tools and other methods to assist them 
in collecting public transit agency feedback, which could better 
inform them of the effectiveness of their information-sharing efforts. 
For example, through our survey, we were able to assess the extent to 
which these public transit agencies used and were satisfied with a 
variety of information-sharing mechanisms, including TSA mechanisms. 
DHS's and TSA's efforts to share security-related information with 
public transit agencies could be enhanced by developing a systematic 
process for gathering feedback on these agencies' satisfaction with 
the information they receive. 

Conclusions: 

The recent bombings on the Moscow subway and planned attempts to 
detonate explosives in the New York City subway system have 
highlighted the continued threat to public transit systems in foreign 
countries and in the United States. While the SCC/GCC Information 
Sharing Working Group's efforts to enhance information sharing with 
public transit agencies reflects the joint stakeholder commitment to 
this area, opportunities for strengthening information sharing exist. 
Until TSA establishes time frames for the SCC/GCC Information Sharing 
Working Group to complete its efforts, including assessing 
opportunities to streamline existing information-sharing mechanisms 
and conducting targeted outreach efforts to increase awareness of the 
PT-ISAC and HSIN, the agency is limited in its ability to take further 
action to strengthen information sharing. In addition, without taking 
steps to ensure that the PT-ISAC fulfills its responsibilities and 
completes agreed-upon tasks, TSA and FTA cannot be assured that this 
mechanism meets the security information needs of public transit 
agencies. Further, while DHS and TSA are taking steps to improve 
information sharing with public transit agencies, this effort will not 
be complete until the accessibility and user-friendliness of HSIN are 
addressed. Moreover, the HSIN-PT subportal will likely continue to be 
underutilized until DHS takes steps to ensure that this mechanism 
contains security-related information that is of value to public 
transit agencies. 

Once the SCC/GCC Information Sharing Working Group develops options 
for improving information sharing with public transit agencies, it 
will be important for DHS and TSA to continue with other efforts to 
strengthen this area of information sharing. Specifically, until DHS 
establishes time frames for developing goals and related outcome-
oriented performance measures for the PT-ISAC, HSIN-PT, and TS-ISAC, 
the department will be limited in its ability to gauge the 
effectiveness of its information-sharing efforts with the public 
transit industry. Finally, while we are encouraged by the department's 
efforts to gather feedback on public transit agencies' satisfaction 
with the security-related information they receive, a systematic 
process for obtaining such feedback on the PT-ISAC and HSIN-PT is 
lacking. Such a process could help DHS and TSA assess the 
effectiveness of their efforts to share security-related information 
with public transit agencies. 

Recommendations for Executive Action: 

To help strengthen information sharing with public transit agencies, 
we recommend that the Secretary of Homeland Security direct the 
Assistant Secretary for the Transportation Security Administration to 
take the following action in coordination with FTA and public transit 
agencies: 

* Establish time frames for the SCC/GCC Information Sharing Working 
Group to develop options for improving information sharing to public 
transit agencies and complete this effort, including the Working 
Group's efforts to: 

- assess opportunities to streamline existing information-sharing 
mechanisms that target similar user groups with similar information to 
reduce overlap, where appropriate; and: 

- conduct targeted outreach efforts to increase awareness of the PT- 
ISAC and HSIN among agencies that are not currently using or aware of 
these systems. 

To help ensure that the PT-ISAC is meeting its objectives for sharing 
security-related information with public transit agencies, we 
recommend that the Secretaries of Homeland Security and Transportation 
direct the Assistant Secretary of the Transportation Security 
Administration and Administrator of the Federal Transit Administration 
to take the following action: 

* Take steps to ensure the PT-ISAC fulfills its responsibilities and 
completes agreed-upon tasks. 

To help strengthen DHS's efforts to share security-related information 
with public transit agencies, we recommend that the Secretary of 
Homeland Security take the following three actions: 

* Take steps to ensure that public transit agencies can access and 
readily utilize HSIN and that the HSIN-PT subportal contains security- 
related information that is of value to public transit agencies. 

* Once the SCC/GCC Information Sharing Working Group has developed 
options for improving information sharing with public transit 
agencies, establish time frames for developing goals and related 
outcome-oriented performance measures specific to the PT-ISAC, HSIN-
PT, and TS-ISAC. 

* Develop a process for systematically gathering feedback on public 
transit agencies' satisfaction with the PT-ISAC and HSIN-PT. 

Agency Comments and Our Evaluation: 

We provided a draft of this report and its accompanying e-supplement 
(GAO-10-896SP) to DHS, DOJ, and DOT for review and comments. We 
received written comments from DHS on the draft report, which are 
summarized below and reproduced in full in appendix IV. DHS concurred 
with the report and recommendations and indicated that it is taking 
steps to address the recommendations. DHS also provided technical 
comments that we incorporated where appropriate. In an E-mail received 
September 7, 2010, the FBI liaison stated that the Bureau had no 
comments on the draft report. DOT did not provide comments on the 
findings and recommendations but did provide technical comments to the 
draft report, which we have incorporated where appropriate. DHS, DOJ, 
and DOT did not provide comments on the e-supplement. 

In commenting on the draft report, DHS described the efforts the 
department has underway or planned to address our recommendations. 
These efforts are intended to improve information sharing with public 
transit agencies. However, although the actions DHS reported are 
important first steps, additional efforts are needed to help ensure 
that our recommendations are fully implemented, as discussed below. 

With regard to our first recommendation that TSA coordinate with FTA 
and public transit agencies to establish time frames for the SCC/GCC 
Information Sharing Working Group for completing efforts to develop 
options for improving information sharing to public transit agencies, 
including assessing opportunities for streamlining existing mechanisms 
and conducting targeted outreach, DHS stated that TSA is continuing to 
work with members of the working group to identify options on how to 
streamline the flow of information and described one such option. 
According to DHS, the working group has identified at least one 
product option for streamlining information sharing that would match 
the needs of stakeholders. This product would be "pushed" out to 
stakeholders and also be posted on appropriate websites. DHS also 
stated that TSA is taking steps to improve targeted outreach through 
collaboration of the Surface Transportation Information Sharing and 
Analysis Center and the PT-ISAC in the development of periodic 
intelligence summaries and plans to work with both ISACs, as well as 
DHS to ensure further outreach is conducted with stakeholders. TSA's 
efforts to streamline information sharing with public transit agencies 
and improve its outreach are important first steps toward improving 
the information provided to the public transit industry. In order to 
meet the full intent of our recommendation, TSA should establish time 
frames for completing these efforts. In addition, TSA did not indicate 
whether it has identified other options or is considering taking 
additional steps to streamline existing information sharing mechanisms 
or how its outreach to public transit agencies will be targeted to 
those agencies not currently using or aware of these systems. Taking 
such actions would be necessary to fully address the intent of this 
recommendation. 

Regarding our second recommendation that TSA and FTA take steps to 
ensure the PT-ISAC fulfills its responsibilities and completes agreed- 
upon tasks, DHS stated that the purpose for including HSIN-PT content 
management and other elements currently in the cooperative agreement 
with APTA/PT-ISAC was to fill gaps in the information sharing process 
used by the mass transit and passenger rail community. DHS also stated 
that TSA intends to ensure compliance with the contract elements by 
"phasing in PT-ISAC contributions and requirements to achieve maximum 
effectiveness." TSA's stated plan for ensuring compliance with 
contract elements appears to be a positive step. However, DHS's 
response did not indicate the specific steps that will be taken to 
ensure that the PT-ISAC fulfills its responsibilities and completes 
agreed-upon tasks. Taking such action would more fully address our 
recommendation. 

In regards to our third recommendation that DHS take steps to ensure 
that public transit agencies can access and readily utilize HSIN and 
that the HSIN-PT subportal contains security-related information that 
is of value to public transit agencies, DHS stated that it supports 
changes to HSIN and the intensification of efforts to expand its use 
for the broader range of transit and passenger rail agencies. DHS also 
stated that in fiscal year 2010, the HSIN program increased its 
efforts to raise the awareness of HSIN through a targeted marketing 
strategy. DHS also stated that the HSIN program's requirements 
management process and operator representation on the HSIN Mission 
Operators Committee governance board will ensure that public transit 
sector requirements are assessed, prioritized, and implemented. While 
DHS's reported efforts to expand HSIN use with the public transit 
community are noteworthy, in order to meet the full intent of our 
recommendation, DHS should also take steps to ensure that public 
transit agencies can readily access and use HSIN, as we recommended. 
Additionally, DHS did not clearly identify the actions it will take to 
ensure that the HSIN-PT subportal contains security-related 
information that is of value to public transit agencies. Identifying 
and implementing such steps would be necessary to fully address the 
intent of our recommendation. 

With regard to our fourth recommendation that DHS establish time 
frames for developing goals and related outcome-oriented performance 
measures specific to the PT-ISAC, HSIN-PT, and TS-ISAC, DHS agreed 
that developing outcome-oriented measures for information sharing is 
important. Specifically, DHS stated that TSA will work with DHS, APTA, 
and the PT-ISAC to develop a series of goals and measures to assess 
the effectiveness of its information-sharing efforts. DHS added that 
these measures, once developed, can be expected to evolve and improve 
over time as systematic improvements are made. DHS plans to share the 
developed measures with its stakeholders to obtain their comments. In 
order to meet the full intent of our recommendation, DHS should 
establish time frames for developing such goals and measures. 

Concerning our fifth recommendation that DHS develop a process for 
systematically gathering feedback on public transit agencies' 
satisfaction with the PT-ISAC and HSIN-PT, DHS stated that updates to 
HSIN will enable the department to efficiently capture user feedback. 
DHS also stated that it would need to collaborate with TSA and DOT as 
well as industry stakeholders to develop additional stakeholder 
feedback mechanisms. DHS also noted that is will continue to obtain 
stakeholder feedback through its survey on the TS-ISAC subportal. 
While the development of the customer survey on the TS-ISAC is an 
important step in obtaining feedback on the satisfaction of this 
mechanism, DHS should ensure that its process for gathering feedback 
on public transit agencies' satisfaction with the PT-ISAC and HSIN-PT 
is systematic, as we recommended. Taking such action is necessary to 
fully address this recommendation. 

We are sending copies of this report to the Secretaries of Homeland 
Security and Transportation, and the Attorney General. The report is 
also available at no charge on GAO's Web site at [hyperlink, 
http://www.gao.gov]. If you or your staff have any questions about 
this report, please contact me at (202) 512-4379 or lords@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
made major contributions to this report are listed in appendix V. 

Signed by: 

Stephen M. Lord: 
Director, Homeland Security and Justice Issues: 

List of Committees: 

The Honorable Joseph I. Lieberman 
Chairman 
The Honorable Susan M. Collins 
Ranking Member 
Committee on Homeland Security and Governmental Affairs 
United States Senate: 

The Honorable Christopher J. Dodd: 
Chairman: 
The Honorable Richard C. Shelby: 
Ranking Member: 
Committee on Banking, Housing, and Urban Affairs: 
United States Senate: 

The Honorable Bennie G. Thompson: 
Chairman: 
The Honorable Peter T. King: 
Ranking Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable James L. Oberstar: 
Chairman: 
The Honorable John L. Mica: 
Ranking Member: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

This report addresses the following questions: (1) What mechanisms has 
the federal government established or funded as primary information- 
sharing sources for public transit agencies? (2) To what extent are 
public transit agencies satisfied with federal efforts to share 
security-related information, and how, if at all, can these efforts be 
improved? (3) To what extent has the Department of Homeland Security 
(DHS) identified goals for sharing security-related information with 
public transit agencies and developed measures to gauge its progress 
in meeting those goals? 

To identify the mechanisms established or funded by the federal 
government to serve as primary information sources for public transit 
agencies, we reviewed and assessed relevant documentation, such as the 
Homeland Security Information Network (HSIN) Program Management Plan, 
and interviewed officials from DHS components including the Office of 
Infrastructure Protection (IP) within the National Protection and 
Programs Directorate (NPPD), the Office of Intelligence and Analysis 
(I&A), the U.S. Coast Guard, and the Transportation Security 
Administration (TSA), as well as officials from the Federal Transit 
Administration (FTA) and the Federal Bureau of Investigation (FBI) to 
discuss the mechanisms they use to share security-related information 
with public transit agencies.[Footnote 57] We also conducted site 
visits, or held teleconferences, with security and management 
officials from a nonprobability sample of 27 public transit agencies 
across the nation to determine which mechanisms are most routinely 
used by these agencies to obtain security-related information. These 
transit agencies were selected to generally reflect the variety of 
transit agencies in terms of size, location, transportation mode, and 
law enforcement presence and represent about 63 percent of the 
nation's total public transit ridership based on information we 
obtained from FTA's National Transit Database. Because we selected a 
nonprobability sample of transit agencies to interview, the 
information obtained cannot be generalized to the overall population 
of transit agencies. However, the interviews provided illustrative 
examples of the perspectives of various transit agencies about federal 
government information-sharing mechanisms and corroborated information 
we gathered through other means. Table 8 lists the public transit 
agencies we interviewed. 

Table 8: Public Transit Agencies Interviewed: 

Public transit agency: Alameda-Contra Costra Transit District (AC 
Transit); 
Urban area served[A]: Oakland, California. 

Public transit agency: Bay Area Rapid Transit; 
Urban area served[A]: San Francisco, California. 

Public transit agency: Chicago Transit Authority; 
Urban area served[A]: Chicago, Illinois. 

Public transit agency: Fairfax Connector Bus System; 
Urban area served[A]: Fairfax, Virginia. 

Public transit agency: City of Tempe Transportation Planning and 
Transit Division-Valley Metro; 
Urban area served[A]: Phoenix-Mesa, Arizona. 

Public transit agency: Greater Richmond Transit Company; 
Urban area served[A]: Richmond, Virginia. 

Public transit agency: Golden Gate Bridge, Highway and Transportation 
District; 
Urban area served[A]: San Francisco, California. 

Public transit agency: Gwinnett County Transit; 
Urban area served[A]: Atlanta, Georgia. 

Public transit agency: Long Beach Transit; 
Urban area served[A]: Los Angeles-Long Beach-Santa Ana, California. 

Public transit agency: Los Angeles County Metropolitan Transportation 
Authority; 
Urban area served[A]: Los Angeles, California. 

Public transit agency: Maryland Transit Administration; 
Urban area served[A]: Baltimore, Maryland. 

Public transit agency: Metropolitan Atlanta Rapid Transit Authority; 
Urban area served[A]: Atlanta, Georgia. 

Public transit agency: Metro-North Commuter Railroad Company; 
Urban area served[A]: New York, New York-Newark, New Jersey-
Connecticut. 

Public transit agency: Metropolitan Transportation Authority Bus; 
Urban area served[A]: New York, New York-Newark, New Jersey-
Connecticut. 

Public transit agency: Metropolitan Transportation Authority Long 
Island Railroad; 
Urban area served[A]: New York, New York-Newark, New Jersey-
Connecticut. 

Public transit agency: Metropolitan Transportation Authority New York 
City Transit; 
Urban area served[A]: New York, New York-Newark, New Jersey-
Connecticut. 

Public transit agency: Montgomery County Transit; 
Urban area served[A]: Washington, D.C., Virginia, Maryland. 

Public transit agency: New Jersey Transit; 
Urban area served[A]: Newark, New Jersey-New York, New York. 

Public transit agency: New York Department of Transportation-Staten 
Island Ferry; 
Urban area served[A]: New York, New York-Newark, New Jersey-
Connecticut. 

Public transit agency: Northeast Illinois Regional Commuter Railroad 
Corporation-METRA; 
Urban area served[A]: Chicago, Illinois-Indiana. 

Public transit agency: Northern Indiana Commuter Transportation 
District; 
Urban area served[A]: Chicago, Illinois-Indiana. 

Public transit agency: Orange County Transportation Authority; 
Urban area served[A]: Los Angeles-Long Beach-Santa Ana, California. 

Public transit agency: Pace - Suburban Bus Division; 
Urban area served[A]: Chicago, Illinois-Indiana. 

Public transit agency: Port Authority Trans-Hudson Corporation-PATH; 
Urban area served[A]: New York, New York-New Jersey. 

Public transit agency: San Francisco Municipal Railway-MUNI; 
Urban area served[A]: San Francisco-Oakland, California. 

Public transit agency: Southern California Regional Rail Authority- 
Metrolink; 
Urban area served[A]: Los Angeles-Long Beach-Santa Ana, California. 

Public transit agency: Washington Metropolitan Area Transit Authority; 
Urban area served[A]: Washington, D.C., Virginia, Maryland. 

Source: GAO: 

[A] The urban area served is consistent with the information contained 
in the National Transit Database. 

[End of table] 

To assess the satisfaction of public transit agencies with federal 
security-related information-sharing efforts and related opportunities 
for improvement, in March and April 2010, we surveyed 96 of the of the 
694 U.S. public transit agencies as of 2008, by ridership statistics, 
on their satisfaction with information-sharing efforts.[Footnote 58] 
The 96 public transit agencies surveyed represent about 91 percent of 
total 2008 ridership. For the purposes of this survey, we defined the 
six aspects of quality security-related information as (1) relevance 
(i.e., is the information sufficiently relevant to be of value to a 
public transit agency?); (2) validity (i.e., is the information 
accurate?); (3) timeliness (i.e., is information received in a timely 
manner?); (4) completeness (i.e., does the information contain all the 
necessary details?); (5) actionability (i.e., would the information 
allow a public transit agency to change its security posture, if such 
a change was warranted?); and (6) access/ease of use (i.e., is 
information available through this mechanism easy to obtain?). To 
develop the survey instrument, we conducted pretest interviews with 
four public transit agencies and obtained input from GAO experts. Out 
of the original population of 96 transit agencies, we received 
completed questionnaires from 80 respondents--a response rate of 83 
percent; however, not all respondents provided answers to every 
question. 

The final instrument, reproduced in an e-supplement we are issuing 
concurrent with this report--GAO-10-896SP--displays the counts of 
responses received for each question. The questionnaire asked those 
public transit officials responsible for security operations to 
identify the modes of transportation they provide, the extent to which 
they house their own law enforcement component, the mechanisms they 
use to obtain security information, and their satisfaction with each 
of these mechanisms. 

While we surveyed 96 agencies of the largest U.S. public transit 
agencies, and thus our data are not subject to sampling error, the 
practical difficulties of conducting any survey may introduce other 
errors in our findings. We took steps to minimize errors of 
measurement, nonresponse, and data processing. In addition to the 
questionnaire development and testing activities described above, we 
made multiple follow-up attempts by E-mail and telephone to reduce the 
level of nonresponse throughout the survey period. Finally, analysis 
programs and other data analyses were independently verified. 

To further address this question, we assessed relevant documentation, 
including interagency agreements between TSA and FTA, as well as 
marketing materials on the Transportation Security Information Sharing 
and Analysis Center (TS-ISAC). We also interviewed American Public 
Transportation Association (APTA), Public Transportation Information 
Sharing and Analysis Center (PT-ISAC), TSA, FBI, FTA, and DHS 
Operations, Coordination, and Planning Directorate officials to 
discuss efforts to streamline existing information-sharing mechanisms, 
oversee the results of the PT-ISAC, and conduct outreach on various 
information-sharing mechanisms. We compared these efforts to internal 
control standards, as well as our previous work on the need to 
consolidate redundant information systems and target outreach efforts. 
In addition, we interviewed select public transit agencies and 
included questions in our Web-based survey of public transit agencies 
on the various information-sharing mechanisms available to them. 

To assess the extent to which DHS has identified goals for sharing 
information with public transit agencies and developed measures to 
gauge its progress in meeting those goals, we reviewed DHS's Annual 
Performance Report, TSA's Transportation Security Information Sharing 
Plan (TSISP), and available performance data and measures for fiscal 
years 2007 through 2010 related to information-sharing efforts with 
public transit agencies and compared them to leading management 
practices and our previous work on program assessments. We also 
interviewed relevant DHS and TSA officials to obtain information on 
their efforts to revise and develop performance measures and goals for 
this area of information sharing, as well as their efforts to obtain 
feedback from public transit agencies on their satisfaction with the 
security-related information they receive. In addition, we compared 
TSA's efforts to evaluate their information-sharing efforts with 
guidance on performance measurement contained in our previous reports. 

We conducted this performance audit from August 2009 through September 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: National Strategies, Plans, and Reports Designed to 
Enhance Information Sharing: 

Since the terrorist attacks on September 11, 2001, the federal 
government has developed strategies to enhance the sharing of 
terrorism-related information among federal, state, local, and tribal 
agencies, and the private sector. These strategies include the 
following: 

* National Strategy for Information Sharing: Issued in October 2007, 
this strategy identifies the federal government's information sharing 
responsibilities. These responsibilities include gathering and 
documenting the information that state, local, and tribal agencies 
need to enhance their situational awareness of terrorist threats. The 
strategy also calls for authorities at all levels of government to 
work together to obtain a common understanding of the information 
needed to prevent, deter, and respond to terrorist attacks. 
Specifically, the strategy discusses the need to improve the two-way 
sharing of terrorism-related information on incidents, threats, 
consequences, and vulnerabilities, including enhancing the quantity 
and quality of specific, timely, and actionable information provided 
by the federal government to critical infrastructure sectors.[Footnote 
59] 

* DHS Information Sharing Strategy: Issued in April 2008, this 
strategy describes the guiding principles for DHS's efforts to share 
information within the department, across the federal government, and 
with state, local, tribal, territorial, private sector, and 
international partners. Among other things, the strategy notes that 
DHS must take steps to ensure that the right information gets to the 
right people at the right time. The strategy also discusses the 
department's need to institute performance measures to provide an 
accurate assessment of the department's progress towards meeting its 
information-sharing goals. 

* The National Infrastructure Protection Plan (NIPP): Updated in 2009, 
the NIPP is intended to provide the framework for a coordinated 
national approach to address the full range of physical, cyber, and 
human threats and vulnerabilities that pose risks to the nation's 
critical infrastructure.[Footnote 60] Among other things, the NIPP 
names TSA as the primary federal agency responsible for coordinating 
critical infrastructure protection efforts within the transportation 
sector and emphasizes the importance and benefits of sharing security- 
related information with critical sector partners. 

* Transportation Security Information Sharing Plan (TSISP): 
Established by TSA in July 2008 pursuant to the 9/11 Commission Act 
and subsequently updated in December 2009.[Footnote 61] The stated 
purpose of the TSISP is to establish a foundation for sharing 
transportation security information between all entities that have a 
stake in protecting the nation's transportation system, including 
federal, state, local, and tribal agencies and governments, the 
private sector, and foreign partners. 

* Surface Transportation Security Priority Assessment: Issued in March 
2010 by the Administration's Transborder Security Interagency Policy 
Committee, Surface Transportation Subcommittee. The study identified 
10 issue areas to examine, obtained input from surface transportation 
sector stakeholders, and analyzed the responses to reach a consensus 
set of priorities and recommendations related to surface 
transportation. Among other things, the assessment included a 
recommendation that TSA collaborate with DHS and the Department of 
Transportation (DOT) to more effectively share transportation security 
information. 

[End of section] 

Appendix III: Public Transit Agencies' General Satisfaction with the 
12 Most Frequently-Cited Information-Sharing Mechanisms: 

The table below illustrates, for the public transit agencies we 
surveyed, the general satisfaction along 6 quality dimensions with the 
12 most frequently-cited information-sharing mechanisms.[Footnote 62] 
The quality dimensions rated for level of satisfaction were: relevance 
(i.e., is the information sufficiently relevant to be of value to a 
public transit agency?); validity (i.e., is the information 
accurate?); timeliness (i.e., is information received in a timely 
manner?); completeness (i.e., does the information contain all the 
necessary details?); actionability (i.e., would the information allow 
a public transit agency to change its security posture, if such a 
change was warranted?); and access/ease of use (i.e., is information 
available through this mechanism easy to obtain?). The numbers in 
parentheses below each mechanism represent the number of agencies in 
our survey that indicated they use this mechanism to receive security-
related information. For each mechanism and quality dimension, the 
table indicates (1) the number of agencies that indicated they were 
either "very satisfied" or "somewhat satisfied" with the information 
they receive through the mechanism (or, in the case of "access/ease of 
use," the mechanism itself); (2) the total number of agencies that 
provided a response to the question; and (3) the percentage of 
responding agencies that were generally satisfied. The mechanisms are 
organized in the order they were presented in the survey. 

Table 9: Public Transit Agencies' Survey Responses Regarding 
Satisfaction with 12 Information-Sharing Mechanisms Along 6 Dimensions 
of Quality: 

Number and percentage of public transit agencies indicating general 
satisfaction along 6 quality dimensions[A]: 

Mechanism (number of agencies that use mechanism): PT-ISAC (49); 
Relevance: 37/49; (76%); 
Validity: 40/49; (82%); 
Timeliness: 36/49; (73%); 
Completeness: 35/49; (71%); 
Actionability: 30/49; (61%); 
Access/ease of use: 38/49; (78%); 
Overall general satisfaction: 37/49; (76%). 

Mechanism (number of agencies that use mechanism): HSIN (34)[B]; 
Relevance: 19/34; (56%); 
Validity: 19/34; (56%); 
Timeliness: 18/33; (55%); 
Completeness: 15/34; (44%); 
Actionability: 15/34; (44%); 
Access/ease of use: 16/34; (47%); 
Overall general satisfaction: 19/33; 
(58%). 

Mechanism (number of agencies that use mechanism): JTTF (53); 
Relevance: 38/45; (84%); 
Validity: 34/45 (76%); 
Timeliness: 32/45; (71%); 
Completeness: 34/45; (76%); 
Actionability: 30/44; (68%); 
Access/ease of use: 34/45; (76%); 
Overall general satisfaction: 34/44; (77%). 

Mechanism (number of agencies that use mechanism): Fusion Centers (39); 
Relevance: 30/34; (88%); 
Validity: 29/34; (85%); 
Timeliness: 27/34; (79%); 
Completeness: 26/34; (76%); 
Actionability: 23/34; (68%); 
Access/ease of use: 26/33; (79%); 
Overall general satisfaction: 27/34; (79%). 

Mechanism (number of agencies that use mechanism): Transportation 
Security Operations Center (TSOC) (41); 
Relevance: 27/36; (75%); 
Validity: 26/36; (72%); 
Timeliness: 21/36; (58%); 
Completeness: 21/36; (58%); 
Actionability: 22/35; (63%); 
Access/ease of use: 23/36; (64%); 
Overall general satisfaction: 22/36; (61%). 

Mechanism (number of agencies that use mechanism): Transit Security & 
Safety Roundtables (44); 
Relevance: 32/36; (89%); 
Validity: 32/36; (89%); 
Timeliness: 28/36; (78%); 
Completeness: 29/35; (83%); 
Actionability: 28/36; (78%); 
Access/ease of use: 31/35; (89%); 
Overall general satisfaction: 33/36; (92%). 

Mechanism (number of agencies that use mechanism): Other public 
transit systems (48); 
Relevance: 31/35; (89%); 
Validity: 31/35; (89%); 
Timeliness: 26/35; (74%); 
Completeness: 27/35; (77%); 
Actionability: 28/33; (85%); 
Access/ease of use: 26/34; (76%); 
Overall general satisfaction: 28/35; (80%). 

Mechanism (number of agencies that use mechanism): FTA E-mails (65); 
Relevance: 47/53; (89%); 
Validity: 48/53; (91%); 
Timeliness: 44/50; (88%); 
Completeness: 45/52; (87%); 
Actionability: 42/53; (79%); 
Access/ease of use: 44/52; (85%); 
Overall general satisfaction: 42/51; (82%). 

Mechanism (number of agencies that use mechanism): TSA E-mails (56); 
Relevance: 41/46; (89%); 
Validity: 40/45; (89%); 
Timeliness: 39/45; (87%); 
Completeness: 38/44; (86%); 
Actionability: 39/46; (85%); 
Access/ease of use: 38/45; (84%); 
Overall general satisfaction: 38/46; (83%). 

Mechanism (number of agencies that use mechanism): Industry 
association (e.g., APTA) (44); 
Relevance: 23/30; (77%); 
Validity: 23/30; (77%); 
Timeliness: 19/30; (63%); 
Completeness: 22/30; (73%); 
Actionability: 16/30; (53%); 
Access/ease of use: 21/30; (70%); 
Overall general satisfaction: 21/30; (70%). 

Mechanism (number of agencies that use mechanism): Regional 
information sharing mechanism (47); 
Relevance: 28/34; (82%); 
Validity: 29/34; (85%); 
Timeliness: 27/33; (82%); 
Completeness: 28/34; (82%); 
Actionability: 24/34; (71%); 
Access/ease of use: 30/34; (88%); 
Overall general satisfaction: 27/34; (79%). 

Mechanism (number of agencies that use mechanism): Regional emergency 
operations center (38); 
Relevance: 25/28; (89%); 
Validity: 25/27; (93%); 
Timeliness: 26/28; (93%); 
Completeness: 21/27; (78%); 
Actionability: 20/28; (71%); 
Access/ease of use: 23/28; (82%); 
Overall general satisfaction: 22/28; (79%). 

Source: GAO analysis of survey results. 

[A] We use the term generally satisfied to describe agencies that 
indicated they were either "very satisfied" or "somewhat satisfied" 
with the information they receive. Similarly, we use the term 
generally dissatisfied to describe agencies that indicated they were 
either "very dissatisfied" or "somewhat dissatisfied" with the 
information they receive. 

[B] For HSIN, the number in parentheses represents the 34 agencies 
that indicated they had log-in access to HSIN and had not lost or 
forgotten their password. Of these 34 agencies, 17 indicated they 
access the system less than once a month to obtain security-related 
information. 

[End of table] 

[End of section] 

Appendix IV: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

September 15, 2010: 

Stephen M. Lord: 
Director, Homeland Security and Justice: 
441 G Street, NW: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Lord: 

RE: Response to Draft Report GAO-10-895, Public Security Information 
Sharing: DHS Could Improve Information Sharing Through Streamlining 
and Increased Outreach: 

Thank you for the opportunity to review and comment on the Government 
Accountability Office's (GAO) draft report referenced above (Job Code 
440815). The Department of Homeland Security (DHS) concurs with the 
five recommendations in the draft report. 

DHS and the Transportation Security Administration (TSA) value GAO's 
comprehensive review of efforts in addressing transit and passenger 
rail security, and we intend to immediately implement its 
recommendations. We appreciate the professionalism demonstrated by 
GAO's team members in conducting this review. 

TSA and DHS also appreciate GAO's finding that our stakeholders are 
generally satisfied with the existing information sharing efforts. The 
Implementing Recommendations of the 9/11 Commission Act of 2007 
highlighted the importance of improving information sharing efforts 
and provided additional tools to achieve this. TSA funding for the 
Public Transportation Information Sharing and Analysis Center (PT-
ISAC) will allow for broader use of the ISAC in this effort and will 
provide the Sector Coordinating Council (SCC)/Government Coordinating 
Council (GCC) Information Sharing Working Group an opportunity to 
shape a more effective program and outcome-oriented metrics. 

The progress of the existing information sharing program to date has 
been achieved through effective public-private partnerships in the 
mass transit and passenger rail mode and TSA's close coordination with 
other Federal agencies, particularly the Department of 
Transportation/Federal Transit Authority and the Department of 
Homeland Security —Infrastructure Protection. The Mass Transit SCC has 
also played a significant role in strengthening information sharing, 
and we believe the SCC will continue its efforts. The combined efforts 
of these organizations will produce an enhanced information sharing 
program. TSA looks forward to implementing plans developed with its 
partners to further integrate intelligence information and to conduct 
operational pilots of a daily intelligence summary. 

We offer the following responses to the recommendations: 

Recommendation I: To help strengthen information sharing with public 
transit agencies, GAO recommends that the Secretary of Homeland 
Security direct the Assistant Secretary for the Transportation 
Security Administration in coordination with FTA and public transit 
agencies establish timeframes for the GCC/SCC Information Sharing 
Working Group to develop options for improving information sharing to 
public transit agencies and complete this effort, including the 
Working Group's efforts to: 

* Assess opportunities to streamline existing information sharing 
mechanisms that target similar user groups with similar information to 
reduce overlap, where appropriate; and; 

* Conduct targeted outreach efforts to increase awareness of the PT-
ISAC and HSIN among agencies that are not currently using or aware of 
these systems. 

Response: DHS concurs with this recommendation. 

TSA continues to work with members of the Information Sharing Working 
Group to identify options on how best to streamline information flow. 
The working group has identified at least one operating model that 
appears to match the needs of both the stakeholders and those who 
produce these products. This particular model would "push out" 
periodic two page summaries to the stakeholders and also post them on 
appropriate websites. A library would house the principle documents 
from which the summaries are taken. 

TSA is currently taking steps to improve targeted outreach through 
collaboration of the Surface Transportation ISAC (ST-ISAC) and the PT-
ISAC in the development of periodic intelligence summaries. ST-ISAC 
information on the freight rail community's threat posture will be 
provided to both the mass transit and passenger rail communities 
through these intelligence summaries. As passenger trains run on 
freight rail tracks, this represents a significant security 
information sharing expansion. 

TSA will work with both ISACs as well as with DHS to ensure further 
outreach is conducted to these stakeholder communities and that 
additional capabilities are approved and incorporated into the 
Homeland Security Information Network (HSIN) portal. TSA Mass Transit 
and Passenger Rail Division will also designate a specific point of 
contact to oversee this activity. 

In the end, it is the stakeholders who will determine which 
information system fits their needs. Therefore, it is incumbent upon 
the government entities to stay connected to the stakeholders and 
their concerns. The Transit Policing and Security Peer Advisory Group 
(PAG) and the Mass Transit and Passenger Rail GCCISCC components of 
the mode will play critical roles in this effort. 

Recommendation 2: To help ensure that the PT-ISAC is meeting its 
objectives for sharing security-related information with public 
transit agencies, GAO recommends that the Secretaries of Homeland 
Security and Transportation direct the Assistant Secretary of 
Transportation Security Administration and Administrator of the 
Federal Transit Administration to take the following action: 

* Take steps to ensure the PT-ISAC fulfills its responsibilities and 
completes agreed-upon responsibilities and tasks. 

Response: DHS concurs with this recommendation. 

The purpose for including HSIN-PT content management and the other 
elements currently in the contract with APTA/PT-ISAC was to fill gaps 
in the information sharing process used by the mass transit and 
passenger rail community. TSA's intention in doing this was to use all 
the tools available to establish an effective information sharing 
regime and organize the flow of information in such a way as to 
maximize the overall efficiency.TSA intends to ensure
compliance with the contract elements by phasing in PT-ISAC 
contributions and requirements to achieve maximum effectiveness. Our 
goal is to maximize the PT-ISAC's role in information sharing and make 
them an integral part of this program. The elements contained in the 
PT-ISAC contract were designed to support this development and long-
term vision. 

Recommendation 3: To help strengthen DHS's efforts to share security-
related information with public transit agencies, GAO recommends that 
the Secretary of Homeland Security take the following action: 

* Take steps to ensure that public transit agencies can access and 
readily utilize HSIN and that the HSIN-PT sub-portal contains security-
related information that is of value to public transit agencies. 

Response: DHS concurs with this recommendation. 

The HSIN website contains important information for all critical 
sectors. An effective, easy to use, well populated HSIN-PT sub portal 
enhances the amount of critical information that is shared (and can be 
shared) with the transit and passenger rail stakeholder community. We 
support changes to the HSIN website and intensification of efforts to 
expand use of this important Government site for the broader range of 
transit and passenger rail agencies. In Fiscal Year 2010, the HSIN 
Program increased Outreach efforts five-fold to raise the awareness of 
HSIN through a targeted marketing strategy. The Outreach Team 
implemented a HSIN State and Local Mission Integration program by 
placing team members in key regional locations throughout the country 
and arranging speaking engagements for key HSIN leadership members at 
national and regional conferences. 

The HSIN Program's refined requirements management process and 
operator representation on the HSIN Mission Operators Committee (MOC) 
governance board will ensure that Public Transit Sector requirements 
are assessed, prioritized, and implemented. 

Stakeholders provided generally positive responses regarding overall 
information sharing in the mass transit and passenger rail area, and 
DHS and TSA support further improvements to inform public transit 
agencies regarding the threats that exist and mitigation measures to 
take to protect the traveling public. 

According to the DHS Office of Infrastructure Protection, July 2010 
HSIN-CS User Statistics data sheet, Mass Transit and Passenger Rail is 
one of the most active users of HSIN among the transportation modes 
and that use appears to be expanding. 

Recommendation 4: To help strengthen DIFIS's efforts to share security-
related information with public transit agencies, GAO recommends that 
the Secretary of Homeland Security take the following action: 

* Once the SCC/GCC Information Sharing Working Group has developed 
options for improving information sharing with public transit 
agencies, establish timeframe for developing goals and related outcome-
oriented measures specific to the PT-ISAC, HSIN-PT, and TS-ISAC. 

Response: DHS concurs with this recommendation. 

Developing outcome-oriented metrics for information sharing is an 
important element in establishing a program that has continuous 
improvement as one of its goals. TSA will work with DHS, APTA and the 
PT-ISAC to develop a series of goals and measures to assess 
effectiveness. Such metrics can be expected to evolve and improve over 
time as systematic improvements are made. Feedback will be an 
important part of this effort. Updates to the HSIN platform will 
enable DHS to efficiently capture usage measures. 

Once we have developed a set of measures, we will share them with our 
stakeholder groups such as the PAG and the Mass Transit SCC to obtain 
their comments. 

Recommendation 5: To help strengthen DHS's efforts to share security-
related information with public transit agencies, GAO recommends that 
the Secretary of Homeland Security take the following action: 

* Develop a process for systematically gathering feedback on public 
transit agencies' satisfaction with the PT-ISAC and HSIN-PT. 

Response: DHS concurs with this recommendation. 

The TS-ISAC currently includes a survey on the materials posted and 
distributed. This survey will continue to be used with the 
stakeholders. The Mass Transit and Passenger Rail Security Awareness 
Messages also contain information about HSIN-PT access and will 
incorporate a feedback mechanism similar to that of the TS-ISACs. 

Designing additional stakeholder feedback mechanisms will require 
collaboration between TSA, DHS, and DOT as well as with the transit 
industry stakeholders. The positive stakeholder feedback provided by 
GAO for this report has set a standard that we will strive to 
continue. TSA will do its part in ensuring stakeholder feedback 
mechanisms are in place to collect the important thoughts and comments 
of those we serve. Updates to the HSIN platform will enable DHS to 
efficiently capture user feedback. 

Once again, thank you for the opportunity to comment on this draft 
report. We look forward to working with you on future homeland 
security issues. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen M. Lord, (202) 512-4379: 

Acknowledgments: 

In addition to the contact named above, Jessica Lucas-Judy, Assistant 
Director, managed this assignment. Vanessa Dillard, Jeff C. Jensen, 
Nancy Meyer, Octavia Parks, and Meg Ullengren made significant 
contributions to the work. Tracey King provided significant legal 
support and analysis. Stanley J. Kostyla assisted with design and 
methodology. Carl Ramirez and Joanna Chan assisted with the survey 
design, implementation, and data analysis. Christopher Currie, Lara 
Miklozek, and Debbie Sebastian provided assistance in report 
preparation. Tina Cheng and Robert Robinson developed the report 
graphic. 

[End of section] 

Footnotes: 

[1] A passenger trip is defined as the number of passengers who board 
public transportation vehicles. Passengers are counted each time they 
board vehicles no matter how many vehicles they use to travel from 
their origin to their destination. Ridership data were reported by the 
American Public Transportation Association (APTA) for calendar year 
2009. This figure does not include those passengers who rode passenger 
ferries during calendar year 2009. 

[2] For the purposes of this report, we define security-related 
information as information that provides: (1) details on various 
security threats, including a terrorist attack; terrorist, cyber, and 
technical threats, or other security incident or suspicious activity 
pertaining to a specific entity or industry; (2) analysis of the 
threat and instructions and recommendations on security measures an 
entity should take to protect its people and resources from a 
terrorist attack, threat, or other security incident; (3) awareness of 
the threat environment, notably capabilities, tactics, and techniques; 
(4) awareness of system vulnerabilities and consequences of a 
terrorist attack or other security incident; or (5) U.S. and 
international security practices and lessons learned. TSA and APTA 
both agreed with this definition. 

[3] See Pub. L. No. 107-296, § 201, 116 Stat. 2135, 2145-49 (2002); 
Pub. L. No. 110-53, title V, 121 Stat. 266, 306-35 (2007). Among other 
things, the 9/11 Commission Act mandates that DHS require all public 
transit agencies considered to be high risk to participate in the PT- 
ISAC and encourage all other transit agencies to use it. 

[4] For additional information on the strategies, plans, and reports 
designed to enhance the sharing of terrorism-related information among 
federal, state, local, and tribal agencies, and the private sector, 
see appendix II. 

[5] APTA's members serve more than 90 percent of persons using public 
transportation in the United States and Canada. APTA is also 
responsible for setting policy, directing activity, validating 
membership, and advocating for the value of the PT-ISAC. 

[6] The PT-ISAC is funded by the federal government through a 
cooperative agreement with APTA. The 9/11 Commission Act requires DHS 
to fund the PT-ISAC. However, because FTA already had a process in 
place to provide funds to the PT-ISAC, TSA signed an interagency 
agreement with FTA to reimburse its PT-ISAC expenses. The TSA/FTA 
interagency agreement also contained several tasks for the PT-ISAC, 
including managing the content, controlling access, enhancing the user-
friendliness of the public transit subportal on the Homeland Security 
Information Network (HSIN-PT), and providing TSA with quarterly 
operational and financial reports. APTA agreed to fulfill these 
additional responsibilities by signing its cooperative agreement with 
FTA. In 2009, DHS provided $600,000 for the PT-ISAC to operate for a 
period of 18 months. 

[7] See, for example, GAO, Information Sharing: Federal Agencies Are 
Sharing Border and Terrorism Information with Local and Tribal Law 
Enforcement Agencies, but Additional Efforts Are Needed, [hyperlink, 
http://www.gao.gov/products/GAO-10-41] (Washington, D.C: Dec. 2009), 
Information Sharing: The Federal Government Needs to Establish 
Policies and Processes for Sharing Terrorism-Related and Sensitive but 
Unclassified Information, [hyperlink, 
http://www.gao.gov/products/GAO-06-385] (Washington, D.C.: Mar. 2006), 
and Information Sharing Environment: Definition of the Results to Be 
Achieved in Improving Terrorism-Related Information Sharing Is Needed 
to Guide Implementation and Assess Progress, [hyperlink, 
http://www.gao.gov/products/GAO-08-492] (Washington, D.C.: June 2008). 

[8] GAO, High Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 2009). 

[9] Pub. L. No. 110-53, § 1410(c), 121 Stat. 266, 413 (2007). 

[10] We did not include Amtrak in the scope of this review because 
federal transportation law excludes Amtrak in its definition of public 
transportation. 49 U.S.C. § 5302. 

[11] The total number of public transit agencies reflects those 
agencies that reported data to the National Transit Database in 2008. 
We surveyed 96 of the top 100 agencies as measured by fiscal year 2008 
ridership. We omitted two agencies after learning these two entities 
are each comprised of multiple smaller transit agencies that, for ease 
of reporting, consolidate their annual ridership totals in the 
National Transit Database. In addition, we omitted two other agencies 
after learning that the security points-of-contact at these two 
agencies were also responsible for security at two other top-100 
agencies and consequently already received our survey. 

[12] We developed these six dimensions of quality in consultation with 
GAO methodologists as well as public transit agency officials during 
survey pretests. 

[13] See GAO, Executive Guide: Effectively Implementing the Government 
Performance and Results Act, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-96-118] (Washington, D.C.: June 
1996). 

[14] GAO, Highway Infrastructure: Federal Efforts to Strengthen 
Security Should Be Better Coordinated and Targeted on the Nation's 
Most Critical Highway Infrastructure, [hyperlink, 
http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: Jan. 2009), 
Defense Logistics: Improving Customer Feedback Program Could Enhance 
DLA's Delivery of Services, [hyperlink, 
http://www.gao.gov/products/GAO-02-776] (Washington, D.C.: Sept. 2002). 

[15] See Pub. L. No. 107-296, § 102(c), 116 Stat. 2135, 2143 (2002). 
The Homeland Security Act also transferred TSA from DOT to DHS. 

[16] Aviation and Transportation Security Act, Pub. L. No. 107-71, § 
101(a), 115 Stat. 597 (2001). 

[17] Sector-specific agencies are the federal departments or agencies 
responsible for infrastructure protection activities in a designated 
critical infrastructure sector or key resources category. 

[18] According to DHS, HSIN offers a number of capabilities, including 
24/7 access, document libraries, incident reporting, situational 
awareness and analysis, and discussion boards. 

[19] Other HSIN communities of interest include, but are not limited 
to: Continuity of Operations, Federal Department Agency Planning, and 
International. 

[20] There are 18 critical infrastructure sectors, including 
Agriculture and Food; Banking and Finance; Chemical; Commercial 
Facilities; Communications; Critical Manufacturing; Dams; Defense 
Industrial Base; Emergency Services; Energy; Government Facilities; 
Information Technology; National Monuments and Icons; Nuclear 
Reactors, Materials and Waste; Postal and Shipping; Public Health and 
Healthcare; Transportation Systems; and Water. The HSIN-CS portal 
contains subportals, including the TS-ISAC and HSIN-PT. 

[21] In figure 1, the category "regional/local information sharing 
mechanisms" includes both "regional/state/local information sharing 
mechanism" and "regional/state/local emergency operations center," as 
each was identified as a source of security-related information by 
over 40 percent of survey respondents. 

[22] We included six other mechanisms in our survey that were used by 
less than 40 percent of public transit agencies. These mechanisms were 
Law Enforcement Online, DHS Protective Security Advisors, the National 
Open Source Center, the Federal Protective Service portal, the 
Regional Information Sharing System-Automated Trusted Information 
Exchange, and the Transportation Information Sharing System. 

[23] JTTFs are small groups of trained, locally based investigators, 
analysts, linguists, and other specialists from U.S. law enforcement 
and intelligence agencies. 

[24] According to TSA, the major functions of the TS-ISAC include: (1) 
dissemination of TSA-OI products; (2) e-mail alerts when new 
information is available on the site; (3) repository of transportation 
security information; and (4) collaboration with stakeholders. The TS- 
ISAC was not fully implemented when we conducted our electronic survey 
of public transit agencies, and therefore data were not collected on 
this mechanism. 

[25] According to DHS IP, HSIN-PT users are automatically users of the 
TS-ISAC, as well as HSIN-CS. 

[26] Although 80 public transit agencies responded to our survey, not 
all respondents provided answers to every question. We use the term 
generally satisfied to describe agencies that indicated they were 
either "very satisfied" or "somewhat satisfied" with the information 
they receive. Similarly, we use the term generally dissatisfied to 
describe agencies that indicated they were either "very dissatisfied" 
or "somewhat dissatisfied" with the information they receive. 

[27] For the purpose of this report, large agencies are defined as 
agencies in our survey sample that had at least 99 million riders in 
fiscal year 2008. Large agencies had a mean ridership of 400 million 
in fiscal year 2008, with a range of 99.6 million to 3.34 billion. 
Midsized agencies are defined as agencies in our survey sample for 
which fiscal year 2008 ridership was less than 99 million. Midsized 
agencies had a mean ridership of 29.0 million in fiscal year 2008, 
with a range of 9.85 million to 87.2 million. We did not survey small 
agencies (i.e., agencies with less than 9.85 million riders in fiscal 
year 2008), so they are not included in our analysis. 

[28] Transit Security and Safety Roundtables are generally open to the 
nation's largest mass transit and passenger rail agencies. As such, 
not all of the agencies we surveyed had access to these meetings. 

[29] "Cross-sector information" is information that directly pertains 
to (1) critical infrastructure sectors outside of the transportation 
sector, or (2) other transportation modes within the transportation 
sector that also could be relevant to public transit agencies. 

[30] Two rail agencies did not provide a response to this question. 

[31] TSA developed the Transportation Systems Sector-Specific Plan in 
2007 to document the process to be used in carrying out the national 
strategic priorities outlined in the NIPP and the National Strategy 
for Transportation Security, which outlines the federal government 
approach to secure the U.S. transportation system from terrorist 
threats and attacks. The Transportation Systems Sector-Specific Plan 
contains supporting modal implementation plans for each transportation 
mode--including mass transit and passenger rail, which provides 
information on current efforts to secure mass transit and passenger 
rail--as well as TSA's overall goals and objectives related to mass 
transit and passenger rail security. 

[32] GAO, Interagency Collaboration: Key Issues for Congressional 
Oversight of National Security Strategies, Organizations, Workforce, 
and Information Sharing, [hyperlink, 
http://www.gao.gov/products/GAO-09-904SP] (Washington, D.C.: Sept. 
2009). 

[33] Formed in 2009, the SCC/GCC Information Sharing Working Group is 
focused on determining the security-related information needs of 
public transit agencies, reviewing the current information sharing 
mechanisms available to these agencies, and identifying services and a 
format to share information that would best serve their needs. This 
working group is to develop options for a security-related information 
sharing system that would be of value to public transit agencies. 

[34] The PT-ISAC also distributes other information products, 
including a 3 to 4 page cybersecurity information product based on 
open-source information and the DHS Daily Open-Source Infrastructure 
Report (which is also available through DHS's Web site). In addition, 
according to PT-ISAC officials, the PT-ISAC also offers its members a 
searchable library of government and private security documents, as 
well as access to a consolidated database of information and guidance 
pertaining to security technology products that are applicable to the 
public transit industry. 

[35] We will continue to review these information sharing mechanisms 
as part of our efforts to address a statutory mandate to identify 
federal programs and initiatives with duplicative goals and 
activities. We expect to issue the results of this additional work 
early in calendar year 2011. See Pub. L. No. 111-139, § 21, 124 Stat. 
8, 29-30 (2010). 

[36] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: Nov. 1999). 

[37] The PT-ISAC's HSIN-related responsibilities are described in a 
TSA/FTA interagency agreement. APTA agreed to fulfill these 
requirements by signing its cooperative agreement with FTA. 

[38] The PT-ISAC's reporting requirements are described in a TSA/FTA 
interagency agreement. As noted above, APTA agreed to fulfill these 
requirements by signing its cooperative agreement with FTA. 

[39] GAO, Food Stamp Program: Steps Have Been Taken to Increase 
Participation of Working Families, but Better Tracking of Efforts Is 
Needed, [hyperlink, http://www.gao.gov/products/GAO-04-346] 
(Washington, D.C.: March 2004); [hyperlink, 
http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[40] Our survey results are consistent with the information we 
obtained through interviews with public transit agencies. Although the 
majority of the 27 agencies we interviewed receive information from 
the PT-ISAC, 8 agencies said they do not receive information from this 
mechanism, and 5 had never heard of it. 

[41] According to DHS officials, some critical infrastructure sectors 
are more active on the HSIN platform than others, but the 
transportation sector, which includes public transit, historically has 
not been an active user of HSIN. These officials added that enhancing 
HSIN's value to transportation users by posting useful content and 
improving accessibility is necessary before outreach efforts can 
succeed. 

[42] DHS officials told us that if APTA and TSA do not increase their 
outreach efforts for the HSIN-PT subportal, the Office of 
Infrastructure Protection would assume this responsibility for them. 

[43] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[44] Although the majority of agencies we interviewed (19 of 27) did 
not indicate they had experienced problems accessing HSIN, this is in 
part because less than half (11 of 27) indicated they use the system 
to receive security-related information. 

[45] In our survey, 34 public transit agencies indicated they (1) have 
access to HSIN and (2) have not lost or forgotten their passwords. Of 
these 34 agencies, half (17) use the system less than once a month or 
never. 

[46] In October 2008, we reported that DHS needed to strengthen 
program management controls for HSIN Next Generation and recommended 
that the agency should, among other activities, staff the program 
office appropriately; ensure user requirements are gathered, analyzed, 
and validated; and identify key project risks and develop risk 
mitigation plans. We further recommended that DHS implement these 
controls before it moves HSIN users (such as public transit agencies) 
to HSIN Next Generation. As of July 2010, DHS had fully implemented 
one of our six recommendations (identifying staff roles and 
responsibilities) and had taken some action to implement the others. 
See GAO, Information Technology: Management Improvements Needed on the 
Department of Homeland Security's Next Generation Information Sharing 
System, [hyperlink, http://www.gao.gov/products/GAO-09-40], 
(Washington, D.C.: Oct. 2008). 

[47] Performance measures can be classified as output, process/input, 
or outcome oriented. Output measures focus on the quantity of direct 
products and services a program delivers. Process/input measures 
address the type or level of program activity an organization conducts 
and the resources used by the program. Outcome measures offer 
information on the results of the direct products and services a 
program has delivered. 

[48] As of July 2010, DHS I&A officials reported that they have 
updated their performance measures related to information sharing. 
However, I&A did not provide us with any additional details on these 
measures. 

[49] GAO, Aviation Security: A National Strategy and Other Actions 
Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters 
and Access Controls, [hyperlink, 
http://www.gao.gov/products/GAO-09-399] (Washington, D.C.: Sept. 2009). 

[50] For example, see GAO, Managing for Results: Enhancing Agency Use 
of Performance Information for Management Decision Making, [hyperlink, 
http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 
2005); Program Evaluation: Studies Helped Agencies Measure or Explain 
Program Performance, [hyperlink, http://www.gao.gov/products/GAO/GGD-
00-204] (Washington, D.C.: Sept. 2000); Agency Performance Plans: 
Examples of Practices That Can Improve Usefulness to Decisionmakers, 
[hyperlink, http://www.gao.gov/products/GAO/GGD/AIMD-99-69] 
(Washington, D.C.: Feb. 1999); and Managing for Results: Strengthening 
Regulatory Agencies' Performance Management Practices, [hyperlink, 
http://www.gao.gov/products/GAO/GGD-00-10] (Washington, D.C.: Oct. 
1999). 

[51] GAO, Homeland Security: Guidance and Standards Are Needed for 
Measuring Effectiveness of Agencies' Facility Protection Efforts, 
[hyperlink, http://www.gao.gov/products/GAO-06-612] (Washington, D.C.: 
May 2006). 

[52] According to APTA officials, the Information Sharing Working 
Group has focused its current efforts on improving the PT-ISAC's 
transportation security products, and, to date, has not focused on 
developing a performance measurement system for this mechanism. 

[53] TSA-OI officials stated that the focus of their information- 
sharing activities for the TS-ISAC is based on the information-sharing 
requirements in the 9/11 Commission Act. 

[54] [hyperlink, http://www.gao.gov/products/GAO-02-776]. 

[55] GAO, Information Sharing: Federal Agencies Are Sharing Border and 
Terrorism Information with Local and Tribal Law Enforcement Agencies, 
but Additional Efforts Are Needed, [hyperlink, 
http://www.gao.gov/products/GAO-10-41] (Washington, D.C.: Dec. 2009). 

[56] [hyperlink, http://www.gao.gov/products/GAO-02-776]. 

[57] We did not include Amtrak in the scope of this review because 
federal transportation law excludes Amtrak in its definition of public 
transportation. 49 U.S.C. § 5302. 

[58] The total number of public transit agencies reflects those 
agencies that reported data to the National Transit Database in 2008. 
We surveyed 96 of the top 100 agencies as measured by fiscal year 2008 
ridership. We omitted two agencies after learning these two entities 
are each comprised of multiple smaller transit agencies that, for ease 
of reporting, consolidate their annual ridership totals in the 
National Transit Database. In addition, we omitted two other agencies 
after learning that the security points-of-contact at these two 
agencies were also responsible for security at two other top-100 
agencies and consequently already received our survey. 

[59] There are 18 critical infrastructure sectors, including 
Agriculture and Food; Banking and Finance; Chemical; Commercial 
Facilities; Communications; Critical Manufacturing; Dams; Defense 
Industrial Base; Emergency Services; Energy; Government Facilities; 
Information Technology; National Monuments and Icons; Nuclear 
Reactors, Materials and Waste; Postal and Shipping; Public Health and 
Healthcare; Transportation Systems; and Water. 

[60] The first version of the NIPP was issued in June 2006. 

[61] The TSISP was established in accordance with section 1203 of the 
9/11 Commission Act. Pub. L. No. 110-53, § 1203(a), 121 Stat. 266, 383-
85 (2007). According to the Transportation Security Administration 
Office of Intelligence (TSA-OI), the TSISP will be updated again by 
October 2010. 

[62] We use the term generally satisfied to describe agencies that 
indicated they were either "very satisfied" or "somewhat satisfied" 
with the information they receive. Similarly, we use the term 
generally dissatisfied to describe agencies that indicated they were 
either "very dissatisfied" or "somewhat dissatisfied" with the 
information they receive. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: