Information Technology
Homeland Security Information Network Needs to Be Better Coordinated with Key State and Local Initiatives
GAO ID: GAO-07-822T, May 10, 2007
The Department of Homeland Security (DHS) is responsible for coordinating the federal government's homeland security communications with all levels of government, the private sector, and the public. In support of its mission, the department has deployed a Web-based information-sharing application--the Homeland Security Information Network (HSIN)--and operates at least 11 homeland security networks. The department reported that in fiscal years 2005 and 2006, these investments cost $611.8 million to develop, operate, and maintain. In view of the significance of information sharing for protecting homeland security, GAO was asked to testify on the department's efforts to coordinate its development and use of HSIN with two key state and local initiatives under the Regional Information Sharing Systems--a nationwide information-sharing program operated and managed by state and local officials. This testimony is based on a recent GAO report that addresses, among other things, DHS's homeland security networks and HSIN. In performing the work for that report, GAO analyzed documentation on HSIN and state and local initiatives, compared it against the requirements of the Homeland Security Act and federal guidance and best practices, and interviewed DHS officials and state and local officials.
In developing HSIN, its key homeland security information-sharing application, DHS did not work effectively with two key Regional Information Sharing Systems program initiatives. This program, which is operated and managed by state and local officials nationwide, provides services to law enforcement, emergency responders, and other public safety officials. However, DHS did not coordinate with the program to fully develop joint strategies and policies, procedures, and other means to operate across agency boundaries, which are key practices for effective coordination and collaboration and a means to enhance information sharing and avoid duplication of effort. For example, DHS did not engage the program in ongoing dialogue to determine how resources could be leveraged to meet mutual needs. A major factor contributing to this limited coordination was that the department rushed to deploy HSIN after the events of September 11, 2001. In its haste, it did not develop a comprehensive inventory of key state and local information-sharing initiatives, and it did not achieve a full understanding of the relevance of the Regional Information Sharing Systems program to homeland security information sharing. As a result, DHS faces the risk that effective information sharing is not occurring and that HSIN may be duplicating state and local capabilities. Specifically, both HSIN and one of the Regional Information Sharing Systems initiatives target similar user groups, such as emergency management agencies, and all have similar features, such as electronic bulletin boards, "chat" tools, and document libraries. The department has efforts planned and under way to improve coordination and collaboration, including developing an integration strategy to allow other applications and networks to connect with HSIN, so that organizations can continue to use their preferred information-sharing applications and networks. 
In addition, it has agreed to implement recommendations made by GAO to take specific steps to (1) improve coordination, including developing a comprehensive inventory of state and local initiatives, and (2) ensure that similar coordination and duplication issues do not arise with other federal homeland security networks, systems, and applications. Until DHS completes these efforts, including developing an inventory of key state and local initiatives and fully implementing and institutionalizing key practices for effective coordination and collaboration, the department will continue to be at risk that information is not being effectively shared and that the department is duplicating state and local capabilities.
This is the accessible text file for GAO report number GAO-07-822T
entitled 'Information Technology: Homeland Security Information Network
Needs to Be Better Coordinated with Key State and Local Initiatives'
which was released on May 10, 2007.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
United States Government Accountability Office:
GAO:
Testimony:
Before the Subcommittee on Intelligence, Information Sharing and
Terrorism Risk Assessment, Committee on Homeland Security, House of
Representatives:
For Release on Delivery:
Expected at 10 a.m. EDT Thursday, May 10, 2007:
Information Technology:
Homeland Security Information Network Needs to Be Better Coordinated
with Key State and Local Initiatives:
Statement of David A. Powner, Director:
Information Technology Management Issues:
GAO-07-822T:
GAO Highlights:
Highlights of GAO-07-822T, a report to Subcommittee on Intelligence,
Information Sharing and Terrorism Risk Assessment, Homeland Security
Committee, House of Representatives
Why GAO Did This Study:
The Department of Homeland Security (DHS) is responsible for
coordinating the federal government's homeland security communications
with all levels of government, the private sector, and the public. In
support of its mission, the department has deployed a Web-based
information-sharing application--the Homeland Security Information
Network (HSIN)--and operates at least 11 homeland security networks. The
department reported that in fiscal years 2005 and 2006, these
investments cost $611.8 million to develop, operate, and maintain.
In view of the significance of information sharing for protecting
homeland security, GAO was asked to testify on the department's efforts
to coordinate its development and use of HSIN with two key state and
local initiatives under the Regional Information Sharing Systems--a
nationwide information-sharing program operated and managed by state
and local officials.
This testimony is based on a recent GAO report that addresses, among
other things, DHS's homeland security networks and HSIN. In performing
the work for that report, GAO analyzed documentation on HSIN and state
and local initiatives, compared it against the requirements of the
Homeland Security Act and federal guidance and best practices, and
interviewed DHS officials and state and local officials.
What GAO Found:
In developing HSIN, its key homeland security information-sharing
application, DHS did not work effectively with two key Regional
Information Sharing Systems program initiatives. This program, which is
operated and managed by state and local officials nationwide, provides
services to law enforcement, emergency responders, and other public
safety officials. However, DHS did not coordinate with the program to
fully develop joint strategies and policies, procedures, and other
means to operate across agency boundaries, which are key practices for
effective coordination and collaboration and a means to enhance
information sharing and avoid duplication of effort. For example, DHS
did not engage the program in ongoing dialogue to determine how
resources could be leveraged to meet mutual needs.
A major factor contributing to this limited coordination was that the
department rushed to deploy HSIN after the events of September 11,
2001. In its haste, it did not develop a comprehensive inventory of key
state and local information-sharing initiatives, and it did not achieve
a full understanding of the relevance of the Regional Information
Sharing Systems program to homeland security information sharing.
As a result, DHS faces the risk that effective information sharing is
not occurring and that HSIN may be duplicating state and local
capabilities. Specifically, both HSIN and one of the Regional
Information Sharing Systems initiatives target similar user groups,
such as emergency management agencies, and all have similar features,
such as electronic bulletin boards, "chat" tools, and document
libraries.
The department has efforts planned and under way to improve
coordination and collaboration, including developing an integration
strategy to allow other applications and networks to connect with HSIN,
so that organizations can continue to use their preferred information-
sharing applications and networks. In addition, it has agreed to
implement recommendations made by GAO to take specific steps to (1)
improve coordination, including developing a comprehensive inventory of
state and local initiatives, and (2) ensure that similar coordination
and duplication issues do not arise with other federal homeland
security networks, systems, and applications. Until DHS completes these
efforts, including developing an inventory of key state and local
initiatives and fully implementing and institutionalizing key practices
for effective coordination and collaboration, the department will
continue to be at risk that information is not being effectively shared
and that the department is duplicating state and local capabilities.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-822T].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact David Powner at (202) 512-
9286 or pownerd@gao.gov.
[End of section]
Madame Chair and Members of the Subcommittee:
I appreciate the opportunity to be here today to discuss challenges
facing the Department of Homeland Security (DHS) in coordinating
efforts on its Homeland Security Information Network (HSIN) with state
and local governments and other parties involved in the mission of
keeping our nation secure. As you know, DHS is responsible for
coordinating the federal government's homeland security communications
with all levels of government--including state and local. In support of
this mission, the department developed HSIN as part of its goal to
establish an infrastructure for sharing homeland security
information.[Footnote 1] Besides HSIN, an Internet-based application,
DHS also operates at least 11 other networks in support of its homeland
security mission. The department reported that in fiscal years 2005 and
2006, these investments cost $611.8 million to develop, operate, and
maintain.
As agreed, in my remarks today I will discuss the department's efforts
to coordinate its development and use of HSIN with key state and local
information-sharing initiatives. These remarks are based on our recent
report on homeland security networks and applications.[Footnote 2] That
report focused on two key initiatives under the Regional Information
Sharing Systems program. This nationwide program, operated and managed
by state and local officials, provides services (including information
sharing) to support law enforcement and criminal justice agencies. Its
information-sharing efforts also include emergency responders and
public safety officials.
In performing the work for the report, we analyzed descriptive data
(e.g., type of network, estimated costs) on major networks and Internet-
based systems identified by DHS as supporting its homeland security
mission, including information sharing. We also reviewed documentation
on HSIN and state and local initiatives; compared it against the
requirements of the Homeland Security Act, federal guidance, and
related best practices; and interviewed DHS officials and state and
local officials. This work was performed in accordance with generally
accepted government auditing standards.
Results in Brief:
In developing HSIN, DHS did not effectively coordinate with key state
and local initiatives that are part of the Regional Information Sharing
Systems program. Specifically, the department did not fully develop
joint strategies and coordinated policies, procedures, and other means
to operate across agency boundaries and meet mutual needs, which are
key practices for effective coordination and collaboration and are a
means to enhance information sharing and avoid duplication of effort.
For example, DHS did not engage the program in ongoing dialogue to
determine how resources could be leveraged to meet mutual needs or work
through technical issues and differences in what each organization
considers to be terrorism information.
A major factor contributing to the limited coordination was that after
September 11, 2001, the department expedited its schedule for deploying
HSIN. In its haste, it did not develop a comprehensive inventory of key
state and local information-sharing initiatives.
Consequently, DHS faces the risk that effective information sharing is
not occurring. It also faces the risk that the HSIN system may be
duplicating state and local capabilities. Specifically, both HSIN and
one of the key initiatives target similar user groups, such as
emergency management agencies, and all have similar features, such as
Web portals,[Footnote 3] electronic bulletin boards, "chat" tools, and
document libraries.
The department has efforts planned and under way to improve
coordination and collaboration. For example, it is forming an HSIN
Mission Coordinating Committee and an HSIN Advisory Committee to help
ensure that HSIN meets the information-sharing needs of DHS and other
users. However, these activities have either just begun or are being
planned, with implementation milestones yet to be defined. In addition
to the planned improvements, DHS has agreed to implement our
recommendations to take steps to ensure that HSIN is effectively
coordinated with key state and local government information-sharing
initiatives, which include identifying and inventorying such
initiatives. We also recommended that DHS determine whether there are
coordination and duplication issues with its other homeland security
networks and associated systems and applications. Until DHS completes
these activities, including developing an inventory of key state and
local initiatives, and fully implementing and institutionalizing key
practices and guidance for effective coordination and collaboration, it
will continue to be at risk of not effectively sharing information with
other key state and local information initiatives and duplicating state
and local capabilities.
Background:
DHS is the lead department involved in securing our nation's homeland.
Its mission includes, among other things, leading the unified national
effort to secure the United States, preventing and deterring terrorist
attacks, and protecting against and responding to threats and hazards
to the nation. As part of its mission and as required by the Homeland
Security Act of 2002,[Footnote 4] the department is also responsible
for coordinating efforts across all levels of government and throughout
the nation, including with federal, state, tribal, local, and private
sector homeland security resources.
As we have previously reported, DHS relies extensively on information
technology (IT), such as networks and associated system applications,
to carry out its mission.[Footnote 5] Specifically, in our recent
report, we reported that the department identified 11 major networks it
uses to support its homeland security functions, including sharing
information with state and local governments.[Footnote 6] Examples of
such DHS networks include the Homeland Secure Data Network, the
Immigration and Customs Enforcement Network, and the Customs and Border
Protection Network. In addition, the department has deployed HSIN, a
homeland security information-sharing application that operates on the
public Internet. As shown in table 1, of the 11 networks, 1 is
categorized as Top Secret, 1 is Secret, 8 are Sensitive but
Unclassified, and 1 is unclassified. HSIN is considered Sensitive but
Unclassified.
Table 1: DHS Information-Sharing Networks and HSIN Application:
(The 2005, 2006, and Total columns give the reported cost per fiscal
year, dollars in millions.)
Name | Categories | Users outside DHS | 2005 | 2006 | Total
C Local Area Network (C-LAN) | Top Secret | -- | [A] | [A] | --
Homeland Secure Data Network (HSDN) | Secret | Other federal, state, local | $46.2 | $32.6 | $78.8
Coast Guard Data Network Plus (CGDN+) | Sensitive but Unclassified | Other federal | 15.0 | 15.0 | 30.0
Critical Infrastructure Warning Information Network (CWIN) | Sensitive but Unclassified | Other federal, state | 12.1 | 12.0 | 24.1
Customs and Border Protection (CBP) Network | Sensitive but Unclassified | -- | 58.7 | 63.0 | 121.7
DHS Core Network (DCN) | Sensitive but Unclassified | -- | 13.4 | 10.3 | 23.7
Homeland Security Information Network (HSIN) | Sensitive but Unclassified | Other federal, state, local | 11.9 | 20.5 | 32.4
Immigration and Customs Enforcement Network (ICENet) | Sensitive but Unclassified | Other federal, state, local | 14.4 | 19.2 | 33.6
ONENet | Sensitive but Unclassified | -- | 34.6 | 40.0 | 74.6
Secret Service Wide Area Network (WAN) | Sensitive but Unclassified | -- | 2.8 | 3.1 | 5.9
Transportation Security Administration Network (TSANet) | Sensitive but Unclassified | Other federal | 70.0 | 105.0 | 175.0
Federal Emergency Management Agency (FEMA) Switched Network | Unclassified | -- | 6.0 | 6.0 | 12.0
Total[A] | [Empty] | [Empty] | $285.1 | $326.7 | $611.8
Source: GAO analysis of agency data.
[A] Costs for C-LAN are not included, as the information is not
publicly available.
[End of table]
As the table shows, some of these networks are used solely within DHS,
while others are also used by other federal agencies, as well as state
and local governments. In addition, the total cost to develop, operate,
and maintain these networks and HSIN in fiscal years 2005 and 2006, as
reported by DHS, was $611.8 million. Of this total, the networks
accounted for the vast majority of the cost: $579.4 million.
DHS Established HSIN to Provide Information-Sharing Capabilities:
DHS considers HSIN to be its primary communication application for
transmitting sensitive but unclassified information. According to DHS,
this network is an encrypted, unclassified, Web-based communications
application that serves as DHS's primary nationwide information-sharing
and collaboration tool. It is intended to offer both real-time chat and
instant messaging capability, as well as a document library that
contains reports from multiple federal, state, and local sources.
Available through the application are suspicious incident and pre-
incident information and analysis of terrorist threats, tactics, and
weapons. The application is managed within DHS's Office of Operations
Coordination.
HSIN includes over 35 communities of interest, such as emergency
management, law enforcement, counterterrorism, individual states, and
private sector communities. Each community of interest has Web pages
that are tailored for the community and contain general and community-
specific news articles, links, and contact information. The community
Web pages also provide access to other resources, such as the
following:
* Document library. Users can search the entire document library within
the communities they have access to.
* Discussion threads. HSIN has a discussion thread (or bulletin board)
feature that allows users to post information that other users should
know about and post requests for information that other users might
have. Community administrators can also post and track tasks assigned
to users during an incident.
* Chat tool. HSIN's chat tool, known as Jabber, is similar to other
instant message and chat tools--with the addition of security. Users
can customize lists of their coworkers and send messages individually
or set up chat rooms for more users. Other features include chat logs
(which allow users to review conversations), timestamps, and user
profiles.
States and Local Governments Have Also Established Similar Initiatives:
State and local governments have similar IT initiatives to carry out
their homeland security missions, including sharing information. A key
state and local-based initiative is the Regional Information Sharing
Systems (RISS) program.
The RISS program helps state and local jurisdictions to, among other
things, share information in support of their homeland security
missions. This nationwide program, operated and managed by state and
local officials, was established in 1974 to address crime that operates
across jurisdictional lines. The program consists of six regional
information analysis centers that serve as regional hubs across the
country. These centers offer services to RISS members in their regions,
including information sharing and research, analytical products, case
investigation support, funding, equipment loans, and training. Funding
for the RISS program is administered through a grant from the
Department of Justice.
As part of its information-sharing efforts, the RISS program operates
two key initiatives (among others): the RISS Secure Intranet (RISSNET)
and the Automated Trusted Information Exchange[Footnote 7] (RISS ATIX):
* Created in 1996, RISSNET is intended as a secure network serving
member law enforcement agencies throughout the United States and other
countries. Through this network, RISS offers services such as secure e-
mail, document libraries, intelligence databases, Web pages, bulletin
boards, and a chat tool.
* RISS ATIX offers services similar to those offered by RISSNET to
agencies beyond the law enforcement community, including executives and
officials from governmental and nongovernmental agencies and
organizations that have public safety responsibilities. RISS ATIX is
partitioned into 39 communities of interest, such as critical
infrastructure, emergency management, public health, and government
officials. Members of each community of interest contribute information
to be made available within each community.
According to RISS officials, the RISS ATIX application was developed in
response to the events of September 11, 2001; it was initiated in 2002
as an application to provide tools for information sharing and
collaboration among public safety stakeholders, such as first
responders and schools. As of July 2006, RISS ATIX supported 1,922
users beyond the traditional users of RISSNET.
RISS ATIX uses the technology of RISSNET to offer services through its
Web pages. The pages are tailored for each community of interest and
contain community-specific news articles, links, and contact
information. The pages also provide access to the following features:
* Document library. Participants can store and search relevant
documents within their community of interest.
* Bulletin board. The RISS ATIX bulletin board allows users to post
timely threat information in discussion forums and to view and respond
to posted information. Users can post documents, images, and
information related to terrorism and homeland security, as well as
receive DHS information, advisories, and warnings. According to RISS
officials, the bulletin boards are monitored by a RISS moderator to
relay any information that might be useful for other communities of
interest.
* Chat tool. ATIXLive is an online, real-time, collaborative
communications information-sharing tool for the exchange of information
by community members. Through this tool, users can post timely threat
information and view and respond to messages posted.
* Secure e-mail. RISS ATIX participants have access to e-mail that can
be used to provide alerts and related information. According to RISS,
this is done in a secure environment.
GAO Has Designated Information Sharing as High Risk:
The need to improve information sharing as part of a national effort to
improve homeland security and preparedness has been widely recognized,
not only to improve our ability to anticipate and respond to threats
and emergencies, but to avoid unnecessary expenditure of scarce
resources. In January 2005,[Footnote 8] and more recently in January
2007,[Footnote 9] we identified establishing appropriate and effective
information-sharing mechanisms to improve homeland security as a high-
risk area. The Office of Management and Budget (OMB) has also issued
guidance that stresses the importance of information sharing and
avoiding duplication of effort.[Footnote 10] Nonetheless, although this
area has received increased attention, the federal government faces
formidable challenges in sharing information among stakeholders in an
appropriate and timely manner.
As we concluded in October 2005, agencies can help address these
challenges by adopting and implementing key practices, related to OMB's
guidance, to improve collaboration, such as establishing joint
strategies and addressing needs by leveraging resources and developing
compatible policies, procedures, and other means to operate across
agency boundaries.[Footnote 11] Based on our research and experience,
these practices are also relevant for collaboration between federal
agencies and other levels of government (e.g., state, local). Until
these coordination and collaboration practices are implemented,
agencies face the risk that effective information sharing will not
occur.
Congress and the Administration have made several efforts to address
the challenges associated with information sharing. In particular, as
we reported in March 2006, the President initiated an effort to
establish an Information Sharing Environment that is to combine
policies, procedures, and networks and other technologies that link
people, systems, and information among all appropriate federal, state,
local, and tribal entities and the private sector.[Footnote 12] In
November 2006, in response to congressional direction, the
Administration issued a plan for implementing this environment and
described actions that the federal government intends--in coordination
with state, local, tribal, private sector, and foreign partners--to
carry out over the next 3 years.
Efforts to Coordinate HSIN with Key State and Local Information-Sharing
Initiatives Have Been Limited:
DHS did not fully adhere to the previously mentioned key practices in
coordinating its efforts on HSIN with key state and local information-
sharing initiatives. The department's limited use of these practices is
attributable to a number of factors: in particular, after the events of
September 11, 2001, the department expedited its schedule to deploy
HSIN capabilities, and in doing so, it did not develop an inventory of
key state and local information initiatives. Until the department fully
implements key coordination and collaboration practices and guidance,
it faces, among other things, the risk that effective information
sharing is not occurring. DHS has efforts planned and under way to
improve coordination and collaboration, including implementing the
recommendations in our recent report.[Footnote 13]
Key Practices Were Not Effectively Implemented:
In developing HSIN, DHS did not fully adhere to the practices related
to OMB's guidance. First, although DHS officials met with RISS program
officials to discuss exchanging terrorism-related documents, joint
strategies for meeting mutual needs by leveraging resources have not
been fully developed. DHS did not engage the RISS program to determine
how resources could be leveraged to meet mutual needs. According to
RISS program officials, they met with DHS twice (on September 25, 2003,
and January 7, 2004) to demonstrate that their RISS ATIX application
could be used by DHS for sharing homeland security information.
However, communication from DHS on this topic stopped after these
meetings, without explanation. According to DHS officials, they did not
remember the meetings, which they attributed to the departure from DHS
of the staff who had attended.
In addition, although DHS initially pursued a limited strategy of
exchanging selected terrorism-related documents with the RISS program,
the strategy was impeded by technical issues and by differences in what
each organization considers to be terrorism information. For example,
the exchange of documents between HSIN and the RISS program stopped on
August 1, 2006, because of technical problems with HSIN's upgrade to a
new infrastructure. As of May 3, 2007, the exchange of terrorism-
related documents had not yet resumed, according to HSIN's program
manager. This official also stated that the program is currently
working to fix the issue with the goal of having it resolved by June
2007.
Finally, DHS has yet to fully develop coordination policies,
procedures, and other means to operate across agency boundaries with
the RISS program. DHS has not fully developed such means to operate
with the RISS program and leverage its available technological
resources. Although an operating agreement was established to govern
the exchange of terrorism-related documents, according to RISS
officials, it did not cover the full range of information available
through the RISS program.
DHS's Expedited Schedule Was Major Cause for Limited Coordination,
Increasing the Risk of Ineffective Information Sharing and Duplication:
The extent of DHS's adherence to key practices (and the resulting
limited coordination) is attributable to DHS's expedited schedule to
deploy an information-sharing application that could be used across the
federal government in the wake of the September 11 attacks; in its
haste, DHS did not develop a complete inventory of key state and local
information initiatives. According to DHS officials, they still do not
have a complete inventory of key state and local information-sharing
initiatives. DHS's Office of Inspector General also reported that DHS
developed HSIN in a rapid and ad hoc manner, and among other things,
did not adequately identify existing federal, state, and local
resources, such as RISSNET, that it could have leveraged.[Footnote 14]
Further, DHS did not fully understand the RISS program. Specifically,
DHS officials did not acknowledge the RISS program as a state and local
based program with which to partner, but instead considered it to be
one of many vendors providing a tool for information sharing. In
addition, DHS officials believed that the RISS program was solely
focused on law enforcement information and did not capture the broader
terrorism-related or other information of interest to the department.
Because of this limited coordination and collaboration, DHS is at
increased risk that effective information sharing is not occurring. The
department also faces the risk that it is developing and deploying
capabilities on HSIN that duplicate those being established by state
and local agencies. There is evidence that this has occurred with
respect to the RISS program. Specifically:
* HSIN and RISS ATIX currently target similar user groups. DHS and the
RISS program are independently striving to make their applications
available to user communities involved in the prevention of, response
to, mitigation of, and recovery from terrorism and disasters across the
country. For example, HSIN and RISS ATIX are being used and marketed
for use at state fusion centers[Footnote 15] and other state
organizations, such as emergency management agencies across the
country.
* HSIN and RISS applications have similar approaches for sharing
information with their users. For example, on each application, users
from a particular community--such as emergency management--have access
to a portal or community area tailored to the user's information needs.
The community-based portals have similar features focused on user
communities. Both applications provide each community with the
following features:[Footnote 16]
- Web pages. Tailored for communities of interest (e.g., law
enforcement, emergency management, critical infrastructure sectors),
these pages contain general and community-specific news articles,
links, and contact information.
- Bulletin boards. Participants can post and discuss information.
- Chat tool. Each community has its own online, real-time, interactive
collaboration application.
- Document library. Participants can store and search relevant
documents.
DHS Has Improvements Planned and Under Way, Including Implementing Our
Recent Recommendations:
According to DHS officials, including the HSIN program manager, the
department has efforts planned and under way to improve coordination.
For example, the department is in the process of developing an
integration strategy that is to include enhancing HSIN so that other
applications and networks can interact with it. This would promote
integration by allowing other federal agencies and state and local
governments to use their preferred applications and networks--such as
RISSNET and RISS ATIX--while allowing DHS to continue to use HSIN.
Other examples of improvements either begun or planned include the
following:
* The formation of an HSIN Mission Coordinating Committee, whose roles
and responsibilities are to be defined in a management directive. It is
expected to ensure that all HSIN users are coordinated in
information-sharing relationships of mutual value.
* The recent development of engagement, communications, and feedback
strategies for better coordination and communication with HSIN,
including, for example, enhancing user awareness of applicable HSIN
contact points and changes to the system.
* The reorganization of the HSIN program management office to help the
department better meet user needs. According to the program manager,
this reorganization has included the use of integrated process teams to
better support DHS's operational mission priorities as well as the
establishment of a strategic framework and implementation plan for
meeting the office's key activities and vision.
* The establishment of an HSIN Advisory Committee to advise the
department on how the HSIN program can better meet user needs, examine
DHS's processes for deploying HSIN to the states, assess state
resources, and determine how HSIN can coordinate with these resources.
In addition to these planned improvements, DHS has agreed to implement
the recommendations in our recent report. Specifically, we recommended
that the department ensure that HSIN is effectively coordinated with
key state and local government information-sharing initiatives. We also
recommended that this include (1) identifying and inventorying such
initiatives to determine whether there are opportunities to improve
information sharing and avoid duplication, (2) adopting and
institutionalizing key practices related to OMB's guidance on enhancing
and sustaining agency coordination and collaboration, and (3) ensuring
that the department's coordination efforts are consistent with the
Administration's recently issued Information Sharing Environment
plan.[Footnote 17] In response to these recommendations, DHS described
actions it was taking to implement them. (The full recommendations and
DHS's written response to them are in the report.)
In closing, DHS has not effectively coordinated its primary
information-sharing system with two key state and local initiatives. Largely
because of the department's hasty approach to delivering needed
information-sharing capabilities, it did not follow key coordination
and collaboration practices and guidance or invest the time to
inventory and fully understand how it could leverage state and local
approaches. Consequently, the department faces the risk that effective
information sharing is not occurring and that its HSIN application may
be duplicating existing state and local capabilities. This also raises
the issue of whether similar coordination and duplication issues exist
with the other federal homeland security networks and associated
systems and applications under the department's purview.
DHS recognizes these risks and has improvements planned and under way
to address them, including stated plans to implement our
recommendations. These are positive steps and should help address
shortfalls in the department's coordination practices on HSIN. However,
these actions have either just begun or are planned, with milestones
for implementation yet to be defined. Until all the key coordination
and collaboration practices are fully implemented and
institutionalized, DHS will continue to be at risk that the
effectiveness of its information sharing is not where it needs to be to
adequately protect the homeland and that its efforts are unnecessarily
duplicating state and local initiatives.
Madame Chair, this concludes my testimony today. I would be happy to
answer any questions you or other members of the subcommittee may have.
Contacts and Acknowledgements:
If you have any questions concerning this testimony, please contact
David Powner, Director, Information Technology Management Issues, at
(202) 512-9286 or pownerd@gao.gov. Other individuals who made key
contributions include Gary Mountjoy, Assistant Director; Barbara
Collier; Joseph Cruz; Matthew Grote; and Lori Martinez.
FOOTNOTES
[1] The Homeland Security Act of 2002 directed DHS to establish
communications to share homeland security information with federal
agencies, state and local governments, and other specified groups.
[2] GAO, Information Technology: Numerous Federal Networks Used to
Support Homeland Security Need to Be Better Coordinated with Key State
and Local Information Sharing Initiatives, GAO-07-455 (Washington,
D.C.: Apr. 16, 2007).
[3] A Web portal is generally a site that offers several resources or
services, such as search engines, news articles, forums, and other
tools.
[4] Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135
(Nov. 25, 2002).
[5] See, for example, GAO, Information Technology: Major Federal
Networks That Support Homeland Security Functions, GAO-04-375
(Washington, D.C.: Sept. 17, 2004) and Information Technology: DHS
Needs to Fully Define and Implement Policies and Procedures for
Effectively Managing Investments, GAO-07-424 (Washington, D.C.: April
27, 2007).
[6] GAO-07-455.
[7] Formerly called the Anti-Terrorism Information Exchange.
[8] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005).
[9] GAO, High-Risk Series: An Update, GAO-07-310 (Washington, D.C.:
January 2007).
[10] For example, Office of Management and Budget, Management of
Federal Information Resources, Circular A-130 (Washington, D.C.: Nov.
30, 2000) and Preparation, Submission, and Execution of the Budget,
Circular A-11 (Washington, D.C.: June 30, 2006).
[11] GAO, Results-Oriented Government: Practices That Can Help Enhance
and Sustain Collaboration among Federal Agencies, GAO-06-15
(Washington, D.C.: October 2005).
[12] GAO, Information Sharing: The Federal Government Needs to
Establish Policies and Processes for Sharing Terrorism-Related and
Sensitive but Unclassified Information, GAO-06-385 (Washington, D.C.:
March 2006).
[13] GAO-07-455.
[14] Department of Homeland Security Office of Inspector General,
Office of Information Technology, HSIN Could Support Information
Sharing More Effectively, DHS/OIG-06-38 (Washington, D.C.: June 2006).
[15] A fusion center is defined as a "collaborative effort of two or
more agencies that provide resources, expertise, and information to the
center with the goal of maximizing their ability to detect, prevent,
investigate, and respond to criminal and terrorist activity."
[16] Beyond the collaboration tools listed, RISSNET also provides
access to other law enforcement resources, such as analytical criminal
data-visualization tools and criminal intelligence databases.
[17] As mentioned earlier, this plan is aimed at establishing, in 3
years, the networks and other technologies that link people, systems,
and information among all appropriate federal, state, local, and tribal
entities and the private sector.