This is the accessible text file for GAO report number GAO-11-88 
entitled 'Recovery Act: FEMA Could Take Steps to Protect Sensitive 
Port Security Grant Details and Improve Recipient Reporting 
Instructions' which was released on November 17, 2010. 

Report to the Republican Leader, U.S. Senate: 

United States Government Accountability Office:

October 2010: 

Recovery Act: 

FEMA Could Take Steps to Protect Sensitive Port Security Grant Details 
and Improve Recipient Reporting Instructions: 

GAO-11-88: 

GAO Highlights: 

Highlights of GAO-11-88, a report to the Republican Leader, U.S. 
Senate. 

Why GAO Did This Study: 

The American Recovery and Reinvestment Act of 2009 (Recovery Act) 
requires recipients to report, among other things, project 
descriptions on Recovery.gov, the federal Recovery Act Web site. 
Within the Department of Homeland Security, the Federal Emergency 
Management Agency’s (FEMA) Grant Programs Directorate administers the 
Port Security Grant Program (PSGP) to strengthen ports against risks 
from terrorist attacks. FEMA received and obligated $150 million in 
Recovery Act PSGP funds in 2009, and, as of September 2010, recipients 
have drawn down over $10 million. To facilitate recipient reporting, 
FEMA must consider the need both for transparency and for protection 
of Sensitive Security Information (SSI), which could be detrimental to 
transportation security if disclosed. As requested, GAO assessed 
FEMA’s: (1) controls to ensure Recovery Act PSGP staff consistently 
follow SSI policies, and (2) steps to ensure PSGP recipients have not 
disclosed SSI on Recovery.gov. GAO reviewed relevant laws, 
regulations, guidance, and a random sample of PSGP Recovery Act 
recipient reports available as of February 2010, and interviewed 
agency officials. 

What GAO Found: 

FEMA has taken steps to ensure Recovery Act PSGP staff consistently 
follow the Department of Homeland Security’s SSI policies and 
processes, but key actions have not been taken. For instance, FEMA has 
appointed an SSI Program Manager—responsible for FEMA-wide SSI 
oversight—and an SSI Coordinator to facilitate the Grant Programs 
Directorate’s use of SSI. Also, the SSI Program Manager provided SSI 
training to FEMA’s Grant Programs Directorate staff; however, the 
training did not include FEMA-specific examples to illustrate the 
application of SSI, which the staff requested. GAO has previously 
reported that, when assessing training, managers should consider 
whether the training includes both the theoretical basis of the 
material—such as context and principles—and the practical 
application of the issues. Including FEMA-specific examples could help 
FEMA ensure Recovery Act PSGP staff have the necessary knowledge to 
handle and safeguard SSI. In addition, the SSI Coordinator has not 
assessed whether SSI documents have been appropriately labeled, in 
accordance with SSI regulations. For example, FEMA has determined that 
certain materials grant recipients submit to FEMA during the 
application process to describe how their projects will address 
current gaps and deficiencies are SSI, but has not marked them as 
such. While these documents have not been posted to Recovery.gov, 
immediately reviewing and marking them as SSI could improve safeguards 
and help prevent the information contained therein from inadvertent 
disclosure. 

FEMA has taken steps to develop a quarterly review process for 
Recovery Act PSGP recipient reports—prior to their public release on 
Recovery.gov—but does not have key controls to help prevent public 
disclosure of SSI. For instance, FEMA staff drafted a procedure for 
reviewing recipient reports, but FEMA management has not approved it 
and the draft does not include a procedure to verify the reviews’ 
accuracy. Further, while GAO found that SSI had not been disclosed in 
Recovery Act recipient reports posted on Recovery.gov for the single 
reporting period GAO reviewed—with data publicly available as of 
February 2010—FEMA lacks a process for comparing recipient reports to 
SSI criteria, and a protocol that informs recipients when FEMA 
determines that their reports contain SSI. Introducing these measures 
could help Grant Programs Directorate staff consistently review 
reports, identify when they contain SSI, reduce the risk of SSI 
disclosure on Recovery.gov, and reinforce recipients’ obligations to 
safeguard SSI. In addition, GAO found wide variation in the level of 
detail about the awards’ descriptions among the recipient reports 
sampled from Recovery.gov as of February 2010, although the majority 
provided minimal detail. According to FEMA, the sensitive nature of 
PSGP information affects the transparency of PSGP recipient reporting. 
By providing instruction to recipients on what should and should not 
be reported due to SSI requirements, FEMA could help recipients report 
project details in a transparent manner on the expenditure of Recovery 
Act funds while protecting information that could otherwise jeopardize 
transportation security if released. 

What GAO Recommends: 

GAO recommends that FEMA improve SSI training, ensure proper marking 
of SSI, enhance recipient report review controls, and instruct 
recipients on safeguarding SSI while reporting on funded activities 
and expected outcomes in a transparent manner. FEMA concurred. 

View GAO-11-88 at http://www.gao.gov/products/GAO-11-88. For more 
information, contact David C. Maurer at (202) 512-9627 or 
maurerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

FEMA Has Taken Steps to Implement DHS' SSI Policies in Administering 
the Recovery Act PSGP, but Further Actions Could Improve Consistency: 

FEMA Has Taken Initial Steps to Develop and Document a Review Process, 
but Additional Controls Could Help Prevent the Unauthorized Disclosure 
of SSI: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Comments from the Department of Homeland Security: 

Appendix II: GAO Contacts and Acknowledgments: 

Figure: 

Figure 1: FEMA's Recipient Review Process for Recovery Act PSGP: 

Abbreviations: 

DHS: Department of Homeland Security: 

FEMA: Federal Emergency Management Agency: 

GPD: Grant Programs Directorate: 

MTSA: Maritime Transportation Security Act of 2002: 

OMB: Office of Management and Budget: 

PSGP: Port Security Grant Program: 

Recovery Act: The American Recovery and Reinvestment Act of 2009: 

Recovery Board: Recovery Accountability and Transparency Board: 

SSI: Sensitive Security Information: 

TSA: Transportation Security Administration: 

TWIC: Transportation Worker Identification Credential program: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

October 15, 2010: 

The Honorable Mitch McConnell: 
Republican Leader United States Senate: 

Dear Senator McConnell: 

The American Recovery and Reinvestment Act of 2009 (Recovery Act) 
provided $150 million to the Department of Homeland Security's (DHS) 
Port Security Grant Program (PSGP) for awards to states, localities, 
and private port operators to strengthen the nation's ports against 
risks associated with potential terrorist attacks.[Footnote 1] To 
promote transparency and accountability, the Recovery Act includes a 
requirement that recipients report quarterly on a number of measures, 
such as a description of the projects funded,[Footnote 2] and that 
these reports be made available to the public through Recovery.gov, 
the government's Recovery Act Web site.[Footnote 3] 

The transparency that is envisioned for tracking Recovery Act spending 
and results is an extensive undertaking for the federal government. 
Both Congress and the President have emphasized the need for 
accountability, efficiency, and transparency in the expenditure of 
Recovery Act funds and have made it a central principle of the act. 
However, tracking billions of dollars that are being disbursed to 
thousands of recipients is an enormous effort. The administration 
expects that achieving this degree of visibility will be iterative, 
whereby both the reporting process and the information recipients 
provide improve over time and, if successful, could be a model for 
transparency and oversight beyond the Recovery Act. 

To implement Recovery Act reporting requirements, the Office of 
Management and Budget (OMB) provides guidance to federal agencies for 
overseeing recipients' Recovery Act quarterly reporting, which 
includes a requirement that agencies review the overall data quality 
of recipient reports before they are posted on Recovery.gov. While the 
Recovery Act does not specifically define transparency, OMB's guidance 
states that recipients' narrative information, such as their award 
descriptions, must be sufficiently clear to facilitate understanding 
by the general public of how Recovery Act funds are being used. 

In addition, OMB directs federal agencies to consider both 
transparency as well as national security concerns, when applicable, 
when reviewing recipients' quarterly reports in preparation for 
posting on Recovery.gov.[Footnote 4] Among other agencies, this 
directive applies to DHS' Federal Emergency Management Agency (FEMA), 
which operates the Recovery Act PSGP. On the one hand, FEMA must help 
ensure that award and project descriptions publicly available on 
Recovery.gov explain how recipients are using PSGP funds in order to 
promote transparency. On the other hand, FEMA is responsible for 
helping to ensure that specific information about the ports' existing 
vulnerabilities, such as the absence of security systems, is 
safeguarded and not publicly disclosed on Recovery.gov. This is 
particularly important since the disclosure of such information--some 
of which stems from grant recipient documents that contain Sensitive 
Security Information (SSI)--could compromise national security. 
[Footnote 5] 

In response to your request regarding the federal role in reporting on 
the use of Recovery Act funds and the extent to which recipients 
transparently report on their activities, we issued a report in May 
2010 on the extent to which descriptions of awards found on 
Recovery.gov fostered a basic understanding of award activities and 
expected outcomes.[Footnote 6] This report provided information on the 
level of transparency in reporting on Recovery.gov for federal 
agencies administering 11 Recovery Act programs including broadband, 
energy, transportation, infrastructure, and civil works. Our 
assessment of transparency on Recovery.gov included a review of the 
transparency of award descriptions on Recovery.gov for FEMA's Recovery 
Act PSGP. The Recovery Act PSGP recipient reports varied widely in 
level of detail--as we will discuss later in this report--because FEMA 
lacked a process for considering both the need to report on funded 
activities and expected outcomes in a transparent manner and the need 
to safeguard SSI in recipient reports. Therefore, as agreed with your 
office, this report focuses on FEMA's efforts to safeguard sensitive 
information associated with its Recovery Act port security awards. 
Specifically, it addresses: (1) the extent to which FEMA has 
implemented management controls to ensure that DHS' SSI policies and 
processes are consistently followed when administering the Recovery 
Act PSGP, and (2) the steps that FEMA has taken to ensure that 
sensitive information has not been publicly disclosed by PSGP 
recipients on Recovery.gov. 

To conduct our work, we reviewed relevant laws, regulations, and DHS 
guidance on SSI to determine the extent to which FEMA has adopted DHS 
management controls to apply applicable safeguards to SSI contained in 
PSGP grant materials.[Footnote 7] We also attended a new SSI training 
course on July 12, 2010, that FEMA provided to its staff to observe 
the applicability of course material to FEMA grant managers. In 
addition, we reviewed FEMA's draft standard operating procedure for 
reviewing Recovery Act recipient reports prior to their release on 
Recovery.gov and compared it with Standards for Internal Control in 
the Federal Government and DHS' guidance for safeguarding SSI to 
determine the steps FEMA has taken to help prevent public disclosure 
of sensitive Recovery Act PSGP grantee details.[Footnote 8] We 
complemented this review by interviewing FEMA and DHS officials with 
responsibility for ensuring a reasonable degree of quality across PSGP 
recipient reports, as laid out in OMB's Recovery Act reporting 
guidance. 

In addition, we reviewed existing Recovery Act guidance from OMB to 
determine the extent to which instructions are available to agencies 
on handling sensitive information from grant recipients and reviewed 
documentation of FEMA's contact with recipients after reviewing their 
reports to assess the extent to which FEMA consistently attempted to 
prevent disclosure of protected information.[Footnote 9] We also 
selected a representative probability (random) sample of 61 out of the 
total 214 PSGP recipient reports available on Recovery.gov as of 
February 2010, and reviewed the level of detail they provided. We 
also spoke with DHS officials responsible for assessing whether or not 
documents contain SSI to determine the extent to which recipient award 
descriptions available on Recovery.gov could reveal vulnerabilities at 
the ports and potentially jeopardize port security.[Footnote 10] 

Finally, we interviewed a nonprobability sample of 6 of the 61 
randomly sampled Recovery Act PSGP recipients to determine the extent 
to which FEMA had provided recipients with information related to 
safeguarding sensitive details when submitting Recovery Act reports. 
We selected the 6 recipients based on diversity in geographical 
location; PSGP award size; level of detail included in quarterly 
report submission provided to FEMA; and whether the recipient made 
changes to its entries following FEMA's review. Our interviews 
provided us with an understanding of recipients' experience in 
balancing transparency and the safeguarding of SSI in reporting 
information for ultimate posting on Recovery.gov. However, because we 
used a nonprobability sample, the results cannot be generalized to all 
Recovery Act PSGP recipients. 

We conducted this performance audit from June 2010 through October 
2010 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

Port Security Grant Program Priorities and Management: 

The Recovery Act Port Security Grant Program (PSGP) is based on the 
existing PSGP, which was first established under the Maritime 
Transportation Security Act of 2002 (MTSA).[Footnote 11] Since 2007, 
FEMA has been operating the PSGP to provide grant funding to port 
areas for the protection of critical port infrastructure from 
terrorism.[Footnote 12] When the Recovery Act was enacted in February 
2009, it provided an additional $150 million while preserving the 
funding priorities of the existing PSGP, which emphasize prevention 
and response to threats against the nation's seaports, including 
weapons of mass destruction.[Footnote 13] FEMA had obligated all $150 
million of its Recovery Act PSGP funds as of September 29, 2009. As of 
September 3, 2010, 64 of the 218 PSGP recipients had drawn down funds, 
for a total of $10,002,461. 

The Recovery Act PSGP also placed additional priority on 
cost-effective projects that can be started quickly and stimulate the 
economy through jobs creation. PSGP recipients, such as owners and 
operators of MTSA-regulated vessels and facilities, can use their 
3-year grants for, among other things, equipment purchases, such as 
acquiring security cameras and security gates to strengthen access 
controls, as well as card readers and other infrastructure necessary 
to implement DHS' Transportation Worker Identification Credential 
(TWIC) program.[Footnote 14] 

FEMA's Grant Programs Directorate (GPD) is the central unit for grants 
management at FEMA, and within DHS, both FEMA's GPD and the U.S. Coast 
Guard (Coast Guard) are involved in managing the Recovery Act PSGP. 
[Footnote 15] FEMA (1) has the lead in creating selection criteria for 
use in the application review process, (2) administers the Recovery 
Act PSGP, (3) provides outreach and support to applicants about 
program requirements, and (4) manages the Recovery Act PSGP to ensure 
compliance with federal grant management requirements. In addition, 
FEMA assigned all Recovery Act PSGP recipients a FEMA program analyst 
to serve as the recipient's "one-stop" account manager, who would meet 
with the recipient as needed and coordinate with other agencies to 
support the recipient. The Coast Guard has the lead in setting port 
security priorities associated with Recovery Act PSGP award selection 
criteria. These priorities are emphasized in the Recovery Act PSGP 
application process, which requires eligible port areas and ferry 
systems to provide, among other things, an investment justification 
describing how the proposed project will help address gaps and 
deficiencies in current programs and capabilities, the length of time 
needed to begin and complete the project, and the number of jobs the 
project would create. 

DHS' Policy for SSI: 

DHS Management Directive 11056.1 establishes the department's policy 
regarding the recognition, identification, and safeguarding of SSI. 
[Footnote 16] In addition to requiring certain actions by specified 
agencies such as Immigration and Customs Enforcement, Customs and 
Border Protection, and the Coast Guard, the directive provides that 
other DHS component heads not specifically identified--where 
appropriate based on the extent of use of SSI--should appoint an 
official to serve as the component's SSI Program Manager, who is to be 
responsible for, among other things, developing component-specific SSI 
identification and procedural guidance as necessary, and conducting 
self-inspections of the component for the effective management and 
practical application of SSI, and consistent and appropriate 
application and use of SSI at least once every 18 months. 

In addition, the directive states that those other component heads not 
specifically identified in the directive, where appropriate, should 
appoint at least one employee in each office that generates or 
accesses SSI to serve as SSI Coordinator and have the authority to 
make determinations on behalf of DHS that records generated by this 
office are appropriately marked SSI. Further, among other 
responsibilities, the SSI Coordinator is to conduct annual self-
inspections of the office for the effective management and practical 
application of SSI, and consistent and appropriate application and use 
of SSI, as well as ensure that office personnel who access SSI receive 
training. 

FEMA considers the narratives within PSGP recipients' investment 
justifications to be SSI, the disclosure of which could compromise 
national security, because information found in the investment 
justifications could reveal current vulnerabilities and present 
opportunities for potential terrorist threats. Therefore, FEMA does 
not permit the investment justifications to be publicly released. In 
addition, under federal SSI regulations, both FEMA's grants management 
staff and PSGP recipients are considered to be "covered persons" 
because, among other things, they access SSI contained in the 
investment justifications.[Footnote 17] Covered persons' 
responsibilities include, among others, taking reasonable steps to 
safeguard SSI in their possession or control from unauthorized 
disclosure, regardless of medium, and marking information as SSI. 
[Footnote 18] 

Recovery Act Recipient Reporting Process: 

To promote transparency and accountability, the Recovery Act requires 
recipients of Recovery Act funds, such as PSGP recipients, to report 
each calendar quarter on the use of funds, and further requires that 
this reporting continue for every quarter in which the recipient 
receives Recovery Act funds from the federal government. Specifically, 
these reports collect numerical information, such as the amount of 
funds obligated--or committed for payment--as well as narrative 
details, such as a description of the activity funded at the port. 
[Footnote 19] To implement Recovery Act reporting requirements, OMB 
has worked with the Recovery Accountability and Transparency Board 
(Recovery Board) to deploy a nationwide data collection system at 
Federalreporting.gov.[Footnote 20] 

OMB set specific time lines for recipients to submit reports and for 
agencies to review the data using this site. Specifically, recipients 
are required to prepare, enter, and validate their information by the 
tenth day following the end of a quarter, after which federal agencies 
perform data quality reviews, in accordance with OMB guidance, to 
identify material omissions and significant reporting errors, and 
notify recipients of the need to make appropriate and timely changes 
to erroneous reports.[Footnote 21] Recipients have the ultimate 
responsibility for responding to the agency's data quality reviews and 
then submitting the final data for posting on Recovery.gov, as 
illustrated in figure 1. Recovery.gov was designed to provide 
transparency of information related to spending on Recovery Act 
programs and is the public's official source of information related to 
the Recovery Act. 

As a federal agency administering Recovery Act funds, FEMA is 
responsible for adhering to OMB guidance and Recovery Act requirements 
and GPD has the lead for executing these responsibilities for the 
Recovery Act PSGP. In addition, DHS officials responsible for 
agencywide Recovery Act implementation also review recipient quarterly 
reports, checking data fields, such as award numbers, for accuracy, 
and informing GPD staff of noncompletion. 

Figure 1: FEMA's Recipient Review Process for Recovery Act PSGP: 

[Refer to PDF for image: illustration] 

The illustration depicts a pyramid as the review process, from bottom 
to top, as follows: 

Recovery Act Port Security Grant Program (PSGP) recipients: 

FederalReporting.gov: 

FEMA (agency review): 

U.S. Department of Homeland Security (departmental review): 

Recovery.gov. 

Source: GAO. 

[End of figure] 

FEMA Has Taken Steps to Implement DHS' SSI Policies in Administering 
the Recovery Act PSGP, but Further Actions Could Improve Consistency: 

FEMA has taken recent steps to adhere to DHS' Management Directive 
when administering the PSGP, such as appointing officials with direct 
responsibility for SSI; however, FEMA has not yet established or put 
in place all of the management controls, or taken all the actions, 
called for in the directive. For example, in January 2010, FEMA 
appointed its first SSI Program Manager, and in July 2010--during the 
course of our review--GPD appointed an SSI Coordinator. Nevertheless, 
GPD's SSI Coordinator has not assessed the extent to which SSI 
documents, including Recovery Act PSGP investment justifications, have 
been marked appropriately, or instilled practices to ensure that GPD 
personnel who access SSI receive appropriate training, as required by 
DHS' directive. 

FEMA Has Taken Some Steps to Adhere to DHS' SSI Policies and 
Procedures: 

FEMA has appointed an SSI Program Manager, GPD has appointed an SSI 
Coordinator, and both individuals are taking steps to adhere to DHS' 
Management Directive, issued in 2005. 

FEMA has appointed an SSI Program Manager. FEMA appointed its first 
SSI Program Manager in January 2010, and this individual has developed 
a standard operating procedure that, in accordance with DHS' 2005 
Management Directive, establishes FEMA's protocols for recognizing, 
identifying, and safeguarding SSI. According to the SSI Program 
Manager, the standard operating procedure was reviewed by 
Transportation Security Administration (TSA) and Coast Guard 
officials, and approved by officials in FEMA's Office of Security 
before distribution to FEMA staff in mid-August. The SSI Program 
Manager also reported that he is planning to develop an SSI 
Instruction Guide for FEMA GPD in November 2010 that will identify the 
types of information in grant documents handled by FEMA GPD staff that 
should and should not be marked and treated as SSI. According to the 
SSI Program Manager, this guide will be completed in collaboration 
with FEMA GPD, TSA, and the Coast Guard, and will be applicable to 
FEMA GPD staff, contractors, and grantees. Further, the SSI Program 
Manager reported to us that he is developing a self-inspection program 
based on an SSI evaluation program that the Coast Guard currently 
uses. This will fulfill the Management Directive's instruction to 
conduct self-inspections for effective management, and consistent and 
appropriate application and use of SSI, at least once every 18 months. 
[Footnote 22] He expects to conduct FEMA's self-inspection in December 
2010. 

In addition, in response to our questions regarding the extent of SSI 
training offered to GPD staff, the Program Manager provided training 
to FEMA's GPD staff in mid-July on identifying, handling, and 
safeguarding SSI. We observed this training, and noted that it 
explained the difference between SSI and classified information, 
defined the 16 categories of SSI in the SSI regulations, and provided 
guidance regarding how to handle SSI. 

FEMA's GPD has appointed an SSI Coordinator. During the course of our 
review, and in response to our questions regarding the status of GPD's 
efforts to appoint an SSI Coordinator within GPD, the GPD Assistant 
Administrator appointed GPD's Director of Internal Controls and Risk 
Management to be GPD's first SSI Coordinator on July 8, 2010. The SSI 
Coordinator told us that she informed all GPD staff of the SSI Program 
Manager's July SSI training and encouraged GPD personnel who access or 
generate SSI to attend. Further, according to the SSI Coordinator, she 
and her staff will reach out to ensure that the remaining staff who 
have not yet received training attend one of the upcoming training 
sessions that the SSI Program Manager is offering throughout the fall 
of 2010. In addition, the SSI Coordinator told us that, once staff are 
trained, she plans to identify and reach out to supervisors in GPD 
branches who will have responsibility for staff managing SSI within 
their units to discuss and delineate their unit's SSI 
responsibilities, including determining whether documents in their 
office are appropriately marked SSI, and reporting back to her. 

Further, the SSI Coordinator told us that she plans to issue a 
bulletin or memorandum to GPD staff and grantees to provide additional 
information beyond that discussed in the initial SSI training, such as 
GPD staff members' specific roles in identifying and handling SSI and 
the relevance of SSI to GPD grants. Before writing the bulletin, the 
SSI Coordinator reported that she planned to talk to GPD staff-- 
including Recovery Act PSGP program officials, as well as the official 
responsible for reviewing Recovery Act PSGP recipient reports--to 
determine the process being used for handling recipient information 
and reporting, and what information related to SSI these officials 
need. According to the SSI Coordinator, she has drafted the bulletin 
but plans to make revisions before issuing it to GPD staff and 
grantees later this fall. Additionally, the SSI Coordinator told us 
she will--while conducting training and working with GPD staff 
responsible for SSI in their branches--assume responsibility for 
conducting GPD's annual self-inspection, in accordance with DHS' 2005 
Management Directive. According to FEMA's SSI Program Manager, he and 
the SSI Coordinator will jointly complete a self-inspection of FEMA 
GPD in December 2010 to identify to the SSI Coordinator what the self- 
inspection program should entail. 

Additional Actions Could Help FEMA Better Ensure That DHS' SSI 
Policies Are Consistently Followed: 

FEMA has established some management controls outlined in DHS' 
Management Directive to help ensure that its staff are better able to 
appropriately identify and handle SSI, but it has not yet taken all 
the actions or fully established all the management controls included 
in the directive. 

Marking of SSI: The SSI Coordinator told us that with respect to 
Management Directive-required oversight of SSI within GPD, she has not 
made any determinations as to whether SSI documents are appropriately 
marked. While FEMA considers all PSGP investment justifications to be 
SSI, our analysis showed that not all Recovery Act PSGP investment 
justifications--documents recipients submit to FEMA when applying for 
the grant and that FEMA keeps on file--have been marked as such, 
pursuant to SSI regulations. Specifically, our sample review of six 
Recovery Act PSGP investment justifications showed that none of the 
materials were marked as SSI, as required by SSI regulations. 
According to one Recovery Act PSGP official, while the investment 
justifications are not labeled SSI, GPD staff convey the sensitive 
nature of the documents to the covered parties involved. 

The SSI Coordinator told us that supervisors she designates throughout 
GPD will be responsible for reviewing their unit's grant file 
documents to determine if they are marked appropriately and report the 
results to her after these supervisors receive SSI training. However--
while FEMA does not publicly release the investment justifications, 
such as on Recovery.gov--some of the Recovery Act PSGP investment 
justifications are currently not marked SSI in accordance with SSI 
regulations. As a result, others who access the information in the 
investment justifications may not be aware that it is SSI and, thus, 
are at a greater risk of inadvertently disclosing such information. 
Reviewing these justifications and marking them immediately as SSI 
could help the SSI Coordinator ensure that GPD personnel are better 
positioned to safeguard them from inadvertent unauthorized disclosure. 

SSI Training: Prior to July 2010, FEMA did not provide specific SSI 
training to its grants management staff, and the FEMA SSI Program 
Manager told us the development of this course stemmed largely from 
our work on the subject. However, based on our observations, the 
course did not include grant-specific examples that could have helped 
facilitate GPD staff's understanding in applying the training concepts 
regarding SSI to their work. 

For instance, GPD officials with whom we spoke were unclear about the 
application of SSI to the Recovery Act PSGP, and grant-specific 
examples could clarify how to determine if grant information is SSI. 
For instance, according to a TSA SSI official, the information upon 
which the PSGP investment justifications are based--port vulnerability 
assessments--are identified as SSI in the C.F.R. Therefore, the 
investment justifications may contain SSI, but the TSA official told 
us that the investment justifications are not SSI in their entirety 
because information from the vulnerability assessments could be 
removed from the documents. However, the three Recovery Act PSGP 
officials with responsibility for administering the program offered 
conflicting information with regard to the sensitive nature of PSGP 
materials. One official reported that FEMA considers all PSGP 
investment justifications to be SSI because the disclosure of 
activities under the PSGP could demonstrate current vulnerabilities 
and present opportunities for potential terrorist threats. Another 
official told us that he disagrees with the determination that the 
investment justifications are SSI because projects funded under the 
PSGP are visible to the public--for instance, if a port is adding 
lighting, the public can see that the project is being undertaken. 
Moreover, this official noted that information about the Recovery Act 
PSGP projects could easily be obtained from other publicly available 
sources, such as construction permits. A third FEMA official believed 
that certain information in the investment justifications may be SSI, 
but the investment justifications in their entirety are not. 

Moreover, during the training session we observed, numerous GPD staff 
asked for clarification and examples to understand how the SSI 
regulations apply to their day-to-day work. The training did not 
provide this information. The SSI Coordinator acknowledged that the 
training lacked specific examples and told us that GPD staff likely 
will need additional information about the relevance of SSI to FEMA's 
grant management. We have previously reported on a number of factors 
that managers should consider when assessing training. One of these 
factors includes whether the training incorporated a suitable blend of 
content, addressing both the theoretical basis of the material (such 
as an explanation of the context and principles involved) and the 
practical application of the issues (such as agency administrative 
procedures related to the material).[Footnote 23] The initial SSI 
training delineated the context of SSI and the regulations involved, 
but it did not incorporate any GPD-specific examples to illustrate the 
appropriate identification and handling of SSI by GPD personnel. In 
addition, it did not include any reference to the Recovery Act PSGP or 
any other Recovery Act program FEMA administers. Further, it also did 
not address how GPD staff should ensure transparent reporting on 
funded activities and expected outcomes while also safeguarding SSI. 
Given that Recovery Act PSGP staff were unclear about the application 
of SSI to their work and attendees at GPD's initial SSI training 
requested examples to illustrate how SSI pertains to their work, 
providing grant-specific examples in its SSI training could help FEMA 
ensure that all GPD staff, including Recovery Act PSGP staff, are 
better positioned to identify, mark, and safeguard SSI within their 
programs. 

FEMA Has Taken Initial Steps to Develop and Document a Review Process, 
but Additional Controls Could Help Prevent the Unauthorized Disclosure 
of SSI: 

FEMA has implemented an agencywide standard operating procedure 
governing the safeguarding of SSI within FEMA; however, this is a 
broad policy that does not specifically address aspects related to the 
Recovery Act PSGP recipient report review process. Further, while FEMA 
GPD staff have taken steps to outline their recipient review process, 
GPD management has not approved the procedure and the draft does not 
include key controls for reducing the risk of error. Moreover, when 
conducting its data quality review, FEMA does not have a distinct 
process for comparing recipients' quarterly reports against SSI 
criteria to ensure that sensitive information, similar to that which 
is described in the recipients' investment justifications, is not 
included in the Recovery Act reporting and thus made publicly 
available. FEMA also lacks a protocol for informing recipients when 
their draft Recovery Act reports contain sensitive information and 
should be safeguarded appropriately. Finally, FEMA has not provided 
instruction to recipients cautioning them up front against revealing 
SSI in their recipient report submissions and guiding them on what an 
appropriate level of detail would be. 

FEMA's Process for Reviewing Recovery Act PSGP Recipient Reports Is 
Documented but Lacks Key Controls and Has Not Been Approved: 

Two officials within GPD were responsible for performing quality 
reviews on recipients' quarterly submissions to FederalReporting.gov 
before these submissions were posted to Recovery.gov in February 2010, 
the reporting period we reviewed. One official told us that he and his 
former colleague drafted a standard operating procedure after they 
were charged with reviewing recipients' reports in 2009 which 
described the Recovery Act recipient report reviewing process they 
undertook. This draft standard operating procedure included 
descriptions of the reporting cycle, the various elements recipients 
report, sources of the reporting data, the Recovery Act process for 
reviewing recipient information, and directions on how to compile and 
report the required information. However, the draft standard operating 
procedure does not have managerial approval as of September 2010 and 
lacks a discussion of internal controls, including a process to ensure 
that a secondary review of the comments occurs. 

Internal control standards state that transactions and significant 
events--in this case, FEMA's data quality review of Recovery Act 
recipients' reports--should be authorized and the authorization should 
be clearly communicated to employees to assure that only valid 
transactions take place.[Footnote 24] We found that the draft standard 
operating procedure being used was not approved by senior GPD 
management as of September 2010. A former director in GPD with 
oversight of the individuals conducting reviews of recipients' 
submissions did not approve the standard operating procedure before 
she left the agency and, as of September 2010, it has neither been 
approved nor presented to her replacement for approval. Approving a 
standard operating procedure for Recovery Act quarterly recipient 
report reviews could help FEMA management better ensure that the 
Recovery Act PSGP personnel are conducting reviews in a consistent 
manner. 

In addition, internal control standards state that key duties and 
responsibilities need to be divided or segregated among different 
people to reduce the risk of error or fraud, including separating the 
responsibilities for authorizing, processing and recording, and 
reviewing transactions.[Footnote 25] Moreover, internal control 
standards call for internal controls and all transactions and other 
significant events to be clearly documented and appear in management 
directives, administrative policies, or operating manuals. The draft 
standard operating procedure FEMA's Recovery Act staff developed does 
not describe procedures for verifying the accuracy of reviews, such as 
the process whereby one reviewer independently verifies the other's 
work, that its author told us had been occurring. Without determining 
what procedures FEMA will use to verify its reviews of recipient 
reports and documenting those procedures, FEMA management lacks 
reasonable assurance that the reviews are being conducted consistently 
and in accordance with management's direction. For instance, the GPD 
official with responsibility for reviewing quarterly Recovery Act 
recipient reports told us that a former director in GPD completed 
another layer of review before FEMA concluded its data quality review. 
Further, although this official reported that four additional GPD or 
DHS officials verified the accuracy of his initial reviews, three of 
the officials named told us that they have not reviewed recipient 
reports in any manner. The remaining official told us that she reviews 
the numerical fields solely for data accuracy and does not review the 
narrative fields, such as the award description where potential SSI 
may appear. 

FEMA Lacks a Procedure for Comparing Recipient Reports Against SSI 
Criteria: 

FEMA's standard operating procedure does not include a method for its 
Recovery Act PSGP recipient report reviewers to safeguard SSI as 
required of covered persons in SSI regulations. For example, none of 
the FEMA officials with whom we spoke reported that they--or anyone 
else--was responsible for incorporating a sensitivity review into 
their quarterly data quality assessment during which they could 
compare recipients' submissions to FederalReporting.gov against SSI 
standards to determine if the information should be prevented from 
public disclosure on Recovery.gov. 

A Recovery Act PSGP official with whom we spoke reported that it is 
Recovery Act PSGP recipients' responsibility to ensure that they do 
not report SSI in their quarterly reports because it is the recipients 
who initially report the information, not FEMA. However, since FEMA 
treats the investment justifications as SSI, and much of the 
information requested in the reporting fields on FederalReporting.gov 
is similar in nature, conducting such a review would help FEMA ensure 
that nothing from the investment justifications was inadvertently 
copied into the FederalReporting.gov reporting fields and ultimately 
published on Recovery.gov. Further, pertinent SSI regulations require 
that a covered person must take reasonable steps to safeguard SSI in 
that person's possession or control from unauthorized disclosure, 
[Footnote 26] and state that violations of the SSI regulations, such 
as unauthorized disclosure of SSI, are grounds for, among other things, 
a civil penalty and other enforcement or corrective action by DHS. 
[Footnote 27] While recipients initially report the information, FEMA 
accesses this information during its data quality review and, 
therefore, under SSI regulations, Recovery Act PSGP personnel are 
considered to be covered persons and have the accompanying 
responsibility to safeguard any SSI in the recipient reports. 

A TSA security official who reviewed our sample of 61 PSGP recipient 
reports available on Recovery.gov for the reporting period with data 
available as of February 2010, informed us that none contained SSI; 
however, FEMA should consider a cautious approach when reviewing this 
material in advance and inform recipients if their draft submissions 
contain SSI.[Footnote 28] While our review showed that none of the 
Recovery Act PSGP recipient reports for the single reporting period in 
our review contained SSI, developing a management-approved policy for 
reviewing Recovery Act PSGP recipient reports that includes steps to 
compare submissions against SSI criteria and properly safeguard it 
could reduce the risk that SSI is made publicly available on 
Recovery.gov in subsequent reporting periods. Further, such a policy 
could help better position FEMA to ensure that officials responsible 
for Recovery Act recipient reviews take reasonable steps to safeguard 
SSI from unauthorized disclosure, as required by SSI regulations. 

FEMA Lacks a Protocol for Informing Recipients When Their Draft 
Recovery Act Reports Contain SSI and Should Be Safeguarded: 

According to the GPD official responsible for reviewing recipients' 
submissions and performing the data quality review on 
FederalReporting.gov, when the Recovery Act quarterly reporting began, 
the issue of data sensitivity was not discussed in any manner. 
However, the official noted that the GPD Director to whom he reported 
at the time told him to use his judgment and when he thought recipient 
submissions included "too much detail" in the narrative-based fields, 
such as the one for "award description," he should notify recipients. 
Specifically, the director instructed him to use boilerplate language 
when commenting back to the recipients, with the following 
notification statement: "Due to the public nature of this report, 
please adjust the Award Description to: American Recovery and 
Reinvestment Act Port Security Grant Program (ARRA PSGP)."[Footnote 
29] This official stated that he did not develop standard criteria to 
determine what "too much detail" meant, nor does he compare the 
information contained in these quarterly reports against SSI criteria 
while conducting his data quality review. Instead, he explained that 
he used his best judgment and if the details in the narrative field 
appeared similar to the information the recipient reported in its 
investment justification, then he sent the recipient the standard 
notification statement. 

This notification statement did not communicate the rationale for 
change--that the specific information about their use of award funds 
or expected outcomes could disclose SSI, which could document 
vulnerabilities or jeopardize port security--or a reason for 
recipients to take action, even though SSI regulations require covered 
persons to take reasonable steps to safeguard SSI from unauthorized 
disclosure. Moreover, internal control standards call for managers to 
ensure that there are adequate means of communicating with, and 
obtaining information from, external stakeholders that may have a 
significant impact on the agency achieving its goals. Most 
importantly, FEMA's notification statement does not inform recipients 
of their responsibility as covered persons to safeguard SSI. Including 
in its standard operating procedures a process for notifying 
recipients when their reports include SSI and taking steps to inform 
recipients about their responsibilities as covered persons could 
better position FEMA to help prevent the inadvertent release into the 
public domain of information that could potentially compromise 
national security. 

FEMA Has Not Provided Instruction to Recipients on Safeguarding SSI 
While Reporting Project Details in a Transparent Manner for Posting on 
Recovery.gov: 

During the Recovery Act quarterly reporting process, under federal SSI 
regulations, both recipients--who submit the initial information--and 
FEMA personnel--who review the information--are considered to be 
covered persons with a duty to safeguard SSI. In addition, OMB's 
Recovery Act reporting guidance states that recipients' narrative 
information must be sufficiently clear to facilitate understanding by 
the general public of how Recovery Act funds are being used. 

In reviewing the narrative descriptions provided on Recovery.gov for 
the 61 recipients in our sample, we found wide variation in the level 
of detail provided regarding the awards' purposes, scope and nature of 
activities, locations, costs, outcomes, and status of work. In a few 
instances, the reports had clear and complete information across these 
areas. For instance, the description of an award for a Missouri port 
stated that it will be used for surveillance cameras that will allow 
the police department to receive information about potential attacks 
using improvised explosive devices and, as a result, increase the 
likelihood of preemptive action. In the majority of cases, however, 
the reports provided little or none of the information on what funds 
are being spent on and what outcomes are expected. For instance, an 
award description for a port in Washington did not provide the 
location where the award activities are being conducted, what the 
award would fund, or the outcomes expected as a result of the award. 

According to FEMA, the sensitive nature of port security information 
affects the transparency of PSGP recipient reporting. However, FEMA's 
GPD has not provided technical assistance or program-specific guidance 
to Recovery Act PSGP recipients on how to report on funded activities 
and expected outcomes in a transparent manner while also safeguarding 
SSI. For example, all of the PSGP recipients with whom we spoke 
reported that FEMA had not instructed them on how to consider 
transparency needs and safeguard SSI in Recovery Act reporting. 
[Footnote 30] 

According to a Coast Guard Recovery Act PSGP official, GPD's SSI 
Coordinator, and three of the five Recovery Act PSGP recipients with 
whom we spoke, Recovery Act PSGP recipients are not always clear 
regarding what information they should report and what information 
they should protect. For instance, GPD's SSI Coordinator told us that 
the recipients may be confused about what they should report in their 
quarterly Recovery Act reports because OMB guidance stresses 
transparency even though SSI regulations stress safeguards. Therefore, 
the SSI Coordinator stated that recipients may be unsure how to comply 
with both because of their seemingly conflicting messages. Moreover, 
the Coast Guard official and four of the five Recovery Act PSGP 
recipients with whom we spoke told us that guidance from FEMA on what 
recipients should and should not report for ultimate posting on 
Recovery.gov would be helpful to recipients and assist them in better 
understanding how to adhere to the requirements in both OMB's existing 
guidance on Recovery Act recipient reporting and those found in the 
SSI-related regulations. 

Recovery Act PSGP officials with whom we spoke cited two reasons why 
FEMA has not issued instructions to recipients on what information to 
include in the narrative fields when completing their quarterly 
reports. First, the officials reported to us that FEMA was concerned 
that issuing instructions to recipients on what to report in the 
narrative fields may conflict with OMB's emphasis on transparency in 
Recovery Act reporting. When we raised this issue with OMB, staff 
there told us that OMB allows agencies discretion with regard to 
balancing transparency with national security concerns and it cannot 
provide guidance that addresses the details of each Recovery Act 
program. OMB staff noted that agencies should be aware of what program 
information may be sensitive and address these concerns directly with 
recipients. Further, according to OMB officials, agencies overseeing 
Recovery Act programs have discretion to provide their recipients with 
technical assistance or supplemental materials to aid recipients in 
reporting. 

In our May 2010 report, we reported that some agencies--unlike FEMA-- 
supplemented OMB's high-level guidance with program-specific technical 
assistance on how to meet OMB's reporting requirements, including 
specific instructions on what to write in the narrative fields. 
[Footnote 31] In addition, OMB's March 2010 Memorandum 10-14 permits 
federal agencies overseeing Recovery Act reporting to provide program-
specific guidance on Recovery Act recipient reporting to recipients as 
long as it does not conflict with OMB guidance and the agency obtains 
OMB approval.[Footnote 32] Two other agencies--the departments of 
Transportation and Education--have obtained OMB approval to issue such 
program-specific guidance to assist recipients with Recovery Act 
reporting. As we reported in May 2010, OMB officials told us that OMB 
created generic reporting guidance because they expected the guidance 
to be a baseline, with agencies providing supplemental guidance that 
was more specific to unique program characteristics and situations 
than OMB's one-size-fits-all guidance was designed to address. We also 
reported that, according to OMB, the agencies would be better sources 
of program-specific individualized guidance, tailored to the awards 
made under their programs.[Footnote 33] 

Second, FEMA officials said that even if they were to issue 
instructions to recipients on what to report in the narrative fields 
that ultimately will be posted on Recovery.gov, some recipients might 
not follow them and FEMA cannot require them to do so. However, given 
that under federal SSI regulations Recovery Act PSGP recipients are 
considered to be covered persons, they have a duty under SSI 
regulations to safeguard SSI. 

Taking appropriate measures to provide instruction--which could be in 
the form of technical assistance, supplemental materials, or OMB- 
approved guidance--to Recovery Act PSGP recipients has several 
benefits. Namely, by describing the information to include in 
narrative fields that ultimately will be posted on Recovery.gov and 
informing recipients of their duty to protect SSI as covered persons, 
FEMA could help ensure that recipients consider both the need to 
report on funded activities and expected outcomes in a transparent 
manner while safeguarding SSI when reporting information on issues 
that ultimately will be posted on Recovery.gov. 

With regard to additional controls to prevent unauthorized disclosure 
of Recovery Act PSGP SSI, FEMA officials reported that their ability 
to implement such controls--including their assessments of information 
recipients submit quarterly to FederalReporting.gov--is constrained 
due to the small number of PSGP staff on board, as well as significant 
staff turnover. According to FEMA data, as of July 2010, 10 FEMA 
employees were administering both the Recovery Act PSGP and regular 
PSGP, and GPD's staff turnover rates were 4 percent and 8 percent in 
the 2nd quarter and 3rd quarter of 2010, respectively. Further, 
according to FEMA officials, OMB is primarily concerned with data 
quality surrounding the numerical reporting fields, such as the award 
amount, and is less concerned with the content of the narrative 
reporting fields, such as the award description. In addition, DHS 
officials charged with overall Recovery Act implementation confirmed 
that their review of DHS-wide recipient information focuses on the 
nonnarrative fields--such as jobs created, recipient addresses, or 
recipient Congressional district. As a result, the FEMA official 
charged with conducting the data quality reviews told us his 
priorities have been on numbers rather than narrative. OMB staff with 
whom we spoke told us that agencies are better positioned to review 
narrative information because they have knowledge of the programs and 
OMB staff explained that agencies are expected to use their judgment 
to help ensure that recipients do not disclose SSI in the information 
that ultimately will be posted on Recovery.gov. 

Conclusions: 

Reporting on the funded activities and expected outcomes of Recovery 
Act funds in a transparent manner is vital to ensuring public trust. 
As such, OMB has made transparency a priority in the oversight of 
Recovery Act spending and instructed agencies that when reviewing 
recipients' quarterly reports they should aim to ensure transparency 
while also safeguarding information that is crucial to national 
security. 

FEMA's GPD has taken some recent steps to establish policies and 
procedures to ensure that it appropriately identifies, handles, and 
safeguards any Recovery Act PSGP information that is SSI. However, 
FEMA could do more to ensure that FEMA officials are helping to 
prevent the disclosure of information that ultimately will be posted 
on Recovery.gov and that is otherwise considered SSI. Specifically, 
determining whether Recovery Act PSGP documents, such as investment 
justifications, that contain SSI are appropriately marked as such and 
taking steps to ensure Recovery Act PSGP officials receive FEMA- 
specific SSI training could help better position FEMA to ensure that 
its Recovery Act PSGP staff protect SSI from unauthorized disclosure. 
Further, having an approved policy for reviewing Recovery Act PSGP 
recipient reports could help ensure that initial reviews by different 
FEMA GPD staff will be conducted in a consistent manner to reduce the 
risk of error. Moreover, including in its process a review to identify 
recipient-reported information as SSI, and taking appropriate measures 
to improve recipients' understanding of what information to include in 
the narrative fields that ultimately will be posted on Recovery.gov 
and what information to safeguard as SSI could better position FEMA to 
help prevent the disclosure of sensitive information on Recovery.gov. 

Recommendations for Executive Action: 

To enhance the identification, management, and protection of SSI 
within FEMA in its administration of the Recovery Act PSGP, we 
recommend that the FEMA Administrator take the following four actions: 

* Direct GPD's SSI Coordinator to review Recovery Act PSGP investment 
justifications in FEMA's possession and ensure that they are 
appropriately marked as SSI. 

* Direct GPD's SSI Coordinator, when developing and providing further 
SSI training to GPD staff, to incorporate FEMA-specific examples of 
the application and use of SSI in the training. 

* Direct FEMA's Assistant Administrator for GPD to develop, document, 
and approve a policy that reflects management's intent to implement 
internal controls governing FEMA's review process for Recovery Act 
recipient reports that include appropriate internal controls and a 
procedure both for comparing recipient reports against SSI criteria 
and notifying recipients when their submissions contain SSI. 

* Direct FEMA's Assistant Administrator for GPD to take appropriate 
measures--such as issuing technical assistance, supplemental 
materials, or OMB-approved guidance--to inform Recovery Act PSGP 
recipients of what information they should include in the narrative 
fields that ultimately will be posted on Recovery.gov to foster a 
basic understanding of funded activities and expected outcomes in a 
transparent manner while ensuring that SSI is not disclosed on 
Recovery.gov. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to FEMA for review and comment. 
FEMA provided written comments on the draft report, which are 
reproduced in full in appendix I. FEMA concurred with all four of our 
recommendations, and reported that it plans to take steps to implement 
them. Specifically, FEMA plans to ensure that all Recovery Act PSGP 
grant documents are reviewed and appropriately marked as SSI, which 
would address our first recommendation. Further, FEMA intends to 
enhance its current SSI training to ensure that it is relevant to FEMA 
personnel. If implemented, such training would address our second 
recommendation. In addition, FEMA plans to take steps to incorporate 
appropriate internal controls into its written Recovery Act PSGP 
policies to help ensure consistency in its review of Recovery Act PSGP 
recipient reports. Implementing such controls will address our third 
recommendation. FEMA also agreed with our final recommendation to take 
appropriate measures to inform Recovery Act PSGP recipients of what 
information they should include in their Recovery Act reports. 
However, FEMA did not describe specific actions it planned to take to 
address this recommendation. Nevertheless, FEMA noted that, while no 
SSI was released to the public for the reporting period which we 
reviewed, implementing this recommendation, as well as our others, 
will enhance ongoing review of Recovery Act PSGP recipient reports and 
better enable FEMA to protect SSI from disclosure in the future. FEMA 
also provided technical comments, which we incorporated as appropriate. 

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution for 30 days 
from the report date. At that time, we will send copies of this report 
to the Secretary of Homeland Security and interested congressional 
committees. In addition, this report will be available at no charge on 
the GAO Web site at [hyperlink, http://www.gao.gov]. 

Should you or your staff have any questions concerning this report, 
please contact David Maurer at 202-512-9627 or by e-mail at 
maurerd@gao.gov. Contact points from our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. Key contributors to this report are listed in appendix II. 

Sincerely yours, 

Signed by: 

David C. Maurer: 
Director, Homeland Security and Justice Issues: 

[End of section] 

Appendix I: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

October 12, 2010: 

David Maurer: 
Director, Homeland Security and Justice: 
441 G Street, NW: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Maurer: 

RE: Federal Emergency Management Agency's (FEMA) Review of GAO Draft 
Report 10979, "Recovery Act: FEMA Could Take Steps to Protect 
Sensitive Port Security Grant Details and Improve Recipient Reporting 
Instructions." (440889) 

Thank you for the opportunity to review and comment on the Government 
Accountability Office (GAO) draft report entitled, "RECOVERY ACT: FEMA 
Could Take Steps to Protect Sensitive Port Security Grant Details and 
Improve Recipient Reporting Instructions." 

This report included four recommendations. FEMA concurs with the four 
recommendations addressed to DHS. FEMA appreciates the opportunity to 
highlight current efforts that will not only comply with the 
recommendations, but will also improve our overall operational 
effectiveness. The recommendations and FEMA's corrective actions to 
address the recommendations are described below. 

Recommendation 1: Direct GPD's SSI Coordinator to review Recovery Act 
PSGP investment justifications in FEMA's possession and ensure that 
they are appropriately marked as SSI. 

Response: Concur. FEMA will ensure that all grants are reviewed and 
have appropriate markings. 

Recommendation 2: Direct GPD's SSI Coordinator, when developing and 
providing further SSI training to GPD staff, to incorporate FEMA-
specific examples of the application and use of SSI in the training. 

Response: Concur. FEMA believes that training goals are better 
fulfilled by providing relevance to those impacted by or those who 
impact the outcomes or actions of the subject of the training, and is 
moving beyond the standard training platform currently in place. 

Recommendation 3: Direct FEMA's Assistant Administrator for GPD to 
develop, document, and approve a policy that reflects management's 
intent to implement internal controls governing FEMA's review process 
for Recovery Act recipient reports that includes appropriate internal 
controls and procedures both for comparing recipient reports against 
SSI criteria and notifying recipients when their submissions contain 
SSI. 

Response: Concur. SSI is a matter that is broader than Recovery Act 
awards for FEMA. It was an important consideration before Recovery Act 
funds and will remain beyond this segment of funds. The FEMA Assistant 
Administrator for GPD has documented policies that reflect 
management's intentions and assurances relative to internal controls 
governing many of GPD's management and operational activities. The 
Recovery Act and the transparency requirements through new reporting 
portals introduced a new direction for both the Agency and the 
grantees. In the wake of those new directions, we acknowledge the need 
to ensure that internal controls are applied consistently in FEMA's 
review process for Recovery Act recipient reports as well as in our 
grants management generally. GPD will take steps to ensure that 
internal controls related to ARRA are added to our existing policies. 

Recovery Act recipients self-report on Recovery.gov. It was understood 
by the agency as well as the grantee community that the intent of the 
Recovery Act reporting was for information to be posted on a public 
website. Staff reviewed the contents of the material and generally 
found that the grantees were reporting appropriate information. It was 
the lack of detail that initiated the inquiry into insufficient 
transparency. In the end, the report found no incidence of SSI 
information being publicly reported. We did find very limited cases in 
which grantees were overzealous in complying with the intentions of 
transparency. Staff asked if they might revise their submission in 
consideration of SSI. 

Recommendation 4: Direct FEMA's Assistant Administrator for GPD to 
take appropriate measures — such as issuing technical assistance, 
supplemental materials, or OMB-approved guidance — to inform Recovery 
Act PSGP recipients of what information they should include in 
Recovery.gov's narrative fields to foster a basic understanding of 
funded activities and expected outcomes in a transparent manner while 
ensuring that SSI is not disclosed on Recovery.gov. 

Response: Concur. It is important to note, as mentioned in the report, 
throughout the implementation of the Recovery Act transparency process 
that FEMA, through timely and diligent attention, has NOT permitted 
the release to the public any SSI with respect to the reviewed 
program. The ongoing reporting process will be enhanced through the 
implementation of the recommendations in this report. FEMA is certain, 
the processes and training currently in place did, in fact, ensure 
that NO SSI was released to the public on FederalReporting.gov. 

Thank you for the opportunity to comment on this Draft Report. We look 
forward to working with you on future Homeland Security issues. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental Audit Liaison Office: 

[End of section] 

Appendix II: GAO Contacts and Acknowledgments: 

GAO Contacts: 

David C. Maurer, (202) 512-9627 or maurerd@gao.gov: 

Acknowledgments: 

In addition to the contact named above, key contributors to this 
report were Joy Gambino, Assistant Director; Jill Evancho, Analyst-in-
Charge; and Kathryn Crosby. Tom Beall assisted with design and 
methodology; Geoffrey Hamilton provided legal support; Katherine 
Siggerud, Yvonne Jones, and Susan Zimmerman contributed expertise in 
the Recovery Act; George Erhart and Richard Winsor helped with on-site 
record review; and Labony Chakraborty provided assistance in report 
preparation. 

[End of section] 

Footnotes: 

[1] Pub. L. No. 111-5, 123 Stat. 115, 164 (2009). 

[2] Recovery Act, div. A, title XV, § 1512, 123 Stat. 287-88. 

[3] Id. at §§ 1523(b)(4), 1526. 

[4] This guidance provides that, "in general, if a question arises 
about whether to provide public disclosure of information, agencies 
should promote transparency to the maximum extent practicable when 
consistent with national security interests." OMB, Memorandum for the 
Heads of Departments and Agencies: Initial Implementing Guidance for 
the American Recovery and Reinvestment Act of 2009, M-09-10 
(Washington, D.C.: February 2009). 

[5] Under federal regulations, SSI is, in general, information 
obtained or developed in the conduct of security activities, including 
research and development, the disclosure of which the Transportation 
Security Administration (TSA) has determined would, among other 
things, be detrimental to the security of transportation. See 49 
C.F.R. § 1520.5. 

[6] GAO, Recovery Act: Increasing the Public's Understanding of What 
Funds Are Being Spent on and What Outcomes Are Expected, [hyperlink, 
http://www.gao.gov/products/GAO-10-581] (Washington, D.C.: May 27, 
2010). 

[7] Pub. L. No. 111-5, 123 Stat. 115 (2009). 49 C.F.R. Part 1520. DHS, 
Sensitive Security Information (SSI), Management Directive 11056.1 
(Washington, D.C.: November 2006). 

[8] GAO, Standards for Internal Control in the Federal Government, 
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 2009). Internal control 
is an integral component of an organization's management that provides 
reasonable assurance that the following objectives are being achieved: 
effectiveness and efficiency of operations, reliability of financial 
reporting, and compliance with applicable laws and regulations. These 
standards, issued pursuant to the requirements of the Federal 
Managers' Financial Integrity Act of 1982 (FMFIA), provide the overall 
framework for establishing and maintaining internal control in the 
federal government. Also pursuant to FMFIA, the Office of Management 
and Budget issued Circular A-123, revised December 21, 2004, to 
provide the specific requirements for assessing the reporting on 
internal controls. Internal control standards and the definition of 
internal control in Circular A-123 are based on the GAO Standards for 
Internal Control in the Federal Government. 

[9] OMB, Memorandum for the Heads of Departments and Agencies: Initial 
Implementing Guidance for the American Recovery and Reinvestment Act 
of 2009, M-09-10 (Washington, D.C.: February 2009). OMB, Memorandum 
for the Heads of Departments and Agencies: Updated Implementing 
Guidance for the American Recovery and Reinvestment Act of 2009, M-09-
15 (Washington, D.C.: April 2009). OMB, Memorandum for the Heads of 
Departments and Agencies: Implementing Guidance for the Reports on Use 
of Funds Pursuant to the American Recovery and Reinvestment Act of 
2009, M-09-21 (Washington, D.C.: June 2009). OMB, Memorandum for the 
Heads of Departments and Agencies: Updated Guidance on the American 
Recovery and Reinvestment Act - Data Quality, Non-Reporting 
Recipients, and Reporting of Job Estimates, M-10-08 (Washington, D.C.: 
December 2009). OMB, Memorandum for the Heads of Departments and 
Agencies: Updated Guidance for the American Recovery and Reinvestment 
Act, M-10-14 (Washington, D.C.: March 2010). 

[10] While there are 218 total Recovery Act PSGP recipients, we found 
214 Recovery Act PSGP recipient reports available on Recovery.gov as 
of February 10, 2010, when we took our sample. According to FEMA 
officials, reports from 2 of the remaining 4 recipients were not 
available at the time we took our sample because the recipients had 
experienced problems entering information in certain fields in 
Recovery.gov, and the other 2 recipients likely had similar problems. 

[11] Pub. L. No. 107-295, 116 Stat. 2064, 2075-79 (2002). 

[12] Prior to 2007, the PSGP was operated by a number of offices 
within the Department of Transportation and DHS. 

[13] These are (1) enhancing "maritime domain awareness," which 
involves enhancements to intelligence sharing and analysis amongst law 
enforcement and government leaders; (2) enhancing prevention, 
protection, response, and recovery to improvised explosive devices and 
weapons of mass destruction; (3) supporting implementation of DHS' 
Transportation Worker Identification Credential (TWIC) program; and 
(4) completing construction or infrastructure improvement projects 
that align with existing port and vessel risk management and security 
plans. 

[14] Access controls can include security measures such as pedestrian 
and vehicle gates, keypad access codes that use personal 
identification numbers, magnetic stripe cards and readers, fingerprint 
readers, or other biometric technology, turnstiles, locks and keys, 
and security personnel. In general, under the TWIC program, maritime 
workers who require unescorted access to secure areas of MTSA-
regulated port facilities and vessels must obtain a biometric TWIC 
credential to access such secure areas to help ensure appropriate 
security checks of such personnel. 

[15] GPD was formally created on April 1, 2007, pursuant to the Post- 
Katrina Emergency Management Reform Act of 2006 (Pub. L. No. 109-295, 
120 Stat. 1355, 1394 (2006)). GPD consolidated the grant business 
operations, systems, training, policy, and oversight of all FEMA 
grants and the program management of the suite of preparedness grants. 

[16] In 2005, we reported that TSA lacked policies, procedures, and 
internal controls related to the identification and safeguarding of 
SSI. Following our report, DHS issued Management Directive 11056 in 
December 2005. See GAO, Transportation Security Administration: Clear 
Policies and Oversight Needed for Designation of Sensitive Security 
Information, GAO-05-677 (Washington, D.C.: June 2005). We also 
reported that DHS issued a revised management directive, Management 
Directive 11056.1, to address legislative requirements in the DHS 
Appropriations Act of 2007 and our 2005 recommendations. See GAO, 
Transportation Security Administration's Processes for Designating and 
Releasing Sensitive Security Information, GAO-08-232R (Washington, 
D.C.: November 2007). 

[17] The regulatory definition of "covered person" includes, for 
example, DHS, each person who has access to SSI, owners and operators 
of MTSA-regulated vessels and facilities, and each person employed by, 
or contracted to, or acting for a covered person, including a grantee 
of DHS. See 49 C.F.R. § 1520.7. In general, under SSI regulations, 
access to SSI is to be provided only to those covered persons with a 
need to know. The regulations establish the circumstances under which 
a person has a need to know SSI, such as when a person requires access 
to specific SSI to carry out transportation security activities 
approved, accepted, funded, recommended, or directed by DHS or the 
Department of Transportation. 

[18] To mark paper information as SSI, a covered person must place a 
protective marking--Sensitive Security Information--conspicuously at 
the top of the outside of the front and back cover, the title page, 
and each page of the document. In addition, the covered person must 
also include a distribution limitation statement at the bottom of each 
page. The distribution limitation statement is: "WARNING: This record 
contains Sensitive Security Information that is controlled under 49 
CFR parts 15 and 1520. No part of this record may be disclosed to 
persons without a 'need to know,' as defined in 49 CFR parts 15 and 
1520, except with the written permission of the Administrator of the 
Transportation Security Administration or the Secretary of 
Transportation. Unauthorized release may result in civil penalty or 
other action. For U.S. government agencies, public disclosure is 
governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520." 

[19] The required field "Award Description" asks recipients to 
describe in narrative form "the overall purpose, expected outputs, and 
outcomes or results of the award, including significant deliverables 
and, if appropriate, units of measure." See GAO-10-581. 

[20] The Recovery Act created the Recovery Accountability and 
Transparency Board, which is composed of 12 Inspectors General from 
various federal agencies, who serve with a chairman of the board. 

[21] Material omissions are defined as instances where required data 
are not reported or reported information is not otherwise responsive 
to the data requests resulting in a significant risk that the public 
is not fully informed as to the status of a Recovery Act project or 
activity. Significant reporting errors are defined as those instances 
where required data are not reported and such erroneous reporting 
results in significant risks that the public will be misled or 
confused by the recipient report in question. 

[22] DHS, Sensitive Security Information (SSI), Management Directive 
11056.1. (Washington, D.C.: November 2006). 

[23] GAO, Human Capital: A Guide for Assessing Strategic Training and 
Development Efforts in the Federal Government, [hyperlink, 
http://www.gao.gov/products/GAO-04-546G] (Washington, D.C.: March 
2004). 

[24] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1]. 

[25] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1]. 

[26] 49 C.F.R. §1520.9(a)(1). 

[27] 49 C.F.R. §1520.17. 

[28] TSA's SSI Branch is the focal point governmentwide for making 
assessments to determine if information is SSI. 

[29] While federal agencies are required under OMB guidance to perform 
data quality reviews of recipient data before they are posted on 
Recovery.gov and notify recipients of the need to make appropriate and 
timely changes to erroneous reports, recipients are ultimately 
responsible for data quality checks and final submission of the data. 

[30] One of the six PSGP recipients in our sample did not respond to 
our inquiries. 

[31] [hyperlink, http://www.gao.gov/products/GAO-10-581]. 

[32] Office of Management and Budget, Memorandum for the Heads of 
Executive Departments and Agencies: Updated Guidance on the American 
Recovery and Reinvestment Act, M-10-14 (Washington, D.C.: March 2010). 

[33] [hyperlink, http://www.gao.gov/products/GAO-10-581]. 

[End of section] 
