Summary
Established in March 2002, the Homeland Security Advisory System was designed to disseminate information on the risk of terrorist acts to federal agencies, states, localities, and the public. However, these entities have raised questions about the threat information they receive from the Department of Homeland Security (DHS) and the costs they incurred as a result of responding to heightened alerts. This report examines (1) the decision making process for changing the advisory system national threat level; (2) information sharing with federal agencies, states, and localities, including the applicability of risk communication principles; (3) protective measures federal agencies, states, and localities implemented during high (codeorange) alert periods; (4) costs federal agencies reported for those periods; and (5) state and local cost information collected by DHS.
DHS assigns threat levels for the entire nation and assesses threat conditions for geographic regions and industrial sectors based on analyses of threat information and vulnerability of potential terrorist targets. DHS has not yet officially documented its protocols for communicating threat level changes and related threat information to federal agencies and states. Such protocols could assist DHS to better manage these entities' expectations about the methods, timing, and content of information received from DHS. To ensure early, open, and comprehensive information dissemination and allow for informed decisionmaking, risk communication experts suggest that warnings should include (1) multiple communication methods, (2) timely notification, and (3) specific threat information and guidance on actions to take. Federal agencies and states responding to GAO's questionnaires sent to 28 federal agencies and 56 states and territories generally indicated that they did not receive specific threat information and guidance, which they believe hindered their ability to determine and implement protective measures. The majority of federal agencies reported operating at heightened security levels regardless of the threat level, and thus, did not need to implement a substantial number of additional measures to respond to code-orange alerts. States reported that they varied in their actions during code-orange alerts. The costs reported by federal agencies, states, and selected localities are imprecise and may be incomplete, but provide a general indication of costs that may have been incurred. Additional costs reported by federal agencies responding to GAO's questionnaire were generally less than 1 percent of the agencies' fiscal year 2003 homeland security funding. DHS collected information on costs incurred by states and localities for critical infrastructure protection during periods of code-orange alert. However, this information does not represent all additional costs incurred by these entities during the code-orange alert periods.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
William O. Jenkins Jr
Government Accountability Office: Homeland Security and Justice
No phone on record
Recommendations for Executive Action
Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Information Analysis and Infrastructure Protection to document communication protocols for notifying federal agencies and states of changes in the national threat level and for providing guidance and threat information to these entities, including methods and time periods for sharing information, to better manage these entities' expectations regarding the methods, timing, and content of information shared.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Implemented
Comments: In June 2004, we reported on several aspects of the Homeland Security Advisory System that was established to disseminate information regarding the risk of terrorist acts to federal agencies, states and localities, and the public utilizing five color-coded threat levels. At that time, we reported, among other things, that the Department of Homeland Security (DHS) had not yet officially documented its protocols for communicating threat level changes and related threat information to federal agencies and states. As a result, we recommended that DHS document communication protocols for notifying federal agencies and states of changes in the national threat level and for providing guidance and threat information to these entities, including methods and time periods for sharing information, to better manage these entities' expectations regarding the methods, timing, and content of information shared. In February of 2007, DHS issued guidance that documents the procedures its staff are to follow in notifying federal agencies, states, and others when changes occur in the national threat level including roles and responsibilities associated with these notifications and the methods by which agencies, states, and others are to be notified. This guidance specifically discusses the text of the announcement to be included in the notification, such as when the change is effective, the sectors or geographic area impacted, the rationale for the change (e.g., intelligence or open-source threat), and any special guidance or recommended actions for the entity to take in response to the change. As a result, DHS is better positioned to
Recommendation: The Secretary of Homeland Security should direct the Under Secretary for Information Analysis and Infrastructure Protection to incorporate risk communication principles into the Homeland Security Advisory System to assist in determining and documenting information to provide to federal agencies and states, including, to the extent possible, information on the nature, location, and time periods of threats and guidance on protective measures to take in response to those threats.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Implemented
Comments: In June 2004, we reported on several aspects of the Homeland Security Advisory System that was established to disseminate information regarding the risk of terrorist acts to federal agencies, states and localities, and the public utilizing five color-coded threat levels. At that time, we reported, among other things, that federal agencies and states and territories generally indicated that they did not receive specific threat information and guidance on actions to take when the national threat level was raised from code yellow (that is, an elevated or significant risk of terrorist attacks) to code orange (that is, a high risk of terrorist attacks). As a result, we recommended that the Department of Homeland Security (DHS) incorporate risk communication principles into the Homeland Security Advisory System to assist in determining and documenting information to provide to federal agencies and states, including, to the extent possible, information on the nature, location, and time periods of threats and guidance on protective measures to take in response to those threats. Since our report was issued, DHS has provided more specific warnings by both sector and location and provided additional guidance. For example, in August 2004, DHS raised the threat level from code yellow to code orange for the financial services sectors in New York City, Northern New Jersey, and Washington, D.C. and suggested protective measures for personnel at the affected locations. Similarly, in July 2005, DHS raised the threat level from code yellow to code orange for mass transit in the transportation sector and requested that state and local leaders as well as transportation officials enhance their protective measures, such as adding perimeter barriers and increased video surveillance. In August 2006, DHS raised the threat level from code yellow to code red (that is, a severe risk of terrorist attacks) for flights originating in the United Kingdom bound for the United States, and from code yellow to code orange for all commercial aviation operating in or destined for the United States. Thus, DHS has taken action to incorporate risk communication principles into the Homeland Security Advisory System to assist those impacted by threat level changes in taking appropriate action to prepare for and respond to terrorist attacks.
