Homeland Security
Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention Gao ID: GAO-05-170 January 14, 2005Seaports are a critical vulnerability in the nation's defense against terrorism. They are potential entry points for bombs or other devices smuggled into cargo ships and ports' often-sprawling nature presents many potential targets for attack. To assess the response procedures that would be implemented in an attack or security incident, officials conduct port-specific exercises. Many federal, state, and local agencies may potentially be involved. The Coast Guard has primary responsibility for coordinating these exercises and analyzing the results. GAO examined (1) the emerging framework for coordinating entities involved in security responses, (2) legal and operational issues emerging from exercises conducted to date, and (3) Coast Guard management of reports analyzing exercises. GAO reviewed reports on 82 exercises from fiscal year 2004 and observed 4 exercises as they were being conducted.
The framework under which federal agencies would manage a port-terrorism incident is still evolving. The primary guidance for response, the National Response Plan, is in the final stages of approval, and the National Incident Management System, the structure for multiagency coordination, is still being put in place. As a result, it is too early to determine how well the complete framework will function in an actual incident. GAO's review of fiscal year 2004 terrorism-related reports and exercises identified relatively few legal issues, and none of these issues produced recommendations for statutory changes. Most issues have instead been operational in nature and have surfaced in nearly every exercise. They are of four main types: difficulties in sharing or accessing information, inadequate coordination of resources, difficulties in coordinating effectively in a command and control environment, and lack of knowledge about who has jurisdictional or decision-making authority. Reports on the exercises often do not meet the Coast Guard's standards for timeliness or completeness. Sixty-one percent of the reports were not submitted within 60 days of completing the exercise--the Coast Guard standard. The Coast Guard has implemented a new system for tracking the reports, but after a year of use, timeliness remains a concern. The Coast Guard has requirements for what the reports should contain, but 18 percent of the reports did not meet the requirement to assess each objective of the exercise. The Coast Guard has cited several planned actions that may allow for improving completeness. These actions are still in development, and it is too early to determine how much they will help.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-05-170, Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention
This is the accessible text file for GAO report number GAO-05-170
entitled 'Homeland Security: Process for Reporting Lessons Learned from
Seaport Exercises Needs Further Attention' which was released on
February 16, 2005.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
January 2005:
Homeland Security:
Process for Reporting Lessons Learned from Seaport Exercises Needs
Further Attention:
GAO-05-170:
GAO Highlights:
Highlights of GAO-05-170, a report to congressional requesters
Why GAO Did This Study:
Seaports are a critical vulnerability in the nation‘s defense against
terrorism. They are potential entry points for bombs or other devices
smuggled into cargo ships and ports‘ often-sprawling nature presents
many potential targets for attack. To assess the response procedures
that would be implemented in an attack or security incident, officials
conduct port-specific exercises. Many federal, state, and local
agencies may potentially be involved. The Coast Guard has primary
responsibility for coordinating these exercises and analyzing the
results.
GAO examined (1) the emerging framework for coordinating entities
involved in security responses, (2) legal and operational issues
emerging from exercises conducted to date, and (3) Coast Guard
management of reports analyzing exercises. GAO reviewed reports on 82
exercises from fiscal year 2004 and observed 4 exercises as they were
being conducted.
What GAO Found:
The framework under which federal agencies would manage a port-
terrorism incident is still evolving. The primary guidance for
response, the National Response Plan, is in the final stages of
approval, and the National Incident Management System, the structure
for multiagency coordination, is still being put in place. As a result,
it is too early to determine how well the complete framework will
function in an actual incident.
GAO‘s review of fiscal year 2004 terrorism-related reports and
exercises identified relatively few legal issues, and none of these
issues produced recommendations for statutory changes. Most issues have
instead been operational in nature and have surfaced in nearly every
exercise. They are of four main types: difficulties in sharing or
accessing information, inadequate coordination of resources,
difficulties in coordinating effectively in a command and control
environment, and lack of knowledge about who has jurisdictional or
decision-making authority.
Reports on the exercises often do not meet the Coast Guard‘s standards
for timeliness or completeness. Sixty-one percent of the reports were
not submitted within 60 days of completing the exercise”the Coast Guard
standard. The Coast Guard has implemented a new system for tracking the
reports, but after a year of use, timeliness remains a concern. The
Coast Guard has requirements for what the reports should contain, but
18 percent of the reports did not meet the requirement to assess each
objective of the exercise. The Coast Guard has cited several planned
actions that may allow for improving completeness. These actions are
still in development, and it is too early to determine how much they
will help.
Port Terrorism Exercise Conducted at the Port of Los Angeles/Long
Beach:
[See PDF for image]
[End of figure]
What GAO Recommends:
To help ensure reports on terrorism-related exercises are submitted in
a timely manner that complies with all Coast Guard requirements, the
Commandant of the Coast Guard should review the Coast Guard‘s actions
for ensuring timeliness and determine if further actions are needed.
The Coast Guard generally concurred with GAO‘s findings and this
recommendation.
www.gao.gov/cgi-bin/getrpt?GAO-05-170.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Margaret Wrightson at
(415) 904-2200 or WrightsonM@gao.gov.
[End of section]
Contents:
Letter:
Background:
Results:
Conclusions:
Recommendation for Executive Action:
Agency Comments:
Appendix I: Briefing on Legal and Operational Issues Identified from
U.S. Port Terrorism Exercises:
Appendix II: Objectives, Scope, and Methodology:
Abbreviations:
AAR: after-action reports:
CGCoast Guard:
CONPLAN: Interagency Domestic Concept of Operations Plan:
CPS: Contingency Preparedness System:
DHS: Department of Homeland Security:
DOD: Department of Defense:
DOJ: Department of Justice:
FAA: Federal Aviation Administration:
FEMA: Federal Emergency Management Agency:
FBI: Federal Bureau of Investigation:
FRERP: Federal Radiological Emergency Response Plan:
FRP: Federal Response Plan:
HSPD-5: Homeland Security Presidential Directive-5:
ICS: Incident Command Structure:
INRP: Initial National Response Plan:
NCP: National Contingency Plan:
NIMS: National Incident Management System:
NRP: National Response Plan:
United States Government Accountability Office:
Washington, DC 20548:
January 14, 2005:
The Honorable Bennie G. Thompson:
Ranking Minority Member:
Committee on Homeland Security:
House of Representatives:
The Honorable Robert E. Andrews:
House of Representatives:
Seaports have emerged as a critical vulnerability in the nation's
defense against terrorism. More than 95 percent of the nation's
overseas trade passes through these ports, and the nation's economy is
highly dependent on an efficient transfer of goods flowing into and out
of these gateways. Seaports are vulnerable entry points for bombs or
other devices smuggled into cargo ships, and ports' often-sprawling
nature presents many potential targets for attack. But, the
repercussions of such an attack go far beyond the port immediately
affected; an attack at one port could disrupt the broader flow of
goods, creating economic consequences in the billions of dollars.
In the wake of the terrorist attacks of September 11, 2001, law
enforcement and other agencies have become more aware of the threats to
America's strategic targets and have taken steps to make ports more
secure. To assess coordination and response procedures that would be
implemented in the event of a terrorist attack, officials in U.S. ports
have conducted exercises that simulate a potential threat, attack, or
incident. These exercises have addressed such scenarios as the
explosion of a "dirty bomb" that releases radioactive materials,
threats of an approaching ship that may have a bomb or other hazardous
material aboard, or disruptive attacks on critical infrastructure or
specific facilities within a port. In fiscal year 2004, the United
States Coast Guard, which is the Department of Homeland Security agency
with primary responsibility for port security, conducted 85 port-based
terrorism exercises.
Responding effectively in such exercise scenarios can be difficult.
Depending on the nature of the incident and the particular port
involved, dozens of federal, state, and local agencies may be involved.
The incident may also require close coordination across many
jurisdictions, raising issues about who has authority or how agency
personnel can communicate effectively when they have different chains
of command, operating procedures, and equipment. After these exercises
are conducted, the Coast Guard requires that the unit participating in
the exercise submit an "after-action" report describing the results and
highlighting any lessons learned. These reports are approved for
content and lessons learned by the commanding officer of that unit.
Upon approval, each report is electronically transmitted to Coast Guard
headquarters for inclusion in a master exercise database. Analysis of
these reports presents an opportunity to identify potential barriers to
an effective response during an actual threat or incident. These
reports can also provide valuable input for future exercises conducted
by the Coast Guard or other agencies.
You asked that we examine what has been learned to date in the nation's
attempts to use such exercises to coordinate effective port security
procedures. Our specific objectives were to (1) describe the emerging
framework under which the federal government coordinates with state and
local entities to address a terrorist incident in a U.S. port; (2)
identify the issues, if any, regarding federal agencies' legal
authority that have emerged from port security exercises and what
statutory actions might address them; (3) describe the types of
operational issues being identified through these exercises; and (4)
identify any management issues related to Coast Guard-developed after-
action reports. On December 8, 2004, we briefed your offices on the
results of our work. Appendix I contains the briefing slides we
presented at that meeting.[Footnote 1]
Our description of the emerging framework for coordinating an effective
response to a terrorist incident is based on our review of statutes,
regulations, directives, plans, and agency guidance, as well as
interviews with officials from various agencies at the federal, state,
and local levels. Our analysis of statutory and operational issues
arising from exercises is based on a review of 82 Coast Guard after-
action reports on terrorism-related exercises conducted at U.S. ports
in fiscal year 2004.[Footnote 2] In addition, to obtain a more in-depth
understanding of exercise issues, we attended four exercises at various
locations around the country. Our evaluation of management issues
related to Coast Guard after-action reports included interviews with
officials at Coast Guard headquarters and in the field, analysis of
Coast Guard and Department of Homeland Security guidance, and reliance
on our prior work related to managing and evaluating exercises. While
our audit work allowed us to review a large number of exercises for
potential legal and operational issues, our analysis is limited to the
degree that, (1) for most exercises, we had to rely on Coast-Guard-
developed after-action reports rather than direct observation and (2)
the scope of the exercises themselves was designed around specific plan
elements and subject to resource constraints. Appendix II describes our
scope and methodology in more detail. We conducted our work from June
to December 2004 in accordance with generally accepted government
auditing standards.
Background:
On November 25, 2002, the President signed into law the Homeland
Security Act,[Footnote 3] which created the new federal Department of
Homeland Security, and the Maritime Transportation Security
Act,[Footnote 4] which created a consistent security program
specifically for the nation's seaports. Since that time, and in keeping
with the provisions of these new laws, the federal government has been
developing a variety of new national policies and procedures for
improving the nation's response to domestic emergencies. These policies
and procedures are designed to work together to provide a cohesive
framework for preparing for, responding to, and recovering from
domestic incidents.
A key element of this new response framework is the use of exercises to
test and evaluate federal agencies' policies and procedures, response
capabilities, and skill levels. The Coast Guard has primary
responsibility for such testing and evaluation in the nation's ports
and waterways, and as part of its response, it has added multiagency
and multicontingency terrorism exercises to its training program. These
exercises vary in size and scope and are designed to test specific
aspects of the Coast Guard's terrorism response plans, such as
communicating with state and local responders, raising maritime
security levels, or responding to incidents within the port. For each
exercise the Coast Guard conducts, an after-action report detailing the
objectives, participants, and lessons learned must be produced within
60 days.
Results:
Coordination Framework Is Still Evolving:
The framework under which federal agencies would coordinate with state
and local entities to manage a port-terrorism incident is still
evolving. As directed by Homeland Security Presidential Directive/HSPD-
5, issued in February 2003, this framework is designed to address all
types of responses to national emergencies, not just port-related
events. Key elements of the framework have been released over the past
2 years. For example, the Department of Homeland Security released the
Interim National Response Plan in September 2003 and was in the final
approval stage for a more comprehensive National Response Plan in
November 2004, as our work was drawing to a close. DHS announced the
completion of the National Response Plan on January 6, 2005, too late
for a substantive review to be included in this report. However, the
finalized plan is designed to be the primary operational guidance for
incident management and, when fully implemented, will incorporate or
supersede existing federal interagency response plans. According to the
updated implementation schedule in the National Response Plan, federal
agencies will have up to 120 days to bring their existing plans,
protocols, and training into accordance with the new plan. In March
2004, the department also put in place a system, called the National
Incident Management System, which requires common principles,
structures, and terminology for incident management and multiagency
coordination. Although the framework that will be brought about by the
final plan, the management system, and other actions is still in the
implementation phase, some of the protocols and procedures contained in
this framework were already evident at the port exercises we observed.
However, it is still too early to determine how well the complete
framework will function in coordinating an effective response to a
port-related threat or incident.
Exercises Identified Few Legal Issues:
Port security exercises have identified relatively few issues related
to federal agencies' legal authority, and none of these issues were
statutory problems according to exercise participants and agency
officials. Our review of fiscal year 2004 after-action reports and
observation of specific exercises showed that exercise participants
encountered seven legal issues, but exercise participants and agency
officials we interviewed did not recommend statutory changes to address
these issues. In three instances, exercise participants made
nonstatutory recommendations (such as policy clarifications) to assist
agencies in better exercising their authority, but did not question the
adequacy of that authority. In the other four instances, no
recommendations were made either because statutory authority was deemed
sufficient or, in one case, because the issue involved a constitutional
restraint (i.e., under the Fourth Amendment, police are prohibited from
detaining passengers not suspected of terrorism).
While the exercises were conducted to examine a wide range of issues
and not specifically to identify gaps in agencies' legal authority, the
results of the exercises are consistent with the information provided
by agency officials we interviewed, who indicated that sufficient
statutory authority exists to respond to a terrorist attack at a
seaport. Moreover, when Department of Homeland Security officials
reviewed the issue of statutory authority, as required by Homeland
Security Presidential Directive/HSPD-5, they concluded that federal
agencies had sufficient authority to implement the National Response
Plan and that any implementation issues could be addressed by
nonstatutory means, such as better coordination mechanisms.
Exercises Identified Four Main Types of Operational Issues:
Most of the issues identified in port security exercises have been
operational rather than legal in nature. Such issues appeared in most
after-action reports we reviewed and in all four of the exercises we
observed. While such issues are indications that improvements are
needed, it should be pointed out that the primary purpose of the
exercises is to identify matters that need attention and that surfacing
problems is therefore a desirable outcome, not an undesirable one. The
operational issues can be divided into four main categories, listed in
descending order of frequency with which they were reported:
* Communication--59 percent of the exercises raised communication
issues, including problems with interoperable radio communications
among first responders, failure to adequately share information across
agency lines, and difficulties in accessing classified information when
needed.
* Adequacy or coordination of resources--54 percent of the exercises
raised concerns with the adequacy or coordination of resources,
including inadequate facilities or equipment, differing response
procedures or levels of acceptable risk exposure, and the need for
additional training in joint agency response.
* Ability of participants to coordinate effectively in a command and
control environment--41 percent of the exercises raised concerns
related to command and control, most notably a lack of knowledge or
training in the incident command structure.
* Lack of knowledge about who has jurisdictional or decision-making
authority--28 percent of the exercises raised concerns with
participants' knowledge about who has jurisdiction or decision-making
authority. For example, agency personnel were sometimes unclear about
who had the proper authority to raise security levels, board vessels,
or detain passengers.
After-Action Reports Show Problems Related to Timeliness and
Completeness:
Our review of the Coast Guard's fiscal year 2004 after-action reports
from port terrorism exercises identified problems with timeliness in
completing the reports and limitations in the information they
contained. Specifically,
* Timeliness: Coast Guard guidance states that after-action reports are
an extremely important part of the exercise program, and the guidance
requires that such reports be submitted to the after-action report
database (Contingency Preparedness System) within 60 days of completing
the exercise. However, current practice falls short: 61 percent of the
85 after-action reports were not submitted within this 60-day time
frame. Late reports were submitted, on average, 61 days past the due
date. Exercises with late reports include large full-scale exercises
designed to identify major interagency coordination and response
capabilities. Not meeting the 60-day requirement can lessen the
usefulness of these reports. Coast Guard guidance notes, and officials
confirm, that exercise planners should regularly review past after-
action reports when planning and designing future exercises, and to the
extent that reports are unavailable, such review cannot be done. In
previous reviews of exercises conducted by the Coast Guard and others,
we found that timely after-action reports were necessary to help ensure
that potential lessons can be learned and applied after each
counterterrorism exercise.[Footnote 5] The main problem in producing
reports on a more timely basis appeared to be one of competing
priorities: Coast Guard field personnel indicated that other workload
priorities were an impediment to completing reports, but most of them
also said 60 days is a sufficient amount of time to develop and submit
an after-action report.
Officials cited the development of the Contingency Preparedness System,
which is the program for managing exercises and after-action reports,
as a step allowing for a renewed emphasis on timeliness. Headquarters
planning staff are able to run reports using this system and regularly
notify key Coast Guard officials of overdue after-action reports.
However, this system was implemented more than 1 year ago, in August
2003, and was, therefore, in place during the period in which we found
a majority of after-action reports were late. We did not compare our
results with timeliness figures for earlier periods, and we, therefore,
do not know the extent to which the system may have helped reduce the
number of reports that are submitted late. Even if the new system has
produced improvement, however, the overall record is still not in
keeping with the Coast Guard's 60-day requirement.
* Content and quality: Coast Guard guidance also contains criteria for
the information that should be included in an after-action report.
These criteria, which are consistent with standards identified in our
prior work,[Footnote 6] include listing each exercise objective and
providing an assessment of how well each objective was met. However, 18
percent of the after-action reports we reviewed either did not provide
such an objective-by-objective assessment or identified no issues that
emerged from the exercise. While the scope of each exercise may
contribute to a limited number of issues being raised, our past reviews
found that after-action reports need to accurately capture all exercise
results and lessons learned; otherwise, agencies may not be benefiting
fully from exercises in which they participate. Similarly, officials at
the Department of Defense, which like the Coast Guard conducts a
variety of exercises as part of its training, said that if their after-
action reports lack sufficient fundamental content, they cannot be used
effectively to plan exercises and make necessary revisions to programs
and protocols. Our review indicated that, in addition to the pressure
of other workload demands, two additional factors may be contributing
to limitations in report content and quality--current review procedures
and a lack of training for planners. Headquarters planning officials
noted that local commands have primary responsibility for reviewing
after-action reports and that limited criteria exist at headquarters
for evaluating the content of reports submitted by these commands. At
the field level, many planners with whom we spoke said they were
unaware of any written documentation or exercise-planning guidance they
could refer to when developing an after-action report.
The Coast Guard has cited several planned actions that may allow for
improved content and quality in after-action reports. These actions
include updating exercise management guidance and promulgating new
instructions related to preparing after-action reports and collecting
lessons learned. While these initiatives may address issues of content
and quality in after-action reports, they are currently still in the
development phase.
Conclusions:
A successful response to a terrorist threat or incident in a seaport
environment clearly requires the effective cooperation and coordination
of numerous federal, state, local, and private entities--issues that
exercises and after-action reports are intended to identify. Complete
and timely analyses of these exercises represent an important
opportunity to identify and correct barriers to a successful response.
The Coast Guard's inability to consistently report on these exercises
in a timely and complete manner represents a lost opportunity to share
potentially valuable information across the organization. The Coast
Guard's existing requirements, which include submitting these reports
within 60 days and assessing how well each objective has been met,
appear reasonable but are not being consistently met. Coast Guard
officials cited a new management system as their main effort to making
reports more timely, but this system has been in place for more than a
year, and timeliness remains a problem. It is important for Coast Guard
officials to examine this situation to determine if more needs to be
done to meet the standard. The Coast Guard has several other steps
under development to address issues of report content and completeness,
and it is too early to assess the effect these actions will have. For
this set of actions, it will be important for the Coast Guard to
monitor the situation to help ensure that exercises can achieve their
full and stated purpose.
Recommendation for Executive Action:
To help ensure that reports on terrorism-related exercises are
submitted in a timely manner that complies with all Coast Guard
requirements, we are making one recommendation, that the Commandant of
the Coast Guard review the Coast Guard's actions for ensuring
timeliness and determine if further actions are needed.
Agency Comments:
We provided DHS, DOJ, and DOD with a draft of this report for review
and comment. The Coast Guard generally concurred with our findings and
recommendation and did not provide any formal comments for inclusion in
the final report. DOJ and DOD also did not have any official comments.
DOD provided two technical clarifications, which we have incorporated
to ensure the accuracy of our report.
As agreed with your offices, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from its issue date. At that time, we will send copies of this report
to the Secretary of Homeland Security, the Commandant of the Coast
Guard, appropriate congressional committees, and other interested
parties. The report will also be available at no charge on GAO's Web
site at http://www.gao.gov.
If you or your staffs have any questions about this report, please
contact me at (415) 904-2200 or by email at wrightsonm@gao.gov, or
Steve Caldwell, Assistant Director, at (202) 512-9610 or by email at
caldwells@gao.gov, or Steve Calvo, Assistant Director, at (206) 287-
4839 or by email at calvos@gao.gov. Other key contributors to this
report were Christine Davis, Wesley Dunn, Michele Fejfar, Lynn Gibson,
Dawn Hoff, David Hudson, Dan Klabunde, Ryan Lambert, and Stan
Stenersen.
Signed by:
Margaret T. Wrightson:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Briefing on Legal and Operational Issues Identified from
U.S. Port Terrorism Exercises:
Review of Legal and Operational Issues Identified from U.S. Port
Terrorism Exercises:
Briefing to Congressional Requesters:
Select Committee on Homeland Security:
House of Representatives:
Port terrorism exercise at the port of Los Angeles:
[See PDF for image]
Source: GAO.
[End of figure]
Overview:
Introduction:
Objectives, Scope, and Methodology:
Background:
Evolving National Response Framework:
Legal Issues Arising at Exercises:
Operational Issues Arising at Exercises:
Coast Guard Management of After-Action Reports:
Summary of Preliminary Findings:
Introduction:
The Homeland Security Act of 2002 and Homeland Security Presidential
Directive-5 (HSPD-5) set forth a comprehensive approach for ensuring
that all levels of government can work together to prevent, prepare
for, respond to, and recover from domestic incidents.
Constructing this framework is a difficult and complicated task because
* so many agencies and jurisdictions are involved,
* potential incidents are numerous and difficult to predict, and:
* the procedures under which these agencies would respond are evolving:
Because U.S. ports are considered key potential terrorist targets,
simulated attacks and other exercises designed to assess coordination
and response have been conducted at many U.S. ports. Department of
Homeland Security (DHS) and other federal, state, and local agencies
have participated in these exercises.
Objectives, Scope, and Methodology:
Objectives:
1. Describe the emerging framework under which the federal government
coordinates with state and local entities to address a terrorist
incident in a U.S. port.
2. Identify the issues, if any, regarding federal agencies' legal
authority that emerged from port security exercises and what statutory
actions might address them.
3. Describe the types of operational issues being identified through
these exercises.
4. Identify any management issues related to Coast Guard-developed
after-action reports.
Port terrorism exercise at the port of Los Angeles:
[See PDF for image]
Source: GAO.
[End of figure]
Scope and Methodology:
* Reviewed relevant statutes, regulations, directives, plans and agency
guidance.
* Interviewed a variety of federal, state, and local officials.
* Reviewed Coast Guard after-action reports (AARs) on terrorism-related
exercises conducted at U.S. ports in FY 2004.
* Participated as observers at four terrorism-related exercises:
Hampton Roads, Va; Los Angeles/Long Beach, Calif; Charleston, S.C;
and Philadelphia, Pa.
Limitations:
* Reviewed only Coast Guard-developed AARs.
* Exercise sample may have limited the number of operational and legal
issues identified.
* Exercises are typically designed to test specific plan elements, not
all potential elements.
* Resource issues may affect exercise results, a less likely constraint
for real-world response.
* We did not independently assess the need for legislation by auditing
the specific issues identified in the exercises, but generally relied
upon the agency's position as to whether legislation was necessary.
Background:
Executive Branch Direction for New Response Framework:
Since the passage of the Homeland Security Act of 2002, considerable
attention has been focused on developing systems and processes that
provide a consistent nationwide framework for responding to and
recovering from acts of terrorism.
To this end, the Homeland Security Act, as implemented through HSPD-5,
requires DHS to:
* Implement a National Incident Management System (NIMS).
* Consolidate existing federal emergency response plans into a single
coordinated National Response Plan (NRP).
* Review federal agencies' authorities and recommend to the President
revisions needed to fully implement the NRP.
These efforts are designed to replace or harmonize existing authorities
and plans to ensure that all levels of government can work efficiently
and effectively together to prepare for, respond to, and recover from
domestic incidents, including terrorist events.
Background:
Other Acts That Potentially Affect the National Response Framework:
Maritime Transportation Security Act of 2002:
* Mandates Maritime Transportation Security Plans at all levels.
* National, port areas, and certain port facilities and vessels.
* Plans include detecting, deterring, and responding to threats and
incidents.
Stafford Disaster Relief Act:
* Authorizes the President to issue disaster or emergency declarations
to provide federal aid.
Posse Comitatus Act:
* Does not apply to military operations at home or abroad.
* Applies to civilian law enforcement operations such as searches,
seizures, and arrests, which federal military troops may not undertake
unless "expressly authorized by the Constitution or Act of Congress."
Maritime Safety and Security Team at the port of Los Angeles:
[See PDF for image]
Source: GAO.
[End of figure]
* Emergency exception to protect life and property.
* Exceptions to assist in the enforcement of certain laws against
drugs,
terrorism, and Weapons of Mass Destruction (monitoring vessels, aerial
reconnaissance, and chemical-biological-nuclear disposal).
Objective 1:
Evolving National Response Framework Existing Federal Interagency
Response Plans:
Federal Response Plan (FRP):
* FEMA-developed plan that coordinates delivery of federal assistance
and resources during a presidentially declared disaster or emergency.
The Interagency Domestic Terrorism Concept of Operations Plan
(CONPLAN):
* Outlines an organized and unified capability for a timely,
coordinated
federal agency response to a terrorist threat or act (agencies:
Defense, Energy, EPA, FEMA, HHS, and DOJ).
Federal Radiological Emergency Response Plan (FRERP):
* Allows federal agencies to carry out their responsibilities during
peacetime radiological emergencies, (agencies: Energy, Defense, EPA,
Nuclear Regulatory Commission).
National Contingency Plan (NCP):
* Coordinates Coast Guard and EPA response to an oil spill or hazardous
material release, as well as implements additional requirements
mandated in the Comprehensive Environmental Response, Compensation, and
Liability Act of 1980 and the Oil Pollution Act of 1990.
These plans will be superseded or incorporated into the National
Response Plan:
Evolving National Response Framework Key Milestones to Date:
September 2003:
Initial National Response Plan (INRP):
* Bridging document to full NRP that harmonizes existing operational
processes, procedures, and protocols:
* Introduces organizational elements that integrate DHS into the
national interagency response:
March 2004:
National Incident Management System (NIMS):
* Standardizes process and procedures for incident management utilizing
a core set of concepts, principles, and terminology for incident
command and multiagency coordination:
* Incident management activites coordinated by a unified command that
represents governmental and nongovernmental entities with incident
management responsibilities.
June 2004:
Draft National Response Plan:
* Supersedes or incorporates existing interagency plans into a single
coordinated response:
* Consists of an overarching base plan that can be supplemented by
annexes specific to the type of support needed for a particular
incident (e.g., Terrorism Annex, Mass Care Annex, Public Affairs
Annex):
Source. GAO.
[End of figure]
Objective 1:
Evolving National Response Framework Status of Final NRP and DHS
Statutory Review:
HSPD-5 does not establish a deadline for issuing the final NRP. DHS
informed us that the final NRP is complete, but is awaiting approval by
the Homeland Security Council.
Federal, state, and local entities used NIMS in the exercises, but use
of the draft NRP was not evident.
* Once completed, the NRP will be implemented in a phased approach,
under which federal agencies will have up to 180 days to modify
existing plans, protocols, and training to align with the NRP.
HSPD-5 required DHS to review federal agencies' authorities by
September 1, 2003, and recommend to the President revisions needed to
fully implement the NRP.
The HSPD-5 statutory review is complete according to DHS officials and
was forwarded to the DHS Secretary for review.
Objective 2:
Legal Issues Arising at Exercises Review of After-Action Reports:
* No statutory issues surfaced in our review of 82 AARs.
* While the AARs disclosed four issues of a legal nature, statutory
changes were not recommended for these issues.
Issue: During a tabletop exercise simulating an explosive threat aboard
a cruise ship, Federal Bureau of Investigation (FBI) officials
questioned whether they had authority to detain passengers after
evacuating the ship to question them as potential suspects.
Action recommended by participants: Exercise participants acknowledged
that the FBI could not detain passengers as suspects unless it
possessed
sufficient information implicating them. This is a matter of
constitutional criminal procedure, not a statutory issue.
Issue: When personnel from several different agencies boarded a cruise
ship during a simulated terrorist incident, they found they had
different rules of engagement, leading to confusion and delay in
responding properly.
Action recommended by participants: Participants recommended that
problems be solved through interagency memorandums of understanding.
Issue: Officials conducting a portwide exercise found that security
plans for particular facilities and vessels were not necessarily in
concert with the Area Maritime Security Plan. While the Maritime
Transportation Security Act requires integration of these plans, the
implementing regulations provide no mechanism for resolving conflicts
between the lower plans and the Area Maritime Security Plan.
Action recommended by participants: Participants recommended resolving
the issue through regulation or policy change.
Issue: During an exercise, the Coast Guard found the Area Maritime
Security Plan contained no procedure for the Captain of the Port to
raise the MARSEC security level in only one port, as allowed by
regulation. The standard procedure in the Command Center was to raise
the MARSEC level across a wider area. This caused serious and
unnecessary disruptions, according to officials.
Action recommended by participants: Participants recommended that the
Coast Guard issue a policy clarification consistent with the Coast
Guard's regulatory authority.
Source: GAO.
[End of table]
Objective 2:
Legal Issues Arising at Exercises GAO Exercise Observations:
During observations of four exercises, three possible legal issues
surfaced, but officials interviewed during our follow up did not
recommend statutory changes for these issues.
Issue: During an exercise involving a bioterror attack aboard ship, a
question arose as to whether the attack would qualify for federal
disaster relief assistance under the Stafford Act.
Result of GAO follow-up: Such an attack appears eligible for a
presidential emergency declaration but not necessarily for a disaster
declaration under the Stafford Act unless the attack results in a
"fire,
flood, or explosion." 42 U.S.C. 5122(2). While emergency assistance is
more limited than disaster assistance, officials from FEMA and DHS
believe the Stafford Act provides sufficient authority to meet state
needs without amendment.
Issue: When people were quarantined during a bioterror exercise, an
agency participant asked about the proper procedure and legal that
authority for dealing with anyone who tried to escape the quarantine.
Result of GAO follow-up: Our follow-up with senior Department of
Justice
officials indicated federal and state statutes are in place that would
enable police to enforce a quarantine.
Issue: During a chemical attack exercise, the Unified Command for the
incident questioned whether the Posse Comitatus Act (PCA) might prevent
the Department of Defense (DOD) from enforcing FAA-restricted airspace
above the vessel.
Result of GAO follow-up: DOD agreed to enforce the no-fly zone shortly
after receiving the request. DOD officials we interviewed said that
they
saw no statutory barrier to enforcement. They said that a no-fly zone
could be enforced against threat aircraft as part of the military air
defense of the United States or in defense of the military forces
nearby, without raising a Posse Comitatus Act issue.
Source: GAO.
[End of table]
Objective 2:
Legal Issues Arising at Exercises Comments from Key Agencies:
Interviews with agency legal officials have not revealed concerns about
the adequacy of their agencies' legal authority.
* Coast Guard officials told us that the Coast Guard and Maritime
Transportation Act of 2004 (Pub.L.108-293), enacted in August 2004,
contained provisions that would alleviate prior concerns about the
Coast Guard's shoreside authority and its authority to seize property
as well as people.
* Senior Department of Justice officials told us their current legal
authority is adequate to effectively respond to a terrorist event.
* In March 2003 congressional testimony, the Commander of U.S. Northern
Command stated, "We believe the [Posse Comitatus] Act, as amended,
provides the authority we need to do our job, and no modification is
needed at this time." Department of Defense officials told us that they
are not aware of any change in the position that the Posse Comitatus
Act does not prevent the Department of Defense from doing its job, and
that no modification is needed at this time.
* Department of Homeland Security legal officials told us that the
agency's HSPD-5 review of federal statutory authorities is complete and
that federal agencies (including DHS) have sufficient statutory
authority to fully implement the NRP.
Objective 3:
Operational Issues Arising at Exercises Review of After-Action Reports:
Operational issues fall into four categories:
Type of issue: Communication;
Percentage of after-action reports raising issues (82 reports
reviewed):
58.5:
Type of issue: Command and control/incident command structure:
Percentage of after-action reports raising issues (82 reports
reviewed):
41.46:
Type of issue: Unclear decision making/jurisdictional knowledge:
Percentage of after-action reports raising issues (82 reports
reviewed):
28:
Type of issue: Resource coordination/capabilities:
Percentage of after-action reports raising issues (82 reports
reviewed):
3.6:
Note: The same categories of operational issues were also identified at
the four port security exercises we attended.
Source: GAO.
[End of table]
Objective 3:
Operational Issues Arising at Exercises:
Examples from After-Action Reports and GAO Observations:
Communication:
* Radio equipment interoperability problems.
* Formal protocols needed to improve notifications, radio usage,
information sharing.
* Key personnel did not always have security clearances needed to
access
classified information.
Command and Control/Incident Command Structure (ICS):
* Additional NIMS/ICS training needed.
* Improved information flow required between Unified Command and
section
chiefs.
Unclear Decision Making/Jurisdictional Knowledge:
* Anchoring and vessel boarding decisions were sometimes in conflict
among agencies.
* Lack of knowledge of other agencies' jurisdictions and/or authorities.
Resource Coordination/Capabilities:
* Inadequate facilities, equipment, training, or resources.
* Different rules of engagement or levels of acceptable risk exposure
among agencies.
* Additional training and protocols needed for joint agency operations.
* Confusion over procedures to request resources or inadequate
involvement of potential resources (e.g., access to the Strategic
Stockpile, cruise ship companies, or terminal operators).
Objective 4:
Coast Guard Management of AARs Reports Are Submitted Late:
Guidance and experience stress timely reporting as key to AAR
usefulness.
* Coast Guard guidance: requires that AARs be submitted within 60 days
of exercise completion. Guidance notes that AARs are an extremely
important part of the exercise program and are the means by which
deficiencies are brought to the attention of senior managers. Guidance
also states, and officials confirm, that the review of previous AARs is
standard planning doctrine when designing an exercise. Untimely AARs
may serve as an impediment to conducting such reviews.
* Past GAO work: GAO's analysis of past exercises reported on the
importance of producing timely AARs: "To ensure that individual
agencies learn lessons after each federal counterterrorism exercise,
special event, or operation, agencies should prepare a timely AAR or
other evaluation that documents the results." [NOTE 1]
* Department of Defense perspective: senior exercise planners said that
untimely AARs can negatively impact the effectiveness of exercises
because (1) the agency may miss funding opportunities to correct
deficiencies (2) information may not be available for incorporation
into future exercises (a standard DOD practice to determine what
objectives need to be evaluated or reevaluated).
Current Coast Guard practice falls short of meeting standards: 61
percent of terrorism-related AARs for fiscal year 2004 were late.
Although Coast Guard field personnel cited operational priorities,
planning resources, and workload as the primary impediments to
completing timely reports, they generally said that 60 days is enough
time to develop and submit an AAR.
Objective 4:
Coast Guard Management of AARs Report Content and Quality Need
Attention:
Guidance and experience stress producing AARs that fully assess
training objectives and document deficiencies.
* Coast Guard guidance: calls for exercises to be designed to expose
weaknesses in plans and procedures and highlight resource and training
deficiencies. Minimum requirements for AARs include documentation of
each supporting objective and an assessment of how well each objective
was met.
* Past GAO work: when AARs do not accurately capture exercise results
and lessons learned, agencies may not be benefiting fully from
exercises in which they participate.
* DOD perspective: DOD officials said AARs that did not provide
fundamental content cannot be used effectively to plan exercises and
make necessary revisions to programs and protocols. They also noted
that new operational missions may require an additional emphasis on
exercise planning and after-action reporting.
Assessment of exercises may not be sufficient: 18 percent of AARs we
reviewed identified no issues or did not provide adequate assessment of
training objectives.
Review procedures and training for planners may be insufficient in this
area.
* Headquarters planning officials noted that the primary review of all
AARs resides solely at the local command level. Although all submitted
AARs are reviewed "for general approval" by headquarters officials,
they said that this review uses limited criteria (grounds for rejection
include use of inappropriate language or participants' names).
* Many Coast Guard field personnel we interviewed said they were
unaware
of any written documentation or exercise planning guidance they could
refer to when developing an AAR.
Objective 4:
coast Guard Management of AARs:
Internal Coast Guard Efforts to Address Issues:
Some efforts to address timeliness are under way, but effects to date
are limited.
* Coast Guard officials said the Contingency Preparedness System (CPS),
the program for managing exercises and AARs, has allowed for a renewed
emphasis on report timeliness. Headquarters planning staff currently
use this system to notify each Area of overdue AARs. However, CPS has
been in place since August 2003, and timeliness remains a concern.
* Officials have also discussed the possibility of reducing the AAR
submission deadline (to as few as 15 days), but efforts are still
ongoing due to "pushback from the field." They also said that the
formal Coast Guard training courses emphasize that AAR development be
incorporated into the planning process and exercise timeline.
* Senior exercise management officials said they are also updating an
instruction related to collecting AARs and lessons learned. They expect
it to be promulgated to the field in 1-6 months.
Officials noted the following efforts to improve content and quality of
AARs.
* Formal training courses that encourage documenting exercise
information quickly to capture relevant information and lessons learned
before recall is diminished or competing priorities take over.
* Updated instruction on AARs and lessons learned collection (currently
in development).
* Increased functionality of CPS has been proposed, which may offer
additional incentives for planners to utilize the system.
Summary of Findings:
Objective 1:
* Key elements of the national response framework are evolving.
* Release of National Incident Management System and draft National
Response Plan.
* Transitional period for agencies to revise their plans once the final
NRP is released, agencies will have up to 180 days to revise their
plans to align with the NRP.
Objective 2:
* Few legal issues surfaced in port exercises or after-action reports.
* None of these issues were statutory problems according to exercise
participants and agency officials.
Objective 3:
* Exercises and after-action reports identified operational issues to
varying degrees.
* Key issues included: communication, incident command, and resource
coordination concerns.
Objective 4:
* Many after-action reports are not submitted timely, and content and
quality of some does not meet standards.
* Actions taken by the Coast Guard to address these problems have had
limited effect thus far.
NOTES:
[1] See GAO, Combating Terrorism: Selected Challenges and Related
Recommendations, GAO-01-822 (Washington, D.C.: Sept 20, 2001).
[End of section]
Appendix II: Objectives, Scope, and Methodology:
The objectives of this report were to (1) describe the emerging
framework under which the federal government coordinates with state and
local entities to address a terrorist incident in a U.S. port; (2)
identify the issues, if any, regarding federal agencies' legal
authority that have emerged from port security exercises and what
statutory actions might address them; (3) describe the types of
operational issues being identified through these exercises; and (4)
identify any management issues related to Coast Guard-developed after-
action reports. To address these objectives, we reviewed relevant
legislation, regulations, directives and plans, analyzed agency
operational guidance and Coast Guard after-action reports (AARs),
interviewed a variety of federal officials, and observed several port
security exercises.
To identify the emerging framework to address a terrorist incident in a
U.S. port, we reviewed relevant statutes such as the Homeland Security
Act of 2002 and the Maritime Transportation Security Act of 2002 and
implementing maritime regulations at 33 CFR, parts 101 to 106. We also
reviewed Homeland Security Presidential Directive/HSPD-5 and
Presidential Decision Directive 39. Operational plans that were
included in our analysis included the Initial National Response Plan,
the Interagency Domestic Terrorism Concept of Operations plan
(CONPLAN), Interim Federal Response Plan, and the National Response
Plan "Final Draft." We also reviewed agency guidance related to
exercise planning and evaluation such as the Coast Guard Exercise
Planning Manual and Contingency Preparedness Planning Manual, as well
as the Department of Homeland Security/ Office of Disaster
Preparedness' Exercise and Evaluation Program. Findings were
supplemented with interviews of key officials in federal agencies,
including the Coast Guard (CG), the Department of Homeland Security
(DHS), Department of Defense (DOD), Department of Justice (DOJ), and
related federal maritime entities such as Project Seahawk.
To provide a framework for evaluating agencies' legal authority in
responding to a terrorist incident in a U.S. port, we adopted a case
study methodology because it afforded a factual context for the
emergence of legal issues that could confront agencies in the exercise
of their authority. Our efforts included attending four U.S. port based
terrorism exercises (Los Angeles, Calif.; Hampton Roads, Va.;
Charleston, S.C.; Philadelphia, Pa.), reviewing CG AARs for fiscal year
2004, and conducting in-person and telephone interviews with DHS, CG,
DOJ, DOD, and Project Seahawk. The port exercises we selected to visit
were geographically diverse and each was conducted in either August or
September of fiscal year 2004. Additional criteria for exercise
selection included the strategic importance of the port (as defined by
the Maritime Administration), the variety of terrorism scenarios to be
exercised, and the federal, state, and local players involved. The AARs
we reviewed were based on a list of all fiscal year 2004 exercises
provided to us by the CG. We focused on any contingency that included
terrorism and then requested AARs for those completed exercises from
the CG. According to CG guidance, AARs are required to be submitted
within 60 days of exercise completion. To ascertain compliance with
this guidance, CG personnel provided us with the dates that AARs for
terrorism-related exercises were received at headquarters. We used this
information, in conjunction with the exercise start and stop dates, to
determine which reports were on time, which were late, and the average
time late reports were submitted beyond the 60-day requirement.
While issues of a legal nature did surface during our observation of
exercises and analysis of AARs, exercise participants and agency
officials did not recommend statutory changes for these issues. We
generally relied upon the agency's position as to whether legislation
was necessary and did not independently assess the need for legislation
by auditing the specific issues identified in the exercises.
To identify operational issues that occurred during port terrorism
exercises, we relied extensively on perspectives gained through our
observations at the four port terrorism exercises as well as a
comprehensive review of the available AARs for operational issues based
on criteria we developed. In order to determine the frequency of
various operational issues identified in the CG's AARs, we noted
instances that each subcategory within the major category appeared.
These categories and subcategories were chosen through exercise
observation and an initial review of available AARs by two independent
analysts. This allowed us to identify operational issues that were
consistent across the terrorism exercises. We used the following major
categories and subcategories (which appear in parentheses):
* Communication (communication interoperability issues, communication
policy or protocols between or within agencies, information sharing
between agencies),
* Command and Control/ Incident Command Structure (NIMS/ICS training,
UC/IC information flow),
* Unclear Decision Making/ Jurisdictional Knowledge (unclear decision
making authority, unclear lead authority, unclear authorities/
jurisdictions of other agencies), and:
* Resource Coordination/ Capabilities (response capabilities, response
coordination/joint tactics).
To analyze the reports, two GAO analysts independently reviewed each
report and coded operational issues based on the above subcategories.
The results of each analysis were then compared and any discrepancies
were resolved. Overall percentages for the major categories were
determined based on whether any of the issues were identified under the
respective subcategories. The maximum number of observations for any
major category was equal to one, regardless of the number of times a
subcategory was recorded.
To identify management concerns regarding the CG's AARs, we reviewed
our previous studies on this issue as well as CG and DHS issued
guidance on exercise management, such as the Coast Guard's Exercise
Planning Manual and Contingency Preparedness Planning Manual Volume
III. Our analysis also included in-person interviews with CG exercise
management officials from headquarters and CG planners in the field to
gain additional information on how terrorism exercises are planned and
evaluated as well as how lessons learned are cataloged and
disseminated. To ascertain the effect of untimely CG AARs (CG AARs are
required to be completed within 60 days of exercise completion), we
also interviewed exercise management experts from DOD. We conducted a
content analysis of the available AARs to determine the weaknesses in
the reports and where deviations from CG protocol were taking place.
We conducted our work from June to December 2004 in accordance with
generally accepted government auditing standards.
FOOTNOTES
[1] On January 6, 2005, as this report was being finalized for
printing, the Department of Homeland Security issued the final version
of the National Response Plan, a plan discussed in several of the
briefing slides. Some details of the plan were changed in the final
version and thus differ in a few respects from the information
presented in the slides. These differences do not affect the
conclusions or recommendations contained in this report.
[2] As of December 1, 2004, all 85 after-action reports were required
to be submitted to the Coast Guard. Three reports had not been
submitted by this date. We conducted our content analysis on the 82
available reports.
[3] Pub.L. 107-296.
[4] Pub.L. 107-295.
[5] See GAO, Combating Terrorism: Selected Challenges and Related
Recommendations, GAO-01-822 (Washington, D.C.: Sept 20, 2001).
[6] See GAO-01-822.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548:
