Homeland Security
Communication Protocols and Risk Communication Principles Can Assist in Refining the Advisory System
Gao ID: GAO-04-682 June 25, 2004
Established in March 2002, the Homeland Security Advisory System was designed to disseminate information on the risk of terrorist acts to federal agencies, states, localities, and the public. However, these entities have raised questions about the threat information they receive from the Department of Homeland Security (DHS) and the costs they incurred as a result of responding to heightened alerts. This report examines (1) the decision making process for changing the advisory system national threat level; (2) information sharing with federal agencies, states, and localities, including the applicability of risk communication principles; (3) protective measures federal agencies, states, and localities implemented during high (codeorange) alert periods; (4) costs federal agencies reported for those periods; and (5) state and local cost information collected by DHS.
DHS assigns threat levels for the entire nation and assesses threat conditions for geographic regions and industrial sectors based on analyses of threat information and vulnerability of potential terrorist targets. DHS has not yet officially documented its protocols for communicating threat level changes and related threat information to federal agencies and states. Such protocols could assist DHS to better manage these entities' expectations about the methods, timing, and content of information received from DHS. To ensure early, open, and comprehensive information dissemination and allow for informed decisionmaking, risk communication experts suggest that warnings should include (1) multiple communication methods, (2) timely notification, and (3) specific threat information and guidance on actions to take. Federal agencies and states responding to GAO's questionnaires sent to 28 federal agencies and 56 states and territories generally indicated that they did not receive specific threat information and guidance, which they believe hindered their ability to determine and implement protective measures. The majority of federal agencies reported operating at heightened security levels regardless of the threat level, and thus, did not need to implement a substantial number of additional measures to respond to code-orange alerts. States reported that they varied in their actions during code-orange alerts. The costs reported by federal agencies, states, and selected localities are imprecise and may be incomplete, but provide a general indication of costs that may have been incurred. Additional costs reported by federal agencies responding to GAO's questionnaire were generally less than 1 percent of the agencies' fiscal year 2003 homeland security funding. DHS collected information on costs incurred by states and localities for critical infrastructure protection during periods of code-orange alert. However, this information does not represent all additional costs incurred by these entities during the code-orange alert periods.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-04-682, Homeland Security: Communication Protocols and Risk Communication Principles Can Assist in Refining the Advisory System
This is the accessible text file for GAO report number GAO-04-682
entitled 'Homeland Security: Communication Protocols and Risk
Communication Principles Can Assist in Refining the Advisory System'
which was released on July 13, 2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
June 2004:
HOMELAND SECURITY:
Communication Protocols and Risk Communication Principles Can Assist in
Refining the Advisory System:
GAO-04-682:
GAO Highlights:
Highlights of GAO-04-682, a report to congressional requesters
Why GAO Did This Study:
Established in March 2002, the Homeland Security Advisory System was
designed to disseminate information on the risk of terrorist acts to
federal agencies, states, localities, and the public. However, these
entities have raised questions about the threat information they
receive from the Department of Homeland Security (DHS) and the costs
they incurred as a result of responding to heightened alerts. This
report examines (1) the decision making process for changing the
advisory system national threat level; (2) information sharing with
federal agencies, states, and localities, including the applicability
of risk communication principles; (3) protective measures federal
agencies, states, and localities implemented during high (code-orange)
alert periods; (4) costs federal agencies reported for those periods;
and (5) state and local cost information collected by DHS.
What GAO Found:
DHS assigns threat levels for the entire nation and assesses threat
conditions for geographic regions and industrial sectors based on
analyses of threat information and vulnerability of potential terrorist
targets.
DHS has not yet officially documented its protocols for communicating
threat level changes and related threat information to federal agencies
and states. Such protocols could assist DHS to better manage these
entities‘ expectations about the methods, timing, and content of
information received from DHS. To ensure early, open, and comprehensive
information dissemination and allow for informed decisionmaking, risk
communication experts suggest that warnings should include (1) multiple
communication methods, (2) timely notification, and (3) specific threat
information and guidance on actions to take. Federal agencies and
states responding to GAO‘s questionnaires sent to 28 federal agencies
and 56 states and territories generally indicated that they did not
receive specific threat information and guidance, which they believe
hindered their ability to determine and implement protective measures.
The majority of federal agencies reported operating at heightened
security levels regardless of the threat level, and thus, did not need
to implement a substantial number of additional measures to respond to
code-orange alerts. States reported that they varied in their actions
during code-orange alerts.
The costs reported by federal agencies, states, and selected localities
are imprecise and may be incomplete, but provide a general indication
of costs that may have been incurred. Additional costs reported by
federal agencies responding to GAO‘s questionnaire were generally less
than 1 percent of the agencies‘ fiscal year 2003 homeland security
funding. DHS collected information on costs incurred by states and
localities for critical infrastructure protection during periods of
code-orange alert. However, this information does not represent all
additional costs incurred by these entities during the code-orange
alert periods.
Homeland Security Advisory System:
[See PDF for image]
[End of figure]
What GAO Recommends:
The Under Secretary for Information Analysis and Infrastructure
Protection in DHS should (1) document communication protocols for
sharing threat information and (2) incorporate risk communication
principles into the Homeland Security Advisory System to assist in
determining and documenting information to provide to federal agencies
and states. We provided a draft copy of this report to DHS for
comment. DHS generally concurred with the findings and recommendations
in the report.
www.gao.gov/cgi-bin/getrpt? GAO-04-682
To view the full product, including the scope and methodology, click on
the link above. For more information, contact William Jenkins at (202)
512-8777 or jenkinswo@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
Threat Information and Vulnerability of Potential Targets Inform
National and Sector-or Location-Specific Threat Level Decisions:
Risk Communication Principles Can Be Useful in Communicating Threat
Information and Guidance to Federal Agencies and States:
Federal Agencies Reported Implementing Few New Protective Measures for
Code-Orange Alerts because They Always Operate at High Security Levels,
While States Varied Their Responses:
Costs Reported by Federal Agencies, though Limited, Suggest a Decline
in Additional Costs:
Cost Data Collected by DHS and Data Reported by Others Cannot be
Generalized:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Federal Agencies', States', Localities', and Foreign
Countries' Threat Advisory Systems:
Federal Agencies' Threat Advisory Systems:
States' and Localities' Threat Advisory Systems:
Foreign Countries' Systems:
Appendix II: Scope and Methodology:
Appendix III: Guidance and Information Federal Agencies and States
Reported Using to Determine Protective Measures:
Appendix IV: Most Commonly Implemented Protective Measures, Measures
Tested, and Methods of Confirmation:
Appendix V: Cost Information Provided by Federal Agencies, States, and
Localities:
Cost Information Provided by Federal Agencies:
Cost Information Provided by States:
Cost Information Provided by Localities:
Appendix VI: Acknowledgment of Agency and Government Contributors:
Federal Agencies:
States and Territories:
Localities:
Appendix VII: Federal Agency Questionnaire:
Appendix VIII: State and Territory Questionnaire:
Appendix IX: Agency Comments:
Appendix X: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Staff Acknowledgments:
Bibliography:
Tables:
Table 1: Number of Federal Agencies and States Responding to Our
Questionnaires that Reported Receiving Direct Notification from DHS and
Reported Being Notified through Multiple Methods for the Three Code-
Orange Alert Periods:
Table 2: Number of Federal Agencies and States That Reported Receiving
Types of Information with Notification from DHS for the Three Code-
Orange Alert Periods:
Table 3: Number of Federal Agencies That Indicated Specific Types of
Information That Would Have Been Helpful to Determine Measures to Take
for the Code-Orange Alert Period from December 21, 2003, to January 9,
2004:
Table 4: Number of States That Indicated Specific Types of Information
That Would Have Been Helpful to Determine Measures to Take for the
Code-Orange Alert Period from December 21, 2003, to January 9, 2004:
Table 5: Number of States That Indicated DHS Requested Information on
Protective Measures Taken by the State in Response to the Three Code-
Orange Alert Periods:
Table 6: Number of Federal Agencies That Used Guidance from Sources and
Found It Useful and Timely for the Code-Orange Alert Period December
21, 2003, to January 9, 2004:
Table 7: Number of Federal Agencies That Used Information and
Intelligence from Sources and Found It Useful and Timely for the Code-
Orange Alert Period December 21, 2003, to January 9, 2004:
Table 8: Number of States That Used Guidance from Sources and Found It
Useful and Timely for the Code-Orange Alert Period December 21, 2003,
to January 9, 2004:
Table 9: Number of States That Used Information and Intelligence from
Sources and Found It Useful and Timely for the Code-Orange Alert Period
December 21, 2003, to January 9, 2004:
Table 10: Protective Measures Most Commonly Reported by Federal
Agencies Responding to Our Questionnaire for the December 21, 2003, to
January 9, 2004, Code-Orange Alert Period:
Table 11: Protective Measures Most Commonly Reported by States
Responding to Our Questionnaire for the December 21, 2003, to January
9, 2004, Code-Orange Alert Period:
Table 12: Number of Federal Agencies and States That Reported
Conducting Tests or Exercises on the Functionality and Reliability of
Protective Measures:
Table 13: Number of Federal Agencies and States That Reported Receiving
Confirmation on the Implementation of Protective Measures through
Various Methods for the Code-Orange Alert Period from December 21,
2003, to January 9, 2004:
Table 14: Number of Federal Agencies That Provided Cost Information and
the Type of Cost Information They Provided for Each Code-Orange Alert
Period under Review:
Figure:
Figure 1: London Metropolitan Police Antiterror Alert Poster:
Abbreviations:
CDC: Centers for Disease Control:
DHS: Department of Homeland Security:
DOD: Department of Defense:
FBI: Federal Bureau of Investigation:
FEMA: Federal Emergency Management Agency:
FPS: Federal Protective Service:
HSOC: Homeland Security Operations Center:
HSPD: Homeland Security Presidential Directive:
IAIP: Information Analysis and Infrastructure Protection:
ODP: Office of Domestic Preparedness:
OMB: Office of Management and Budget:
SHSGP: State Homeland Security Grant Program:
UASI: Urban Areas Security Initiative:
Letter June 25, 2004:
The Honorable Christopher Cox:
Chairman:
The Honorable Jim Turner:
Ranking Minority Member:
Select Committee on Homeland Security:
House of Representatives:
The Honorable Joseph R. Biden, Jr.:
United States Senate:
The Homeland Security Advisory System was established in March 2002 to
disseminate information regarding the risk of terrorist acts to federal
agencies, states and localities, and the public utilizing five color-
coded threat levels. Implementation of this system generated questions
among government agencies regarding whether they were receiving the
information necessary to respond appropriately when the national threat
level was raised and about the costs resulting from additional
protective measures implemented during periods of heightened alert.
You asked us to review several aspects about how the Department of
Homeland Security (DHS) was operating the Homeland Security Advisory
System including federal, state, and local responses to heightened
alerts. This report discusses (1) the decision-making process for
changing the national threat level; (2) guidance and other information
provided to federal agencies, states, and localities, including the
applicability of risk communication[Footnote 1] principles to
information sharing;[Footnote 2] (3) protective measures federal
agencies, states, and localities implemented during high--code-orange-
-alert periods; (4) additional costs federal agencies reported for
implementing such measures; and (5) information DHS collected on costs
states and localities reported for periods of code-orange alert. In
addition, this report provides information on other threat advisory
systems used by federal agencies, states, localities, and other
countries. (See app. I.)
To respond to your request, we met with and obtained information from
DHS officials on the decision-making process for changing the national
threat level; guidance and threat information the department provides
to federal agencies, states, and localities; and information on
protective measures and costs that the department collected from states
and localities. We also examined literature on risk communication
principles to identify the applicability of such principles to the
Homeland Security Advisory System. In addition, we sent questionnaires
to 28 federal agencies and the homeland security or emergency
management offices in 50 states, the District of Columbia, American
Samoa, Guam, the Northern Mariana Islands, Puerto Rico, and the U.S.
Virgin Islands, regarding the notification and information these
entities received, the protective measures they took, and the costs
they reported for the three code-orange alert periods from March 17 to
April 16, 2003; May 20 to 30, 2003; and December 21, 2003, to January
9, 2004. Although some federal agencies and states did not respond to
every question in our questionnaires, we received responses from 26
federal agencies, which account for about 99 percent of total fiscal
year 2003 nondefense homeland security funding as reported to the
Office of Management and Budget (OMB),[Footnote 3] and 43
states,[Footnote 4] for a 77 percent response rate. We selected the 28
federal agencies because they reported receiving homeland security
funding for fiscal year 2003 to OMB and are Chief Financial Officers
Act agencies.[Footnote 5] For this review, we analyzed information from
the District of Columbia, American Samoa, Guam, the Northern Mariana
Islands, Puerto Rico, and the U.S. Virgin Islands along with
information from states, and we refer to all of these throughout the
report as states.
To obtain information on localities' experiences during code-orange
alerts, we conducted site visits with officials from 12 localities (8
cities and 4 counties).[Footnote 6] We selected the 12 localities to
visit based on the following criteria: (1) their receipt of grants from
DHS; (2) their geographic location and topography (e.g., inland,
border, or seaport); and (3) the type of locality (e.g., metropolitan
and nonmetropolitan areas).[Footnote 7] We also sent a questionnaire to
8 additional localities,[Footnote 8] selecting them based on population
and geographic location. We received questionnaire responses from 4 of
these localities.[Footnote 9] We used information obtained from the 16
localities we visited or from which we received questionnaire responses
only as anecdotal examples, as information from these localities cannot
be generalized across all localities in the United States.
DHS has not documented the policies and procedures it has used for
assessing intelligence information, determining whether to raise or
lower the threat level, and notifying federal agencies, states, and
localities about changes in threat levels. Thus, the information
provided about the operations of the Homeland Security Advisory System
is principally based on interviews with DHS officials and questionnaire
responses. We conducted our work from July 2003 to May 2004 in
accordance with generally accepted government auditing standards. For
more detailed information on our scope and methodology, see appendix
II.
Results in Brief:
In administering the Homeland Security Advisory System, DHS assigns
national threat levels and assesses threat conditions for specific
geographic locations and industrial sectors. The national threat level
is assigned by the Secretary of Homeland Security, in consultation with
members of the Homeland Security Council,[Footnote 10] based on
analysis of intelligence information and assessment of the
vulnerability of potential terrorist targets. DHS also uses analysis of
threat information and assessments of the vulnerability of terrorist
targets to determine whether specific industrial sectors or geographic
regions should operate at heightened levels of security. DHS may
encourage sectors or geographic regions to operate at heightened levels
of security, without publicly announcing a threat.
DHS has not yet officially documented communication protocols for
providing threat information and guidance to federal agencies and
states. According to DHS officials, it has been difficult to develop
protocols for notifying federal agencies and states of changes in the
national threat level that provide sufficient flexibility for sharing
information in a variety of situations. Communication protocols can
assist DHS in better managing the expectations of federal agencies and
states regarding the guidance and threat information they receive from
the department. Risk communication experts suggest that threat warnings
should include the following principles to ensure early, open, and
comprehensive information dissemination and to allow for informed
decisionmaking: (1) communication through multiple methods, (2) timely
notification, and (3) specific threat information and guidance on
actions to take. These principles have primarily been used in public
warning contexts, but they are also applicable for communicating
terrorist threat information to federal agencies and states through the
Homeland Security Advisory System. DHS used multiple methods to
communicate threat information to federal agencies and states when the
national threat level was raised to code-orange. However, many federal
agencies and states responding to our questionnaires reported first
learning about changes in the national threat level from media sources.
As a result, some of these states indicated that their ability to
provide credible information to state and local agencies and the public
was hampered. Moreover, federal agencies and states responding to our
questionnaires indicated that they generally did not receive specific
threat information and guidance, which they believed hindered their
ability to determine whether they were at risk as well as their ability
to determine and implement appropriate protective measures.
The majority of federal agencies responding to our questions regarding
protective measures reported that they regularly operate at high levels
of security and did not have to implement a substantial number of
additional measures to respond to code-orange alerts. For the most
part, these federal agencies reported that their most common response
to code-orange alert periods was to enhance existing protective
measures, for example, an increase in the frequency of facility
security patrols. To a lesser extent, federal agencies reported they
maintained the use of existing protective measures without enhancement,
for example, continuing the use of intrusion detection systems during
code-orange alerts. However, based on responses to our questionnaire,
states varied in the extent to which they enhanced or maintained
protective measures already in place, or implemented measures solely in
response to the three code-orange alert periods. States indicated that
various factors, such as specific threat information received by the
state, influenced the extent to which they implemented protective
measures. While federal agencies and states responding to our
questionnaires reported benefiting by implementing various protective
measures during code-orange alerts, they also indicated that taking
such actions adversely affected their operations, and they identified
several operational challenges. For example, while these federal
agencies and states reported that protective measures taken during
code-orange alerts promoted employees' sense of security, they also
said that the lack of federal governmentwide coordination, such as
multiple government agencies providing conflicting information to
states regarding protective measures, limited their ability to
effectively coordinate and, therefore, implement measures.
Code-orange alert cost data provided by federal agencies responding to
our questionnaire are not precise, may not include all additional costs
incurred by agencies, and, in some cases, we have concerns about the
reliability of the cost data source within particular agencies. Despite
these limitations, we believe the cost data to be sufficiently reliable
as indicators of general ranges of cost and overall trends. However,
the data should not be used to determine the cumulative costs incurred
across all federal agencies. The total additional costs reported by
federal agencies responding to our questionnaire for the March 17 to
April 16, 2003, and May 20 to 30, 2003, code-orange alert periods were
less than 1 percent of these agencies' fiscal year 2003 homeland
security funding, as reported by agencies to OMB.[Footnote 11] On the
basis of cost information reported by these federal agencies for the
three code-orange alert periods in our review, we calculated additional
average daily costs ranging from about $190 to about $3.7 million.
Independent federal agencies typically reported the least amount of
additional costs, while larger cabinet level agencies with
responsibility for protecting critical national infrastructure
reported the most additional costs. The majority of federal agencies
responding to our questionnaire experienced a decline in additional
average daily costs between the March 17 to April 16, 2003, and the
December 21, 2003, to January 9, 2004, code-orange alert periods, which
some of these agencies attributed to continued enhancement of standard
levels of security. Some federal agencies responding to our
questionnaire reported that they did not incur any additional costs
during code-orange alert periods, because they did not implement any
additional protective measures or they redirected already existing
resources to implement additional code-orange alert measures rather
than employ additional resources.[Footnote 12] Although some federal
agencies reported not incurring additional costs directly as a result
of implementing protective measures for code-orange alerts, actions
taken such as redirecting resources from normal operations may have
resulted in indirect costs.
DHS collected information on critical infrastructure protection costs
states and localities reported incurring during the March 17 to April
16, 2003, May 20 to 30, 2003, and December 21, 2003, to January 9,
2004, code-orange alert periods through its State Homeland Security
Grant Program - Part II and the Urban Areas Security Initiative - Part
II. However, this cost information does not represent all additional
costs incurred by states and their localities during code-orange alert
periods. The U.S. Conference of Mayors also collected and reported
estimates of costs localities incurred in response to code-orange
alerts. Additionally, a Director with the Center for Strategic and
International Studies estimated and reported costs incurred by federal
agencies during code-orange alerts. However, because of limitations in
the scope and methodologies used in these estimates, the cost
information reported may not be adequate for making generalizations
regarding additional costs federal agencies, states and localities
incurred in response to code-orange alerts.
In this report, we make specific recommendations to the Secretary of
Homeland Security regarding documentation of communication protocols to
assist DHS in better managing federal agencies' and states'
expectations regarding the methods, timing, and content of threat
information and guidance provided to these entities and to ensure that
DHS follows clear and consistent policies and procedures when
interacting with these entities through the Homeland Security Advisory
System. We also make a recommendation to the Secretary to incorporate
risk communication principles into the Homeland Security Advisory
System, including information on the nature, location, and time periods
of threats and guidance on protective measures to take.
Background:
Homeland Security Presidential Directive 3 (HSPD-3) established the
Homeland Security Advisory System in March 2002. Through the creation
of the Homeland Security Advisory System, HSPD-3 sought to produce a
common vocabulary, context, and structure for an ongoing discussion
about the nature of threats that confront the nation and the
appropriate measures that should be taken in response to those threats.
Additionally, HSPD-3 established the Homeland Security Advisory System
as a mechanism to inform and facilitate decisions related to securing
the homeland among various levels of government, the private sector,
and American citizens.
The Homeland Security Advisory System is comprised of five color-coded
threat conditions as described below, which represent levels of risk
related to potential terror attack.
* Code-red or severe alert--severe risk of terrorist attacks.
* Code-orange or high alert--high risk of terrorist attacks.
* Code-yellow or elevated alert--significant risk of terrorist attacks.
* Code-blue or guarded alert--general risk of terrorist attacks.
* Code-green or low alert--low risk of terrorist attacks.
As defined in HSPD-3, risk includes both the probability of an attack
occurring and its potential gravity.
Since its establishment in March 2002, the Homeland Security Advisory
System national threat level has remained at elevated alert--code-
yellow--except for five periods during which the administration raised
it to high alert--code-orange. The periods of code-orange alert follow:
* September 10 to 24, 2002;
* February 7 to 27, 2003;
* March 17 to April 16, 2003;
* May 20 to 30, 2003; and:
* December 21, 2003, to January 9, 2004.
The Homeland Security Advisory System is binding on the executive
branch. HSPD-3 directs all federal departments, agencies, and offices,
other than military facilities,[Footnote 13] to conform their existing
threat advisory systems to the Homeland Security Advisory System. These
agencies are responsible for ensuring their systems are consistently
implemented in accordance with national threat levels as defined by the
Homeland Security Advisory System. Additionally, federal departments
and agency heads are responsible for developing protective measures and
other antiterrorism or self-protection and continuity plans in response
to the various threat levels and operating and maintaining these plans.
While HSPD-3 encourages other levels of government and the private
sector to conform to the system, their compliance is voluntary.
When HSPD-3 first established the Homeland Security Advisory System, it
provided the Attorney General with responsibility for administering the
Homeland Security Advisory System, including assigning threat
conditions in consultation with members of the Homeland Security
Council, except in exigent circumstances. As such, the Attorney General
could assign threat levels for the entire nation, for particular
geographic areas, or for specific industrial sectors. Upon its
issuance, HSPD-3 also assigned responsibility to the Attorney General
for establishing a process and a system for conveying relevant threat
information expeditiously to federal, state, and local government
officials, law enforcement authorities, and the private sector.
In November 2002, Congress passed the Homeland Security Act of 2002,
P.L. 107-296, which established the Department of Homeland Security.
Under the Homeland Security Act of 2002, the DHS Under Secretary for
Information Analysis and Infrastructure Protection (IAIP) is
responsible for administering the Homeland Security Advisory System. As
such, the Under Secretary for IAIP is primarily responsible for issuing
public threat advisories and providing specific warning information to
state and local governments and to the private sector.[Footnote 14] The
act also charges the Under Secretary for IAIP with providing advice
about appropriate protective actions and countermeasures.[Footnote 15]
In February 2003, in accordance with the Homeland Security Act, the
administration issued Homeland Security Presidential Directive 5 (HSPD-
5), which amended HSPD-3 by transferring authority for assigning threat
conditions and conveying relevant information from the Attorney General
to the Secretary of Homeland Security. HSPD-5 directs the Secretary of
Homeland Security to consult with the Attorney General and other
federal agency heads the Secretary deems appropriate, including other
members of the Homeland Security Council, when determining the threat
level, except in exigent circumstances.
Threat Information and Vulnerability of Potential Targets Inform
National and Sector-or Location-Specific Threat Level Decisions:
In implementing the Homeland Security Advisory System, DHS assigns
national threat levels and assesses the threat condition of specific
geographic locations and industrial sectors. While the national threat
level has been raised and lowered for five periods, DHS officials told
us that the department has not yet assigned a threat level for an
industrial sector or geographic location.[Footnote 16] However, DHS
officials said that the department has encouraged specific sectors and
regions to operate at heightened levels of security. According to DHS
officials, decisions to change the national threat level and to
encourage specific sectors and regions to operate at heightened levels
of security involve both analysis and sharing of threat information, as
well as an assessment of the vulnerability of national critical
infrastructure assets that are potential targets of terrorist threats.
DHS officials told us they use the criteria in HSPD-3 in determining
whether to raise the national threat level or whether to suggest that
certain regions or sectors operate at heightened security levels. These
criteria include:
* the credibility of threat information;
* whether threat information is corroborated;
* the degree to which the threat is specific and/or imminent; and:
* the gravity of the potential consequences of the threat.
In determining whether these criteria are met and whether to raise the
national threat level, DHS considers intelligence information and the
vulnerability of potential targets, among other things. DHS officials
told us that they use a flexible, "all relevant factors" approach to
decide whether to raise or lower the national threat level or whether
to suggest that certain regions or sectors operate at heightened
security levels. They said that analysis of available threat
information and determination of national threat levels and regional
and sector threat conditions are specific for each time period and
situation. According to these officials, given the nature of the data
available for analysis, the process and analyses used to determine
whether to raise or lower the national threat level or suggest that
specific regions or sectors heighten their protective measures are
inherently judgmental and subjective.
DHS officials said that the intelligence community continuously gathers
and analyzes information regarding potential terrorist activity. This
includes information from such agencies as DHS,[Footnote 17] the
Central Intelligence Agency, the Federal Bureau of Investigation (FBI),
and the Terrorist Threat Integration Center,[Footnote 18] as well as
from state and local law enforcement officials. DHS officials also
noted that analyses from these and other agencies are shared with DHS's
IAIP, which is engaged in constant communication with intelligence
agencies to assess potential homeland security threats.
DHS also considers the vulnerability of potential targets when
determining the national threat level. For example, DHS officials
explained that they hold discussions with state and local officials to
determine whether potential targets specified by threat information
require additional security to prevent a terrorist attack or minimize
the potential gravity of an attack. According to these officials, if
the target is determined to be vulnerable, then DHS will consider
raising the threat level. Last, DHS determines whether there is a
nationwide threat of terrorist attack or if the threat is limited to a
specific geographic location or a specific industrial sector. DHS
officials said that, in general, upon assessment of the above criteria,
if there appears to be a threat of terrorist attack nationwide, then
IAIP recommends to the Secretary of Homeland Security that the national
threat level should be raised. The Secretary of Homeland Security then
consults with the other members of the Homeland Security Council on
whether the national threat level should be changed.[Footnote 19] DHS
officials told us that if the Homeland Security Council members could
not agree on whether to change the national threat level, the President
would make the decision. DHS officials also told us that when deciding
whether to lower the national threat level, they consider whether the
time period in which the potential threat was to occur has passed and
whether protective measures in place for the code-orange alerts have
been effective in mitigating the threats.
DHS officials told us that if a credible threat against specific
industrial sectors or geographic locations exists, DHS may suggest that
these sectors or locations operate at a heightened level of security,
rather than raising the national threat level. For example, for the
third code-orange alert period in our review from December 31, 2003, to
January 9, 2004, threat information raised concerns of potential
terrorist activity for specific industrial sectors and geographic
locations. In response, DHS officials said that they encouraged those
responsible for securing chemical and nuclear power plants, transit
systems, and aircraft, as well as certain cities, to maintain a
heightened level of security, even after the national threat level was
lowered to code-yellow. However, DHS officials noted that they did not
assign a threat level to these sectors and regions at that time. DHS
officials further indicated that these sectors and locations were not
operating at code-orange alert levels. Rather, they operated at
heightened levels of security. According to DHS officials, when
encouraging specific sectors or regions to continue to operate at
heightened levels of security, DHS may suggest that these sectors or
regions (1) implement security measures that are in addition to those
implemented during a code-orange alert period, (2) continue the
measures implemented during the code-orange alert period, or (3)
continue selected measures implemented during a code-orange alert
period.
DHS officials told us that not all threats to specific regions or
sectors are communicated to the public or to officials in all regions
or sectors. Rather, if intelligence information suggests a targeted
threat to specific regions or industrial sectors, DHS officials said
that they inform officials in the specific regions or sectors that are
responsible for implementing protective measures to mitigate the
terrorist threat. To inform these officials, DHS issues threat
advisories or information bulletins. The threat advisories we reviewed
contained actionable information about threats targeting critical
national networks, infrastructures, or key assets such as transit
systems. These products may suggest a change in readiness posture,
protective actions, or response that should be implemented in a timely
manner. If the threat is less urgent, DHS may issue information
bulletins, which communicate risk and vulnerabilities of potential
targets. In a February 2004 testimony, the Deputy Secretary of Homeland
Security said that because threat advisories and information bulletins
are derived from intelligence, they are generally communicated on a
need-to-know basis to a targeted audience.[Footnote 20] The threat
advisories and bulletins we reviewed also included advice on protective
measures to be implemented by law enforcement agencies or the owners
and operators of national critical infrastructure assets in response to
the specific threat.
Risk Communication Principles Can Be Useful in Communicating Threat
Information and Guidance to Federal Agencies and States:
DHS officials told us that they have not yet officially documented
protocols for communicating information about changes in the national
threat level to federal agencies and states. To ensure early and
comprehensive information sharing and allow for informed decision
making, risk communication experts suggest that threat warnings should
include the following principles: (1) communication through multiple
methods, (2) timely notification, and (3) specific information on the
nature, location, and timing of threats as well as guidance on actions
to take in response to threats. These principles can be applied to
threat information shared with federal agencies and states through the
Homeland Security Advisory System. DHS used multiple methods to notify
federal agencies and states of changes in the national threat level.
However, many federal agencies and states responding to our
questionnaires indicated that they heard about threat level changes
from media sources before being notified by DHS. Federal agencies and
states also reported that they did not receive specific threat
information and guidance for the three code-orange alert periods from
March 17 to April 16, 2003; May 20 to 30, 2003; and December 21, 2003,
to January 9, 2004.
DHS Has Not Documented Communication Protocols Regarding Threat Level
Changes Including the Methods, Timing, and Content of Guidance and
Threat Information to Be Shared:
Documentation of communication protocols can assist DHS in better
managing the expectations of federal agencies and states regarding the
methods, timing, and content of guidance and threat information they
receive when the national threat level is raised to code-orange. DHS
officials told us that they have not yet officially documented
protocols for notifying federal agencies and states of changes in the
national threat level, but are working to do so. They noted that it is
has been difficult to develop protocols that provide sufficient
flexibility for sharing information in a variety of situations. Thus,
while attempts have been made to officially document protocols for
notifying federal agencies and states of national threat level changes,
DHS officials said that they have not made much progress in doing so
and could not provide a specific target date for completing this
effort. Without documented communication protocols, recipients of
threat level notifications are uncertain as to how, when, and from what
entity, such as which DHS agency, they will be notified of threat level
changes and the content and extent of guidance and threat information
they may receive. Communication protocols would, among other things,
help foster clear understanding and transparency regarding DHS's
priorities and operations.[Footnote 21] Moreover, protocols could help
ensure that DHS interacts with federal, state, local, and other
entities using clearly defined and consistently applied policies and
procedures.
Risk Communication Experts Suggest Warnings Should Be Communicated via
Multiple Methods, Be Timely, and Include Specific Threat Information
and Guidance on Protective Measures:
Risk communication is the exchange of information among individuals and
groups regarding the nature of risk, reactions to risk messages, and
legal and institutional approaches to risk management. Risk
communication experts have identified the following as important
principles for communicating risks to individuals and groups:
* Threat information should be consistent, accurate, clear, and
provided repeatedly through multiple methods.
* Threat information should be provided in a timely fashion.
* To the greatest extent possible, threat information should be
specific about the potential threat, including:
* the nature of the threat,
* when and where it is likely to occur, and:
* guidance on protective measures to take to prevent or respond to the
threat.
These risk communication principles have been used in a variety of
warning contexts, from alerting the public about severe weather or
providing traffic advisories, to less commonplace warnings of
infectious disease outbreaks or potential dangers from hazardous
materials or toxic contamination.[Footnote 22] However, warnings about
terrorist threats differ from these relatively more familiar
warnings.[Footnote 23] For example, specific terrorist threat warnings
to the public may allow terrorists to alter tactics or targets in
response to the issuance of warnings. Warnings of terrorist threats may
also increase general anxiety for populations clearly not at risk.
Moreover, government agencies may not always have specific information
on terrorist threats, or may not be able to publicly share specific
information in threat warnings. Yet, despite these differences, the
purpose of warnings, regardless of the threat, is to provide
information to citizens and groups that allows them to make informed
decisions about actions to take to prevent and respond to threats.
Thus, risk communication principles should be applicable to
communicating terrorist threat information to federal agencies, states,
and localities through the Homeland Security Advisory System.
DHS Used Multiple Methods to Notify Federal Agencies and States of
Threat Level Changes:
According to risk communication principles, threat information should
be provided through multiple methods to ensure that dissemination of
the information is comprehensive and that people receive the
information regardless of their level of access to information. In
addition, HSPD-3 states that the Homeland Security Advisory System
should provide a comprehensive and effective means to disseminate
information regarding the risk of terrorist acts to federal, state, and
local authorities. One means of disseminating threat information is
through notifications to federal agencies and states of changes in the
national threat level. DHS officials told us that with each increase in
the national threat level, they apply lessons learned from previous
alerts to improve their notification and information sharing processes
regarding threat level changes. Based on federal agencies' and states'
responses to our questionnaires, it appears that DHS is making progress
in expanding the scope of its notification process, which is consistent
with HSPD-3. As shown in table 1, more federal agencies reported
receiving direct notification from DHS for the third code-orange alert
period than for the other two code-orange alert periods in our review.
Similarly, more federal agencies reported receiving notification from
DHS via multiple methods for the third code-orange alert period than
for the other two code-orange alert periods.
Table 1: Number of Federal Agencies and States Responding to Our
Questionnaires that Reported Receiving Direct Notification from DHS and
Reported Being Notified through Multiple Methods for the Three Code-
Orange Alert Periods:
DHS notification: Reported receiving direct notification from DHS;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 17;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 19;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 20;
Number of states n = 41[B]: March 17 to April 16, 2003: 35;
Number of states n = 41[B]: May 20 to 30, 2003: 33;
Number of states n = 41[B]: December 21, 2003, to January 9, 2004: 39.
DHS notification: Reported receiving notification from DHS by more
than one method;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 8;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 10;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 14;
Number of states n = 41[B]: March 17 to April 16, 2003: 25;
Number of states n = 41[B]: May 20 to 30, 2003: 24;
Number of states n = 41[B]: December 21, 2003, to January 9, 2004: 31.
Source: GAO analysis of questionnaire data.
[A] In the questionnaire we sent to DHS, we did not include questions
on how DHS was notified of changes in the national threat level. Thus,
this agency is not included in our analysis of code-orange alert
notifications.
[B] One state responding to our questionnaire did not provide responses
on how it was notified of changes in the national threat level.
Additionally, 1 state reported that it did not follow the Homeland
Security Advisory System. Thus, these 2 states are not included in our
analysis of code-orange alert notifications.
[End of table]
DHS used the following methods, among others, to notify entities of
changes in the national threat level, according to federal agencies'
and states' responses to our questionnaires and discussions with DHS
and local government officials:
* Conference calls between the Secretary of Homeland Security and state
governors and/or state homeland security officials.
* Telephone calls from Federal Protective Service[Footnote 24] (FPS)
officials to federal agencies.
* E-mail, telephone, or electronic communications from Homeland
Security Operations Center (HSOC) representatives to the federal,
state, or local agencies they represent.
* FBI electronic systems, such as the National Law Enforcement
Telecommunications System.
* E-mail and/or telephone communications with federal agencies' chief
of staff and public affairs offices.
* E-mail and/or telephone communications to local government
associations such as the National Governors Association and the U.S.
Conference of Mayors.
Federal Agencies and States Reported Hearing about Threat Level Changes
from Media Sources before Receiving Notification from DHS:
Risk communication experts suggest that threat information should be
provided in a timely fashion to prevent unofficial sources, such as the
media, from reporting information before official sources, including
government agencies, do so. These principles suggest that lack of early
and open information sharing from official entities can undermine these
entities' credibility. HSPD-3, as amended by HSPD-5, states that the
Secretary of Homeland Security should establish a process and a system
for conveying relevant information regarding terrorist threats
expeditiously. In addition, for an entity to control its operations, it
must have relevant, reliable, and timely communications relating to
internal and external events.
Many federal agencies and some states responding to our questionnaires
expressed concerns that they learned about national threat level
changes from media sources before being notified by DHS. Specifically,
16 of 24 federal agencies[Footnote 25] indicated that they learned
about threat level changes via media sources prior to being notified by
DHS for at least one of the three code-orange alert periods. Likewise,
15 of 40 states[Footnote 26] reported learning about national threat
level changes via media sources prior to being notified by DHS for at
least one of the three code-orange alert periods. This raises questions
about whether DHS is always conveying information regarding threat
level changes to government entities expeditiously, as required by
HSPD-3.
Moreover, some states reported that their ability to provide credible
information to state and local agencies and the public was hindered
because they did not receive notification from DHS before the media
reported on the threat level changes. For example, 6 states noted that
when media sources reported national threat level changes before state
and local emergency response officials were directly notified by DHS,
these officials did not have sufficient time to prepare their response
to the threat level change, including how they would respond to
requests from the public for additional information on the threat level
change. One other state reported that it would prefer to first learn
about changes in the national threat level from DHS so that it has
sufficient time to notify state agencies and localities of the change
and so that these entities can prepare their responses before the
public is notified of the change. Additionally, 8 localities from which
we obtained information indicated that they first learned of threat
level changes from media sources, and 4 of these localities would
prefer to be notified of threat level changes prior to the public.
Officials from some of these localities told us that after media
sources reported the change, their agencies received requests for
detailed information on the change from the public and other entities.
They noted that their agencies appeared ineffective to the public and
other entities because, without notification of the national threat
level change before it was reported by media sources, they did not have
time to prepare informed responses.
DHS officials told us that they attempt to notify federal agencies and
states of threat level changes before the media report on the changes.
However, they noted that DHS has not established target time periods in
which to notify these entities of the threat level changes.
Furthermore, DHS officials indicated they were aware that the media
sometimes reported threat level changes before DHS notified federal and
state officials, and in the case of the second code-orange alert period
in our review, before the decision to raise the threat level was even
made. DHS officials told us that they send notifications/advisories to
the media to inform them of impending press conferences and that the
media may speculate about announcements of threat level changes that
may be made at the press conferences. DHS officials indicated that the
department is trying to determine the best approach for managing
expectations created by this situation.
Federal Agencies and States Reported that They Generally Did Not
Receive Specific Guidance and Threat Information for Code-Orange Alert
Periods, Hindering Their Response to the Alerts:
Risk communication experts said that without specific information on
the nature, location, and timing of threats and guidance on actions to
take, citizens may not be able to determine whether they are at risk
and make informed decisions about actions to take in response to
threats, and thus may take inappropriate actions. According to HSPD-3,
the Homeland Security Advisory System was established to inform and
facilitate decisions appropriate to different levels of government
regarding terrorist threats and measures to take in response to
threats. However, federal agencies and states responding to our
questionnaires generally indicated that they did not receive guidance
and specific information on threats on the three occasions included in
our review when the national threat level was raised to code-orange.
These entities reported that insufficient information on the nature,
location, and timing of threats and insufficient guidance on
recommended measures hindered their ability to determine whether they
were at risk as well as their ability to determine and implement
protective measures.[Footnote 27]
As shown in table 2, federal agencies and states responding to our
questionnaires indicated that they generally did not receive specific
information on threats with notification of increases in the national
threat level for the three code-orange alert periods included in our
review. Yet, as table 2 suggests, a greater number of federal agencies
and states reported receiving more specific threat information for the
third code-orange alert period than for the other two code-orange alert
periods.
Table 2: Number of Federal Agencies and States That Reported Receiving
Types of Information with Notification from DHS for the Three Code-
Orange Alert Periods:
Type of information: General information on threats;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 10;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 11;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 12;
Number of states n = 42[B]: March 17 to April 16, 2003: 35;
Number of states n = 42[B]: May 20 to 30, 2003: 34;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 37.
Type of information: Information on region-or sector-specific threats;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 6;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 6;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 9;
Number of states n = 42[B]: March 17 to April 16, 2003: 9;
Number of states n = 42[B]: May 20 to 30, 2003: 11;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 22.
Type of information: Information on site-or event-specific threats;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 4;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 4;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 8;
Number of states n = 42[B]: March 17 to April 16, 2003: 8;
Number of states n = 42[B]: May 20 to 30, 2003: 7;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 15.
Type of information: Information on timing of threats;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 4;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 4;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 8;
Number of states n = 42[B]: March 17 to April 16, 2003: 6;
Number of states n = 42[B]: May 20 to 30, 2003: 7;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 17.
Type of information: Recommended measures for preventing incidents;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 6;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 4;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 7;
Number of states n = 42[B]: March 17 to April 16, 2003: 20;
Number of states n = 42[B]: May 20 to 30, 2003: 18;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 23.
Type of information: Recommended measures for responding to incidents;
Number of federal agencies n = 25[A]: March 17 to April 16, 2003: 4;
Number of federal agencies n = 25[A]: May 20 to 30, 2003: 4;
Number of federal agencies n = 25[A]: December 21, 2003, to January 9,
2004: 6;
Number of states n = 42[B]: March 17 to April 16, 2003: 8;
Number of states n = 42[B]: May 20 to 30, 2003: 7;
Number of states n = 42[B]: December 21, 2003, to January 9, 2004: 10.
Source: GAO analysis of questionnaire data.
[A] In the questionnaire we sent to DHS, we did not include questions
on how DHS was notified of changes in the national threat level. Thus,
this agency is not included in our analysis of code-orange alert
notifications.
[B] One state reported that it did not follow the Homeland Security
Advisory System. Thus, this state is not included in our analysis of
code-orange alert notifications.
[End of table]
As shown in tables 3 and 4, federal agencies and states responding to
our questionnaires indicated that guidance and specific information on
threats, if available, would have assisted them in determining their
levels of risk and measures to take for the December 21, 2003, to
January 9, 2004, code-orange alert period. Results for the other two
code-orange alert periods are consistent with those reported in tables
3 and 4 for the third code-orange alert period.
Table 3: Number of Federal Agencies That Indicated Specific Types of
Information That Would Have Been Helpful to Determine Measures to Take
for the Code-Orange Alert Period from December 21, 2003, to January 9,
2004:
Type of information: Timing of threats;
Number of federal agencies n = 25[A]: 24.
Type of information: Region-or sector-specific threats;
Number of federal agencies n = 25[A]: 23.
Type of information: Site-or event-specific threats;
Number of federal agencies n = 25[A]: 23.
Type of information: Recommended measures for preventing incidents;
Number of federal agencies n = 25[A]: 21.
Type of information: Recommended measures for responding to incidents;
Number of federal agencies n = 25[A]: 19.
Source: GAO analysis of questionnaire data.
[A] In the questionnaire we sent to DHS, we did not ask DHS to indicate
what other types of information would have been helpful to determine
measures to take for the three code-orange alert periods. Thus, this
agency is not included in our analysis of guidance and information
preferred by federal agencies.
[End of table]
Table 4: Number of States That Indicated Specific Types of Information
That Would Have Been Helpful to Determine Measures to Take for the
Code-Orange Alert Period from December 21, 2003, to January 9, 2004:
Type of information: Region-or sector-specific threats;
Number of states n = 41[A]: 34.
Type of information: Site-or event-specific threats;
Number of states n = 41[A]: 34.
Type of information: Timing of threats;
Number of states n = 41[A]: 32.
Type of information: Recommended measures for responding to incidents;
Number of states n = 41[A]: 29.
Type of information: Recommended measures for preventing incidents;
Number of states n = 41[A]: 27.
Source: GAO analysis of questionnaire data.
[A] One of the states responding to our questionnaire did not provide
responses on the types of information that would have been helpful to
it in determining measures to take for the three code-orange alert
periods. Additionally, 1 state reported that it did not follow the
Homeland Security Advisory System. Thus, these 2 states are not
included in our analysis of guidance and information preferred by
states.
[End of table]
Furthermore, 13 localities reported to us that information on site-,
area-, or event-specific threats would have been beneficial to them in
responding to the code-orange alert periods. Six of the localities from
which we obtained information reported that information on region-or
sector-specific threats would have assisted them in determining their
level of risk and measures to take in response to the three code-orange
alerts in our review.
When federal agencies and states perceive that they have not received
sufficient guidance and threat information, these entities may not be
able to determine whether they are at risk from possible threats or
what measures to take in response to the threats. For example, 1
federal agency reported that DHS never notified the agency as to
whether Washington, D.C., would remain at heightened security levels
after the national threat level was lowered to code-yellow on January
9, 2004, which resulted in the agency maintaining code-orange alert
measures for an additional week and incurring additional costs for
doing so. Another federal agency reported that to respond to the code-
orange alerts, it implemented measures at all facilities regardless of
the specific location or risk involved, which spread resources across
all facilities rather than focusing the measures on mitigating specific
threats. Officials from 1 state and 1 locality noted that without
specific threat information, these entities did not understand the true
nature of the threat and what impact the threat may have on them.
Federal agencies and states responding to our questionnaire also
indicated that without guidance and specific threat information, they
may not be able to effectively and efficiently target or enhance
protective measures to respond to the code-orange alerts. Eighteen of
the 25 federal agencies and 32 of the 41 states providing responses to
the questions on operational challenges in our questionnaires reported
that lack of sufficient threat information was a challenge they faced
during the three code-orange alert periods. Moreover, in responding to
our questionnaires, 16 federal agencies and 12 states noted that
insufficient information on threats makes it difficult for these
entities to focus resources on specific measures to respond to threats.
At a February 2004 hearing, the Deputy Secretary of Homeland Security
said that the department's communications of national threat level
changes are intended to provide specific information regarding the
intelligence supporting the change in the threat level, and that
protective measures are developed and communicated, along with the
threat information, prior to a public announcement of the decision. DHS
officials told us that they provide specific threat information, when
available, to federal agencies, states, and localities at risk and with
the authority to respond to threats. For example, the Deputy Secretary
said that threat information that was shared by DHS regarding changes
in the national threat level was primarily intended for security
professionals at all levels of government and the private sector.
Moreover, to provide more specific threat information and respond to
sector-and location-specific security needs, DHS officials told us they
have adjusted the system based on feedback from federal, state, local
and private sector officials; tests of the system; and experience with
previous periods of code-orange alert. For example, for the most recent
code-orange alert from December 21, 2003, to January 9, 2004, the
Deputy Secretary noted in his February 2004 testimony that DHS provided
specific recommendations for protective measures to industrial sectors
and for geographic areas in response to specific threat information.
Federal Agencies Reported Implementing Few New Protective Measures for
Code-Orange Alerts because They Always Operate at High Security Levels,
While States Varied Their Responses:
The majority of federal agencies responding to our questionnaire
indicated that they maintain high security levels regardless of the
national threat level and, as a result, they did not need to implement
a substantial number of new or additional protective measures to
respond to the three periods of code-orange alert from March 17 to
April 16, 2003; May 20 to 30, 2003; and December 21, 2003, to January
9, 2004. For the most part, these federal agencies reported enhancing
existing protective measures to respond to the three code-orange
alerts. To a lesser extent, federal agencies continued the use of
existing measures, without enhancement, during the code-orange alert
periods. On the other hand, states differed in the extent to which they
enhanced or maintained existing measures or implemented additional
protective measures solely in response to the code-orange alerts.
Federal agencies and states reported benefits, such as a heightened
sense of security among employees, from enhancing or implementing
protective measures for the code-orange alert periods. However, federal
agencies and states also indicated that taking such measures negatively
affected their operations, for example, by redirecting resources from
normal operations to code-orange alert duties.
Federal Agencies Reported that High Security Postures Reduced the Need
to Implement Additional Measures Solely in Response to Code-Orange
Alerts:
More than half of the federal agencies responding to our questionnaire
indicated that they operate at high security levels, regardless of the
national threat level. Thus, they did not need to implement a
significant number of new or additional protective measures to respond
to code-orange alerts. For example, in response to the third code-
orange alert period in our review--December 21, 2003 to January 9,
2004--10 of 24[Footnote 28] federal agencies indicated that they most
commonly enhanced existing protective measures, such as increasing
facility security patrols. During the same code-orange alert period, 8
federal agencies reported most often continuing protective measures at
their pre-code-orange alert levels, for example, relying on continuing
activation of monitoring systems and intrusion detection devices. For
the remaining 6 federal agencies, there were slight differences among
the number of protective measures they enhanced during the third code-
orange alert period, those they maintained at pre-code orange alert
levels, and those they implemented solely in response to the code-
orange alert. For one of these agencies,
* three of the protective measures in place for the third code-orange
alert period were maintained at their pre-code-orange alert levels,
* three of the protective measures were enhanced beyond their pre-code-
orange alert levels, and:
* four protective measures were implemented solely for the code-orange
alert period.
Results for the other two code-orange alert periods in our review are
similar to those reported for the third code-orange alert period. For
more information on protective measures federal agencies most commonly
reported having in place for the three code-orange alert periods and
their testing of such measures, see appendix IV.
States Differed in the Extent to Which They Implemented Additional
Protective Measures for Code-Orange Alerts:
Overall, states differed in the extent to which they implemented
additional protective measures for the three code-orange alert periods
in our review. Based on our analysis of questionnaire responses from
the 40 states[Footnote 29] that provided information on protective
measures for the third code-orange alert period in our review,
* 16 states most often enhanced protective measures that were already
in place prior to the code-orange alert period;
* 6 states most often implemented new protective measures for the code-
orange alert;
* 5 states most often maintained protective measures that were already
in place at their pre-code-orange alert levels; and:
* 13 states employed a varied response, enhancing measures, continuing
existing measures, and/or implementing new measures in roughly equal
proportion.
Results for the other two code-orange alert periods in our review are
similar to those reported for the third code-orange alert period.
Various reasons influenced the extent to which states responding to our
questionnaire enhanced, maintained, or implemented new protective
measures. For example, some states reported that they already operated
at heightened security levels and, therefore, did not need to implement
additional protective measures in response to the code-orange alerts in
our review; rather they enhanced measures already in place. Other
states indicated that the extent to which they implemented protective
measures for the code-orange alert periods in our review depended on
specific threat information. For example, 1 state indicated that it did
not enhance existing protective measures or implement new protective
measures for the code-orange alert periods in our review because there
were no specific threats to the state that required it to do so. Other
states indicated that the extent to which they implemented protective
measures for code-orange alert periods depended on the required level
of security for their critical infrastructure sites. For example, 1
state reported that it implemented new protective measures for its
nuclear power plants during code-orange alert periods, but for some
other critical infrastructure assets, it enhanced security measures
already in place. Some states also indicated that resource constraints
determined the extent to which they enhanced or implemented new
protective measures for code-orange alert periods. For example, 2
states indicated that they had to implement a substantial number of new
protective measures for the three code-orange alert periods in our
review because they could not afford to always operate at a high level
of security. For more detailed information on protective measures that
states most commonly reported having in place for code-orange alert
periods and testing of these measures, see appendix IV.
Additionally, 4 localities from which we obtained information reported
that they did not enhance or implement a substantial number of
protective measures to respond to the code-orange alerts because they
did not receive specific threat information indicating that the
localities were at risk. For example, 1 locality reported that because
it did not receive specific threat information on possible targets, the
locality did not take any measures to respond to the code-orange
alerts. Additionally, another locality noted that its emergency
response staff was not able to implement additional measures in
response to the code-orange alerts because the staff was too busy with
regular duties such as responding to 911 calls.
Federal Agencies and States Reported that Protective Measures for Code-
Orange Alerts Were Beneficial, but also Presented Operational
Challenges and Affected Normal Operations:
Federal agencies and states responding to our questionnaires indicated
that they benefited in various ways from the protective measures they
enhanced or implemented during the code-orange alert periods, but also
noted that they faced operational challenges in responding to the three
code-orange alert periods in our review. For example, federal agencies
and states reported that protective measures increased employees' sense
of security, promoted staff awareness, and provided visible deterrents
to possible threats. However, federal agencies and states responding to
our questionnaires also reported that their operations were negatively
affected during code-orange alerts as a result of protective measures
they enhanced or implemented. For example, 10 federal agencies and 13
states reported that they had to redirect resources from normal
operations to enhance or implement protective measures for code-orange
alerts. One locality also reported that its operations were negatively
affected by the redirection of personnel, which resulted in delays of
maintenance activities and preventative exercises as well as
postponement of training. Additionally, 15 federal agencies noted
delays for visitors and employees. Some of these federal agencies and
states reported that maintaining a code-orange alert level of security
for more than a few days at a time significantly drained their security
resources--an effect federal agencies and states have identified as
"code-orange alert fatigue."
Federal agencies and states also indicated that the lack of federal
governmentwide coordination hindered their ability to respond to
threats. Without coordination of information and intelligence sharing
during code-orange alert periods, federal agencies and states
responding to our questionnaires noted that they may not receive threat
information needed to help them determine and implement their responses
to code-orange alerts. For example, 1 federal agency reported that it
received different requests from several federal agencies to deploy
personnel to different locations. This federal agency noted that
improved federal governmentwide coordination might result in more
efficient assignment of resources. Similarly, 1 locality noted that
because different government agencies notified different local agencies
of changes in the national threat level, first responders and local
officials could not effectively and efficiently coordinate and
implement protective resources. On the other hand, 1 state official
raised concerns about whether federal agencies were fully informed of
the information DHS provided to states and had the information needed
to implement appropriate local security measures. This official noted
that persons from the Transportation Security Administration, the Coast
Guard, and the U.S. Army Corps of Engineers called his state's homeland
security office for advisories and bulletins DHS had provided to the
state. Because of these information requests, this official noted that
the state was concerned that officials from these federal agencies did
not receive information needed to implement security measures,
especially at airports. In commenting on a draft of this report, DHS
officials stated that the department is working to address this
problem.
Six states also indicated that insufficient information from DHS on
national critical infrastructure assets made it difficult to
effectively protect these assets during the code-orange alert periods.
Three of these states indicated that DHS asked them to protect specific
national critical infrastructure sites, some of which were no longer
operational or others that were closed, such as shopping malls.
Officials in one state indicated that DHS did not coordinate with the
state when it initially developed this list of national critical
infrastructure assets. DHS officials told us that the department
developed a list of national critical infrastructure assets to assist
states in determining protective measures to implement at their
national critical infrastructure sites. According to the Deputy
Director of the Protective Security Division of IAIP, DHS initially
developed a list of 145 national critical infrastructure assets,
including nuclear power plants, chemical facilities, and transportation
systems, to ensure their security during Operation Liberty
Shield.[Footnote 30] This official told us that DHS identified national
critical infrastructure assets for the list based on intelligence
information indicating possible assets at risk, the vulnerabilities of
these assets, and possible consequences of an attack on assets,
including health, safety, and economic impacts. DHS did not coordinate
with states and localities in developing the national critical
infrastructure assets list for Operation Liberty Shield because
planning and timing of military operations for the war in Iraq and for
Operation Liberty Shield were given the highest classification levels
and discussed only at the federal level. The Deputy Director said that
since Operation Liberty Shield, DHS has continually expanded and
revised its national critical infrastructure assets list based on
ongoing analysis of threat information and input from states. In
reviewing a draft of this report, DHS officials told us that its
Protective Security Division has given all states and territories
opportunities to suggest assets to be included in the National Asset
Database as well as to verify and validate information DHS maintains on
such assets. To enhance standard security levels at national critical
infrastructure sites, this DHS official said that the department is
working with states to develop plans for protecting the immediate areas
surrounding national critical infrastructure assets and reducing
vulnerabilities in those areas. In particular, the Deputy Director told
us that DHS provided guidance and information to states and local law
enforcement agencies to develop protection plans for areas around
national critical infrastructure assets.
DHS Efforts to Gather Information on Protective Measures Taken by
States and Localities:
The majority of states responding to our questionnaire indicated that,
for all three code-orange alert periods in our review, DHS requested
some information on protective measures taken by states in response to
the heightened threat levels. However, as shown in table 5, most states
reported that DHS did not request information on the effectiveness of
these security measures.
Table 5: Number of States That Indicated DHS Requested Information on
Protective Measures Taken by the State in Response to the Three Code-
Orange Alert Periods:
Type of information: Security actions taken in response to the elevated
threat;
Number of states n = 40[A]: March 17 to April 16, 2003: 28;
Number of states n = 40[A]: May 20 to 30, 2003: 22;
Number of states n = 40[A]: December 21, 2003, to January 9, 2004: 33.
Type of information: Security actions taken at specific critical
infrastructure sites;
Number of states n = 40[A]: March 17 to April 16, 2003: 24;
Number of states n = 40[A]: May 20 to 30, 2003: 18;
Number of states n = 40[A]: December 21, 2003, to January 9, 2004: 31.
Type of information: Effectiveness of state or government security
actions taken;
Number of states n = 40[A]: March 17 to April 16, 2003: 7;
Number of states n = 40[A]: May 20 to 30, 2003: 7;
Number of states n = 40[A]: December 21, 2003, to January 9, 2004: 8.
Source: GAO analysis of questionnaire data.
[A] Of the 43 states responding to our questionnaire, 1 reported that
it did not follow the Homeland Security Advisory System and 2 did not
provide responses to the question regarding the extent to which DHS
requested information on protective measures taken by states in
response to increased threat levels. Therefore, these 3 states are not
included in our analysis of states from which DHS requested information
on protective measures.
[End of table]
An Office of State and Local Government Coordination official said that
DHS maintains close contact with states and localities during code-
orange alert periods and fosters information sharing about actions
taken to increase security. For example, this official noted that DHS
co-sponsored a February 2003 workshop with the FBI to encourage state-
level implementation of the Homeland Security Advisory System and
provide a forum for information exchange among state and local homeland
security representatives. More recently, on April 19, 2004, DHS
launched a new Web site (www.llis.gov) to provide a nationwide network
of lessons learned and best practices for homeland security officials
and emergency responders. For the most recent code-orange alert from
December 21, 2003 to January 9, 2004, DHS officials noted that they
contacted states to inquire about protective measures that were put in
place. According to DHS officials, they made such inquiries to (1)
monitor the extent to which states implemented protective measures that
DHS recommended, (2) apprise the White House of actions taken in
response to code-orange alerts, and (3) enhance DHS officials'
understanding of protective measures for which states may seek
reimbursement.
Costs Reported by Federal Agencies, though Limited, Suggest a Decline
in Additional Costs:
Sixteen of 26 federal agencies responding to our questionnaire reported
additional costs for at least one of the code-orange alert periods in
our review. We examined the cost information provided by these agencies
for obvious errors and inconsistencies and examined agencies' responses
to the questionnaire regarding the development of the cost information.
In doing so, we found that these federal agencies' cost data were
generated from various sources, such as financial accounting systems,
credit card logs, and security contracts. Additionally, this cost
information is not precise, nor do the costs likely represent all
additional costs incurred during code-orange alert periods. In some
cases, we have concerns about the reliability of the data sources used
to develop the costs reported to us. For example, 6 of the 16 federal
agencies reported that they extracted some of the code-orange alert
cost data from their agencies' financial accounting systems. However,
as reported in the fiscal year 2005 President's Budget, 5 of these
agencies' financial management performance had serious flaws as of
December 31, 2003. Despite these limitations, we believe the cost data
to be sufficiently reliable as indicators of general ranges of cost and
overall trends. However, the data should not be used to determine the
cumulative costs incurred across all federal agencies.
Based on the information provided by federal agencies, total additional
costs reported by federal agencies responding to our questionnaire for
the March 17 to April 16, 2003, and May 20 to 30, 2003, code-orange
alert periods were less than 1 percent of these agencies' fiscal year
2003 homeland security funding, as reported to OMB. On the basis of
this cost information, we determined additional average daily costs
ranged from about $190 to about $3.7 million across all three code-
orange alert periods in our review. Based on information reported by
these agencies, the additional average daily costs incurred across
code-orange alert periods have declined over time.
Some of these federal agencies attribute this decline to continued
enhancement of standard levels of security. Some federal agencies
reported that they did not have any additional costs during code-orange
alert periods, as they either did not implement any additional
protective measures or they redirected already existing resources to
implement additional code-orange alert measures rather than employ
additional resources. Although federal agencies may not have reported
additional costs directly as a result of implementing protective
measures for code-orange alerts, actions taken such as redirecting
resources from normal operations would have resulted in indirect costs.
Additional Costs Reported by Federal Agencies for the First and Second
Alert Periods in Our Review Were Less than 1 Percent of Agencies' 2003
Homeland Security Funding:
Sixteen of 26 federal agencies responding to our questionnaire reported
additional costs for the first code-orange alert period in our review-
-March 17 to April 16, 2003. Fifteen of these agencies also reported
additional costs for the second code-orange alert period in our review-
-May 20 to 30, 2003. For 13 of the 15 federal agencies that reported
additional costs for both the first and second code-orange alert
periods in our review, we calculated that the additional costs reported
by these agencies were less than 1 percent of these agencies' fiscal
year 2003 homeland security funding. This calculation is based on OMB's
2003 Report to Congress on Combating Terrorism, which presented
information federal agencies reported to OMB on the amount of homeland
security funding authorized to federal agencies in fiscal year 2003.
For the 16 federal agencies responding to our questionnaire that
reported additional costs during the first code-orange alert period in
our review, we calculated average daily additional costs, which ranged
from about $190 to about $848,000.[Footnote 31] A cabinet level agency
with security responsibilities limited to protecting its facilities and
employees reported the least additional costs for this code-orange
alert period, while another cabinet level agency that, in addition to
securing its facilities, is responsible for the protection of national
critical infrastructure assets reported the most additional costs. For
the 15 federal agencies that reported additional costs for the second
and third--December 21, 2003, to January 9, 2004--code-orange alert
periods in our review, we calculated additional average daily costs
that ranged from about $240 to about $3.7 million and from about $190
to about $1 million, respectively.[Footnote 32] The agency that
reported the least additional costs for the second and third code-
orange alert periods in our review was an independent agency, while the
agencies that reported the most additional costs for these code-orange
alert periods were generally cabinet agencies that are responsible for
the protection of national critical infrastructure assets. Most of the
additional costs federal agencies reported were personnel costs, such
as overtime wages or costs for additional security personnel. Appendix
V provides additional information regarding cost information submitted
by federal agencies.
Federal Agencies' Additional Average Daily Costs for Code-Orange Alerts
Declined:
Based on the cost information provided by federal agencies, we
determined that there was a decline in the additional average daily
costs incurred by these federal agencies over the three code-orange
alert periods in our review. Of the 15 federal agencies that reported
additional costs for the first and third code-orange alert periods, 11
federal agencies experienced an overall decline in the additional
average daily costs across the code-orange alert periods. Five of these
11 federal agencies indicated that their additional costs declined
across the three code-orange alert periods in our review because they
were consistently enhancing their baseline levels of security, which,
in turn, required fewer additional protective measures during
subsequent code-orange alert periods. Three agencies indicated that the
decline in additional average daily costs was due to a reduction in the
number of protective measures they had in place. One of these agencies
explained that rather than implementing general protective measures
with the receipt of specific threat information for the third code-
orange alert in our review, it was able to determine the most
appropriate protective measures to put in place.
Some Federal Agencies Reported No Additional Costs Due to Redirection
of Existing Resources and Lack of Additional Measures:
Six federal agencies reported that they did not have additional costs
for at least two of the code-orange alert periods in our review. Four
of these agencies indicated that they did not have additional costs
because they redirected already existing resources to implement
additional protective measures for the code-orange alert periods rather
than employ additional resources. For example, 2 agencies said that
they were able to increase the frequency of their facility patrols
without hiring additional guards or requiring guards to work overtime
by closing one of the facility's entrances during code-orange alert.
Therefore, the guards who would normally secure that entrance were
assigned to conduct additional roaming facility patrols. Furthermore, 2
of the 4 agencies indicated that they planned their protective measures
with the specific intent that the agency would not incur any additional
security-related costs during code-orange alert periods. The remaining
2 agencies reported that they did not have any additional costs because
they did not implement additional protective measures for the code-
orange alert periods. One agency explained that it did not implement
any protective measures during code-yellow or code-orange alert periods
because it is located in a privately owned building and is not
responsible for the security of its facility, nor does this agency have
field offices for which it is responsible.
Although these federal agencies reported that they did not directly
incur additional costs to implement protective measures for code-orange
alert periods, the consequences of implementing such protective
measures may have resulted in indirect costs for these agencies. Some
federal agencies responding to our questionnaire indicated they could
not quantify these indirect costs. However, federal agencies provided
examples of redirection of resources that may have caused them to incur
such costs. For example, 13 federal agencies noted that in order to
implement code-orange alert measures, they had to redirect existing
resources from normal operations. Furthermore, one agency indicated
that redirecting resources in response to code-orange alerts prevented
the agency from performing mission-related activities, such as
deterrence of criminal activity other than terrorism. Additionally, 16
federal agencies said that as a result of implementing measures for
code-orange alerts, there were delays for employees and visitors
entering facilities, which may have resulted in loss of productivity
among employees and a delay in provision of services. Seven federal
agencies indicated that as part of their response to code-orange
alerts, they postponed or cancelled agency-sponsored activities such as
training for staff development.
Cost Data Collected by DHS and Data Reported by Others Cannot be
Generalized:
DHS has collected limited information on costs incurred by states and
localities during code-orange alert periods through its State Homeland
Security Grant Program - Part II and the Urban Areas Security
Initiative - Part II. States must submit information to DHS to be
reimbursed for costs incurred as a result of actions taken to increase
critical infrastructure protection during code-orange alerts. However,
this cost information does not represent all costs incurred by states
and their localities during code-orange alert periods. Therefore, it
cannot be used to assess the financial impact of code-orange alerts on
states and localities. The U.S. Conference of Mayors also collected
information and reported estimates of costs localities incurred in
response to code-orange alerts. Moreover, a Director with the Center
for Strategic and International Studies estimated and reported[Footnote
33] costs incurred by federal agencies during code-orange alerts.
However, because of limitations in the scope and methodologies used in
these estimates, the cost information they reported may not be adequate
for making generalizations regarding additional costs states and
localities incurred in response to code-orange alerts.
DHS Collected Limited Information on Costs Incurred by States and
Localities during Code-Orange Alert Periods through Its Grant Programs:
DHS issued an information bulletin to states on March 21, 2003,
advising them to capture additional costs incurred by the state and its
localities during the March 17 to April 16, 2003, code-orange alert
period for the protection of critical infrastructure, in the event that
funds became available to reimburse states and localities for these
additional costs. Through the fiscal year 2003 State Homeland Security
Grant Program - Part II (SHSGP II), DHS made a total of $200 million
available to states and local communities to mitigate costs of critical
infrastructure protection[Footnote 34] during the period of hostilities
with Iraq and future periods of heightened threat.[Footnote 35]
According to SHSGP II guidelines, SHSGP II funds can be used for:
* public safety agency overtime costs,
* contract security personnel costs, and:
* state-ordered National Guard deployments required to augment security
at critical infrastructure.[Footnote 36]
Additionally, at least 50 percent of a state's award must be allocated
to local communities.
Through the fiscal year 2003 Urban Areas Security Initiative - Part II
(UASI II), DHS made approximately $125 million available to reimburse
select urban areas for costs incurred during the February 7 to February
27, 2003; March 17, 2003, to April 16, 2003; and May 20 to 30, 2003,
code-orange alert periods. Specifically, UASI guidelines allowed for
the reimbursement of costs associated with overtime and critical
infrastructure protection.[Footnote 37] On January 23, 2004, DHS issued
a memorandum to state officials indicating that SHSGP II and UASI II
funding could also be used to reimburse states and localities for
additional costs incurred for protection of critical infrastructure for
the December 21, 2003, to January 9, 2004, code-orange alert period.
For the March 17 to April 16, 2003, and May 20 to 30, 2003, code-orange
alert periods, DHS required states to submit budget detail worksheets,
including the name of the state agency or local jurisdiction that
incurred the additional critical infrastructure protection costs and
the amount the agency or locality requested for reimbursement. For the
December 21, 2003, to January 9, 2004, code-orange alert period, DHS
provided a more detailed template for the budget detail worksheet,
which asked states to identify the critical infrastructure site
protected and the amount of costs incurred and personnel deployed for
each of the following categories:
* National Guard deployment,
* public safety overtime,
* contract security personnel, and:
* emergency operations center overtime.
Additionally, for all three code-orange alert periods in our review,
DHS asked states to distinguish between state-level and local-level
costs. Through SHSGP II and UASI II, states were awarded a specified
amount from which they could draw down over a period of 2 years to
reimburse them for additional costs incurred during code-orange alert
periods. According to the grant guidelines, DHS must approve the budget
detail worksheet before states and localities can obligate, expend, or
draw down these grant funds. DHS, in monitoring these grant programs,
takes steps to validate critical infrastructure protection costs.
Additionally, amounts that states and localities expend in excess of
$300,000 are subject to an external audit which, when completed,
provides assurance regarding the reliability of the cost data.[Footnote
38]
Based on the following, it is unlikely that the cost information
submitted by states to DHS represents all additional costs incurred by
states and localities during code-orange alert periods:
* States have up to 2 years from the time when the grant is awarded to
submit requests for reimbursement of additional code-orange alert
costs.
* Some states are still in the process of validating proposed costs
incurred by the state and its localities. For example, one state
estimated that its state agencies and localities incurred an additional
$3.7 million for the March 17 to April 16, 2003, code-orange alert
period. However, the state could only validate additional code-orange
alert costs of about $1.3 million, and thus could only report this
amount as eligible for DHS reimbursement.
* The cost information submitted by states does not include additional
costs for training or the purchase of equipment and materials during
code-orange alert periods.
Additionally, DHS officials told us that not all states and localities
that incurred additional costs have requested reimbursement; therefore,
not all states and localities have submitted information to DHS on
additional code-orange alert costs. Since the cost information does not
include all costs incurred by states and localities for code-orange
alerts, it should not be used to reach conclusions about the financial
impact of these alerts on states and localities.
According to the cost information collected by DHS, as of April 14,
2004, 40 states provided cost information to DHS in order to draw down
funds to reimburse additional costs incurred during the March 17 to
April 16, 2003, and May 20 to 30, 2003, code-orange alert periods.
Based on this cost information, the reported state share of additional
code-orange alert costs ranged from about $7,900 to about $8 million
for both the first and second code-orange alert periods, which lasted a
total of 40 days. The locality share of additional costs incurred
during these two code-orange alert periods ranged from about $2,800 to
about $28 million.
As of April 14, 2004, 33 states provided information on additional
costs incurred during the December 21, 2003, to January 9, 2004, code-
orange alert period to DHS. Based on this information, additional costs
incurred by state agencies for this code-orange alert period, which
lasted 19 days, ranged from about $2,000 to about $7 million.
Additional costs incurred by localities during this code-orange alert
period ranged from about $3,000 to about $4 million. In general, the
states that have numerous critical infrastructure sites, as identified
by DHS, were the ones that reported the most additional code-orange
alert costs collectively for the state and its localities.
Additionally, DHS officials noted that overtime costs for law
enforcement or security personnel appear to be the primary expense
incurred by states and localities.
You also requested that we determine the extent to which DHS analyzes
available cost data related to code-orange alerts and the role that OMB
plays in providing guidance to DHS on capturing such costs. Though not
required to do so, DHS has not analyzed the cost data collected to
identify trends or assess the financial impact code-orange alerts have
on states and localities. DHS has not tallied individual or overall
state and local costs for any of the increased threat alert periods.
However, as cost information submitted by states for reimbursement
through SHSGP II and UASI II does not include all costs incurred by
states and localities during code-orange alert periods, such analysis
may not be appropriate using these data. According to an OMB
representative, OMB has not provided specific guidance to DHS in
capturing and totaling additional costs that states and localities
incurred during periods of heightened national threat levels, nor is it
required to do so. However, the representative noted that OMB is
concerned about the funds that the federal government expends on these
programs and activities.
Publicly Reported Cost Information May be Insufficient for Assessing
Financial Impact of Code-Orange Alerts:
Prior to this report, the U.S. Conference of Mayors and a Director with
the Center for Strategic and International Studies have been the only
organization or official to attempt to report estimates of costs
incurred by various governmental entities in response to code-orange
alerts. However, despite their efforts, the information reported by the
U.S. Conference of Mayors and a Director at the Center for Strategic
and International Studies Homeland Security Initiatives, may not be
adequate to draw conclusions regarding the extent to which responding
to code-orange alerts imposes a financial burden on governmental
entities.
On March 27, 2003, the Conference of Mayors published a report[Footnote
39] that estimated localities within the United States were spending
$69.5 million per week in response to the March 17 to April 16, 2003,
code-orange alert period. However, the U.S. Conference of Mayors'
estimate may not provide an adequate basis for drawing conclusions
regarding the financial impact of code-orange alerts on localities due
to several factors such as:
* lack of guidance to localities for developing their estimates,
* low response rate,
* limited scope, and:
* the absence of independent verification or confirmation of amounts
reported to the Conference of Mayors.
For example, the Conference of Mayors surveyed its membership asking
them to report, "What are you spending extra per week?" However,
according to a Conference of Mayors' official, members were not
provided guidance on how to develop their costs. Thus, localities could
have used different methodologies potentially resulting in the
inclusion of certain costs in one locality's estimate that may not be
included in another locality's estimate. Additionally, only 145 cities
out of the U.S. Conference of Mayors total membership of 1,185
responded to the survey, representing a 12 percent response rate. The
scope for this study was also somewhat limited in that the U.S.
Conference of Mayors issued its report and estimates prior to the
conclusion of the March 17 to April 16, 2003, code-orange alert period.
Thus, the estimate may not represent all costs incurred during that
time period. Finally, the U.S. Conference of Mayors' staff did not take
any additional steps to verify the validity of the estimates provided
in response to its survey nor did they request that localities provide
information to assist them in corroborating the localities' responses.
Similarly, a December 21, 2003, news release[Footnote 40] from the
Center for Strategic and International Studies cited remarks by one of
its directors who independently estimated that it costs the nation $1
billion a week to implement protective measures in response to a code-
orange alert. According to the official that generated this estimate,
it was an informal calculation based primarily on the funds
appropriated by Congress to federal agencies for Operation Liberty
Shield. The director divided the total amount of federal appropriations
related to Operation Liberty Shield by the number of weeks that
Operation Liberty Shield lasted. However, appropriated funds are not
accurate representations of expenditures or costs incurred by federal
agencies. Additionally, Operational Liberty Shield was a comprehensive
national plan to increase protection for America's citizens and the
nation's infrastructure during the war with Iraq. Thus, federal
agencies may have taken additional protective measures in relation to
the war that are not normally associated with code-orange alerts. As a
result, this estimate may not be an accurate reflection of costs
incurred by federal agencies in relation to other code-orange alerts.
Conclusions:
DHS's implementation of the Homeland Security Advisory System is
evolving, and the responses to our questionnaires from federal agencies
and states suggest that DHS has made progress in providing more
specific information to federal agencies and states and localities
regarding the specific threats and risks they may face. However, DHS
has not yet officially documented its protocols for communicating
changes in the national threat level, as well as guidance and threat
information, to federal agencies and states. The responses we received
to our questionnaires indicated continuing confusion on the part of
federal agencies and states and localities regarding the process and
methods that DHS uses to communicate changes in the national threat
level or recommendations for heightened security measures in specific
regions or sectors. Without clearly defined and consistently applied
communication policies and procedures, DHS may have difficulty managing
the communication expectations of federal agencies and states and
effectively communicating the methods, timing, and content of guidance
and information--including information on protective measures and
potential threats--the department provides to federal agencies and
states. We believe that risk communication principles are applicable to
the Homeland Security Advisory System and should be applied in DHS
communications with federal agencies, states, and localities. Risk
communication experts suggest that warnings should include the
following principles to provide for early, open, and comprehensive
information dissemination and for informed decision making: (1)
communication through multiple methods, (2) timely notification, and
(3) specific information about the nature, location, and timing of the
threat and guidance on actions to take. To the extent that DHS does not
communicate specific threat information and guidance on actions to
take, federal agencies, states, and localities may not be able to
effectively determine their levels of risk, the appropriate protective
measures to implement in response to threats, and how to effectively
and efficiently focus their limited resources on implementing those
appropriate protective measures. Finally, it is important to note that
although periods of code-orange alert do result in some additional
costs for many federal agencies, states, and localities, the available
cost data have many limitations, are not precise or complete, and thus,
any conclusions based on these data must reflect those limitations.
Recommendations for Executive Action:
We recommend that the Secretary of Homeland Security direct the Under
Secretary for Information Analysis and Infrastructure Protection to
take the following two actions: (1) document communication protocols
for notifying federal agencies and states of changes in the national
threat level and for providing guidance and threat information to these
entities, including methods and time periods for sharing information,
to better manage these entities' expectations regarding the methods,
timing, and content of information shared; and (2) incorporate risk
communication principles into the Homeland Security Advisory System to
assist in determining and documenting information to provide to federal
agencies and states, including, to the extent possible, information on
the nature, location, and time periods of threats and guidance on
protective measures to take in response to those threats.
Agency Comments:
We provided a draft copy of this report to DHS for comment. DHS
generally concurred with the findings and recommendations in the report
and provided formal written comments, which are presented in appendix
IX. In commenting on the draft report, DHS expressed concern that we
generalize examples cited in the report across all states and
localities, rather than characterizing the examples as isolated
experiences. As previously discussed, we surveyed 56 states and
territories to obtain information on their experiences related to
national threat level changes. We discuss the results of this
questionnaire throughout the report, including information on the
number of states that provided similar responses. After citing the
number of states that provide a similar response related to a code-
orange alert issue, we frequently use examples to illustrate those
perspectives. We did not cite all examples we received, but rather
those that most effectively illustrate our message. Thus, we believe
the report accurately portrays state perspectives on code-orange
alerts. In regard to DHS's comments on the examples we discuss related
to localities, we believe that we appropriately cautioned the reader in
the report's introduction and scope and methodology sections that
information from the 16 localities we visited or from which we received
questionnaire responses were used only as anecdotal examples and cannot
be generalized across all localities in the United States. DHS also
provided technical comments, which we have incorporated as appropriate.
We plan no further distribution of this report until 14 days after the
date of this report. At that time, we will send copies of this report
to the Subcommittee on Terrorism, Technology, and Homeland Security,
Senate Committee on the Judiciary; the Subcommittee on National
Security, Emerging Threats, and International Relations, House
Committee on Government Reform; the Secretary of Homeland Security; the
Director, Office of Management and Budget; and other interested
parties. Copies will be made available to others on request. In
addition, this report will be available at no charge on GAO's Web site
at [Hyperlink, http://www.gao.gov].
If you or your staffs have any questions about this report, please
contact me at (202) 512-8777 or by e-mail at
[Hyperlink, jenkinswo@gao.gov]. Other GAO contacts and key contributors
are listed in appendix X.
Signed by:
William O. Jenkins, Jr.,
Director, Homeland Security and Justice Issues:
[End of section]
Appendixes:
Appendix I: Federal Agencies', States', Localities', and Foreign
Countries' Threat Advisory Systems:
Some federal agencies, states, localities, and foreign countries had
threat advisory systems in place prior to the implementation of the
Homeland Security Advisory System in March 2002, while others have
since developed such systems. Some of these advisory systems were
generally similar to the Homeland Security Advisory System, identifying
different threat levels and requiring or suggesting certain protective
actions be taken at each threat level. However, other systems differed
in terms of structural and operational characteristics--such as the
number of threat levels, the issuance of local or regional alerts, and
the dissemination of threat advisories to the public.
Federal Agencies' Threat Advisory Systems:
Seven of the 25 federal agencies[Footnote 41] responding to our
questionnaire reported that they operated their own threat advisory
systems prior to the establishment of the Homeland Security Advisory
System in March 2002. One agency, for example, indicated that it
developed its own five-level alert system 8 years ago to ensure
protection of critical national security assets. These seven agencies
currently follow the Homeland Security Advisory System as well as their
own agency advisory system that conforms to the Homeland Security
Advisory System. Three of these agencies also reported they could
independently raise agency threat levels in response to threats or
events that specifically affect their operations, regardless of whether
the national threat level is raised at the same time. However, they
generally cannot lower a facility threat level below that specified by
the agency head or other designated agency authority. Further, although
these agencies can operate at a threat level that is higher than the
Homeland Security Advisory System national threat level (e.g., at code-
orange when the national threat level is code-yellow), they generally
cannot operate at a lower threat level.
Unlike federal civilian agencies, Department of Defense (DOD) military
installations are exempt from following the Homeland Security Advisory
System. Accordingly, DOD operates under its own terrorist threat
advisory system--known as the Force Protection Condition system.
According to DOD officials, this system has five threat conditions--
normal, alpha, bravo, charlie, delta--indicating increasing threats of
a terrorist attack, and the system prescribes mandatory minimum
protective measures for all units and installations for each condition
level. Each of the nine DOD Unified Combatant Commands[Footnote 42]--
for example, Central Command (Middle East and Asia)--establishes a
force protection condition for the entire Command, based on a variety
of information including threat and vulnerability assessments from such
sources as the Department of Homeland Security (DHS), the Federal
Bureau of Investigation (FBI), and the Defense Intelligence Agency.
Beyond this level of protection, installation and unit commanders may
then require additional protective measures, also based on intelligence
assessments. This system, therefore, provides flexibility to base
commanders to set protective measures based on local threat conditions.
In contrast to civilian federal agencies, changes in the Homeland
Security Advisory System do not necessarily result in changes in DOD's
force protection condition. When the national threat level is raised to
code-orange, DOD reviews and analyzes the same intelligence used by DHS
to decide to raise the national threat level. Based on this analysis,
DOD military commanders then decide whether any change is warranted in
their own force protection condition.
States' and Localities' Threat Advisory Systems:
As discussed earlier in the report, the Homeland Security Advisory
System is not binding on states or localities and they are not required
to conform their advisory systems to the Homeland Security Advisory
System. However, 42 of the 43 states responding to our
questionnaire[Footnote 43] indicated they currently followed the
Homeland Security Advisory System, an equivalent state system, or both.
Eight of the states responding to our questionnaire and 1 locality we
visited indicated that they had implemented their threat advisory
systems prior to the Homeland Security Advisory System. For example, 1
state told us that it amended its state emergency response plan and
implemented a state advisory system in 1998, in response to the bombing
of the federal building in Oklahoma City.
Twenty-two states responding to our questionnaire and 5 localities we
visited indicated that they currently operate their own advisory
systems. Most of these states reported that their systems provided
information about the type or location of the threat, notified other
governmental entities, and identified protective measures to be taken-
-while most localities indicated their systems conformed to the
Homeland Security Advisory System. Some state and local advisory
systems are similar to the Homeland Security Advisory System, but
contain a different number of threat levels than the Homeland Security
Advisory System. For example:
* One state uses a numbered, 4-level threat advisory system, which is
similar to the Homeland Security Advisory System but combines the
levels of Blue and Yellow into a single threat level.
* One locality uses a 4-level advisory system, which does not include
the Homeland Security Advisory System Blue threat level.
State and local advisory systems typically identified actions or
protective measures that were to be taken at each threat level. For
example, one state advisory system identified state, county, and local
government actions, as well as specific security recommendations; while
another identified actions for law enforcement agencies, non-law
enforcement agencies, businesses, and citizens. One locality advisory
system identified general security recommendations, as well as specific
agency action checklists identifying a minimum level of response by
agencies and departments within the locality. Some states and
localities can raise their systems' threat levels based on specific
threats or events independent of changes in the national threat level.
One state, for example, raised its state threat level in early February
2003 (prior to the February 2003 code-orange alert) in response to the
crash of the space shuttle Columbia. One locality could change its
threat level locally based on information and coordination with the
local FBI office, the state's department of public safety, and the
locality's police department.
Foreign Countries' Systems:
The United Kingdom has a developed threat advisory system and processes
for communicating threat information that are similar to the Homeland
Security Advisory System but, unlike the U.S. system, it does not
require that terrorism threat alerts be issued to the public. According
to United Kingdom officials, under the United Kingdom's threat advisory
system, (1) threat levels are assigned nationwide, as well as to
specific regions and economic sectors; and (2) these levels and related
changes are communicated to government and law enforcement agencies and
private sector entities with responsibility for critical infrastructure
protection, but not to the public. The United Kingdom does not publicly
announce these threat warnings because it wants to protect its
intelligence sources and avoid alerting terrorists that the government
is aware of the threat. If terrorists know that the government is aware
of their planned attack, the terrorists may change their plans and
modes of operation, allowing them to carry out attacks that are even
more lethal. Additionally, the United Kingdom is concerned about
causing public anxiety regarding possible threats, when, in most cases,
the public cannot do anything to mitigate the threat.
However, United Kingdom officials noted that if warnings are necessary
to protect public safety from specific and credible threats, the United
Kingdom will issue public warnings. Additionally, the United Kingdom
instituted a public campaign to encourage public vigilance regarding
potential terrorist activity. The campaign included posters warning the
public to alert the police to unattended baggage, as shown in figure 1.
Figure 1: London Metropolitan Police Antiterror Alert Poster:
[See PDF for image]
[End of figure]
Unlike the United Kingdom system, the Australian threat advisory system
places a greater emphasis on publicizing changes in national threat
levels. Australia implemented its current four-level, national
counter-terrorist threat alert system in June 2003.[Footnote 44] As in
the United States, a threat level condition is publicly announced and
defined. Under the Australian system, each level of alert is defined as
follows:
* Low--no information to suggest a terrorist attack in Australia.
* Medium--medium risk of a terrorist attack in Australia.
* High--high risk of a terrorist attack in Australia.
* Extreme--terrorist attack is imminent or has occurred.
According to the Australian Attorney-General's Department, the system
was not introduced as a reaction to any particular threat, but rather
as an arrangement to help inform national preparation and planning and
provide greater flexibility for responding to threats. Accordingly,
should any intelligence information come to light which causes the
government to change the assessed level of threat, the public is to be
advised immediately.
Conversely, Norway does not have a nationwide threat advisory system.
According to Norwegian officials, the Norwegian Police Security Service
conducts threat assessments--which are graded into levels of low,
medium, and high--and these are issued to government agencies with
responsibilities for preventing and responding to threats within their
jurisdictions. Unlike the Homeland Security Advisory System, there are
no routines in place for communicating these threat assessments
directly to local governments, private sector entities or the general
public, but a decision to do so can be made depending on the situation.
National government agencies and county governors can be instructed to
take action to address various types of emergencies. However,
municipalities, private sector entities, and the general public cannot
be instructed to take specific action, except in situations where such
instructions are warranted by law.
Like Norway, Germany does not have a uniform nationwide system of
threat levels or requirements that specific actions be taken by
governmental entities in response to different types of emergencies,
including terror attacks. However, Germany does have a single, central
24-hour communication center. For natural disasters and other threats,
this center collects, screens, and processes the incoming information
for subsequent forwarding to other government agencies regarding
actions to take. According to German officials, the central
communication center is concerned primarily with information
management, rather than with controlling and warning functions. After
receiving the threat assessments from the central communication center,
governmental entities at the German federal and state level are each
responsible for deciding which measures are to be taken, based on the
threat.
According to German officials, threat information is communicated to
affected persons, individual institutions, the business community, and
the general public by law enforcement agencies, the state governments
or the German federal government, according to the nature of the threat
or danger concerned and the underlying situation. For example, the
federal Criminal Police Office informs the business community on a
regular basis as to the current assessment of the situation regarding
Islamic terrorism.
Additionally, Germany has a satellite-based warning system that enables
official warnings to be broadcast to the public. Government agencies
and emergency situation centers are linked via satellite and are able
to relay warnings and information on prevailing dangers to the
connected media in a matter of seconds.
[End of section]
Appendix II: Scope and Methodology:
To determine the process that the Department of Homeland Security (DHS)
used to make decisions about changes in the national threat level, we
met with and obtained information from DHS officials. We examined this
information to identify DHS's processes for determining whether to
raise or lower the national threat level and for issuing threat
products to federal agencies, states, localities, and private sector
entities. We also analyzed DHS threat products to determine the type of
threat information and guidance on protective measures that DHS
included in the products.
To determine guidance and information provided to federal agencies,
states, and localities; protective measures these entities implemented
in response to the three code-orange alerts from March 17 to April 16,
2003; May 20 to 30, 2003; and December 21, 2003, to January 9, 2004;
and additional costs these entities reported for the code-orange alert
periods, we sent questionnaires to (1) 28 federal agencies;[Footnote
45] and (2) the homeland security or emergency management offices in
the 50 states, the District of Columbia, American Samoa, Guam, the
Northern Islands, Puerto Rico, and the U.S. Virgin Islands. We selected
the 28 federal agencies because they reported receiving homeland
security funding for fiscal year 2003 to the Office of Management and
Budget (OMB) and are Chief Financial Officers Act agencies. We sent the
questionnaire to the 25 federal agencies that reported homeland
security funding for fiscal year 2003 to OMB and to 3 other federal
agencies that are Chief Financial Officers Act agencies but did not
report homeland security funding for fiscal year 2003.[Footnote 46]
To develop the questionnaires, we met with and obtained information
from 8 federal agencies, 4 states, the District of Columbia, and 9
localities. Overall, the questionnaires sent to federal agencies and
states were very similar. We obtained comments on draft versions of the
federal questionnaire from the 8 federal agencies. We adapted the final
version of the federal questionnaire to create the state questionnaire.
We pretested the questionnaires with 4 federal agencies and 3 states
and made relevant changes to the questions based on these pretests. See
appendixes VII and VIII for the federal and state questionnaires.
As of April 20, 2004, we received questionnaire responses from 26
federal agencies,[Footnote 47] which account for about 99 percent of
total fiscal year 2003 nondefense homeland security funding as reported
to OMB, and 43 states,[Footnote 48] for a 77 percent response rate. We
made extensive efforts to encourage federal agencies and states to
complete and return the questionnaires, such as contacting all
nonrespondents on multiple occasions and sending additional copies of
questionnaires when requested. We performed this work from October 2003
through May 2004.
Because our surveys were not statistical sample surveys, but rather a
survey of a nonprobability selection of federal agencies and a census
of all states, there are no sampling errors. However, the practical
difficulties of conducting any survey may introduce errors, commonly
referred to as nonsampling errors. For example, measurement errors are
introduced if difficulties exist in how a particular question is
interpreted or in the sources of information available to respondents
in answering a question. In addition, coding errors may occur if
mistakes are entered into a database. We took extensive steps in the
development of the questionnaires, the collection of data, and the
editing and analysis of data to minimize total survey error. As noted
above, to reduce measurement error and ensure questions and response
categories were interpreted in a consistent manner, we pretested the
questionnaires with several federal agencies and states. We edited all
completed surveys for consistency, such as ensuring that responses were
provided for all appropriate questions, and, if necessary, contacted
respondents to clarify responses. All questionnaire responses were
double key-entered into our database (i.e., the entries were 100
percent verified), and random samples of the questionnaires were
further verified for completeness and accuracy of data entry.
Furthermore, all computer syntax was peer reviewed and verified by
separate staff to ensure that the syntax was written and executed
correctly.
In addition to sending questionnaires to 28 federal agencies and 56
states, we conducted site visits at 12 localities (eight cities and
four counties) and sent a questionnaire to another 8 localities. The 12
localities were Atlanta and Fulton County, Georgia; Denver, Colorado
Springs, and Douglas County, Colorado; Norfolk, Virginia; Portland and
Wasco County, Oregon; Chicago and Cook County, Illinois; and Boston and
Fitchburg, Massachusetts. We selected these localities based on the
following criteria: the locality's receipt of urban area
grants[Footnote 49] from DHS, geographic location, topography (e.g.,
inland, border, or seaport), and type of locality (e.g., metropolitan
or nonmetropolitan area). We selected four cities and one county that
received grants from DHS and four cities and three counties that did
not. We also selected cities and counties from different geographic
regions and with different topographic characteristics, as well as some
cities and counties located in metropolitan areas and some cities and
counties located in nonmetropolitan areas. We used a structured data
collection instrument to interview emergency management officials and
first responders in these localities. We selected the 8 localities that
we surveyed based on their populations and geographic locations. We
received responses from 4 of these localities;[Footnote 50] 3 with
populations of less than 40,000 - Helena, Montana; Mankato, Minnesota;
and Rock Springs, Wyoming - and 1 with a population of greater than
40,000 - San Jose, California.
To determine the extent to which risk communication principles could be
incorporated into the Homeland Security Advisory System, we spoke with
and obtained information from individuals and organizations with
expertise in homeland security issues and risk communication. We
analyzed reports and documents from the ANSER Institute for Homeland
Security, Carnegie Mellon University, the Center for Strategic and
International Studies, the Department of Health and Human Services, the
Harvard Center for Risk Analysis, the Oak Ridge National Laboratory,
and the Partnership for Public Warning.
To assess the reliability of cost data provided by federal agencies on
our questionnaire, we examined the cost information for obvious errors
and inconsistencies and examined responses to the questionnaire items
requesting information regarding the development of the cost data. If
necessary, we contacted respondents to clarify responses and, when
provided, reviewed documentation about the cost data. Federal agencies
generated their cost data from various sources such as their financial
accounting systems, credit card logs, and security services contracts.
This cost information is not precise, nor do the costs likely represent
all additional costs for the code-orange alert periods. In some cases,
we have concerns about the reliability of the cost data source within
particular agencies. For example, 6 of the 16 federal agencies reported
that they extracted some of the code-orange alert cost data from their
agencies' financial accounting systems. As reported in the fiscal year
2005 President's Budget, 5 of these agencies' financial management
performance had serious flaws as of December 31, 2003. Despite these
limitations, we believe the cost data to be sufficiently reliable as
indicators of general ranges of cost and overall trends. However, the
data should not be used to determine the cumulative costs for all
federal agencies for code-orange alert periods. See appendix V for
additional information on cost information reported by federal
agencies.
To determine the extent to which DHS has collected information on costs
reported by states and localities during periods of code-orange alert,
we met with and obtained information from DHS officials on costs that
states and their localities submitted to DHS for reimbursement for
increased critical infrastructure asset protection during the three
code-orange alert periods. We examined this information to identify the
methods used by DHS to collect cost information from states and
localities. We also met with and obtained information from
representatives of OMB regarding the extent to which the office
provided guidance to DHS for collecting cost information from states
and localities.
We reported these cost data that DHS collected from states and
localities for the three code-orange alert periods only to illustrate
the range of costs that states reported to DHS for reimbursement. Cost
information submitted by states to DHS does not include all costs for
states and localities during the code-orange alert periods. In
particular, not all states submitted costs to DHS for reimbursement,
and not all state agencies and localities in states that submitted cost
information to DHS may have reported costs to their states for
submission to DHS. In addition, the cost information submitted by
states does not include additional costs for training or equipment and
material purchases during code-orange alert periods because these costs
are not reimbursable through the critical infrastructure protection
grant programs. Moreover, some states have not finished validating
costs they plan to submit for reimbursement. Despite these limitations,
we believe the cost data to be sufficiently reliable as indicators of
general ranges of costs that states submitted for reimbursement to DHS
and overall trends. However, because this cost information from states
and localities is not complete, it should not be used to reach
conclusions about the financial impact of code-orange alerts on states
and localities.
To determine the methodologies used by other organizations to develop
estimates of costs reported by federal agencies, states, and localities
during code-orange alert periods, we spoke with and obtained
information from officials at the U.S. Conference of Mayors and the
Director of the Center for Strategic and International Studies Homeland
Security Initiatives regarding how this organization and this
individual developed their estimates. We evaluated methodologies used
by the U.S. Conference of Mayors and the Director of the Center for
Strategic and International Studies Homeland Security Initiatives based
on their scopes, data collection methods, and analyses to assess the
reliability of the cost estimates. Moreover, we examined costs
estimates reported by other organizations, including the Council on
Foreign Relations, the National League of Cities, the National
Association of Counties, and the International Association of Emergency
Managers. We did not include these organizations' reports in our review
because they did not specifically address costs associated with
responses to increases in the national threat level.
To obtain information on federal agencies', states', and localities'
threat advisory systems, we analyzed questionnaire responses and other
documents to determine the number of federal agencies, states, and
localities that had their own threat advisory systems in place prior to
the establishment of the Homeland Security Advisory System as well as
the number of federal agencies, states, and localities that follow
their own threat advisory systems and the Homeland Security Advisory
System. We reviewed documentation of the threat advisory systems that
these federal agencies, states, and localities provided with their
questionnaire responses to identify the characteristics of the systems,
including systems' threat levels and protective measures and
conformance to the Homeland Security Advisory System. We also met with
and received documents from the Department of Defense on its Force
Protection Condition System. Furthermore, we spoke with and obtained
information from officials of four foreign countries--Australia,
Germany, Norway, and the United Kingdom--on these countries' threat
advisory systems and information sharing processes.[Footnote 51] We
compared the characteristics of these systems with characteristics of
the Homeland Security Advisory System to identify similarities and
differences between the systems. We selected the four countries because
they are democracies similar to the United States that have generally
faced terrorist threats.
We conducted our work from July 2003 to May 2004 in accordance with
generally accepted government auditing standards:
[End of section]
Appendix III: Guidance and Information Federal Agencies and States
Reported Using to Determine Protective Measures:
Federal agencies and states responding to our questionnaire indicated
that they used guidance from various sources, such as the Federal
Emergency Management Agency (FEMA), the Federal Protective Service
(FPS), the Department of Justice, and the White House, among other
sources, to develop plans for responding to each Homeland Security
Advisory System threat level. For example, 12 federal agencies reported
using the Department of Justice's Vulnerability Assessment of Federal
Facilities[Footnote 52] that established security levels for various
types of federal facilities and minimum-security standards for each
security level. In addition, to develop their response plans, 8 federal
agencies indicated that they used Homeland Security Presidential
Directive 3, which established the Homeland Security Advisory System
and suggested general protective measures for each advisory system
threat level. Six states reported using terrorism alerts and guidelines
from FEMA to develop their plans for protective measures for national
threat levels.
In addition to their response plans for national threat levels, federal
agencies and states responding to our questionnaires reported using
guidance and information from various sources to determine protective
measures to implement or enhance in response to the three code-orange
alert periods from March 17 to April 16, 2003; May 20 to 30, 2003; and
December 21, 2003, to January 9, 2004. As shown in tables 6 and 7,
these federal agencies reported using guidance and information and
intelligence from such sources as the Department of Homeland Security
(DHS), the Federal Bureau of Investigation (FBI), and the White House
to determine measures to take in response to the third code-orange
alert period in our review. These federal agencies generally reported
that this guidance and information and intelligence was useful and
timely. Results for the other two code-orange alert periods - March 17
to April 16, 2003; and May 20 to 30, 2003 - were consistent with those
reported in tables 6 and 7 for the third code-orange alert period.
Table 6: Number of Federal Agencies That Used Guidance from Sources and
Found It Useful and Timely for the Code-Orange Alert Period December
21, 2003, to January 9, 2004:
Source of guidance: DHS[C];
Number of federal agencies n = 26:
Number that reported using guidance: 16;
Number that reported that the guidance was useful[A]: 14;
Number that reported that the guidance was timely[B]: 11.
Source of guidance: FBI;
Number of federal agencies n = 26:
Number that reported using guidance: 9;
Number that reported that the guidance was useful[A]: 9;
Number that reported that the guidance was timely[B]: 9.
Source of guidance: White House;
Number of federal agencies n = 26:
Number that reported using guidance: 6;
Number that reported that the guidance was useful[A]: 5;
Number that reported that the guidance was timely[B]: 5.
Source of guidance: Local law enforcement;
Number of federal agencies n = 26:
Number that reported using guidance: 3;
Number that reported that the guidance was useful[A]: 3;
Number that reported that the guidance was timely[B]: 3.
Source: GAO analysis of questionnaire data.
[A] We asked federal agencies to indicate whether the guidance they
received was very useful, somewhat useful, or of little or nor use.
Useful reflects respondents' ratings of very useful and somewhat
useful.
[B] We also asked agencies to indicate whether the guidance they
received was timely by responding yes or no.
[C] In the questionnaire we sent to DHS, we did not include DHS as a
choice for guidance used to determine protective measures to take
during the three code-orange alert periods.
[End of table]
Table 7: Number of Federal Agencies That Used Information and
Intelligence from Sources and Found It Useful and Timely for the Code-
Orange Alert Period December 21, 2003, to January 9, 2004:
Source of information/intelligence: DHS[C];
Number of federal agencies n = 26:
Number that reported using information and intelligence: 16;
Number that reported that the information and intelligence was
useful[A]: 14;
Number that reported that the information and intelligence was
timely[B]: 14.
Source of information/intelligence: FBI;
Number of federal agencies n = 26:
Number that reported using information and intelligence: 17;
Number that reported that the information and intelligence was
useful[A]: 16;
Number that reported that the information and intelligence was
timely[B]: 15.
Source of information/intelligence: White House;
Number of federal agencies n = 26:
Number that reported using information and intelligence: 8;
Number that reported that the information and intelligence was
useful[A]: 7;
Number that reported that the information and intelligence was
timely[B]: 7.
Source of information/intelligence: Local law enforcement;
Number of federal agencies n = 26:
Number that reported using information and intelligence: 7;
Number that reported that the information and intelligence was
useful[A]: 7;
Number that reported that the information and intelligence was
timely[B]: 6.
Source of information/intelligence: National Joint Terrorism Task
Force[D];
Number of federal agencies n = 26:
Number that reported using information and intelligence: 11;
Number that reported that the information and intelligence was
useful[A]: 11;
Number that reported that the information and intelligence was
timely[B]: 10.
Source of information/intelligence: Agency intelligence sources;
Number of federal agencies n = 26:
Number that reported using information and intelligence: 9;
Number that reported that the information and intelligence was
useful[A]: 9;
Number that reported that the information and intelligence was
timely[B]: 8.
Source: GAO analysis of questionnaire data.
[A] We asked federal agencies to indicate whether the information and
intelligence they received was very useful, somewhat useful, or of
little or nor use. Useful reflects respondents' ratings of very useful
and somewhat useful.
[B] We also asked agencies to indicate whether the information and
intelligence they received was timely by responding yes or no.
[C] In the questionnaire we sent to DHS, we did not include DHS as a
choice for information and intelligence used to determine protective
measures to take during the three code-orange alert periods.
[D] The task force is comprised of numerous federal agencies co-
located in the Strategic Information and Operations Center at FBI
headquarters. This task force provides a central fusion point for
terrorism information and intelligence to the Joint Terrorism Task
Forces, which include state and local law enforcement officers, federal
agents, and other federal personnel who work in the field to prevent
and investigate acts of terrorism.
[End of table]
As shown in tables 8 and 9, states responding to our questionnaire also
indicated that they used guidance and information from sources such as
DHS, other federal entities, and state, territory, and local law
enforcement agencies to determine actions to take in response to the
third code-orange alert period. These states generally reported that
this guidance and information and intelligence was useful and timely.
Results for the other two code-orange alert periods in our review were
similar to those reported in tables 8 and 9.
Table 8: Number of States That Used Guidance from Sources and Found It
Useful and Timely for the Code-Orange Alert Period December 21, 2003,
to January 9, 2004:
Source of guidance: DHS;
Number of states n = 41[A]:
Number that reported using guidance: 34;
Number that reported that guidance was useful[B]: 30;
Number that reported that guidance was timely[C]: 29.
Source of guidance: Other federal entity, such as the FBI;
Number of states n = 41[A]:
Number that reported using guidance: 30;
Number that reported that guidance was useful[B]: 27;
Number that reported that guidance was timely[C]: 28.
Source of guidance: Other state, territory, or local government
agency;
Number of states n = 41[A]:
Number that reported using guidance: 15;
Number that reported that guidance was useful[B]: 15;
Number that reported that guidance was timely[C]: 15.
Source of guidance: Regional, state, or local law enforcement
agencies;
Number of states n = 41[A]:
Number that reported using guidance: 19;
Number that reported that guidance was useful[B]: 18;
Number that reported that guidance was timely[C]: 18.
Source of guidance: Governor or legislature;
Number of states n = 41[A]:
Number that reported using guidance: 20;
Number that reported that guidance was useful[B]: 20;
Number that reported that guidance was timely[C]: 20.
Source of guidance: Private sector organizations;
Number of states n = 41[A]:
Number that reported using guidance: 10;
Number that reported that guidance was useful[B]: 9;
Number that reported that guidance was timely[C]: 10.
Source: GAO analysis of questionnaire data.
[A] One of the states responding to our questionnaire did not provide
responses to the questions on guidance and information and intelligence
used to determine protective measures to take for the three code-orange
alert periods. Additionally, 1 reported that it did not follow the
Homeland Security Advisory System. Thus, these 2 states are not
included in our analysis of guidance and information and intelligence
used to determine protective measures.
[B] We asked states to indicate whether the guidance they received was
very useful, somewhat useful, or of little or nor use. Useful reflects
respondents' ratings of very useful and somewhat useful.
[C] We also asked states to indicate whether the guidance they received
was timely by responding yes or no.
[End of table]
Table 9: Number of States That Used Information and Intelligence from
Sources and Found It Useful and Timely for the Code-Orange Alert
Period December 21, 2003, to January 9, 2004:
Source of information/intelligence: DHS;
Number of states n = 41[A]:
Number that reported using information and intelligence: 32;
Number that reported that information and intelligence was useful[B]:
29;
Number that reported that information and intelligence was timely[C]:
27.
Source of information/intelligence: Other federal entity, such as the
FBI;
Number of states n = 41[A]:
Number that reported using information and intelligence: 30;
Number that reported that information and intelligence was useful[B]:
28;
Number that reported that information and intelligence was timely[C]:
27.
Source of information/intelligence: Other state, territory, or local
government agency;
Number of states n = 41[A]:
Number that reported using information and intelligence: 14;
Number that reported that information and intelligence was useful[B]:
14;
Number that reported that information and intelligence was timely[C]:
14.
Source of information/intelligence: Regional, state, or local law
enforcement agencies;
Number of states n = 41[A]:
Number that reported using information and intelligence: 21;
Number that reported that information and intelligence was useful[B]:
20;
Number that reported that information and intelligence was timely[C]:
19.
Source of information/intelligence: Governor or legislature;
Number of states n = 41[A]:
Number that reported using information and intelligence: 11;
Number that reported that information and intelligence was useful[B]:
11;
Number that reported that information and intelligence was timely[C]:
11.
Source of information/intelligence: Private sector organizations;
Number of states n = 41[A]:
Number that reported using information and intelligence: 10;
Number that reported that information and intelligence was useful[B]:
10;
Number that reported that information and intelligence was timely[C]:
10.
Source: GAO analysis of questionnaire data.
[A] One of the states responding to our questionnaire did not provide
responses to the questions on guidance and information and intelligence
used to determine protective measures to take for the three code-orange
alert periods. Additionally, 1 state reported that it did not follow
the Homeland Security Advisory System. Thus, these 2 states are not
included in our analysis of guidance and information and intelligence
used to determine protective measures.
[B] We asked states to indicate whether the information and
intelligence they received was very useful, somewhat useful, or of
little or nor use. Useful reflects respondents' ratings of very useful
and somewhat useful.
[C] We also asked states to indicate whether the information and
intelligence they received was timely by responding yes or no.
[End of table]
[End of section]
Appendix IV: Most Commonly Implemented Protective Measures, Measures
Tested, and Methods of Confirmation:
Federal agencies and states responding to our questionnaires reported
having a variety of protective measures in place for responding to the
three code-orange alert periods from March 17 to April 16, 2003; May 20
to 30, 2003; and December 21, 2003, to January 9, 2004, regardless of
whether the measures were most commonly enhanced, maintained at pre-
code-orange alert levels, or implemented solely in response to the
code-orange alerts. Table 10 provides examples of the protective
measures that federal agencies most commonly reported having in place
for the third code-orange alert period in our review. Results from the
other two code-orange alert periods are consistent with those reported
in the following table for the third code-orange alert period.
Table 10: Protective Measures Most Commonly Reported by Federal
Agencies Responding to Our Questionnaire for the December 21, 2003, to
January 9, 2004, Code-Orange Alert Period:
Protective measures: Implement facility patrols;
Number of federal agencies n = 24[A]:
Number that reported measure: 24;
Number that indicated no change in measure that was already in
place[B]: 3;
Number that enhanced measure that was already in place[C]: 21;
Number that implemented measure for code- orange only[D]: 0.
Protective measures: Activate monitoring systems;
Number of federal agencies n = 24[A]:
Number that reported measure: 24;
Number that indicated no change in measure that was already in
place[B]: 16;
Number that enhanced measure that was already in place[C]: 8;
Number that implemented measure for code- orange only[D]: 0.
Protective measures: Screen mail and deliveries;
Number of federal agencies n = 24[A]:
Number that reported measure: 24;
Number that indicated no change in measure that was already in
place[B]: 12;
Number that enhanced measure that was already in place[C]: 12;
Number that implemented measure for code- orange only[D]: 0.
Protective measures: Screen facility visitors;
Number of federal agencies n = 24[A]:
Number that reported measure: 23;
Number that indicated no change in measure that was already in
place[B]: 12;
Number that enhanced measure that was already in place[C]: 11;
Number that implemented measure for code- orange only[D]: 0.
Protective measures: Activate instrusion detection systems;
Number of federal agencies n = 24[A]:
Number that reported measure: 23;
Number that indicated no change in measure that was already in
place[B]: 19;
Number that enhanced measure that was already in place[C]: 4;
Number that implemented measure for code- orange only[D]: 0.
Protective measures: Escort facility visitors;
Number of federal agencies n = 24[A]:
Number that reported measure: 22;
Number that indicated no change in measure that was already in
place[B]: 10;
Number that enhanced measure that was already in place[C]: 9;
Number that implemented measure for code- orange only[D]: 3.
Protective measures: Ensure that response procedures and plans are up
to date;
Number of federal agencies n = 24[A]:
Number that reported measure: 21;
Number that indicated no change in measure that was already in
place[B]: 4;
Number that enhanced measure that was already in place[C]: 17;
Number that implemented measure for code-orange only[D]: 0.
Protective measures: Conduct emergency response drills and/or
training;
Number of federal agencies n = 24[A]:
Number that reported measure: 20;
Number that indicated no change in measure that was already in
place[B]: 10;
Number that enhanced measure that was already in place[C]: 10;
Number that implemented measure for code-orange only[D]: 0.
Source: GAO analysis of questionnaire data.
[A] One federal agency responding to our questionnaire reported that
it does not implement protective measures because it is located in a
privately owned building and is not responsible for its own security.
Another federal agency did not provide a response to questions related
to the protective measures taken during code-orange alerts due to
security concerns. Thus, these 2 federal agencies are not included in
our analysis of protective measures.
[B] No change in a protective measure indicates that the measure was
already in place prior to the code-orange alert period and continued at
the same level of use or frequency during a code-orange alert.
[C] The enhancement of a measure that was already in place refers to
the increased use of an existing protective measure, such as more
frequent facility security patrols or increased volume of mail
screened.
[D] The implementation of a measure for code-orange only refers to the
use of an additional measure that was not already in place solely to
respond to a code-orange alert.
[End of table]
Table 11 provides examples of the protective measures that states most
commonly reported having in place during the third code-orange alert
period in our review. Results for the other two code-orange alert
periods in our review are similar to those reported in table 11.
Table 11: Protective Measures Most Commonly Reported by States
Responding to Our Questionnaire for the December 21, 2003, to January
9, 2004, Code-Orange Alert Period:
Protective measures: Alert other state, territorial, local and private
sector counterparts;
Number of states n = 40[A]:
Number that reported measure: 38;
Number that indicated no change in measure that was already in
place[B]: 4;
Number that enhanced measure that was already in place[C]: 21;
Number that implemented measure for code- orange only[D]: 13.
Protective measures: Ensure response and communication plans are up to
date;
Number of states n = 40[A]:
Number that reported measure: 36;
Number that indicated no change in measure that was already in
place[B]: 12;
Number that enhanced measure that was already in place[C]: 21;
Number that implemented measure for code-orange only[D]: 3.
Protective measures: Issue recommendations or guidance for protective
measures;
Number of states n = 40[A]:
Number that reported measure: 35;
Number that indicated no change in measure that was already in
place[B]: 2;
Number that enhanced measure that was already in place[C]: 25;
Number that implemented measure for code-orange only[D]: 8.
Protective measures: Implement facility security patrols;
Number of states n = 40[A]:
Number that reported measure: 34;
Number that indicated no change in measure that was already in
place[B]: 3;
Number that enhanced measure that was already in place[C]: 26;
Number that implemented measure for code-orange only[D]: 5.
Protective measures: Place vehicle barriers around facilities;
Number of states n = 40[A]:
Number that reported measure: 31;
Number that indicated no change in measure that was already in
place[B]: 8;
Number that enhanced measure that was already in place[C]: 17;
Number that implemented measure for code-orange only[D]: 6.
Protective measures: Prepare for possible biological, chemical, or
radiological attacks;
Number of states n = 40[A]:
Number that reported measure: 30;
Number that indicated no change in measure that was already in
place[B]: 16;
Number that enhanced measure that was already in place[C]: 13;
Number that implemented measure for code- orange only[D]: 1.
Protective measures: Screen mail and deliveries;
Number of states n = 40[A]:
Number that reported measure: 30;
Number that indicated no change in measure that was already in
place[B]: 19;
Number that enhanced measure that was already in place[C]: 9;
Number that implemented measure for code-orange only[D]: 2.
Protective measures: Restrict parking near facilities;
Number of states n = 40[A]:
Number that reported measure: 30;
Number that indicated no change in measure that was already in
place[B]: 5;
Number that enhanced measure that was already in place[C]: 16;
Number that implemented measure for code-orange only[D]: 9.
Protective measures: Limit number of facility access points;
Number of states n = 40[A]:
Number that reported measure: 30;
Number that indicated no change in measure that was already in
place[B]: 11;
Number that enhanced measure that was already in place[C]: 14;
Number that implemented measure for code-orange only[D]: 5.
Source: GAO analysis of questionnaire data.
[A] Two states responding to our questionnaire did not provide
responses on protective measures they had in place for the three
periods of code-orange alert. Additionally, 1 state reported that it
did not follow the Homeland Security Advisory System. Thus, these 3
states are not included in our analysis on protective measures.
[B] No change in a protective measure indicates that the measure was
already in place prior to the code-orange alert period and continued at
the same level of use or frequency during a code-orange alert.
[C] The enhancement of a measure that was already in place refers to
the increased use of an existing protective measure, such as more
frequent facility security patrols or increased volume of mail
screened.
[D] The implementation of a measure for code-orange only refers to the
use of an additional measure that was not already in place solely to
respond to a code-orange alert.
[End of table]
To ensure that protective measures operate as intended and are
implemented as planned, most of the federal agencies and states
responding to our questionnaires indicated that they had conducted
tests or exercises on the functionality and reliability of protective
measures within the past year. Table 12 provides examples of protective
measures on which federal agencies and states reported conducting
tests and exercises.
Table 12: Number of Federal Agencies and States That Reported
Conducting Tests or Exercises on the Functionality and Reliability of
Protective Measures:
Protective measures: Intrusion detection systems;
Number of federal agencies that reported testing protective measure
n = 25[A]: 25;
Number of states that reported testing protective measure n = 37[B]:
14.
Protective measures: Visitor and employee screening equipment and
procedures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 24;
Number of states that reported testing protective measure n = 37[B]:
22.
Protective measures: Vehicle inspection equipment and procedures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 24;
Number of states that reported testing protective measure n = 37[B]:
23.
Protective measures: Baggage and cargo screening equipment and
procedures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 16;
Number of states that reported testing protective measure n = 37[B]:
14.
Protective measures: Mail and delivery screening procedures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 25;
Number of states that reported testing protective measure n = 37[B]:
23.
Protective measures: Monitoring systems, such as surveillance cameras;
Number of federal agencies that reported testing protective measure
n = 25[A]: 25;
Number of states that reported testing protective measure n = 37[B]:
24.
Protective measures: Continuity of operations measures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 25;
Number of states that reported testing protective measure n = 37[B]:
21.
Protective measures: Emergency response measures;
Number of federal agencies that reported testing protective measure
n = 25[A]: 25;
Number of states that reported testing protective measure n = 37[B]:
32.
Source: GAO analysis of questionnaire data.
[A] One federal agency responding to our questionnaire reported that
it does not implement protective measures because it is located in a
privately owned building and is not responsible for its own security.
Thus, this agency is not included in our analysis of protective
measures tested by federal agencies.
[B] Six states responding to our questionnaire did not provide
responses on the testing of protective measures they had in place for
the three periods of code-orange alert. Thus, these 6 states are not
included in our analysis of protective measures tested by states.
[End of table]
In addition, most of the federal agencies and states responding to our
questionnaires reported receiving confirmation from component
entities, offices, or personnel that protective measures were actually
enhanced or implemented during the three code-orange alert periods.
Table 13 provides examples of the methods by which federal agencies and
states reported receiving confirmation from their component entities,
offices, and personnel, for the code-orange alert period from December
21, 2003, to January 9, 2004. Results for the other two code-orange
alert periods from March 17 to April 16, 2003, and May 20 to 30, 2003,
are consistent with those reported in table 13.
Table 13: Number of Federal Agencies and States That Reported Receiving
Confirmation on the Implementation of Protective Measures through
Various Methods for the Code-Orange Alert Period from December 21,
2003, to January 9, 2004:
Methods of confirmation: Oral notification of protective measures
implementation;
Number of federal agencies that reported receiving confirmation n =
25[A]: 20;
Number of states that reported receiving confirmation n = 41[B]: 35.
Methods of confirmation: Written notification of protective measures
implementation;
Number of federal agencies that reported receiving confirmation n =
25[A]: 18;
Number of states that reported receiving confirmation n = 41[B]: 23.
Methods of confirmation: Inspection of protective measures
implementation;
Number of federal agencies that reported receiving confirmation n =
25[A]: 22;
Number of states that reported receiving confirmation n = 41[B]: 16.
Source: GAO analysis of questionnaire data.
[A] One federal agency responding to our questionnaire reported that
it does not implement protective measures because it is located in a
privately owned building and is not responsible for its own security.
Thus, this agency is not included in our analysis of the confirmation
of protective measures.
[B] One state responding to our questionnaire did not provide responses
on the receipt of confirmation of the implementation of protective
measures. Additionally, 1 state reported that it did not follow the
Homeland Security Advisory System. Thus, these 2 states are not
included in our analysis of the confirmation of protective measures.
[End of table]
[End of section]
Appendix V: Cost Information Provided by Federal Agencies, States, and
Localities:
Cost Information Provided by Federal Agencies:
Table 14: Number of Federal Agencies That Provided Cost Information and
the Type of Cost Information They Provided for Each Code-Orange Alert
Period under Review:
Cost information: Provided code-orange alert cost information;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 21;
May 20 to 30, 2003: 21;
December 21, 2003, to January 9, 2004: 21.
Cost information: * Incurred additional costs;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 16;
May 20 to 30, 2003: 15;
December 21, 2003, to January 9, 2004: 15.
Cost information: * Provided cost estimates;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 13;
May 20 to 30, 2003: 13;
December 21, 2003, to January 9, 2004: 13.
Cost information: * Provided actual costs;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 3;
May 20 to 30, 2003: 2;
December 21, 2003, to January 9, 2004: 2.
Cost information: * Provided costs for immediately preceding code-
yellow alert period;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 12;
May 20 to 30, 2003: 11;
December 21, 2003, to January 9, 2004: 11.
Cost information: * Did not incur additional costs;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 5;
May 20 to 30, 2003: 6;
December 21, 2003, to January 9, 2004: 6.
Cost information: Did not provide code-orange alert cost information;
Number of federal agencies n = 26:
March 17 to April 16, 2003: 5;
May 20 to 30, 2003: 5;
December 21, 2003, to January 9, 2004: 5.
Source: GAO analysis of questionnaire data.
[End of table]
For each code-orange alert period, the federal agencies that reported
incurring additional costs generally provided cost estimates. Many of
these agencies reported using similar methods to develop their
estimates. For example, 8 of these agencies reported using the
additional hours accumulated by security personnel during code-orange
alerts and the hourly rates of security personnel to develop estimates
for additional personnel costs incurred during code-orange alerts. The
majority of additional costs reported by federal agencies are personnel
costs. One federal agency indicated that it provided cost estimates
rather than actual costs for the code-orange alert periods because,
given the short durations of the code-orange alerts and the changes
required to track these limited costs in the accounting system, it was
more efficient to utilize security cost estimates.
Six federal agencies that provided cost information extracted at least
some of their cost data from their agencies' financial accounting
systems. However, as reported in the fiscal year 2005 President's
Budget, 5 of these agencies' financial management performance had
serious flaws as of December 31, 2003. Thus, we have concerns regarding
the accuracy of the cost information these 5 agencies provided to us.
Agencies that did not provide cost information indicated that either
they did not track additional code-orange alert costs or they did not
have the capability to separate additional code-orange alert costs from
their total annual security-related costs.
Cost Information Provided by States:
In our questionnaire, we asked states to provide information on
additional costs incurred by the state during the three code-orange
alert periods in our review. However, of the 42 states that responded
to our questionnaire and follow the Homeland Security Advisory System,
only 6 reported additional costs incurred by state agencies during at
least one of the three code-orange alerts in our review. Therefore, we
did not collect sufficient cost information from our questionnaire to
provide ranges or assess general trends in costs incurred by states
during code-orange alert periods.
Twenty-two of the 42 states that responded to our questionnaire and
follow the Homeland Security Advisory System provided us with cost
information they submitted to DHS in order to be reimbursed for state
and local critical infrastructure protection costs through the State
Homeland Security Grant Program - Part II and the Urban Areas Security
Initiative - Part II. As discussed previously in this report, through
these two grant programs, DHS offered financial assistance to reimburse
costs incurred by state agencies and localities as a result of
increased security measures at critical infrastructure sites during the
period of hostilities with Iraq and for other periods of heightened
alert. We obtained this critical infrastructure protection cost
information from DHS for 40 states and their localities for the March
17 to April 16, 2003, and May 20 to 30, 2003, code-orange alert periods
and for 33 states and their localities for the December 21, 2003, to
January 9, 2004, code-orange alert period. However, this cost
information does not represent all additional costs incurred by states
and localities during code-orange alert periods.
Cost Information Provided by Localities:
We also received information on additional code-orange alert costs from
14 select metropolitan and rural localities. However, information on
localities' costs is most appropriately used anecdotally, as these
cities and counties represent a small, nonprobability sample of
localities within the United States.
The rural localities from which we obtained information indicated that
they did not incur additional costs for any of the code-orange alert
periods because they did not take significant action in response to the
alert. These localities explained that they had insufficient resources
to do so or did not perceive their localities to be at risk.
[End of section]
Appendix VI: Acknowledgment of Agency and Government Contributors:
We would like to acknowledge the time and effort made by agencies and
governments that provided information by responding to questionnaires
and talked with us during site visits.
Federal Agencies:
Department of Agriculture:
Department of Commerce:
Department of Education:
Department of Energy:
Department of Health and Human Services:
Department of Homeland Security:
Department of Housing and Urban Development:
Department of the Interior:
Department of Justice:
Department of Labor:
Department of State:
Department of Transportation:
Department of the Treasury:
Department of Veterans Affairs:
Corporation for National and Community Service:
Environmental Protection Agency:
Federal Communications Commission:
General Services Administration:
National Aeronautics and Space Administration:
National Archives and Records Administration:
National Science Foundation:
Nuclear Regulatory Commission:
Small Business Administration:
Smithsonian Institution:
Social Security Administration:
United States Holocaust Memorial Museum:
States and Territories:
Alabama:
Alaska:
Arizona:
Arkansas:
Connecticut:
Delaware:
Florida:
Georgia:
Idaho:
Illinois:
Iowa:
Kansas:
Kentucky:
Louisiana:
Maine:
Massachusetts:
Michigan:
Minnesota:
Mississippi:
Missouri:
Montana:
Nebraska:
New Hampshire:
New Jersey:
New Mexico:
New York:
North Carolina:
North Dakota:
Ohio:
Oklahoma:
Pennsylvania:
South Carolina:
South Dakota:
Tennessee:
Texas:
Utah:
Vermont:
Washington:
West Virginia:
Wisconsin:
Wyoming:
Guam:
Puerto Rico:
Localities:
Atlanta, Ga.:
Fulton County, Ga.:
Denver, Colo.:
Douglas County, Colo.:
Colorado Springs, Colo.:
Portland, Ore.:
Wasco County, Ore.:
Boston, Mass.:
Fitchburg, Mass.:
Norfolk, Va.:
Chicago, Ill.:
Cook County, Ill.:
Mankato, Minn.:
Helena, Mont.:
San Jose, Calif.:
Rock Springs, Wyo.: [Footnote 53]
[End of section]
Appendix VII: Federal Agency Questionnaire:
[See PDF for image]
[End of figure]
[End of section]
Appendix VIII: State and Territory Questionnaire:
[See PDF for image]
[End of figure]
[End of section]
Appendix IX: Agency Comments:
U.S. Department of Homeland Security:
Washington, DC 20528:
Homeland Security:
June 8, 2004:
William O. Jenkins, Jr.
Director, Homeland Security and Justice Issues:
United States General Accounting Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Jenkins:
Thank you for the opportunity to review and comment on the GAO Draft
Report, "Homeland Security: Communication Protocols and Risk
Communication Principles Can Assist in Refining the Advisory System
(GAO-04-682). We concur with the purpose of the report and generally
concur with its contents. We fully agree that the provision of accurate
and timely threat information is critical to the nation's security.
Your report effectively discusses many of the important issues
in this area and will be of great value.
While the report carefully notes when only one state or a particular
entity reported or observed something, there are instances where the
report uses the term "one state" or "one locality" as an example (as
noted in the critical asset discussion for Liberty Shield). This could
be misleading to some readers who might not look carefully and jump to
the conclusion that one particular point of view is an accurate
characterization of the whole.
With respect to the two recommendations, we concur subject to the
comments provided:
Recommendation 1: The Under Secretary for Information Analysis and
Infrastructure Protection should document communication protocols for
notifying federal agencies and states of changes in the national threat
level and for providing guidance and threat information to these
entities, including methods and time periods for sharing information,
to better manage these entities' expectations regarding the methods,
timing, and content of information shared.
Response: Concur. I am pleased to report that the Department is moving
forward and making significant progress in developing a thoughtfu and
balanced approach to documenting these protocols. Communication
protocols must provide clear guidance to federal agencies and states.
However, the Department must also retain provide appropriate
flexibility in adapting threat communications to a variety of
circumstances. The Department is moving deliberately to create such
flexible communications protocols and continues to work with federal
agencies and states in refining these protocols.
Recommendation 2: The Under Secretary for Information Analysis and
Infrastructure Protection should incorporate risk communication
principles into the Homeland Security Advisory System to assist in
determining and documenting information to provide to federal
agencies and states, including, to the extent possible, information on
the nature, location, and time periods of threats and guidance on
protective measures to take in response to those threats.
Response: Concur. The Department is also committed to incorporating
appropriate risk communications principles and procedures when we
develop our written communications protocols, As the report notes, the
cited risk communication procedures have primarily been
developed in response to threats such as severe weather, traffic
situations, and hazardous materials contamination. The report implies,
and we fully agree, that terrorist threats are substantially different
in nature and as such full application of the risk communication
principles will be somewhat problematic in many situations, For
example, it will be rare that we ever have the degree of specificity in
threat information that we or the receiving audience would prefer.
Additionally, we have forwarded a number of technical comments, under
separate cover, which we believe will add value to and improve the
accuracy of this report.
We look forward to receiving your final report. If you or your staff
have any questions or need additional information, contact John Daley
at 202-282-8381.
Sincerely,
Signed by:
Anna F. Dixon:
Director, Bank card Programs and GAO/OIG Liaison:
[End of section]
Appendix X: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
William O. Jenkins, Jr. (202) 512-8777 Debra B. Sebastian (202) 512-
9385:
Staff Acknowledgments:
In addition to the individuals named above, David P. Alexander,
Fredrick D. Berry, Nancy A. Briggs, Kristy N. Brown, Philip D. Caramia,
Christine F. Davis, Michele Fejfar, Rebecca Gambler, Catherine M.
Hurley, Gladys Toro, Jonathan R. Tumin, Tamika S. Weerasingha, and
Kathryn G. Young made key contributions to this report.
[End of section]
Bibliography:
Dory, Amanda. "American Civil Security: The U.S. Public and Homeland
Security." The Washington Quarterly, vol. 27, no. 1 (2003-2004) 37-52.
Fischoff, Baruch. "Assessing and Communicating the Risks of Terrorism."
Science and Technology in a Vulnerable World. eds. Albert H. Teich,
Stephen D. Nelson, and Stephen J. Lita. Washington, D.C.: American
Association for the Advancement of Science, 2003: 51-64.
Fischoff, Baruch, Roxana M. Gonzalez, Deborah A. Small, and Jennifer S.
Lerner. "Evaluating the Success of Terror Risk Communications."
Biosecurity and Bioterrorism: Biodenfense Strategy, Practice, and
Science, vol. 1, no. 4 (2003) 255-258.
Gray, George M., and David P. Ropeik. "Dealing with the Dangers of
Fear: The Role of Risk Communication." Health Affairs, vol. 21, no. 6
(2002) 106-116.
Mileti, Dennis S., and John H. Sorensen. Communication of Emergency
Public Warnings: A Social Science Perspective and State-of-the-Art
Assessment, a report prepared for the Federal Emergency Management
Agency, August 1990.
Mitchell, Charles, and Chris Decker. "Apply Risk-Based Decision-Making
Methods and Tools to U.S. Navy Antiterrorism Capabilities." Journal of
Homeland Security. February 2004.
National Research Council. Improving Risk Communication. Washington,
D.C.: National Academy Press, 1989.
Partnership for Public Warning. A National Strategy for Integrated
Public Warning Policy and Capability. McLean, VA: May 16, 2003.
Partnership for Public Warning. Developing a Unified All-Hazard Public
Warning System. Emmitsburg, MD: Nov. 25, 2002.
Ropeik, David, and Paul Slovic. "Risk Communication: A Neglected Tool
in Protecting Public Health." Risk in Perspective, vol. 11, no. 2
(2003) 1-4.
(440224):
FOOTNOTES
[1] According to the National Research Council, risk communication is
the exchange of information among individuals and groups regarding the
nature of risk, reactions to risk messages, and legal and institutional
approaches to risk management.
[2] See U.S. General Accounting Office, Homeland Security: Risk
Communication Principles May Assist in Refinement of the Homeland
Security Advisory System, GAO-04-538T (Washington, D.C.: Mar. 16,
2004).
[3] Office of Management and Budget, 2003 Report to Congress on
Combating Terrorism (Washington, D.C.: September 2003).
[4] One state for which we received a questionnaire response indicated
that it did not follow the Homeland Security Advisory System. We
analyzed questionnaire responses for the other 42 states that indicated
they followed the Homeland Security Advisory System.
[5] P.L. 101-576 (Nov. 15, 1990). Three of the federal agencies to
which we sent a questionnaire are Chief Financial Officers Act agencies
but did not report receiving homeland security funding in fiscal year
2003 to the Office of Management and Budget. We sent our questionnaire
to these three federal agencies to include all Chief Financial Officers
Act agencies in our review, and thus these 28 federal agencies
accounted for about 91 percent of total nondefense gross federal
obligations for fiscal year 2003.
[6] The 12 localities are Atlanta and Fulton County, Georgia; Denver,
Colorado Springs, and Douglas County, Colorado; Norfolk, Virginia;
Portland and Wasco County, Oregon; Chicago and Cook County, Illinois;
and Boston and Fitchburg, Massachusetts.
[7] We selected the 12 localities based on a mix of these criteria. For
example, 5 of the localities we selected received urban areas grants
from DHS, while 7 did not. Nine of the localities we visited were in
metropolitan areas, while 3 were not.
[8] The 8 localities are Helena, Montana; Mankato, Minnesota; Rock
Springs, Wyoming; San Jose, California; Miami/Dade County, Florida;
Seattle, Washington; Jamestown, North Dakota; and New York City, New
York.
[9] One of the localities from which we received a questionnaire
response indicated that it did not follow the Homeland Security
Advisory System. We analyzed questionnaire responses for the other 3
localities that indicated following the Homeland Security Advisory
System.
[10] Members of the Homeland Security Council include the President;
the Vice President; the Secretaries of Defense, Health and Human
Services, Homeland Security, Transportation, and the Treasury; the
Attorney General; the Director of the Federal Emergency Management
Agency; the Director of the Federal Bureau of Investigation; the
Director of Central Intelligence; and the Assistant to the President
for Homeland Security.
[11] We calculated the additional code-orange alert costs for the March
17 to April 16, 2003, and May 20 to 30, 2003, code-orange alert periods
as a percentage of agencies' fiscal year 2003 homeland security funding
because these are the only two code-orange alert periods in our review
that occurred during fiscal year 2003.
[12] Typically, there are indirect costs associated with redirection of
resources from one agency function to another. Federal agencies
responding to our questionnaire were not able to quantify such indirect
costs. However, they provided examples of redirection of resources that
may have caused them to incur such costs.
[13] The Homeland Security Advisory System does not directly apply to
the armed forces, including their military facilities. Rather, the
Department of Defense's Force Protection Condition system rates threats
and sets specific measures for military facilities.
[14] DHS components and offices collaborate and share responsibility
for notifying federal agencies, states, localities, the private sector,
and the public of changes in the national threat level.
[15] P.L. 107-296, Sec. 201(d)(7).
[16] According to HSPD-3, threat levels may be assigned for the entire
nation, or they may be set for a particular geographic area or
industrial sector.
[17] DHS's Homeland Security Operations Center and its IAIP Directorate
monitor threats and conduct information assessments on a daily basis.
The Center is comprised of representatives from DHS component entities,
other federal agencies, and local law enforcement agencies.
[18] The Terrorist Threat Integration Center is responsible for
analyzing and sharing terrorist-related information that is collected
domestically and abroad. It is an interagency joint venture that is
comprised of elements of DHS, the FBI's Counterterrorism Division, the
Director of Central Intelligence Counterterrorist Center, the
Department of Defense, and other agencies.
[19] Under HSPD-5, the Secretary can change the national threat level
without consulting other Homeland Security Council members in exigent
circumstances. However, DHS officials told us that this did not occur
for any of the code-orange alert periods in our review.
[20] DHS also issues threat advisories and information bulletins that
provide general information to the public about indicators of possible
terrorist attacks.
[21] See U.S. General Accounting Office, Standards for Internal Control
in the Federal Government, GAO/AIMD-00.21.3.1 (Washington, D.C.:
November 1999).
[22] Public warning systems in the weather and health sectors provide
information to citizens that allow them to determine their actions to
respond to threats. For example, for severe storms, the National
Weather Service and the mass media attempt to alert the public in
advance when they might pose a hazard to public safety. Similarly, the
CDC developed a nationwide reporting system that seeks to detect
emerging epidemics and then to warn the public about the nature of the
health threat.
[23] DHS officials told us that they are currently studying the impact
that public announcement of changes in the national threat level may
have on terrorist planning, targeting decisions, and attack execution.
[24] The Federal Protective Service became part of DHS upon creation of
the department in March 2003. Its overall mission is to provide law
enforcement and security services to over one million tenants and daily
visitors to all federally owned and leased facilities nationwide. FPS
protection services focus directly on the interior security of the
nation's facilities and the reduction of crimes and potential threats
in federal facilities throughout the nation.
[25] We did not ask DHS questions about how it first learned about
changes in the national threat level. One other federal agency did not
respond to our questions on how federal agencies first learned about
changes in the national threat level. Thus, these 2 federal agencies
are not included in our analysis of how federal agencies first learned
about national threat level changes.
[26] Two states did not provide responses to our questions on how
states first learned about changes in the national threat level.
Additionally, 1 state reported that it does not follow the Homeland
Security Advisory System. Thus, these 3 states are not included in our
analysis of how states first learned about national threat level
changes.
[27] Please see appendix III for information on guidance and
information and intelligence federal agencies and states reported using
from sources other than DHS to determine protective measures to take
for the three code-orange alert periods.
[28] One federal agency responding to our questionnaire reported that
it did not implement protective measures because it is located in a
privately owned building and is not responsible for its own security.
Another federal agency did not provide a response to questions related
to the protective measures taken during code-orange alerts due to
security concerns. Thus, these 2 agencies are not included in our
analysis of protective measures.
[29] Of the 43 states responding to our questionnaire, 1 reported that
it did not follow the Homeland Security Advisory System and 2 did not
provide responses to questions related to protective measures taken
during code-orange alerts. Thus, these 3 states are not included in our
analysis of protective measures.
[30] Operation Liberty Shield was a comprehensive plan to increase
protection for U.S. citizens and critical infrastructure assets during
the war with Iraq in March and April 2003. For example, this plan
included increased security measures at U.S. borders and enhanced
protection for the transportation system.
[31] Five federal agencies reported that they did not incur any
additional costs during the March 17 to April 16, 2003, code-orange
alert period.
[32] Six federal agencies reported that they did not incur any
additional costs during the May 20 to 30, 2003, and December 21, 2003,
to January 9, 2004, code-orange alert periods. One of these 6 agencies
did incur additional costs for the March 17 to April 16, 2003, code-
orange alert period.
[33] According to a Center for Strategic and International Studies
press release, the estimate cited by its Director is solely the view of
the Director and not that of the Center.
[34] The SHSGP II guidelines define critical infrastructure as any
system or asset that if attacked would result in catastrophic loss of
life and/or catastrophic economic loss. Some examples of critical
infrastructure are public water systems serving large population
centers and nuclear power plants.
[35] SHSGP II also made $1.3 billion available for first responder
preparedness to supplement funding received by first responders through
the fiscal year 2003 State Homeland Security Grant Program.
[36] For the December 21, 2003, to January 9, 2004, code-orange alert
period, DHS informed states that SHSGP II funds could also be used to
reimburse costs incurred by states and localities for staffing their
emergency operations centers for this, as well as previous, code-orange
alert periods.
[37] Only 25 percent of UASI II funding can be used by localities to
reimburse additional costs incurred during code-orange alert periods.
[38] According to SHSGP II and UASI II program guidelines, recipients
that expend $300,000 or more of federal funds during their fiscal year
are required to submit a statewide financial and compliance audit
report. The audit must be performed in accordance with the U.S. General
Accounting Office's Government Auditing Standards and OMB Circular A-
133.
[39] U.S. Conference of Mayors, "Survey On Cities' Direct Homeland
Security Cost Increases Related to War/High Threat Alert," Mar. 27,
2003.
[40] Center for Strategic and International Studies, Orange Threat
Alert: Cost, Burden of Raising Level Signals Serious Concern by
Administration (Washington, D.C.: Dec. 21, 2003).
[41] DHS was not formally established until March 1, 2003. Thus, we did
not include DHS in our analysis of federal agencies with threat
advisory systems in place prior to the creation of the Homeland
Security Advisory System.
[42] Operational control of U.S. combat forces is assigned to the
nation's Unified Combatant Commands. A Unified Combatant Command is
composed of forces from two or more military services, has a broad and
continuing mission, and is normally organized on a geographical basis.
There are currently nine Unified Combatant Commands.
[43] One state did not respond to our questions about whether it
currently followed the Homeland Security Advisory System or its own
state advisory system, or whether it had established a state advisory
system prior to the Homeland Security Advisory System. We contacted
this state and determined that it currently follows the Homeland
Security Advisory System, as well as its own state system that does not
conform to the Homeland Security Advisory System and was implemented
prior to the Homeland Security Advisory System. Therefore, this state
is included in our analysis of the questionnaire responses in this
section.
[44] This four-level system replaced a three-level system that had been
in use since 1978.
[45] We sent DHS a modified version of the questionnaire we sent to the
other 27 federal agencies.We sent DHS a modified questionnaire because
some of the questions included in the questionnaire sent to the other
27 federal agencies did not apply to DHS. For example, we asked the
other federal agencies to indicate the methods by which they received
notification of changes in the national threat level from DHS.
[46] We sent the questionnaire to all Chief Financial Officers Act
agencies except DOD. Although DOD is a Chief Financial Officers Act
agency and, along with the Army Corps of Engineers-Civil Works,
reported homeland security funding for fiscal year 2003, we did not
send the questionnaire to these agencies because these agencies and
their component entities do not follow the Homeland Security Advisory
System.
[47] See appendix VI for a list of federal agencies that responded to
our questionnaire. We did not receive questionnaire responses from 2
federal agencies in time to include their responses in the report. The
2 federal agencies were the Office of Personnel Management and U.S.
Agency for International Development. Of the other 26 federal agencies,
24 provided one questionnaire response for the entire agency. The
Department of Justice and DHS provided questionnaire responses for
their component entities. For these 2 agencies, we consolidated their
component entities' responses into one response for the entire agency.
In most cases, we did this by identifying the responses most often
selected by the component entities.
[48] We did not receive questionnaire responses from 13 states in time
to include their responses in the report. The 13 states were
California, Colorado, the District of Columbia, Hawaii, Indiana,
Maryland, Neveda, Oregon, Rhode Island, Virginia, American Samoa,
Northern Mariana Islands, and the U.S. Virgin Islands. One state for
which we received a questionnaire response indicated that it did not
follow the Homeland Security Advisory System. We analyzed questionnaire
responses for the other 42 states that indicated following the Homeland
Security Advivory System.
[49] The Urban Areas Security Initiative grants are awarded based on a
combination of current threat estimates, critical assets within the
urban area, and population density.
[50] We did not receive responses from Miami/Dade County, Florida;
Seattle, Washington; Jamestown, North Dakota; and New York City, New
York.
[51] We also contacted officials from France and Israel, but did not
receive information from these officials in sufficient time to include
the information in the report.
[52] Department of Justice, Vunerability Assessment of Federal
Facilities (Washington, D.C.: June 28, 1995). The Department of Justice
developed the assessment in consultation with the General Services
Administration, the Department of Defense, the Secret Service, the
Department of State, the Social Security Administration, and the
Administrative Office of the U.S. Courts.
[53] In addition to the federal agencies listed, we sent questionnaires
to the Agency for International Development and the Office of Personnel
Management. Also, in addition to the states and territories listed, we
sent questionnaires to California, Colorado, the District of Columbia,
Hawaii, Indiana, Maryland, Nevada, Oregon, Rhode Island, Virginia,
American Samoa, Northern Mariana Islands, and the U.S. Virgin Islands.
We also sent questionnaires to Miami/Dade County, Florida; Seattle,
Washington; Jamestown, North Dakota; and New York City, New York.
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: