Homeland Security Advisory System
Preliminary Observations Regarding Threat Level Increases from Yellow to Orange
GAO ID: GAO-04-453R February 26, 2004
Established in March 2002, the Homeland Security Advisory System was designed to disseminate information regarding the risk of terrorist acts to federal, state, and local government agencies and the public. However, this system generated concern among federal, state, and local government agencies regarding whether they are receiving the necessary information to respond appropriately to heightened alerts and about the amount of additional costs protective measures entail. Congress requested that we review (1) the operations of the Homeland Security Advisory System, including the decision making process for changing the national threat level, notifications to federal, state, and local government agencies of changes in the threat level, and ongoing revisions to the system; (2) guidance and information that federal, state, and local government agencies reportedly used to determine any protective measures to implement when the threat level is raised to high--or code-orange--alert; (3) any protective measures these agencies implemented during code-orange alert periods; (4) any additional costs these agencies reported incurring to implement such measures; and (5) any threat advisory systems that federal, state, or local government agencies had in place before the creation of the Homeland Security Advisory System.
Based on analyses of intelligence, the Secretary of Homeland Security, in consultation with members of the Homeland Security Council, determines whether the national threat level should be elevated or lowered. Once the Secretary makes this decision, DHS and others begin the process of notifying federal, state and local government agencies, through various means, such as conference calls. The department has not yet documented its protocols for executing notification. DHS officials told us they are working to develop such documentation. However, they could not provide us with a specific time frame as to when they expect to complete this effort. Federal, state, and local government agencies we met with expressed concern about hearing of threat level changes from media and other sources prior to receiving notification from DHS. DHS officials maintain that the Homeland Security Advisory System is evolving and that they are continually adjusting it to provide additional information regarding specific threats.
Various sources, including the Federal Emergency Management Agency (FEMA), provided guidance and information to federal, state, and local government agencies to assist them in developing plans for responding to each of the advisory system's five threat levels following establishment of the system in March 2002. Additionally, DHS and others provided federal, state, and local government agencies with guidance and information to assist them in determining actions to take in response to each code-orange alert occurrence.
Federal agencies responding to our questionnaire indicated that they maintain a high security posture and, as a result, did not need to implement a substantial number of additional protective measures to respond to code-orange alerts. For the most part, these 15 federal agencies reported enhancing protective measures they already had in place to respond to the code-orange alerts, such as increasing the frequency of facility security patrols. To a lesser degree, these federal agencies indicated that they continued existing protective measures at their pre-code-orange alert levels, such as the use of intrusion detection systems. To ensure that protective measures operate as intended, federal agencies for which we received questionnaire responses reported conducting tests on the functionality and reliability of protective measures. They also reported receiving confirmation of the enhancement or implementation of measures from component entities, offices, or personnel.
Thirteen federal agencies, one state, and six localities provided information on the additional costs incurred during at least two of the three orange alert periods in our review. The cost information the federal agencies provided was generally estimates.
Some federal, state, and local government agencies we contacted reported that they have threat advisory systems in place to ensure government agencies are notified of impending emergencies such as natural disasters or terrorist threats, allowing them to prepare a response. These systems, which were generally in place before the creation of the Homeland Security Advisory System, are similar to the Homeland Security Advisory System or have been revised to conform to it and include threat levels with associated protective measures. For example, one federal agency told us that it had developed its own five-level alert system 8 years ago to ensure protection of critical national security assets. While federal, state, and local government agencies said they raise or lower their systems' threat levels to correspond to changes in the national threat level, they also independently change threat levels to respond to specific threats or for large public events.
This is the accessible text file for GAO report number GAO-04-453R
entitled 'Homeland Security Advisory System: Preliminary Observations
Regarding Threat Level Increases from Yellow to Orange' which was
released on March 11, 2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
February 26, 2004:
The Honorable Christopher Cox:
Chairman:
The Honorable Jim Turner:
Ranking Minority Member:
House Select Committee on Homeland Security:
House of Representatives:
Subject: Homeland Security Advisory System: Preliminary Observations
Regarding Threat Level Increases from Yellow to Orange:
Established in March 2002, the Homeland Security Advisory System was
designed to disseminate information regarding the risk of terrorist
acts to federal, state, and local government agencies and the public.
However, this system generated concern among federal, state, and local
government agencies regarding whether they are receiving the necessary
information to respond appropriately to heightened alerts and about the
amount of additional costs protective measures entail.
You requested that we review (1) the operations of the Homeland
Security Advisory System, including the decision making process for
changing the national threat level, notifications to federal, state,
and local government agencies of changes in the threat level, and
ongoing revisions to the system; (2) guidance and information that
federal, state, and local government agencies reportedly used to
determine any protective measures to implement when the threat level is
raised to high--or code-orange--alert; (3) any protective measures
these agencies implemented during code-orange alert periods; (4) any
additional costs these agencies reported incurring to implement such
measures; and (5) any threat advisory systems that federal, state, or
local government agencies had in place before the creation of the
Homeland Security Advisory System.
This report summarizes our preliminary observations on each of these
objectives. The code-orange alert periods covered in this preliminary
report and our ongoing work are March 17 to April 16, 2003; May 20 to
30, 2003; and December 21, 2003, to January 9, 2004.
The preliminary observations in this report are based on information
obtained as of February 9, 2004. This includes responses from 15 of the
28 federal agencies to which we sent a questionnaire regarding the
Homeland Security Advisory System and code-orange alert periods, and
information from 8 federal agencies, four states, the District of
Columbia,[Footnote 1] and nine local governments that we contacted
during the design of our methodology. We selected the 8 federal
agencies using agencies' reports to the Office of Management and Budget
on the amount of homeland security funding they received for fiscal
year 2003.[Footnote 2] Five of the 8 selected agencies reported
receiving the most homeland security funding. We selected the four
states, the District of Columbia, and nine local governments on the
basis of their critical infrastructure assets, such as national
landmarks, ports, and oil pipelines. The Department of Homeland
Security (DHS) generally has not documented the policies and procedures
it has used for assessing intelligence information, determining whether
to raise or lower the threat level, and notifying federal, state, and
local government agencies about changes in threat levels. Thus, our
findings about the operations of the Homeland Security Advisory System
are principally based on interviews with DHS officials. We will
continue to assess the Homeland Security Advisory System and related
guidance, measures implemented during code-orange periods, and the
costs incurred during code-orange alerts. We expect to issue a final
report later this year. On February 23 and 24, 2004, officials
representing the Department of Homeland Security provided oral
technical comments on this report, which we incorporated as
appropriate. We conducted our work from July 2003 to February 2004 in
accordance with generally accepted government auditing standards. For
more detailed information on our scope and methodology, see enclosure
I.
Results in Brief:
Based on analyses of intelligence, the Secretary of Homeland Security,
in consultation with members of the Homeland Security Council,[Footnote
3] determines whether the national threat level should be elevated or
lowered. Once the Secretary makes this decision, DHS and others begin
the process of notifying federal, state and local government agencies,
through various means, such as conference calls. The department has not
yet documented its protocols for executing notification. DHS officials
told us they are working to develop such documentation. However, they
could not provide us with a specific time frame as to when they expect
to complete this effort. Federal, state, and local government agencies
we met with expressed concern about hearing of threat level changes
from media and other sources prior to receiving notification from DHS.
DHS officials maintain that the Homeland Security Advisory System is
evolving and that they are continually adjusting it to provide
additional information regarding specific threats.
Various sources, including the Federal Emergency Management Agency
(FEMA),[Footnote 4] provided guidance and information to federal,
state, and local government agencies to assist them in developing plans
for responding to each of the advisory system's five threat levels
following establishment of the system in March 2002. Additionally, DHS
and others provided federal, state, and local government agencies with
guidance and information to assist them in determining actions to take
in response to each code-orange alert occurrence. For the most part,
the 15 federal agencies responding to our questionnaire noted that the
guidance and information they received was useful and timely. However,
14 of these 15 federal agencies, along with officials from three states
and six local governments we met with, noted that they would have
benefited by receiving additional information on region-, sector-,
site-, and event-specific threats when deciding additional actions to
take for the three most recent code-orange alerts. We will continue to
assess this guidance and information to determine its consistency and
the extent to which the entities that provided the guidance and
information coordinated with other agencies providing similar
information.
Federal agencies responding to our questionnaire indicated that they
maintain a high security posture and, as a result, did not need to
implement a substantial number of additional protective measures to
respond to code-orange alerts. For the most part, these 15 federal
agencies reported enhancing protective measures they already had in
place to respond to the code-orange alerts, such as increasing the
frequency of facility security patrols. To a lesser degree, these
federal agencies indicated that they continued existing protective
measures at their pre-code-orange alert levels, such as the use of
intrusion detection systems. To ensure that protective measures operate
as intended, federal agencies for which we received questionnaire
responses reported conducting tests on the functionality and
reliability of protective measures. They also reported receiving
confirmation of the enhancement or implementation of measures from
component entities, offices, or personnel. Protective measures
benefited federal agencies in various ways, but also affected agency
operations, according to the agencies responding to our questionnaire.
For example, while actions taken during code-orange alerts promoted
employees' sense of security, they also resulted in delays for
employees entering facilities. State and local government officials we
met with noted that their agencies implemented various protective
measures for code-orange alerts, including additional law enforcement
patrols.
Thirteen federal agencies, one state, and six localities provided
information on the additional costs incurred during at least two of the
three orange alert periods in our review. The cost information the
federal agencies provided was generally estimates. Nine agencies
reported incurring additional costs while 4 stated that they did not
incur any additional costs. Eight of the 9 agencies provided cost
estimates, whereas the ninth provided actual costs extracted from its
financial accounting system. For the 9 agencies that reported incurring
additional costs, we calculated the additional average daily costs
incurred during each of the three orange alert periods. The additional
average daily costs varied by alert period and ranged from as little as
about $160 for a small independent agency to more than $165,000
for a cabinet department. For 8 of the 9 agencies, the additional
average daily costs were lower for the third alert period than the
first alert period. Cost information for the one state and six
localities was limited, and we have little or no information on how
those costs were determined. Thus, we cannot assess the reliability and
comparability of these costs.
Some federal, state, and local government agencies we contacted
reported that they have threat advisory systems in place to ensure
government agencies are notified of impending emergencies such as
natural disasters or terrorist threats, allowing them to prepare a
response. These systems, which were generally in place before the
creation of the Homeland Security Advisory System, are similar to the
Homeland Security Advisory System or have been revised to conform to it
and include threat levels with associated protective measures. For
example, one federal agency told us that it had developed its own
five-level alert system 8 years ago to ensure protection of critical
national security assets. While federal, state, and local government
agencies said they raise or lower their systems' threat levels to
correspond to changes in the national threat level, they also
independently change threat levels to respond to specific threats or
for large public events.
Background:
Homeland Security Presidential Directive 3 (HSPD-3) established the
Homeland Security Advisory System in March 2002. Through the creation
of the Homeland Security Advisory System, HSPD-3 sought to produce a
common vocabulary, context, and structure for an ongoing discussion
about the nature of threats that confront the nation and the
appropriate measures that should be taken in response to those threats.
Additionally, HSPD-3 established the Homeland Security Advisory System
as a mechanism to inform and facilitate decisions related to securing
the homeland among various levels of government, the private sector,
and American citizens.
The Homeland Security Advisory System, as shown in figure 1, is
comprised of five color-coded threat conditions, which represent levels
of risk related to potential terror attack. As defined in HSPD-3, risk
includes both the probability of an attack occurring and its potential
gravity.
Figure 1: Homeland Security Advisory System:
[See PDF for image]
[End of figure]
Since its establishment in March 2002, the Homeland Security Advisory
System national threat level has remained at elevated alert--
code-yellow--except for five periods during which the administration raised
it to high alert--code-orange. The periods of code-orange alert follow:
* September 10 to 24, 2002;
* February 7 to 27, 2003;
* March 17 to April 16, 2003;
* May 20 to 30, 2003; and
* December 21, 2003, to January 9, 2004.
The Homeland Security Advisory System is binding on the executive
branch. HSPD-3 directs all federal departments, agencies, and offices,
other than military facilities,[Footnote 5] to conform their existing
threat advisory systems to the Homeland Security Advisory System. These
agencies are responsible for ensuring their systems are consistently
implemented in accordance with national threat levels as defined by the
Homeland Security Advisory System. Additionally, federal departments
and agency heads are responsible for developing protective measures and
other antiterrorism or self-protection and continuity plans in response
to the various threat levels and operating and maintaining these plans.
While HSPD-3 encourages other levels of government and the private
sector to conform to the system, their compliance is voluntary.
When HSPD-3 first established the Homeland Security Advisory System, it
provided the Attorney General with responsibility for administering the
Homeland Security Advisory System, including assigning threat
conditions in consultation with members of the Homeland Security
Council, except in exigent circumstances. As such, the Attorney General
could assign threat levels for the entire nation, for particular
geographic areas, or for specific industrial sectors. Upon its
issuance, HSPD-3 also assigned responsibility to the Attorney General
for establishing a process and a system for conveying relevant threat
information expeditiously to federal, state, and local government
officials, law enforcement authorities, and the private sector.
In November 2002, Congress enacted the Homeland Security Act of 2002,
P.L. 107-296, which established the Department of Homeland Security.
Under the Homeland Security Act of 2002, the DHS Under Secretary for
Information Analysis and Infrastructure Protection (IAIP) is
responsible for administering the Homeland Security Advisory System. As
such, IAIP is primarily responsible for issuing public threat
advisories and providing specific warning information to state and
local governments and to the private sector. The act also charges IAIP
with providing advice about appropriate protective actions and
countermeasures.[Footnote 6]
In February 2003, in accordance with the Homeland Security Act, the
administration issued Homeland Security Presidential Directive 5
(HSPD-5), which amended HSPD-3 by transferring authority for assigning threat
conditions and conveying relevant information from the Attorney General
to the Secretary of Homeland Security. HSPD-5 directs the Secretary of
Homeland Security to consult with the Attorney General and other
federal agency heads the Secretary deems appropriate, including other
members of the Homeland Security Council, when determining the threat
level, except in exigent circumstances.
The Advisory System Includes Threat Analysis, Notifications, and
Ongoing Revisions, but Protocols for Notification Have Not Been
Documented:
According to DHS officials, the intelligence community continuously
gathers and analyzes information regarding potential terrorist
activity. This includes information from such agencies as DHS,[Footnote
7] the Central Intelligence Agency, the Federal Bureau of Investigation
(FBI), and the Terrorist Threat Integration Center.[Footnote 8]
Analyses from these and other agencies are shared with DHS's IAIP,
which is engaged in constant communication with intelligence agencies
to assess potential homeland security threats.
DHS officials told us that when intelligence information provides
sufficient indication of a planned terrorist attack, and is determined
to be credible, IAIP recommends to the Secretary of Homeland Security
that the national threat level should be raised. To decide whether to
lower the national threat level, DHS officials told us that the
department reviews threat information to determine whether time frames
for threats have passed and whether protective measures in place for
the code-orange alerts have been effective in mitigating the threats.
DHS officials further told us that analysis of the threat information
and determination of threat level changes are specific for each time
period and situation and include a certain amount of subjectivity. They
said no explicit criteria or other quantifiable factors are used to
decide whether to raise or lower the national threat level.
Based on a review of the threat information and analyses, DHS officials
said that the Secretary of Homeland Security consults with the other
members of the Homeland Security Council on whether the national threat
level should be changed.[Footnote 9] DHS officials told us that if the
Homeland Security Council members could not agree on whether to change
the national threat level, the president would make the decision. After
the determination has been made to raise or lower the national threat
level, DHS begins its notification process.
DHS used the following methods, among others, to notify entities of
changes in the national threat level, according to responses from our
federal agency questionnaire and discussions with DHS and other
government officials:
* Conference calls between the Secretary of Homeland Security and state
governors and/or state homeland security officials;
* Telephone calls from Federal Protective Service (FPS, a component of
DHS) officials to federal agencies;
* E-mail or telephone communications from Homeland Security Operations
Center (HSOC) representatives to the federal, state, or local agencies
they represent;
* HSOC electronic systems such as the Joint Regional Information
Exchange System;
* FBI electronic systems such as the National Law Enforcement
Telecommunications System;[Footnote 10] and
* E-mail and/or telephone communications with federal agencies' chief
of staff and public affairs offices.
Of the 13 federal agencies responding to our questionnaire that
received notification from DHS for the code-orange alert period
December 21, 2003, to January 9, 2004, 9 reported being notified by
more than one method. These agencies most often reported receiving
notification of threat level increases via electronic communications
systems, such as the Washington Area Warning Alert System. Preliminary
questionnaire responses and discussions with federal, state, and local
government officials indicate that DHS also used multiple methods to
notify federal, state, and local agencies of threat level changes for
the other two code-orange alert periods in our review.
DHS officials stated in recent congressional testimony that the
department's communications of national threat level changes also
provide specific information regarding the intelligence supporting the
change in the threat condition, and that protective measures are
developed and communicated, along with the threat information, prior to
a public announcement of the decision. Some federal, state, and local
officials indicated in meetings and questionnaire responses that they
have not received information on region-, sector-, site-, or
event-specific threats in DHS notifications of threat level changes. Some of
these officials commented that they would like specific information on
threats to determine the most appropriate protective measures for their
agencies or localities. Thirteen of the 15 federal agencies responding
to our questionnaire reported receiving notification of the threat
level change from DHS during the most recent elevation to code-orange.
Six of the 13 agencies reported receiving region- or sector-specific
threat information; 5 reported receiving information on threat time
frames; and 5 reported receiving site- or event-specific information.
Two of the 15 federal agencies responding to the questionnaire reported
that they did not receive notification from DHS. In addition, for each
code-orange alert period, 12 of the 15 federal agencies identified
insufficient information on the threat as an impediment to responding
to the heightened alert. DHS officials maintain that they provide
federal, state, and local officials with specific threat information
whenever it is available. We will continue to review DHS's notification
methods, including the content of such notifications. We expect to
report the results of this work later this year.
Some federal agencies, as well as state and local officials we
interviewed, reported hearing about notification of national threat
level changes from other entities, such as the FBI and media sources,
before being notified by DHS. For example, 3 federal agencies and five
state and local entities noted learning about national threat level
changes via media sources prior to being notified by DHS. This raises
questions about whether DHS is always conveying information regarding
threat level changes to government entities expeditiously, as required
by HSPD-3.
Officials from one federal agency, one state, and two localities would
prefer to receive notification of threat level changes from DHS prior
to hearing about the changes from media sources. These officials told
us that after the change is reported via media sources, their agencies
receive requests for detailed information on the change from the public
and other entities. They noted that their agencies appear ineffective
to the public and other entities because, without notification of the
national threat level change before it is reported by media sources,
they do not have time to prepare informed responses. DHS officials
indicated they were aware that the media sometimes reported threat
level changes before DHS notified federal, state, and local officials
and in the case of the second alert period in our review, before the
decision to raise the threat level was even made. In addition, DHS
officials told us that they send notifications/advisories to the media
to inform them of impending press conferences, and that the media may
speculate about announcements of threat level changes that may be made
at the press conferences.
DHS officials told us that they have not yet formally documented
protocols for notifying federal, state, and local government agencies
of national threat level changes. They told us that they are working to
document their protocols. However, they could not provide us with a
specific time frame as to when DHS expects to complete this effort. For
an entity to control its operations, it must have relevant, reliable,
and timely communications relating to internal as well as external
events.[Footnote 11] As we have previously reported, to establish
channels that facilitate open and effective communication, agencies
should clearly set out procedures, such as communication protocols,
that they will consistently follow when doing their work.[Footnote 12]
Communications protocols would, among other things, help foster clear
understanding and transparency regarding federal agencies' priorities
and operations. Moreover, protocols can help ensure that agencies
interact with federal, state, local, and other entities using clearly
defined and consistently applied policies and procedures.
DHS officials told us that the Homeland Security Advisory System is
constantly evolving based on their ongoing review of the system. To
provide more specific threat information and respond to sector- and
location-specific security needs, DHS officials told us they adjust the
system based on feedback from federal, state, local and private sector
officials; tests of the system; and experience with previous periods of
code-orange alert. For example, during the most recent code-orange
alert, there was heightened concern about the use of aircraft for
potential terrorist attacks and several geographic locations were also
reported to be at particularly high risk. In a recent testimony, the
Deputy Secretary of Homeland Security noted that DHS provided specific
recommendations for protective measures to industry sectors and for
geographic areas in response to specific threat information. When the
national threat level was lowered to yellow on January 9, 2004, DHS
recommended that some sectors, such as the aviation industry, and
certain geographic locations continue on a heightened alert status.
According to the Deputy Secretary, this was the first time since the
creation of the Homeland Security Advisory System that DHS lowered the
national threat level but recommended maintaining targeted protections
for a particular industry sector or geographic location.
DHS officials also told us that the department issues threat advisories
and information bulletins for specific threats that do not require
changes in the national threat level. Threat advisories contain
information about incidents or threats targeting critical national
infrastructures or key assets, such as pipelines. Information bulletins
communicate information of a less urgent nature to nongovernmental
entities and those responsible for the nation's critical
infrastructures. The threat advisories and bulletins we reviewed also
include advice on protective measures for law enforcement agencies.
Federal, State, and Local Agencies Reported Receiving Useful
Information and Guidance, but Would Prefer More Specific Information:
Federal agencies responding to our questionnaire reported receiving and
using guidance and information from various sources to develop plans
for responding to each of the five national threat levels. In
particular, these federal agencies indicated that they received and
used guidance from FEMA, FPS, the Department of Justice (DOJ), and the
White House. For example, 6 federal agencies reported using DOJ's
Vulnerability Assessment of Federal Facilities.[Footnote 13] This
guidance established security levels for different types of federal
facilities and minimum-security standards for each level. In addition,
5 federal agencies reported using HSPD-3, which established the
Homeland Security Advisory System and suggested general protective
measures for each threat level. Twelve federal agencies also reported
using their agencies' vulnerability assessments to help them develop
appropriate measures to take in responding to national threat levels.
In addition to developing response plans for each threat level, federal
agencies responding to our questionnaire reported receiving and using
both guidance and information and intelligence from various sources to
determine additional protective measures to implement in response to
the code-orange alerts included in our review. They indicated that the
guidance and information was generally useful and timely. For example,
as shown in table 1, the 15 federal agencies responding to our
questionnaire reported using guidance from a variety of sources to
determine actions to take for the most recent code-orange alert period
from December 21, 2003, to January 9, 2004. Most federal agencies that
reported using guidance from the agencies listed in table 1 noted that
the guidance was useful and timely.
Table 1: Number of Federal Agencies that Used Guidance and Found It
Useful and Timely for the Code-Orange Alert Period December 21, 2003,
to January 9, 2004:
| Source of guidance | Number of federal agencies | Useful[A] | Timely[B] |
|---|---|---|---|
| DHS | 11 | 10 | 7 |
| FBI | 5 | 5 | 5 |
| White House | 4 | 4 | 4 |
| Local law enforcement | 1 | 1 | 1 |
Source: GAO analysis of data from the first 15 federal agencies
responding to GAO's questionnaire.
[A] We asked federal agencies to indicate whether guidance they
received was very useful, somewhat useful, or of little or no use.
Useful reflects respondent ratings of very useful and somewhat useful.
[B] We also asked agencies to indicate whether the guidance they
received was timely by responding yes or no.
[End of table]
Likewise, as shown in table 2, the 15 respondents to the federal agency
questionnaire indicated that they used multiple sources of information
and intelligence in determining actions for the most recent code-orange
alert period. These agencies also generally reported that information
and intelligence from the sources listed in table 2 was useful and
timely.
Table 2: Number of Federal Agencies that Used Information and
Intelligence and Found It Useful and Timely for the Code-Orange Alert
Period December 21, 2003, to January 9, 2004:
| Source of information/intelligence | Number of federal agencies | Useful[A] | Timely[B] |
|---|---|---|---|
| DHS | 9 | 8 | 8 |
| FBI | 10 | 8 | 8 |
| White House | 4 | 4 | 4 |
| National Joint Terrorism Task Force | 5 | 5 | 4 |
| Agency intelligence sources | 3 | 3 | 2 |
| Local law enforcement | 2 | 2 | 1 |
Source: GAO analysis of data from the first 15 federal agencies
responding to GAO's questionnaire.
[A] We asked federal agencies to indicate whether the information and
intelligence they received was very useful, somewhat useful, or of
little or no use. Useful reflects respondent ratings of very useful and
somewhat useful.
[B] We also asked agencies to indicate whether the guidance they
received was timely by responding yes or no.
[End of table]
Results for the other two code-orange alert periods included in our
review--March 17 to April 16, 2003, and May 20 to 30, 2003--were
consistent with those reported in tables 1 and 2 for the code-orange
alert period December 21, 2003, to January 9, 2004.
State and local government officials we met with told us that they also
used guidance and information from several sources, including DHS, to
develop actions to take for the code-orange alert periods. For example,
they told us that their agencies used guidance and information from DHS
on critical infrastructure assets and airport security. They also
indicated that they used information from the FBI and local law
enforcement agencies, such as additional intelligence information, to
determine areas in which to strengthen protective measures.[Footnote 14]
For the most part, federal agencies responding to our questionnaire
along with officials we met with from 3 state and 6 local government
agencies indicated that receiving information with greater specificity
about threats would have been helpful in determining additional actions
to take in response to code-orange alerts. For example, 14 of 15
federal agencies responding to our questionnaire indicated that
information on region-, sector-, site-, or event-specific threats, if
available, would have been helpful. Additionally, all 15 federal
agencies reported that information on threat time frames, if available,
would have assisted them in determining appropriate actions to take in
responding to the code-orange alerts. Fourteen federal agencies also
indicated that receiving information on recommended measures for
preventing incidents would have been helpful in determining appropriate
protective measures to implement or enhance for each code-orange alert
period.
In addition, one state official noted that receiving more specific
information about the type of threat--against bridges and dams, for
example--would enable the state to concentrate its response in those
areas, a more effective approach than simply blanketing the state with
increased general security measures. One local official also noted that
specific information about the location of a threat should be provided
to law enforcement agencies throughout the nation--not just to
localities that are being threatened--thus allowing other local
governments to determine whether there would be an indirect impact on
them and to respond accordingly. DHS officials indicated that the
department works with state and local officials to develop specific
protective measures. One official said that DHS communicates regularly
with and provides technical advice to state and local officials to
assist in the development of specialized and appropriate protective
measures.
Federal Agencies Reported Enhancing Existing Protective Measures More
Often than Implementing New Measures, While State and Local Agencies
Reported Implementing Additional Measures:
Federal agencies responding to our questionnaire as well as those we
visited indicated that they substantially enhanced security following
the September 11, 2001, terrorist attacks. Thus, these agencies operate
at high security levels regardless of the national threat level. In
responding to our questionnaire, most federal agencies noted that they
did not significantly increase the number of additional protective
measures in response to the code-orange alerts. Federal agencies
reported that their primary response for the three code-orange alerts
was to enhance or more frequently use measures already in place, such
as increasing the frequency of existing facility security patrols. Less
often, these agencies indicated that they continued, or did not change,
existing protective measures as a result of the code-orange alert
periods, such as the use of intrusion detection systems.
During the code-orange alert period from December 21, 2003, to January
9, 2004, preliminary responses to the federal agency questionnaire
indicate that about 49 percent of all protective measures these
agencies reported were enhanced in response to the threat level
increase. About 37 percent of all protective measures reported for this
period were continued at their pre-code-orange alert levels, or not
changed, by federal agencies in response to the code-orange alert.
About 13 percent of the protective measures federal agencies reported
for the December 21, 2003, to January 9, 2004, code-orange alert period
were implemented by these agencies solely in response to the
code-orange alert.[Footnote 15] For instance, one measure implemented solely
in response to the code-orange alert period was the extension of shifts
for emergency personnel. Preliminary analysis of responses regarding
the other two periods of code-orange alert is consistent with those
from the December 21, 2003, to January 9, 2004, period.
As indicated in table 3, among the most commonly reported protective
measures, only one was implemented solely in response to the
code-orange alert period December 21, 2003, to January 9, 2004, according to
federal agencies' questionnaire responses. Even so, only 2 of the 14
federal agencies that reported having the measure indicated that they
implemented the measure solely in response to the code-orange alert,
while the other 12 agencies indicated that the measure was already in
place. The protective measures most commonly reported by federal
agencies for the code-orange alert period were already in place and
continued at pre-code-orange alert levels or were enhanced for the
code-orange alert period. Preliminary results for the other two
code-orange alert periods in our review were similar to those reported in
table 3.
Table 3: Protective Measures Most Commonly Reported by Federal Agencies for the December 21, 2003, to January 9, 2004, Code-Orange Alert Period:
| Protective measure | Number of federal agencies that reported measure | Number of agencies that indicated no change in measure that was already in place[A] | Number of agencies that enhanced measure that was already in place[B] | Number of agencies that implemented measure for code-orange only[C] |
|---|---|---|---|---|
| Screen mail | 15 | 8 | 7 | 0 |
| Activate monitoring systems | 15 | 11 | 4 | 0 |
| Activate intrusion detection systems | 15 | 14 | 1 | 0 |
| Implement facility security patrols | 15 | 2 | 13 | 0 |
| Inspect visitors | 14 | 8 | 6 | 0 |
| Escort visitors | 14 | 5 | 7 | 2 |
Source: GAO analysis of data from the first 15 federal agencies
responding to GAO's questionnaire.
[A] No change in a protective measure indicates that the measure was
already in place prior to the code-orange alert period and continued at
the same level of use or frequency during a code-orange alert.
[B] The enhancement of a measure that was already in place refers to
the increased use of an existing protective measure, such as more
frequent facility security patrols or increased volume of mail
screened.
[C] The implementation of a measure for code-orange only refers to the
use of an additional measure that was not already in place solely to
respond to a code-orange alert.
[End of table]
To ensure that protective measures operate as intended and are
implemented as planned, federal agencies for which we received
questionnaire responses indicated that they conducted tests or
exercises on these measures within the past year. These federal
agencies also reported receiving confirmation from component entities,
offices, or personnel that protective measures were enhanced or
implemented during the code-orange alert periods. Fifteen federal
agencies responding to our questionnaire reported that they conducted
tests or exercises on the functionality and reliability of intrusion
detection systems, mail and delivery screening equipment and
procedures, monitoring systems, and continuity of operations and
emergency response measures. Fourteen of these agencies indicated that
they conducted tests or exercises on visitor and employee screening
procedures and vehicle inspection equipment and procedures.
Furthermore, 12 of these agencies noted that they confirmed that
protective measures were enhanced or implemented during each of the
three code-orange alert periods.
Federal agencies responding to our questionnaire indicated that they
benefited in various ways from the protective measures they implemented
during code-orange alerts, but also noted that their operations were
affected. For example, these federal agencies reported that protective
measures enhanced employees' sense of security, promoted staff
awareness, and provided visible deterrents to possible threats. On the
other hand, they said that their operations were affected by delaying
visitors, employees, and vehicles from entering facilities; limiting
tours, meetings, and conferences; and shifting resources away from
normal daily operations to ensure measures required for code-orange
alerts were implemented.
Additionally, these federal agencies noted that they faced a number of
operational challenges in responding to the code-orange alerts. For
example, 12 of the 15 federal agencies indicated that insufficient
information on threats was an operational challenge. In particular, 6
federal agencies noted that without specific information on threats,
they could not effectively focus resources on protective measures to
respond to possible threats. Other operational challenges identified by
some federal agencies responding to our questionnaire include
insufficient personnel training to implement protective measures,
insufficient equipment and materials, and insufficient facilities and
space, particularly to screen visitors.
Officials from two states and three local governments told us that they
responded to code-orange alerts by implementing a variety of protective
measures, such as enhanced entry screening, additional law enforcement
patrols, and increased surveillance of critical infrastructure. They
also told us that, in some cases, their agencies implemented heightened
airport security measures and increased coordination with other
agencies during the code-orange alert periods.
Cost Data Reported by Federal, State, and Local Government Agencies Is
Limited:
Thirteen federal agencies, one state, and six localities provided
information on additional costs, if any, that they incurred during
code-orange alert periods. The cost information federal agencies
reported in response to our questionnaire was generally estimates; the
methods the state and six localities used to develop their information
are generally unknown.
Thirteen of the 15 federal agencies responding to our questionnaire
provided information on whether they incurred additional costs during
each of the three code-orange alert periods in our review. Of these 13
federal agencies, 9 noted they had incurred additional costs and
provided a dollar amount for those costs; 4 agencies said that they did
not incur any additional costs.
Eight of the 9 agencies that reported incurring additional costs
provided cost estimates. In addition, most of these agencies reported
using similar methods to develop their estimates. Based on our
preliminary analysis, these methods appear to be reasonable. For
example, 5 of these agencies reported using the additional hours
accumulated by security personnel during code-orange alerts multiplied
by the hourly rates of security personnel to develop estimates for
additional personnel costs incurred during code-orange alerts. The 8
agencies' cost estimates do not necessarily include all nonpersonnel
costs that may have been incurred during one or more of the three
code-orange alert periods included in our survey.
One agency tracked additional costs incurred in response to code-orange
alerts, and thus was able to provide actual cost information. This
agency extracted cost information from its financial accounting system,
which was subjected to auditing procedures. However, as reported in the
fiscal year 2005 President's Budget, this agency's financial management
performance had serious flaws as of December 31, 2003. Thus, we have
concerns regarding the reliability of the cost information provided to
us. We will continue to assess this issue and expect to report the
results of this effort to you later this year.
For the 9 agencies that reported incurring additional costs, we
calculated the additional average daily costs incurred during each of
the three code-orange alert periods. The additional average daily costs
for these 9 agencies ranged from $172 to $155,000 for the March 17 to
April 16, 2003, period; from $467 to $165,660 for the May 20 to 30,
2003, period; and from $158 to $142,725 for the December 21, 2003, to
January 9, 2004, period. For each code-orange alert period, the lowest
cost was for a small independent agency and the largest for a cabinet
department.
We conducted preliminary analysis on the additional average daily costs
the 9 federal agencies incurred between the first and second alert
periods, and no specific trends emerged. For example, of the 9 agencies
that reported incurring additional costs during code-orange alert
periods, 5 agencies had an increase in additional average daily costs
between the first and second alert periods under review, and 3 agencies
had a decrease. One agency's additional costs remained the same for
each of the first two code-orange alert periods. For these 9 agencies,
the total percentage change between the first and second alert periods
ranged from a decrease of approximately 22 percent to an increase of
about 179 percent. However, this 179 percent increase, reported by a
small independent agency, represented only a difference of about $300.
Based on the cost information these agencies reported, 8 of the 9
agencies incurred fewer additional costs during the third code-orange
alert period than during the first code-orange alert. Percentage
decreases in additional costs between these two periods ranged from
about 8 percent to 83 percent. One agency did not experience any
difference in additional costs incurred between the first and third
code-orange alert periods under review.
Even though the percentage decreases are similar for some of the 9
federal agencies, the actual dollar amount of the decreases could vary
considerably. For example, while 2 federal agencies experienced an 8
percent decline in additional average daily costs between the first and
third alert periods, 1 of these, a small independent agency, had a $14
decline in additional average daily costs, while the other, a larger
cabinet level agency, had a $12,275 decline.
Currently, we do not have sufficient information to explain the
differences in additional costs the 9 federal agencies incurred between
the first and second code-orange alert periods and the overall decline
in additional costs for 8 of the 9 agencies between the first and third
code-orange alert periods. As our analysis of the additional costs
incurred by federal agencies continues, we will continue to examine
differences in the additional costs individual agencies incurred in
each alert period, and, where possible, obtain information about the
reasons for these differences. We expect to report the results of this
work to you later this year.
Two of the 15 federal agencies responding to our questionnaire said
that they did not report cost information for any of the three orange
alert periods in the survey because they did not track additional
code-orange alert costs. These agencies explained that they did not have the
capability to separate additional code-orange alert costs from their
total annual security-related costs.
To date, we have received code-orange alert cost information from one
state and six localities. These state and local cost estimates included
little or no information on how they were developed or on internal
control procedures used to verify the reliability of the costs
provided. Therefore, we were unable to verify the comprehensiveness,
consistency, reliability, or comparability of the cost estimates they
provided. Based on the cost information provided by one state, we
calculated the additional average daily cost for 10 of the state's
agencies, which amounted to just under $400 for the code-orange alert
period from March 17 to April 16, 2003. Five of its agencies
collectively incurred an additional average daily cost of just over $90
for the code-orange alert from May 20 to 30, 2003. No cost information
was provided for the December 21, 2003, to January 9, 2004, code-orange
alert period.
We do not yet know how the localities developed their cost information.
Thus, we cannot assess the reliability of this information. We
calculated additional average daily costs for the six localities based
on the cost information they provided to us. Five localities had
additional average daily costs for the March 17 to April 16, 2003,
period, ranging from a low of about $8,000 to a high of about $68,000.
Two localities had average daily costs of about $12,000 or less and two
had costs of more than $60,000. For the May 20 to 30, 2003, period,
three localities had additional average daily costs of approximately
$100, $6,000, and $9,000, respectively. One of the localities provided
cost information for all three orange alert periods included in our
review--but its information was limited to costs for 3 agencies. That
locality had additional average daily costs for 3 agencies of about
$12,000 in the March 17 to April 16, 2003, period; approximately $9,000
in the May 20 to 30, 2003, period; and about $11,000 for the December
21, 2003, to January 9, 2004, period. Finally, one locality had about
$5,000 per day in police overtime, equipment, and contractual costs for
each day the locality was at code-orange during February through May
2003.
We sent a questionnaire to 50 states, the District of Columbia, Puerto
Rico, and 4 territories to collect a variety of information, including
additional costs they incurred during code-orange alerts. However, we
did not receive responses from any states and territories in time to
include the results in this report. We expect to report any cost
information collected through this effort to you later this year. Based
on our work to date, states and localities generally may not
systematically and uniformly collect the additional costs associated
with higher (e.g., code-orange) alert levels; thus, we do not expect to
collect reliable, comparable, and comprehensive state and local
government costs. For example, one locality we visited told us they had
tracked some additional code-orange costs by using a specific job code,
but the level of effort involved to get all agencies to comply had been
considerable. To the extent that inconsistent methods were used in
estimating costs, reasonable comparisons of cost information are
limited.
Some Federal, State, and Local Government Agencies Have Similar
Advisory Systems, but Can Change Threat Levels Independently:
Of those agencies and entities that we have met with or contacted, 5
federal agencies, 4 states, and one locality have their own threat
advisory systems to ensure that government agencies are notified of
impending emergencies, such as natural disasters or terrorist threats,
allowing them to prepare a response. These systems were generally in
place prior to the establishment of the Homeland Security Advisory
System. One federal agency told us that it had developed its own
five-level alert system 8 years ago to ensure the protection of critical
national security assets. This system and those of the other 9 agencies
are similar to the Homeland Security Advisory System or have been
modified to conform to it, as required for federal executive agencies
by HSPD-3. The systems include varying threat levels with protective
measures specified for each. For example, all federal agencies' threat
advisory systems we have identified to date have five threat levels
that correspond to the five levels of the Homeland Security Advisory
System and specify a variety of protective measures for each level.
Protective measures specified in these threat advisory systems include
the implementation of contingency and emergency response plans;
surveillance of critical locations; screening of mail coming into
facilities; limitation of facility entry and exit points; and
coordination with federal, state, and local law enforcement agencies.
Likewise, one state's threat advisory system has five threat levels,
while another state's system has four. Again, these threat levels are
similar to those of the Homeland Security Advisory System. A third
state's threat advisory system has three threat levels that correspond
to the Homeland Security Advisory System's yellow, orange, and red
threat conditions. Protective measures included in these states'
systems include inspection of mail and packages, coordination of
emergency response plans, establishment of command centers, and
enhanced security at public events. The one locality threat advisory
system we have identified to date is also similar to the Homeland
Security Advisory System and has four threat levels with specific
actions designated for each.
Federal, state, and local government agencies we reviewed can raise or
lower threat levels for their own advisory systems in response to
threats or events that specifically affect their operations. They can
make these adjustments regardless of whether the national threat level
is raised or lowered at the same time. For instance, for 3 of the
federal agencies' threat advisory systems we identified, managers can
raise the alert level of their specific facilities to respond to local
threat conditions. However, in general, managers cannot lower alert
levels for their facilities below the level specified by an agency head
or designated authority. States and local governments can also raise or
lower their own threat levels based on local threats or events. For
example, one state raised its threat level in early February 2003 in
response to the crash of the space shuttle Columbia, while one locality
raised its threat level for July 4, 2003, due to public events and
large crowds in the city, even though the national threat level
remained at yellow.
Agency Comments:
On February 23 and 24, 2004, officials representing the Department of
Homeland Security provided oral technical comments on this report,
which we incorporated as appropriate.
We plan no further distribution of this report until 14 days after the
date of this letter. At that time, we will send copies of this report
to the Subcommittee on Technology, Terrorism, and Government
Information, Senate Committee on the Judiciary; the Subcommittee on
National Security, Emerging Threats, and International Relations, House
Committee on Government Reform; Senator Joseph Biden; the Secretary of
Homeland Security; the Director, Office of Management and Budget; and
other interested parties. Copies will be made available to others on
request. In addition, this report will be available at no charge on
GAO's Web site at http://www.gao.gov. If you or your staff have any
questions about this report, please contact me at (202) 512-8777 or by
e-mail at jenkinswo@gao.gov.
Signed by:
William O. Jenkins, Jr.
Director, Homeland Security and Justice Issues:
Enclosures: 4:
Enclosure I:
Scope and Methodology:
To address the objectives of our review, we met with and received
information from 8 federal agencies, three states, the District of
Columbia, and seven local governments and obtained information from
another state and two local governments. We met with and received
documentation from these federal agencies, states, the District of
Columbia, and the local governments to obtain preliminary information
on the following: how they were notified of national threat level
changes for the three most recent periods of code-orange alert from
March 17 to April 16, 2003; May 20 to 30, 2003; and December 21, 2003,
to January 9, 2004; the guidance and information they reported using to
assist in determining protective measures to implement during the three
code-orange alerts; the protective measures they reported implementing
during those periods; the additional costs they reported incurring as a
result of implementing such measures; and any threat advisory systems
they indicated were in place before the establishment of the Homeland
Security Advisory System.
We selected the 8 federal agencies to visit based on the amount of
homeland security funding each agency reported to the Office of
Management and Budget for fiscal year 2003.[Footnote 16] We visited
the 5 federal agencies that reported receiving the most homeland
security funding in fiscal year 2003--the Departments of Energy, Health
and Human Services, Homeland Security, Justice, and State. We visited
one federal agency that reported receiving a moderate amount of
homeland security funding, the National Aeronautics and Space
Administration; one federal agency that reported receiving a small
amount of homeland security funding, the U.S. Holocaust Memorial
Museum; and one federal agency that did not report receiving any
homeland security funding in fiscal year 2003, the Department of
Education.
The three states we visited were Maryland, Texas, and Virginia. We also
visited the District of Columbia. The seven local governments we
visited were Baltimore, Maryland; Austin, Dallas, and Travis County,
Texas; and Alexandria, Arlington County, and Fairfax County, Virginia.
We also received information from Montgomery County, Maryland, and
Seattle, Washington. We selected Maryland and Virginia because they
have critical infrastructure assets such as national landmarks and
ports. Moreover, we selected the local governments in these states and
the District of Columbia because they are part of the National Capital
Region, which has various important infrastructure assets, including
landmarks and federal agency headquarters. We visited Texas, and three
local governments in Texas, because it is a large coastal state with a
variety of critical infrastructure assets, including national
landmarks, ports, and oil pipelines. We also received information from
Seattle, Washington, because it is a large city with critical
infrastructure assets such as landmarks and ports.
We examined documentation provided by the federal agencies, states, and
local governments mentioned above to identify the guidance and
information they used in determining protective measures for the three
code-orange alert periods, the measures they implemented during those
periods, the additional costs they incurred as a result of the measures
implemented, and the threat advisory systems they had in place prior to
the establishment of the Homeland Security Advisory System. We also
obtained information from Georgia on its threat advisory system.
To obtain more detailed information on federal and state agencies'
guidance, measures, and additional costs for the three code-orange
alert periods, we developed and sent a questionnaire to 28 federal
agencies and another to the 50 states and the District of Columbia,
four U.S. territories[Footnote 17] and Puerto Rico. We received
comments on draft versions of the federal questionnaire from the 8
federal agencies we visited, and we pre-tested the federal
questionnaire with 4 of those agencies--the Departments of Energy and
Homeland Security, the National Aeronautics and Space Administration,
and the U.S. Holocaust Memorial Museum. To develop a questionnaire to
use in surveying states and territories, we adapted the final version
of the federal questionnaire to correspond with information gathered
during our preliminary visits to the 3 states, the District of
Columbia, and the seven local governments and information provided to
us by 1 state and two local governments. We then pre-tested this
questionnaire with 3 states--Delaware, Pennsylvania, and West Virginia.
We sent the questionnaire to the 25 federal agencies that reported
homeland security funding for fiscal year 2003 to the Office of
Management and Budget.[Footnote 18] In addition, we sent the
questionnaire to 3 federal agencies that are Chief Financial Officers
Act[Footnote 19] agencies but did not report homeland security funding
for fiscal year 2003. Thus, we included all Chief Financial Officers
Act agencies in our review, except the Department of Defense. Although
the Department of Defense is a Chief Financial Officers Act agency and,
along with the Army Corps of Engineers-Civil Works, reported homeland
security funding for fiscal year 2003, we excluded these agencies from
our review because these agencies and their component entities did not
follow the Homeland Security Advisory System.
We conducted preliminary analysis on the questionnaire responses
received from 15 federal agencies for this report. While we received
questionnaire responses from additional federal agencies, we did not
receive the responses in time to incorporate the results into this
report. We did not receive responses from any states or territories to
our questionnaire in time to include the results in this report.
For the 15 federal agencies' questionnaire responses, we analyzed the
responses to determine the most commonly reported ways in which these
federal agencies were notified of changes in the Homeland Security
Advisory System national threat level, the types of information
included in the notifications, the methods through which these federal
agencies would like to be notified of national threat level changes,
and the types of information they would like to have included in the
notifications.
In addition, we analyzed the questionnaire responses to determine the
most commonly reported types of guidance and information received by
these federal agencies in determining protective measures for the
code-orange alerts and federal agencies' perspectives on the usefulness and
timeliness of the guidance and information. We also reviewed the
questionnaire responses to identify agency perspectives on the types of
additional information that would have been helpful in determining
protective measures.
We evaluated the questionnaire responses to identify the most commonly
reported types of measures that the 15 federal agencies implemented
during the three code-orange alert periods, the extent to which these
federal agencies conducted tests on protective measures and received
confirmation on the implementation of measures, the benefits to these
federal agencies from the implementation of measures, and the most
commonly reported operational challenges faced by the 15 federal
agencies in implementing measures.
Furthermore, we analyzed cost data reported by these federal agencies
in the questionnaire responses to determine the average daily
additional costs incurred by federal agencies during the code-orange
alert periods. We analyzed the federal agencies' cost data to determine
the percentage change in additional average daily costs across the
three code-orange alert periods. We evaluated the questionnaire
responses to identify methods used by these federal agencies to
determine their actual or estimated additional costs for each of the
code-orange alert periods and their actual or estimated total costs for
each code-yellow alert that preceded the code-orange alert periods. We
reviewed these methods to assess the level of consistency in the ways
that these federal agencies collected actual cost data or developed
cost estimates and also reviewed procedures reported by federal
agencies for reviewing and certifying the reliability of cost data.
To obtain information on these federal agencies' threat advisory
systems, we analyzed questionnaire responses to determine the number of
federal agencies that had their own threat advisory systems in place
prior to the establishment of the Homeland Security Advisory System as
well as the number of agencies that follow their own threat advisory
systems and the Homeland Security Advisory System. We reviewed
documentation of the threat advisory systems that these federal
agencies provided with their questionnaire responses to identify the
characteristics of the systems, including the systems' threat levels
and protective measures and the systems' conformance to the Homeland
Security Advisory System.
On the basis of our work to date, we collected detailed information on
the experiences of Atlanta and Fulton County, Georgia, during the
code-orange alert periods through visits with local government officials. We
plan to collect detailed information from seven additional cities and
four additional counties. We selected locations based on the following
criteria: the local governments' receipt of urban area grants[Footnote
20] from DHS, geographic location, topography (e.g., inland or
border/seaport), and type of locality (e.g., metropolitan or nonmetropolitan
area). We selected some cities and counties that received grants from
DHS and some that did not. We also selected cities and counties from
different geographic regions and with different topographic
characteristics, as well as cities and counties that are in both
metropolitan and nonmetropolitan areas.
Enclosure II:
Federal Agencies Surveyed:
Department of Agriculture:
Department of Commerce:
Department of Education:
Department of Energy:
Department of Health and Human Services:
Department of Homeland Security:
Department of Housing and Urban Development:
Department of the Interior:
Department of Justice:
Department of Labor:
Department of State:
Department of Transportation:
Department of the Treasury:
Department of Veterans Affairs:
Agency for International Development:
Corporation for National and Community Service:
Environmental Protection Agency:
Federal Communications Commission:
General Services Administration:
National Aeronautics and Space Administration:
National Archives and Records Administration:
National Science Foundation:
Nuclear Regulatory Commission:
Office of Personnel Management:
Small Business Administration:
Smithsonian Institution:
Social Security Administration:
United States Holocaust Memorial Museum:
Enclosure III: Survey of Federal Agencies' Protective Measures,
Guidance, and Costs for Elevated Threat Alerts:
Federal Questionnaire:
[See PDF for image]
[End of figure]
Enclosure IV:
GAO Contacts and Staff Acknowledgments:
GAO Contacts:
William O. Jenkins, Jr. (202) 512-8777:
Debra B. Sebastian (202) 512-9385:
Acknowledgments:
In addition to the individuals named above, David P. Alexander,
Fredrick D. Berry, Nancy A. Briggs, Kristy N. Brown, Philip D. Caramia,
Christine F. Davis, Michele Fejfar, Rebecca Gambler, Gladys Toro,
Jonathan R. Tumin, and Kathryn G. Young made key contributions to this
report.
(440290):
FOOTNOTES
[1] For this review, we analyzed information from the District of
Columbia with information from states.
[2] Office of Management and Budget, 2003 Report to Congress on
Combating Terrorism (Washington, D.C.: September 2003).
[3] Members of the Homeland Security Council include the President; the
Vice President; the Secretaries of Defense, Health and Human Services,
Homeland Security, Transportation, and the Treasury; the Attorney
General; the Director of the Federal Emergency Management Agency; the
Director of the Federal Bureau of Investigation; the Director of
Central Intelligence; and the Assistant to the President for Homeland
Security.
[4] The Federal Emergency Management Agency was incorporated into the
Emergency Preparedness and Response Directorate at the Department of
Homeland Security upon the department's creation in March 2003.
[5] The Homeland Security Advisory System does not directly apply to
the armed forces, including their military facilities. Rather, the
Department of Defense's Force Protection Condition system rates threats
and sets specific measures for military facilities.
[6] P.L. 107-296, Sec. 201(d)(7).
[7] DHS's Homeland Security Operations Center (HSOC) and its IAIP
Directorate monitor threats and conduct information assessments on a
daily basis. The HSOC is comprised of representatives from DHS
component entities, other federal agencies, and local law enforcement
agencies.
[8] The Terrorist Threat Integration Center is responsible for
analyzing and sharing terrorist-related information that is collected
domestically and abroad. It is an interagency joint venture that is
comprised of elements of DHS, the FBI's Counterterrorism Division, the
Director of Central Intelligence Counterterrorist Center, the
Department of Defense, and other agencies.
[9] Under HSPD-5, the Secretary can change the national threat level
without consulting other Homeland Security Council members in exigent
circumstances. However, DHS officials told us that this did not occur
for any of the three most recent code-orange alerts.
[10] We will continue to assess the various communication systems DHS
utilizes to notify entities of threat level changes, including their
relationship with one another. We expect to report the results of this
work to you later this year.
[11] U.S. General Accounting Office, Standards for Internal Control in
the Federal Government, GAO/AIMD-00.21.3.1 (Washington, D.C.: November
1999).
[12] U.S. General Accounting Office, Office of Compliance: Status of
Management Control Efforts to Improve Effectiveness, GAO-04-400
(Washington, D.C.: Feb. 3, 2004). See also, GAO Green book.
[13] Department of Justice, Vulnerability Assessment of Federal
Facilities (Washington, D.C.: June 28, 1995).
[14] We expect to learn more about the guidance used by states and
localities as we receive responses from our state questionnaire and
will continue to develop this information through our site visits with
various local officials. We expect to report the results from this work
to you later this year.
[15] Percentages do not total to 100 percent due to rounding.
[16] Office of Management and Budget, 2003 Report to Congress on
Combating Terrorism.
[17] The four U.S. territories include American Samoa, Guam, the
Northern Mariana Islands, and the U.S. Virgin Islands.
[18] Office of Management and Budget, 2003 Report to Congress on
Combating Terrorism. Of the 25 federal agencies that reported homeland
security funding in fiscal year 2003, 22 are Chief Financial Officers
Act agencies.
[19] P.L. 101-576 (Nov. 15, 1990).
[20] The Urban Area Security Initiative grants are awarded based on a
combination of current threat estimates, critical assets within the
urban area, and population density.