Recovery Act

FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions

GAO ID: GAO-11-88, October 15, 2010

The American Recovery and Reinvestment Act of 2009 (Recovery Act) requires recipients to report, among other things, project descriptions on Recovery.gov, the federal Recovery Act Web site. Within the Department of Homeland Security, the Federal Emergency Management Agency's (FEMA) Grant Programs Directorate administers the Port Security Grant Program (PSGP) to strengthen ports against risks from terrorist attacks. FEMA received and obligated $150 million in Recovery Act PSGP funds in 2009, and, as of September 2010, recipients have drawn down over $10 million. To facilitate recipient reporting, FEMA must consider the need both for transparency and for protection of Sensitive Security Information (SSI), which could be detrimental to transportation security if disclosed. As requested, GAO assessed FEMA's: (1) controls to ensure Recovery Act PSGP staff consistently follow SSI policies, and (2) steps to ensure PSGP recipients have not disclosed SSI on Recovery.gov. GAO reviewed relevant laws, regulations, guidance, and a random sample of PSGP Recovery Act recipient reports available as of February 2010, and interviewed agency officials.

FEMA has taken steps to ensure Recovery Act PSGP staff consistently follow the Department of Homeland Security's SSI policies and processes, but key actions have not been taken. For instance, FEMA has appointed an SSI Program Manager--responsible for FEMA-wide SSI oversight--and an SSI Coordinator to facilitate the Grant Programs Directorate's use of SSI. Also, the SSI Program Manager provided SSI training to FEMA's Grant Programs Directorate staff; however, the training did not include FEMA-specific examples to illustrate the application of SSI, which the staff requested. GAO has previously reported that, when assessing training, managers should consider whether the training includes both the theoretical basis of the material--such as context and principles--and the practical application of the issues. Including FEMA-specific examples could help FEMA ensure Recovery Act PSGP staff have the necessary knowledge to handle and safeguard SSI. In addition, the SSI Coordinator has not assessed whether SSI documents have been appropriately labeled, in accordance with SSI regulations. For example, FEMA has determined that certain materials grant recipients submit to FEMA during the application process to describe how their projects will address current gaps and deficiencies are SSI, but has not marked them as such. While these documents have not been posted to Recovery.gov, immediately reviewing and marking them as SSI could improve safeguards and help prevent the information contained therein from inadvertent disclosure. FEMA has taken steps to develop a quarterly review process for Recovery Act PSGP recipient reports--prior to their public release on Recovery.gov--but does not have key controls to help prevent public disclosure of SSI. For instance, FEMA staff drafted a procedure for reviewing recipient reports, but FEMA management has not approved it and the draft does not include a procedure to verify the reviews' accuracy. 
Further, while GAO found that SSI had not been disclosed in Recovery Act recipient reports posted on Recovery.gov for the single reporting period GAO reviewed--with data publicly available as of February 2010--FEMA lacks a process for comparing recipient reports to SSI criteria, and a protocol that informs recipients when FEMA determines that their reports contain SSI. Introducing these measures could help Grant Programs Directorate staff consistently review reports, identify when they contain SSI, reduce the risk of SSI disclosure on Recovery.gov, and reinforce recipients' obligations to safeguard SSI. In addition, GAO found wide variation in the level of detail about the awards' descriptions among the recipient reports sampled from Recovery.gov as of February 2010, although the majority provided minimal detail. According to FEMA, the sensitive nature of PSGP information affects the transparency of PSGP recipient reporting. By providing instruction to recipients on what should and should not be reported due to SSI requirements, FEMA could help recipients report project details in a transparent manner on the expenditure of Recovery Act funds while protecting information that could otherwise jeopardize transportation security if released. GAO recommends that FEMA improve SSI training, ensure proper marking of SSI, enhance recipient report review controls, and instruct recipients on safeguarding SSI while reporting on funded activities and expected outcomes in a transparent manner. FEMA concurred.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: David C. Maurer Team: Government Accountability Office: Homeland Security and Justice Phone: (202) 512-9627


GAO-11-88, Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions

This is the accessible text file for GAO report number GAO-11-88 entitled 'Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions' which was released on November 17, 2010. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to the Republican Leader, U.S. Senate: United States Government Accountability Office: GAO: October 2010: Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions: GAO-11-88:

GAO Highlights: Highlights of GAO-11-88, a report to the Republican Leader, U.S. Senate.
Why GAO Did This Study: The American Recovery and Reinvestment Act of 2009 (Recovery Act) requires recipients to report, among other things, project descriptions on Recovery.gov, the federal Recovery Act Web site. Within the Department of Homeland Security, the Federal Emergency Management Agency's (FEMA) Grant Programs Directorate administers the Port Security Grant Program (PSGP) to strengthen ports against risks from terrorist attacks. FEMA received and obligated $150 million in Recovery Act PSGP funds in 2009, and, as of September 2010, recipients have drawn down over $10 million. To facilitate recipient reporting, FEMA must consider the need both for transparency and for protection of Sensitive Security Information (SSI), which could be detrimental to transportation security if disclosed. As requested, GAO assessed FEMA's: (1) controls to ensure Recovery Act PSGP staff consistently follow SSI policies, and (2) steps to ensure PSGP recipients have not disclosed SSI on Recovery.gov. GAO reviewed relevant laws, regulations, guidance, and a random sample of PSGP Recovery Act recipient reports available as of February 2010, and interviewed agency officials.

What GAO Found: FEMA has taken steps to ensure Recovery Act PSGP staff consistently follow the Department of Homeland Security's SSI policies and processes, but key actions have not been taken. For instance, FEMA has appointed an SSI Program Manager--responsible for FEMA-wide SSI oversight--and an SSI Coordinator to facilitate the Grant Programs Directorate's use of SSI. Also, the SSI Program Manager provided SSI training to FEMA's Grant Programs Directorate staff; however, the training did not include FEMA-specific examples to illustrate the application of SSI, which the staff requested.
GAO has previously reported that, when assessing training, managers should consider whether the training includes both the theoretical basis of the material--such as context and principles--and the practical application of the issues. Including FEMA-specific examples could help FEMA ensure Recovery Act PSGP staff have the necessary knowledge to handle and safeguard SSI. In addition, the SSI Coordinator has not assessed whether SSI documents have been appropriately labeled, in accordance with SSI regulations. For example, FEMA has determined that certain materials grant recipients submit to FEMA during the application process to describe how their projects will address current gaps and deficiencies are SSI, but has not marked them as such. While these documents have not been posted to Recovery.gov, immediately reviewing and marking them as SSI could improve safeguards and help prevent the information contained therein from inadvertent disclosure. FEMA has taken steps to develop a quarterly review process for Recovery Act PSGP recipient reports--prior to their public release on Recovery.gov--but does not have key controls to help prevent public disclosure of SSI. For instance, FEMA staff drafted a procedure for reviewing recipient reports, but FEMA management has not approved it and the draft does not include a procedure to verify the reviews' accuracy. Further, while GAO found that SSI had not been disclosed in Recovery Act recipient reports posted on Recovery.gov for the single reporting period GAO reviewed--with data publicly available as of February 2010--FEMA lacks a process for comparing recipient reports to SSI criteria, and a protocol that informs recipients when FEMA determines that their reports contain SSI. Introducing these measures could help Grant Programs Directorate staff consistently review reports, identify when they contain SSI, reduce the risk of SSI disclosure on Recovery.gov, and reinforce recipients' obligations to safeguard SSI.
In addition, GAO found wide variation in the level of detail about the awards' descriptions among the recipient reports sampled from Recovery.gov as of February 2010, although the majority provided minimal detail. According to FEMA, the sensitive nature of PSGP information affects the transparency of PSGP recipient reporting. By providing instruction to recipients on what should and should not be reported due to SSI requirements, FEMA could help recipients report project details in a transparent manner on the expenditure of Recovery Act funds while protecting information that could otherwise jeopardize transportation security if released.

What GAO Recommends: GAO recommends that FEMA improve SSI training, ensure proper marking of SSI, enhance recipient report review controls, and instruct recipients on safeguarding SSI while reporting on funded activities and expected outcomes in a transparent manner. FEMA concurred.

View [hyperlink, http://www.gao.gov/products/GAO-11-88] or key components. For more information, contact David C. Maurer at (202) 512-9627 or maurerd@gao.gov.
[End of section]

Contents:

Letter:
Background:
FEMA Has Taken Steps to Implement DHS' SSI Policies in Administering the Recovery Act PSGP, but Further Actions Could Improve Consistency:
FEMA Has Taken Initial Steps to Develop and Document a Review Process, but Additional Controls Could Help Prevent the Unauthorized Disclosure of SSI:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Comments from the Department of Homeland Security:
Appendix II: GAO Contacts and Acknowledgments:

Figure:

Figure 1: FEMA's Recipient Review Process for Recovery Act PSGP:

Abbreviations:

DHS: Department of Homeland Security:
FEMA: Federal Emergency Management Agency:
GPD: Grant Programs Directorate:
MTSA: Maritime Transportation Security Act of 2002:
OMB: Office of Management and Budget:
PSGP: Port Security Grant Program:
Recovery Act: The American Recovery and Reinvestment Act of 2009:
Recovery Board: Recovery Accountability and Transparency Board:
SSI: Sensitive Security Information:
TSA: Transportation Security Administration:
TWIC: Transportation Worker Identification Credential program:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

October 15, 2010:

The Honorable Mitch McConnell:
Republican Leader
United States Senate:

Dear Senator McConnell:

The American Recovery and Reinvestment Act of 2009 (Recovery Act) provided $150 million to the Department of Homeland Security's (DHS) Port Security Grant Program (PSGP) for awards to states, localities, and private port operators to strengthen the nation's ports against risks associated with potential terrorist attacks.[Footnote 1] To promote transparency and accountability, the Recovery Act includes a requirement that recipients report quarterly on a number of measures, such as a description of the projects funded,[Footnote 2] and that these reports be made available to the public through Recovery.gov, the government's Recovery Act Web site.[Footnote 3]
The transparency that is envisioned for tracking Recovery Act spending and results is an extensive undertaking for the federal government. Both Congress and the President have emphasized the need for accountability, efficiency, and transparency in the expenditure of Recovery Act funds and have made it a central principle of the act. However, tracking billions of dollars that are being disbursed to thousands of recipients is an enormous effort. The administration expects that achieving this degree of visibility will be iterative, whereby both the reporting process and the information recipients provide improve over time and, if successful, could be a model for transparency and oversight beyond the Recovery Act. To implement Recovery Act reporting requirements, the Office of Management and Budget (OMB) provides guidance to federal agencies for overseeing recipients' Recovery Act quarterly reporting, which includes a requirement that agencies review the overall data quality of recipient reports before they are posted on Recovery.gov. While the Recovery Act does not specifically define transparency, OMB's guidance states that recipients' narrative information, such as their award descriptions, must be sufficiently clear to facilitate understanding by the general public of how Recovery Act funds are being used. In addition, OMB directs federal agencies to consider both transparency as well as national security concerns, when applicable, when reviewing recipients' quarterly reports in preparation for posting on Recovery.gov.[Footnote 4] Among other agencies, this directive applies to DHS' Federal Emergency Management Agency (FEMA), which operates the Recovery Act PSGP. On the one hand, FEMA must help ensure that award and project descriptions publicly available on Recovery.gov explain how recipients are using PSGP funds in order to promote transparency. 
On the other hand, FEMA is responsible for helping to ensure that specific information about the ports' existing vulnerabilities, such as the absence of security systems, is safeguarded and not publicly disclosed on Recovery.gov. This is particularly important since the disclosure of such information--some of which stems from grant recipient documents that contain Sensitive Security Information (SSI)--could compromise national security. [Footnote 5] In response to your request regarding the federal role in reporting on the use of Recovery Act funds and the extent to which recipients transparently report on their activities, we issued a report in May 2010 on the extent to which descriptions of awards found on Recovery.gov fostered a basic understanding of award activities and expected outcomes.[Footnote 6] This report provided information on the level of transparency in reporting on Recovery.gov for federal agencies administering 11 Recovery Act programs including broadband, energy, transportation, infrastructure, and civil works. Our assessment of transparency on Recovery.gov included a review of the transparency of award descriptions on Recovery.gov for FEMA's Recovery Act PSGP. The Recovery Act PSGP recipient reports varied widely in level of detail--as we will discuss later in this report--because FEMA lacked a process for considering both the need to report on funded activities and expected outcomes in a transparent manner and the need to safeguard SSI in recipient reports. Therefore, as agreed with your office, this report focuses on FEMA's efforts to safeguard sensitive information associated with its Recovery Act port security awards. 
Specifically, it addresses: (1) the extent to which FEMA has implemented management controls to ensure that DHS' SSI policies and processes are consistently followed when administering the Recovery Act PSGP, and (2) the steps that FEMA has taken to ensure that sensitive information has not been publicly disclosed by PSGP recipients on Recovery.gov. To conduct our work, we reviewed relevant laws, regulations, and DHS guidance on SSI to determine the extent to which FEMA has adopted DHS management controls to apply applicable safeguards to SSI contained in PSGP grant materials.[Footnote 7] We also attended a new SSI training course on July 12, 2010, that FEMA provided to its staff to observe the applicability of course material to FEMA grant managers. In addition, we reviewed FEMA's draft standard operating procedure for reviewing Recovery Act recipient reports prior to their release on Recovery.gov and compared it with Standards for Internal Control in the Federal Government and DHS' guidance for safeguarding SSI to determine the steps FEMA has taken to help prevent public disclosure of sensitive Recovery Act PSGP grantee details.[Footnote 8] We complemented this review by interviewing FEMA and DHS officials with responsibility for ensuring a reasonable degree of quality across PSGP recipient reports, as laid out in OMB's Recovery Act reporting guidance. In addition, we reviewed existing Recovery Act guidance from OMB to determine the extent to which instructions are available to agencies on handling sensitive information from grant recipients and reviewed documentation of FEMA's contact with recipients after reviewing their reports to assess the extent to which FEMA consistently attempted to prevent disclosure of protected information.[Footnote 9] We also selected a representative probability (random) sample of 61 out of the total 214 PSGP recipient reports available on Recovery.gov as of February, 2010, and reviewed the level of detail they provided. 
We also spoke with DHS officials responsible for assessing whether or not documents contain SSI to determine the extent to which recipient award descriptions available on Recovery.gov could reveal vulnerabilities at the ports and potentially jeopardize port security.[Footnote 10] Finally, we interviewed a nonprobability sample of 6 of the 61 randomly sampled Recovery Act PSGP recipients to determine the extent to which FEMA had provided recipients with information related to safeguarding sensitive details when submitting Recovery Act reports. We selected the 6 recipients based on diversity in geographical location; PSGP award size; level of detail included in quarterly report submission provided to FEMA; and whether the recipient made changes to its entries following FEMA's review. Our interviews provided us with an understanding of recipients' experience in balancing transparency and the safeguarding of SSI in reporting information for ultimate posting on Recovery.gov. However, because we used a nonprobability sample, the results cannot be generalized to all Recovery Act PSGP recipients. We conducted this performance audit from June 2010 through October 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. 
Background:

Port Security Grant Program Priorities and Management:

The Recovery Act Port Security Grant Program (PSGP) is based on the existing PSGP, which was first established under the Maritime Transportation Security Act of 2002 (MTSA).[Footnote 11] Since 2007, FEMA has been operating the PSGP to provide grant funding to port areas for the protection of critical port infrastructure from terrorism.[Footnote 12] When the Recovery Act was enacted in February 2009, it provided an additional $150 million while preserving the funding priorities of the existing PSGP, which emphasize prevention and response to threats against the nation's seaports, including weapons of mass destruction.[Footnote 13] FEMA had obligated all $150 million of its Recovery Act PSGP funds as of September 29, 2009. As of September 3, 2010, 64 of the 218 PSGP recipients had drawn down funds, for a total of $10,002,461. The Recovery Act PSGP also placed additional priority on cost-effective projects that can be started quickly and stimulate the economy through jobs creation. PSGP recipients, such as owners and operators of MTSA-regulated vessels and facilities, can use their 3-year grants for, among other things, equipment purchases, such as acquiring security cameras and security gates to strengthen access controls, as well as card readers and other infrastructure necessary to implement DHS' Transportation Worker Identification Credential (TWIC) program.[Footnote 14] FEMA's Grant Programs Directorate (GPD) is the central unit for grants management at FEMA and within DHS, both FEMA's GPD and the U.S. Coast Guard (Coast Guard) are involved in managing the Recovery Act PSGP.[Footnote 15] FEMA (1) has the lead in creating selection criteria for use in the application review process, (2) administers the Recovery Act PSGP, (3) provides outreach and support to applicants about program requirements, and (4) manages the Recovery Act PSGP to ensure compliance with federal grant management requirements.
In addition, FEMA assigned all Recovery Act PSGP recipients a FEMA program analyst to serve as the recipient's "one-stop" account manager, who would meet with the recipient as needed and coordinate with other agencies to support the recipient. The Coast Guard has the lead in setting port security priorities associated with Recovery Act PSGP award selection criteria. These priorities are emphasized in the Recovery Act PSGP application process, which requires eligible port areas and ferry systems to provide, among other things, an investment justification describing how the proposed project will help address gaps and deficiencies in current programs and capabilities, the length of time needed to begin and complete the project, and the number of jobs the project would create. DHS' Policy for SSI: DHS Management Directive 11056.1 establishes the department's policy regarding the recognition, identification, and safeguarding of SSI. [Footnote 16] In addition to requiring certain actions by specified agencies such as Immigration and Customs Enforcement, Customs and Border Protection, and the Coast Guard, the directive provides that other DHS component heads not specifically identified--where appropriate based on the extent of use of SSI--should appoint an official to serve as the component's SSI Program Manager, who is to be responsible for, among other things, developing component-specific SSI identification and procedural guidance as necessary, and conducting self-inspections of the component for the effective management and practical application of SSI, and consistent and appropriate application and use of SSI at least once every 18 months. 
In addition, the directive states that those other component heads not specifically identified in the directive, where appropriate, should appoint at least one employee in each office that generates or accesses SSI to serve as SSI Coordinator and have the authority to make determinations on behalf of DHS that records generated by this office are appropriately marked SSI. Further, among other responsibilities, the SSI Coordinator is to conduct annual self-inspections of the office for the effective management and practical application of SSI, and consistent and appropriate application and use of SSI, as well as ensure that office personnel who access SSI receive training. FEMA considers the narratives within PSGP recipients' investment justifications to be SSI, the disclosure of which could compromise national security, because information found in the investment justifications could reveal current vulnerabilities and present opportunities for potential terrorist threats. Therefore, FEMA does not permit the investment justifications to be publicly released. In addition, under federal SSI regulations, both FEMA's grants management staff and PSGP recipients are considered to be "covered persons" because, among other things, they access SSI contained in the investment justifications.[Footnote 17] Covered persons' responsibilities include, among others, taking reasonable steps to safeguard SSI in their possession or control from unauthorized disclosure, regardless of medium, and marking information as SSI.[Footnote 18]

Recovery Act Recipient Reporting Process:

To promote transparency and accountability, the Recovery Act requires recipients of Recovery Act funds, such as PSGP recipients, to report each calendar quarter on the use of funds, and further requires that this reporting continue for every quarter in which the recipient receives Recovery Act funds from the federal government.
Specifically, these reports collect numerical information, such as the amount of funds obligated--or committed for payment--as well as narrative details, such as a description of the activity funded at the port. [Footnote 19] To implement Recovery Act reporting requirements, OMB has worked with the Recovery Accountability and Transparency Board (Recovery Board) to deploy a nationwide data collection system at Federalreporting.gov.[Footnote 20] OMB set specific time lines for recipients to submit reports and for agencies to review the data using this site. Specifically, recipients are required to prepare, enter, and validate their information by the tenth day following the end of a quarter, after which federal agencies perform data quality reviews, in accordance with OMB guidance, to identify material omissions and significant reporting errors, and notify recipients of the need to make appropriate and timely changes to erroneous reports.[Footnote 21] Recipients have the ultimate responsibility for responding to the agency's data quality reviews and then submitting the final data for posting on Recovery.gov, as illustrated in figure 1. Recovery.gov was designed to provide transparency of information related to spending on Recovery Act programs and is the public's official source of information related to the Recovery Act. As a federal agency administering Recovery Act funds, FEMA is responsible for adhering to OMB guidance and Recovery Act requirements and GPD has the lead for executing these responsibilities for the Recovery Act PSGP. In addition, DHS officials responsible for agencywide Recovery Act implementation also review recipient quarterly reports, checking data fields, such as award numbers, for accuracy, and informing GPD staff of noncompletion. 
Figure 1: FEMA's Recipient Review Process for Recovery Act PSGP:

[Refer to PDF for image: illustration]

The illustration depicts a pyramid as the review process, from bottom to top, as follows:

Recovery Act Port Security Grant Program (PSGP) recipients:
FederalReporting.gov:
FEMA (agency review):
U.S. Department of Homeland Security (departmental review):
Recovery.gov.

Source: GAO.

[End of figure]

FEMA Has Taken Steps to Implement DHS' SSI Policies in Administering the Recovery Act PSGP, but Further Actions Could Improve Consistency:

FEMA has taken recent steps to adhere to DHS' Management Directive when administering the PSGP, such as appointing officials with direct responsibility for SSI; however, FEMA has not yet established or put in place all of the management controls, or taken all the actions, called for in the directive. For example, in January 2010, FEMA appointed its first SSI Program Manager, and in July 2010--during the course of our review--GPD appointed an SSI Coordinator. Nevertheless, GPD's SSI Coordinator has not assessed the extent to which SSI documents, including Recovery Act PSGP investment justifications, have been marked appropriately, or instilled practices to ensure that GPD personnel who access SSI receive appropriate training, as required by DHS' directive.

FEMA Has Taken Some Steps to Adhere to DHS' SSI Policies and Procedures:

FEMA has appointed an SSI Program Manager, GPD has appointed an SSI Coordinator, and both individuals are taking steps to adhere to DHS' Management Directive, issued in 2005.

FEMA has appointed an SSI Program Manager. FEMA appointed its first SSI Program Manager in January 2010, and this individual has developed a standard operating procedure that, in accordance with DHS' 2005 Management Directive, establishes FEMA's protocols for recognizing, identifying, and safeguarding SSI.
According to the SSI Program Manager, the standard operating procedure was reviewed by Transportation Security Administration (TSA) and Coast Guard officials, and approved by officials in FEMA's Office of Security before distribution to FEMA staff in mid-August. The SSI Program Manager also reported that he is planning to develop an SSI Instruction Guide for FEMA GPD in November 2010 that will identify the types of information in grant documents handled by FEMA GPD staff that should and should not be marked and treated as SSI. According to the SSI Program Manager, this guide will be completed in collaboration with FEMA GPD, TSA, and the Coast Guard, and will be applicable to FEMA GPD staff, contractors, and grantees. Further, the SSI Program Manager reported to us that he is developing a self-inspection program based on an SSI evaluation program that the Coast Guard currently uses. This will fulfill the Management Directive's instruction to conduct self-inspections for effective management, and consistent and appropriate application and use of SSI, at least once every 18 months.[Footnote 22] He expects to conduct FEMA's self-inspection in December 2010. In addition, in response to our questions regarding the extent of SSI training offered to GPD staff, the Program Manager provided training to FEMA's GPD staff in mid-July on identifying, handling, and safeguarding SSI. We observed this training, and noted that it explained the difference between SSI and classified information, defined the 16 categories of SSI in the SSI regulations, and provided guidance regarding how to handle SSI.

FEMA's GPD has appointed an SSI Coordinator. During the course of our review, and in response to our questions regarding the status of GPD's efforts to appoint an SSI Coordinator within GPD, the GPD Assistant Administrator appointed GPD's Director of Internal Controls and Risk Management to be GPD's first SSI Coordinator on July 8, 2010.
The SSI Coordinator told us that she informed all GPD staff of the SSI Program Manager's July SSI training and encouraged GPD personnel who access or generate SSI to attend. Further, according to the SSI Coordinator, she and her staff will reach out to ensure that the remaining staff who have not yet received training attend one of the upcoming training sessions that the SSI Program Manager is offering throughout the fall of 2010. In addition, the SSI Coordinator told us that, once staff are trained, she plans to identify and reach out to supervisors in GPD branches who will have responsibility for staff managing SSI within their units to discuss and delineate their unit's SSI responsibilities, including determining whether documents in their office are appropriately marked SSI, and reporting back to her. Further, the SSI Coordinator told us that she plans to issue a bulletin or memorandum to GPD staff and grantees to provide additional information beyond that discussed in the initial SSI training, such as GPD staff members' specific roles in identifying and handling SSI and the relevance of SSI to GPD grants. Before writing the bulletin, the SSI Coordinator reported that she planned to talk to GPD staff--including Recovery Act PSGP program officials, as well as the official responsible for reviewing Recovery Act PSGP recipient reports--to determine the process being used for handling recipient information and reporting, and what information related to SSI these officials need. According to the SSI Coordinator, she has drafted the bulletin but plans to make revisions before issuing it to GPD staff and grantees later this fall. Additionally, the SSI Coordinator told us she will--while conducting training and working with GPD staff responsible for SSI in their branches--assume responsibility for conducting GPD's annual self-inspection, in accordance with DHS' 2005 Management Directive.
According to FEMA's SSI Program Manager, he and the SSI Coordinator will jointly complete a self-inspection of FEMA GPD in December 2010 to identify to the SSI Coordinator what the self-inspection program should entail.

Additional Actions Could Help FEMA Better Ensure That DHS' SSI Policies Are Consistently Followed:

FEMA has established some management controls outlined in DHS' Management Directive to help ensure that its staff are better able to appropriately identify and handle SSI, but it has not yet taken all the actions or fully established all the management controls included in the directive.

Marking of SSI:

The SSI Coordinator told us that with respect to Management Directive-required oversight of SSI within GPD, she has not made any determinations as to whether SSI documents are appropriately marked. While FEMA considers all PSGP investment justifications to be SSI, our analysis showed that not all Recovery Act PSGP investment justifications--documents recipients submit to FEMA when applying for the grant and that FEMA keeps on file--have been marked as such, pursuant to SSI regulations. Specifically, our sample review of six Recovery Act PSGP investment justifications showed that none of the materials were marked as SSI, as required by SSI regulations. According to one Recovery Act PSGP official, while the investment justifications are not labeled SSI, GPD staff convey the sensitive nature of the documents to the covered parties involved. The SSI Coordinator told us that supervisors she designates throughout GPD will be responsible for reviewing their unit's grant file documents to determine if they are marked appropriately and report the results to her after these supervisors receive SSI training. However--while FEMA does not publicly release the investment justifications, such as on Recovery.gov--some of the Recovery Act PSGP investment justifications are currently not marked SSI in accordance with SSI regulations.
As a result, others who access the information in the investment justifications may not be aware that it is SSI and, thus, are at a greater risk of inadvertently disclosing such information. Reviewing these justifications and marking them immediately as SSI could help the SSI Coordinator ensure that GPD personnel are better positioned to safeguard them from inadvertent unauthorized disclosure.

SSI Training:

Prior to July 2010, FEMA did not provide specific SSI training to its grants management staff, and the FEMA SSI Program Manager told us the development of this course stemmed largely from our work on the subject. However, based on our observations, the course did not include grant-specific examples that could have helped facilitate GPD staff's understanding in applying the training concepts regarding SSI to their work. For instance, GPD officials with whom we spoke were unclear about the application of SSI to the Recovery Act PSGP, and grant-specific examples could clarify how to determine if grant information is SSI. For instance, according to a TSA SSI official, the information upon which the PSGP investment justifications are based--port vulnerability assessments--are identified as SSI in the C.F.R. Therefore, the investment justifications may contain SSI, but the TSA official told us that the investment justifications are not SSI in their entirety because information from the vulnerability assessments could be removed from the documents. However, the three Recovery Act PSGP officials with responsibility for administering the program offered conflicting information with regard to the sensitive nature of PSGP materials. One official reported that FEMA considers all PSGP investment justifications to be SSI because the disclosure of activities under the PSGP could demonstrate current vulnerabilities and present opportunities for potential terrorist threats.
Another official told us that he disagrees with the determination that the investment justifications are SSI because projects funded under the PSGP are visible to the public--for instance, if a port is adding lighting, the public can see that the project is being undertaken. Moreover, this official noted that information about the Recovery Act PSGP projects could easily be obtained from other publicly available sources, such as construction permits. A third FEMA official believed that certain information in the investment justifications may be SSI, but the investment justifications in their entirety are not. Moreover, during the training session we observed, numerous GPD staff asked for clarification and examples to understand how the SSI regulations apply to their day-to-day work. The training did not provide this information. The SSI Coordinator acknowledged that the training lacked specific examples and told us that GPD staff likely will need additional information about the relevance of SSI to FEMA's grant management. We have previously reported on a number of factors that managers should consider when assessing training. One of these factors includes whether the training incorporated a suitable blend of content, addressing both the theoretical basis of the material (such as an explanation of the context and principles involved) and the practical application of the issues (such as agency administrative procedures related to the material).[Footnote 23] The initial SSI training delineated the context of SSI and the regulations involved, but it did not incorporate any GPD-specific examples to illustrate the appropriate identification and handling of SSI by GPD personnel. In addition, it did not include any reference to the Recovery Act PSGP or any other Recovery Act program FEMA administers. Further, it also did not address how GPD staff should ensure transparent reporting on funded activities and expected outcomes while also safeguarding SSI. 
Given that Recovery Act PSGP staff were unclear about the application of SSI to their work and attendees at GPD's initial SSI training requested examples to illustrate how SSI pertains to their work, providing grant-specific examples in its SSI training could help FEMA ensure that all GPD staff, including Recovery Act PSGP staff, are better positioned to identify, mark, and safeguard SSI within their programs. FEMA Has Taken Initial Steps to Develop and Document a Review Process, but Additional Controls Could Help Prevent the Unauthorized Disclosure of SSI: FEMA has implemented an agencywide standard operating procedure governing the safeguarding of SSI within FEMA; however, this is a broad policy that does not specifically address aspects related to the Recovery Act PSGP recipient report review process. Further, while FEMA GPD staff have taken steps to outline their recipient review process, GPD management has not approved the procedure and the draft does not include key controls for reducing the risk of error. Moreover, when conducting its data quality review, FEMA does not have a distinct process for comparing recipients' quarterly reports against SSI criteria to ensure that sensitive information, similar to that which is described in the recipients' investment justifications, is not included in the Recovery Act reporting and thus made publicly available. FEMA also lacks a protocol for informing recipients when their draft Recovery Act reports contain sensitive information and should be safeguarded appropriately. Finally, FEMA has not provided instruction to recipients cautioning them up front against revealing SSI in their recipient report submissions and guiding them on what an appropriate level of detail would be. 
FEMA's Process for Reviewing Recovery Act PSGP Recipient Reports Is Documented but Lacks Key Controls and Has Not Been Approved: Two officials within GPD were responsible for performing quality reviews on recipients' quarterly submissions to FederalReporting.gov before these submissions were posted to Recovery.gov in February 2010, the reporting period we reviewed. One official told us that he and his former colleague drafted a standard operating procedure after they were charged with reviewing recipients' reports in 2009 which described the Recovery Act recipient report reviewing process they undertook. This draft standard operating procedure included descriptions of the reporting cycle, the various elements recipients report, sources of the reporting data, the Recovery Act process for reviewing recipient information, and directions on how to compile and report the required information. However, the draft standard operating procedure does not have managerial approval as of September 2010 and lacks a discussion of internal controls, including a process to ensure that a secondary review of the comments occurs. Internal control standards state that transactions and significant events--in this case, FEMA's data quality review of Recovery Act recipients' reports--should be authorized and the authorization should be clearly communicated to employees to assure that only valid transactions take place.[Footnote 24] We found that the draft standard operating procedure being used was not approved by senior GPD management as of September 2010. A former director in GPD with oversight of the individuals conducting reviews of recipients' submissions did not approve the standard operating procedure before she left the agency and, as of September 2010, it has neither been approved nor presented to her replacement for approval. 
Approving a standard operating procedure for Recovery Act quarterly recipient report reviews could help FEMA management better ensure that the Recovery Act PSGP personnel are conducting reviews in a consistent manner. In addition, internal control standards state that key duties and responsibilities need to be divided or segregated among different people to reduce the risk of error or fraud, including separating the responsibilities for authorizing, processing and recording, and reviewing transactions.[Footnote 25] Moreover, internal control standards call for internal controls and all transactions and other significant events to be clearly documented and appear in management directives, administrative policies, or operating manuals. The draft standard operating procedure FEMA's Recovery Act staff developed does not describe procedures for verifying the accuracy of reviews, such as the process whereby one reviewer independently verifies the other's work, that its author told us had been occurring. Without determining what procedures FEMA will use to verify its reviews of recipient reports and documenting those procedures, FEMA management lacks reasonable assurance that the reviews are being conducted consistently and in accordance with management's direction. For instance, the GPD official with responsibility for reviewing quarterly Recovery Act recipient reports told us that a former director in GPD completed another layer of review before FEMA concluded its data quality review. Further, although this official reported that four additional GPD or DHS officials verified the accuracy of his initial reviews, three of the officials named told us that they have not reviewed recipient reports in any manner. The remaining official told us that she reviews the numerical fields solely for data accuracy and does not review the narrative fields, such as the award description where potential SSI may appear. 
FEMA Lacks a Procedure for Comparing Recipient Reports Against SSI Criteria:

FEMA's standard operating procedure does not include a method for its Recovery Act PSGP recipient report reviewers to safeguard SSI as required of covered persons in SSI regulations. For example, none of the FEMA officials with whom we spoke reported that they--or anyone else--was responsible for incorporating a sensitivity review into their quarterly data quality assessment during which they could compare recipients' submissions to FederalReporting.gov against SSI standards to determine if the information should be prevented from public disclosure on Recovery.gov. A Recovery Act PSGP official with whom we spoke reported that it is Recovery Act PSGP recipients' responsibility to ensure that they do not report SSI in their quarterly reports because it is the recipients who initially report the information, not FEMA. However, since FEMA treats the investment justifications as SSI, and much of the information requested in the reporting fields on FederalReporting.gov is similar in nature, conducting such a review would help FEMA ensure that nothing from the investment justifications was inadvertently copied into the FederalReporting.gov reporting fields and ultimately published on Recovery.gov. Further, pertinent SSI regulations require that a covered person must take reasonable steps to safeguard SSI in that person's possession or control from unauthorized disclosure,[Footnote 26] and state that violations of the SSI regulations, such as unauthorized disclosure of SSI, are grounds for, among other things, a civil penalty and other enforcement or corrective action by DHS.[Footnote 27] While recipients initially report the information, FEMA accesses this information during its data quality review and, therefore, under SSI regulations, Recovery Act PSGP personnel are considered to be covered persons and have the accompanying responsibility to safeguard any SSI in the recipient reports.
A TSA security official who reviewed our sample of 61 PSGP recipient reports available on Recovery.gov for the reporting period with data available as of February 2010, informed us that none contained SSI; however, FEMA should consider a cautious approach when reviewing this material in advance and inform recipients if their draft submissions contain SSI.[Footnote 28] While our review showed that none of the Recovery Act PSGP recipient reports for the single reporting period in our review contained SSI, developing a management-approved policy for reviewing Recovery Act PSGP recipient reports that includes steps to compare submissions against SSI criteria and properly safeguard it could reduce the risk that SSI is made publicly available on Recovery.gov in subsequent reporting periods. Further, such a policy could help better position FEMA to ensure that officials responsible for Recovery Act recipient reviews take reasonable steps to safeguard SSI from unauthorized disclosure, as required by SSI regulations. FEMA Lacks a Protocol for Informing Recipients When Their Draft Recovery Act Reports Contain SSI and Should Be Safeguarded: According to the GPD official responsible for reviewing recipients' submissions and performing the data quality review on FederalReporting.gov, when the Recovery Act quarterly reporting began, the issue of data sensitivity was not discussed in any manner. However, the official noted that the GPD Director to whom he reported at the time told him to use his judgment and when he thought recipient submissions included "too much detail" in the narrative-based fields, such as the one for "award description," he should notify recipients. 
Specifically, the director instructed him to use boilerplate language when commenting back to the recipients, with the following notification statement: "Due to the public nature of this report, please adjust the Award Description to: American Recovery and Reinvestment Act Port Security Grant Program (ARRA PSGP)."[Footnote 29] This official stated that he did not develop standard criteria to determine what "too much detail" meant, nor does he compare the information contained in these quarterly reports against SSI criteria while conducting his data quality review. Instead, he explained that he used his best judgment and if the details in the narrative field appeared similar to the information the recipient reported in its investment justification, then he sent the recipient the standard notification statement. This notification statement did not communicate the rationale for change--that the specific information about their use of award funds or expected outcomes could disclose SSI, which could document vulnerabilities or jeopardize port security--or a reason for recipients to take action, even though SSI regulations require covered persons to take reasonable steps to safeguard SSI from unauthorized disclosure. Moreover, internal control standards call for managers to ensure that there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals. Most importantly, FEMA's notification statement does not inform recipients of their responsibility as covered persons to safeguard SSI. Including in its standard operating procedures a process for notifying recipients when their reports include SSI and taking steps to inform recipients about their responsibilities as covered persons could better position FEMA to help prevent the inadvertent release into the public domain of information that could potentially compromise national security. 
FEMA Has Not Provided Instruction to Recipients on Safeguarding SSI While Reporting Project Details in a Transparent Manner for Posting on Recovery.gov: During the Recovery Act quarterly reporting process, under federal SSI regulations, both recipients--who submit the initial information--and FEMA personnel--who review the information--are considered to be covered persons with a duty to safeguard SSI. In addition, OMB's Recovery Act reporting guidance states that recipients' narrative information must be sufficiently clear to facilitate understanding by the general public of how Recovery Act funds are being used. In reviewing the narrative descriptions provided on Recovery.gov for the 61 recipients in our sample, we found wide variation in the level of detail provided regarding the awards' purposes, scope and nature of activities, locations, costs, outcomes, and status of work. In a few instances, the reports had clear and complete information across these areas. For instance, the description of an award for a Missouri port stated that it will be used for surveillance cameras that will allow the police department to receive information about potential attacks using improvised explosive devices and, as a result, increase the likelihood of preemptive action. In the majority of cases, however, the reports provided little or none of the information on what funds are being spent on and what outcomes are expected. For instance, an award description for a port in Washington did not provide the location where the award activities are being conducted, what the award would fund, or the outcomes expected as a result of the award. According to FEMA, the sensitive nature of port security information affects the transparency of PSGP recipient reporting. 
However, FEMA's GPD has not provided technical assistance or program-specific guidance to Recovery Act PSGP recipients on how to report on funded activities and expected outcomes in a transparent manner while also safeguarding SSI. For example, all of the PSGP recipients with whom we spoke reported that FEMA had not instructed them on how to consider transparency needs and safeguard SSI in Recovery Act reporting.[Footnote 30] According to a Coast Guard Recovery Act PSGP official, GPD's SSI Coordinator, and three of the five Recovery Act PSGP recipients with whom we spoke, Recovery Act PSGP recipients are not always clear regarding what information they should report and what information they should protect. For instance, GPD's SSI Coordinator told us that the recipients may be confused about what they should report in their quarterly Recovery Act reports because OMB guidance stresses transparency even though SSI regulations stress safeguards. Therefore, the SSI Coordinator stated that recipients may be unsure how to comply with both because of their seemingly conflicting messages. Moreover, the Coast Guard official and four of the five Recovery Act PSGP recipients with whom we spoke told us that guidance from FEMA on what recipients should and should not report for ultimate posting on Recovery.gov would be helpful to recipients and assist them in better understanding how to adhere to the requirements in both OMB's existing guidance on Recovery Act recipient reporting and those found in the SSI-related regulations.

Recovery Act PSGP officials with whom we spoke cited two reasons why FEMA has not issued instructions to recipients on what information to include in the narrative fields when completing their quarterly reports. First, the officials reported to us that FEMA was concerned that issuing instructions to recipients on what to report in the narrative fields may conflict with OMB's emphasis on transparency in Recovery Act reporting.
When we raised this issue with OMB, staff there told us that OMB allows agencies discretion with regard to balancing transparency with national security concerns and it cannot provide guidance that addresses the details of each Recovery Act program. OMB staff noted that agencies should be aware of what program information may be sensitive and address these concerns directly with recipients. Further, according to OMB officials, agencies overseeing Recovery Act programs have discretion to provide their recipients with technical assistance or supplemental materials to aid recipients in reporting. In our May 2010 report, we reported that some agencies--unlike FEMA--supplemented OMB's high-level guidance with program-specific technical assistance on how to meet OMB's reporting requirements, including specific instructions on what to write in the narrative fields.[Footnote 31] In addition, OMB's March 2010 Memorandum 10-14 permits federal agencies overseeing Recovery Act reporting to provide program-specific guidance on Recovery Act recipient reporting to recipients as long as it does not conflict with OMB guidance and the agency obtains OMB approval.[Footnote 32] Two other agencies--the departments of Transportation and Education--have obtained OMB approval to issue such program-specific guidance to assist recipients with Recovery Act reporting. As we reported in May 2010, OMB officials told us that OMB created generic reporting guidance because they expected the guidance to be a baseline, with agencies providing supplemental guidance that was more specific to unique program characteristics and situations than OMB's one-size-fits-all guidance was designed to address.
We also reported that, according to OMB, the agencies would be better sources of program specific individualized guidance, tailored to the awards made under their programs.[Footnote 33]

Second, FEMA officials said that even if they were to issue instructions to recipients on what to report in the narrative fields that ultimately will be posted on Recovery.gov, some recipients might not follow them and FEMA cannot require them to do so. However, given that under federal SSI regulations Recovery Act PSGP recipients are considered to be covered persons, they have a duty under SSI regulations to safeguard SSI. Taking appropriate measures to provide instruction--which could be in the form of technical assistance, supplemental materials, or OMB-approved guidance--to Recovery Act PSGP recipients has several benefits. Namely, by describing the information to include in narrative fields that ultimately will be posted on Recovery.gov and informing recipients of their duty to protect SSI as covered persons, FEMA could help ensure that recipients consider both the need to report on funded activities and expected outcomes in a transparent manner while safeguarding SSI when reporting information on issues that ultimately will be posted on Recovery.gov.

With regard to additional controls to prevent unauthorized disclosure of Recovery Act PSGP SSI, FEMA officials reported that their ability to implement such controls--including their assessments of information recipients submit quarterly to FederalReporting.gov--is constrained due to the small number of PSGP staff on board, as well as significant staff turnover. According to FEMA data, as of July 2010, 10 FEMA employees were administering both the Recovery Act PSGP and regular PSGP, and GPD's staff turnover rates were 4 percent and 8 percent in the 2nd quarter and 3rd quarter of 2010, respectively.
Further, according to FEMA officials, OMB is primarily concerned with data quality surrounding the numerical reporting fields, such as the award amount, and is less concerned with the content of the narrative reporting fields, such as the award description. In addition, DHS officials charged with overall Recovery Act implementation confirmed that their review of DHS-wide recipient information focuses on the nonnarrative fields--such as jobs created, recipient addresses, or recipient Congressional district. As a result, the FEMA official charged with conducting the data quality reviews told us his priorities have been on numbers rather than narrative. OMB staff with whom we spoke told us that agencies are better positioned to review narrative information because they have knowledge of the programs and OMB staff explained that agencies are expected to use their judgment to help ensure that recipients do not disclose SSI in the information that ultimately will be posted on Recovery.gov.

Conclusions:

Reporting on the funded activities and expected outcomes of Recovery Act funds in a transparent manner is vital to ensuring public trust. As such, OMB has made transparency a priority in the oversight of Recovery Act spending and instructed agencies that when reviewing recipients' quarterly reports they should aim to ensure transparency while also safeguarding information that is crucial to national security. FEMA's GPD has taken some recent steps to establish policies and procedures to ensure that it appropriately identifies, handles, and safeguards any Recovery Act PSGP information that is SSI. However, FEMA could do more to ensure that FEMA officials are helping to prevent the disclosure of information that ultimately will be posted on Recovery.gov and that is otherwise considered SSI.
Specifically, determining whether Recovery Act PSGP documents, such as investment justifications, that contain SSI are appropriately marked as such and taking steps to ensure Recovery Act PSGP officials receive FEMA-specific SSI training could help better position FEMA to ensure that its Recovery Act PSGP staff protect SSI from unauthorized disclosure. Further, having an approved policy for reviewing Recovery Act PSGP recipient reports could help ensure that initial reviews by different FEMA GPD staff will be conducted in a consistent manner to reduce the risk of error. Moreover, including in its process a review to identify recipient-reported information as SSI, and taking appropriate measures to improve recipients' understanding of what information to include in the narrative fields that ultimately will be posted on Recovery.gov and what information to safeguard as SSI could better position FEMA to help prevent the disclosure of sensitive information on Recovery.gov.

Recommendations for Executive Action:

To enhance the identification, management, and protection of SSI within FEMA in its administration of the Recovery Act PSGP, we recommend that the FEMA Administrator take the following four actions:

* Direct GPD's SSI Coordinator to review Recovery Act PSGP investment justifications in FEMA's possession and ensure that they are appropriately marked as SSI.

* Direct GPD's SSI Coordinator, when developing and providing further SSI training to GPD staff, to incorporate FEMA-specific examples of the application and use of SSI in the training.

* Direct FEMA's Assistant Administrator for GPD to develop, document, and approve a policy that reflects management's intent to implement internal controls governing FEMA's review process for Recovery Act recipient reports that include appropriate internal controls and a procedure both for comparing recipient reports against SSI criteria and notifying recipients when their submissions contain SSI.

* Direct FEMA's Assistant Administrator for GPD to take appropriate measures--such as issuing technical assistance, supplemental materials, or OMB-approved guidance--to inform Recovery Act PSGP recipients of what information they should include in the narrative fields that ultimately will be posted on Recovery.gov to foster a basic understanding of funded activities and expected outcomes in a transparent manner while ensuring that SSI is not disclosed on Recovery.gov.

Agency Comments and Our Evaluation:

We provided a draft of this report to FEMA for review and comment. FEMA provided written comments on the draft report, which are reproduced in full in appendix I. FEMA concurred with all four of our recommendations, and reported that it plans to take steps to implement them. Specifically, FEMA plans to ensure that all Recovery Act PSGP grant documents are reviewed and appropriately marked as SSI, which would address our first recommendation. Further, FEMA intends to enhance its current SSI training to ensure that it is relevant to FEMA personnel. If implemented, such training would address our second recommendation. In addition, FEMA plans to take steps to incorporate appropriate internal controls into its written Recovery Act PSGP policies to help ensure consistency in its review of Recovery Act PSGP recipient reports. Implementing such controls will address our third recommendation. FEMA also agreed with our final recommendation to take appropriate measures to inform Recovery Act PSGP recipients of what information they should include in their Recovery Act reports. However, FEMA did not describe specific actions it planned to take to address this recommendation. Nevertheless, FEMA noted that, while no SSI was released to the public for the reporting period which we reviewed, implementing this recommendation, as well as our others, will enhance ongoing review of Recovery Act PSGP recipient reports and better enable FEMA to protect SSI from disclosure in the future.
FEMA also provided technical comments, which we incorporated as appropriate. As agreed with your office, unless you publicly announce the contents of this report earlier, we plan no further distribution for 30 days from the report date. At that time, we will send copies of this report to the Secretary of Homeland Security and interested congressional committees. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. Should you or your staff have any questions concerning this report, please contact David Maurer at 202-512-9627 or by e-mail at maurerd@gao.gov. Contact points from our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix II.
Sincerely yours, Signed by: David C. Maurer: Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security: Washington, DC 20528: October 12, 2010: David Maurer: Director, Homeland Security and Justice: 441 G Street, NW: U.S. Government Accountability Office: Washington, DC 20548:
Dear Mr. Maurer: RE: Federal Emergency Management Agency's (FEMA) Review of GAO Draft Report 10979, "Recovery Act: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions." (440889) Thank you for the opportunity to review and comment on the Government Accountability Office (GAO) draft report entitled, "RECOVERY ACT: FEMA Could Take Steps to Protect Sensitive Port Security Grant Details and Improve Recipient Reporting Instructions." This report included four recommendations. FEMA concurs with the four recommendations addressed to DHS. FEMA appreciates the opportunity to highlight current efforts that will not only comply with the recommendations, but will also improve our overall operational effectiveness.
The recommendations and FEMA's corrective actions to address the recommendations are described below.
Recommendation 1: Direct GPD's SSI Coordinator to review Recovery Act PSGP investment justifications in FEMA's possession and ensure that they are appropriately marked as SSI.
Response: Concur. FEMA will ensure that all grants are reviewed and have appropriate markings.
Recommendation 2: Direct GPD's SSI Coordinator, when developing and providing further SSI training to GPD staff, to incorporate FEMA-specific examples of the application and use of SSI in the training.
Response: Concur. FEMA believes that training goals are better fulfilled by providing relevance to those impacted by or those who impact the outcomes or actions of the subject of the training, and is moving beyond the standard training platform currently in place.
Recommendation 3: Direct FEMA's Assistant Administrator for GPD to develop, document, and approve a policy that reflects management's intent to implement internal controls governing FEMA's review process for Recovery Act recipient reports that includes appropriate internal controls and procedures both for comparing recipient reports against SSI criteria and notifying recipients when their submissions contain SSI.
Response: Concur. SSI is a matter that is broader than Recovery Act awards for FEMA. It was an important consideration before Recovery Act funds and will remain beyond this segment of funds. The FEMA Assistant Administrator for GPD has documented policies that reflect management's intentions and assurances relative to internal controls governing many of GPD's management and operational activities. The Recovery Act and the transparency requirements through new reporting portals introduced a new direction for both the Agency and the grantees.
In the wake of those new directions, we acknowledge the need to ensure that internal controls are applied consistently in FEMA's review process for Recovery Act recipient reports as well as in our grants management generally. GPD will take steps to ensure that internal controls related to ARRA are added to our existing policies. Recovery Act recipients self-report on Recovery.gov. It was understood by the agency as well as the grantee community that the intent of the Recovery Act reporting was for information to be posted on a public website. Staff reviewed the contents of the material and generally found that the grantees were reporting appropriate information. It was the lack of detail that initiated the inquiry into insufficient transparency. In the end, the report found no incidence of SSI information being publicly reported. We did find very limited cases in which grantees were overzealous in complying with the intentions of transparency. Staff asked if they might revise their submission in consideration of SSI.
Recommendation 4: Direct FEMA's Assistant Administrator for GPD to take appropriate measures--such as issuing technical assistance, supplemental materials, or OMB-approved guidance--to inform Recovery Act PSGP recipients of what information they should include in Recovery.gov's narrative fields to foster a basic understanding of funded activities and expected outcomes in a transparent manner while ensuring that SSI is not disclosed on Recovery.gov.
Response: Concur. It is important to note, as mentioned in the report, throughout the implementation of the Recovery Act transparency process that FEMA, through timely and diligent attention, has NOT permitted the release to the public any SSI with respect to the reviewed program. The ongoing reporting process will be enhanced through the implementation of the recommendations in this report.
FEMA is certain, the processes and training currently in place did, in fact, ensure that NO SSI was released to the public on FederalReporting.gov. Thank you for the opportunity to comment on this Draft Report. We look forward to working with you on future Homeland Security issues.
Sincerely, Signed by: Jerald E. Levine: Director: Departmental Audit Liaison Office:
[End of section]
Appendix II: GAO Contacts and Acknowledgments:
GAO Contacts: David C. Maurer, (202) 512-9627 or maurerd@gao.gov:
Acknowledgments: In addition to the contact named above, key contributors to this report were Joy Gambino, Assistant Director; Jill Evancho, Analyst-in-Charge; and Kathryn Crosby. Tom Beall assisted with design and methodology; Geoffrey Hamilton provided legal support; Katherine Siggerud, Yvonne Jones, and Susan Zimmerman contributed expertise in the Recovery Act; George Erhart and Richard Winsor helped with on-site record review; and Labony Chakraborty provided assistance in report preparation.
[End of section]
Footnotes:
[1] Pub. L. No. 111-5, 123 Stat. 115, 164 (2009).
[2] Recovery Act, div. A, title XV, § 1512, 123 Stat. 287-88.
[3] Id. at §§ 1523(b)(4), 1526.
[4] This guidance provides that, "in general, if a question arises about whether to provide public disclosure of information, agencies should promote transparency to the maximum extent practicable when consistent with national security interests." OMB, Memorandum for the Heads of Departments and Agencies: Initial Implementing Guidance for the American Recovery and Reinvestment Act of 2009, M-09-10 (Washington, D.C.: February 2009).
[5] Under federal regulations, SSI is, in general, information obtained or developed in the conduct of security activities, including research and development, the disclosure of which the Transportation Security Administration (TSA) has determined would, among other things, be detrimental to the security of transportation. See 49 C.F.R. § 1520.5.
[6] GAO, Recovery Act: Increasing the Public's Understanding of What Funds Are Being Spent on and What Outcomes Are Expected, [hyperlink, http://www.gao.gov/products/GAO-10-581] (Washington, D.C.: May 27, 2010).
[7] Pub. L. No. 111-5, 123 Stat. 115 (2009). 49 C.F.R. Part 1520. DHS, Sensitive Security Information (SSI), Management Directive 11056.1 (Washington, D.C.: November 2006).
[8] GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: November 2009). Internal control is an integral component of an organization's management that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations. These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982 (FMFIA), provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to FMFIA, the Office of Management and Budget issued Circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in Circular A-123 are based on the GAO Standards for Internal Control in the Federal Government.
[9] OMB, Memorandum for the Heads of Departments and Agencies: Initial Implementing Guidance for the American Recovery and Reinvestment Act of 2009, M-09-10 (Washington, D.C.: February 2009). OMB, Memorandum for the Heads of Departments and Agencies: Updated Implementing Guidance for the American Recovery and Reinvestment Act of 2009, M-09-15 (Washington, D.C.: April 2009). OMB, Memorandum for the Heads of Departments and Agencies: Implementing Guidance for the Reports on Use of Funds Pursuant to the American Recovery and Reinvestment Act of 2009, M-09-21 (Washington, D.C.: June 2009).
OMB, Memorandum for the Heads of Departments and Agencies: Updated Guidance on the American Recovery and Reinvestment Act - Data Quality, Non-Reporting Recipients, and Reporting of Job Estimates, M-10-08 (Washington, D.C.: December 2009). OMB, Memorandum for the Heads of Departments and Agencies: Updated Guidance for the American Recovery and Reinvestment Act, M-10-14 (Washington, D.C.: March 2010).
[10] While there are 218 total Recovery Act PSGP recipients, we found 214 Recovery Act PSGP recipient reports available on Recovery.gov as of February 10, 2010, when we took our sample. According to FEMA officials, reports from 2 of the remaining 4 recipients were not available at the time we took our sample because the recipients had experienced problems entering information in certain fields in Recovery.gov, and the other 2 recipients likely had similar problems.
[11] Pub. L. No. 107-295, 116 Stat. 2064, 2075-79 (2002).
[12] Prior to 2007, the PSGP was operated by a number of offices within the Department of Transportation and DHS.
[13] These are (1) enhancing "maritime domain awareness," which involves enhancements to intelligence sharing and analysis amongst law enforcement and government leaders; (2) enhancing prevention, protection, response, and recovery to improvised explosive devices and weapons of mass destruction; (3) supporting implementation of DHS' Transportation Worker Identification Credential (TWIC) program; and (4) completing construction or infrastructure improvement projects that align with existing port and vessel risk management and security plans.
[14] Access controls can include security measures such as pedestrian and vehicle gates, keypad access codes that use personal identification numbers, magnetic stripe cards and readers, fingerprint readers, or other biometric technology, turnstiles, locks and keys, and security personnel.
In general, under the TWIC program, maritime workers who require unescorted access to secure areas of MTSA-regulated port facilities and vessels must obtain a biometric TWIC credential to access such secure areas to help ensure appropriate security checks of such personnel.
[15] GPD was formally created on April 1, 2007, pursuant to the Post-Katrina Emergency Management Reform Act of 2006 (Pub. L. No. 109-295, 120 Stat. 1355, 1394 (2006)). GPD consolidated the grant business operations, systems, training, policy, and oversight of all FEMA grants and the program management of the suite of preparedness grants.
[16] In 2005, we reported that TSA lacked policies, procedures, and internal controls related to the identification and safeguarding of SSI. Following our report, DHS issued Management Directive 11056 in December 2005. See GAO, Transportation Security Administration: Clear Policies and Oversight Needed for Designation of Sensitive Security Information, GAO-05-677 (Washington, D.C.: June 2005). We also reported that DHS issued a revised management directive, Management Directive 11056.1, to address legislative requirements in the DHS Appropriations Act of 2007 and our 2005 recommendations. See GAO, Transportation Security Administration's Processes for Designating and Releasing Sensitive Security Information, GAO-08-232R (Washington, D.C.: November 2007).
[17] The regulatory definition of "covered person" includes, for example, DHS, each person who has access to SSI, owners and operators of MTSA-regulated vessels and facilities, and each person employed by, or contracted to, or acting for a covered person, including a grantee of DHS. See 49 C.F.R. § 1520.7. In general, under SSI regulations, access to SSI is to be provided only to those covered persons with a need to know.
The regulations establish the circumstances under which a person has a need to know SSI, such as when a person requires access to specific SSI to carry out transportation security activities approved, accepted, funded, recommended, or directed by DHS or the Department of Transportation.
[18] To mark paper information as SSI, a covered person must place a protective marking--Sensitive Security Information--conspicuously at the top of the outside of the front and back cover, the title page, and each page of the document. In addition, the covered person must also include a distribution limitation statement at the bottom of each page. The distribution limitation statement is: "WARNING: This record contains Sensitive Security Information that is controlled under 49 CFR parts 15 and 1520. No part of this record may be disclosed to persons without a 'need to know,' as defined in 49 CFR parts 15 and 1520, except with the written permission of the Administrator of the Transportation Security Administration or the Secretary of Transportation. Unauthorized release may result in civil penalty or other action. For U.S. government agencies, public disclosure is governed by 5 U.S.C. 552 and 49 CFR parts 15 and 1520."
[19] The required field "Award Description" asks recipients to describe in narrative form "the overall purpose, expected outputs, and outcomes or results of the award, including significant deliverables and, if appropriate, units of measure." See GAO-10-581.
[20] The Recovery Act created the Recovery Accountability and Transparency Board, which is composed of 12 Inspectors General from various federal agencies, who serve with a chairman of the board.
[21] Material omissions are defined as instances where required data are not reported or reported information is not otherwise responsive to the data requests resulting in a significant risk that the public is not fully informed as to the status of a Recovery Act project or activity.
Significant reporting errors are defined as those instances where required data are not reported and such erroneous reporting results in significant risks that the public will be misled or confused by the recipient report in question.
[22] DHS, Sensitive Security Information (SSI), Management Directive 11056.1. (Washington, D.C.: November 2006).
[23] GAO, Human Capital: A Guide for Assessing Strategic Training and Developing Efforts in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO-04-546G] (Washington, D.C.: March 2004).
[24] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1].
[25] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00.21.3.1].
[26] 49 C.F.R. §1520.9(a)(1).
[27] 49 C.F.R. §1520.17.
[28] TSA's SSI Branch is the focal point governmentwide for making assessments to determine if information is SSI.
[29] While federal agencies are required under OMB guidance to perform data quality reviews of recipient data before they are posted on Recovery.gov and notify recipients of the need to make appropriate and timely changes to erroneous reports, recipients are ultimately responsible for data quality checks and final submission of the data.
[30] One of the six PSGP recipients in our sample did not respond to our inquiries.
[31] [hyperlink, http://www.gao.gov/products/GAO-10-581].
[32] Office of Management and Budget, Memorandum for the Heads of Executive Departments and Agencies: Updated Guidance on the American Recovery and Reinvestment Act, M-10-14 (Washington, D.C.: March 2010).
[33] [hyperlink, http://www.gao.gov/products/GAO-10-581].
[End of section]
GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates."
Order by Phone: The price of each GAO publication reflects GAO's actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO's Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information.
To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548:
Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: