This is the accessible text file for GAO report number GAO-05-170 entitled 'Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention' which was released on February 16, 2005. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: January 2005: Homeland Security: Process for Reporting Lessons Learned from Seaport Exercises Needs Further Attention: GAO-05-170: GAO Highlights: Highlights of GAO-05-170, a report to congressional requesters Why GAO Did This Study: Seaports are a critical vulnerability in the nation’s defense against terrorism. They are potential entry points for bombs or other devices smuggled into cargo ships and ports’ often-sprawling nature presents many potential targets for attack. To assess the response procedures that would be implemented in an attack or security incident, officials conduct port-specific exercises. Many federal, state, and local agencies may potentially be involved. The Coast Guard has primary responsibility for coordinating these exercises and analyzing the results. GAO examined (1) the emerging framework for coordinating entities involved in security responses, (2) legal and operational issues emerging from exercises conducted to date, and (3) Coast Guard management of reports analyzing exercises. GAO reviewed reports on 82 exercises from fiscal year 2004 and observed 4 exercises as they were being conducted. What GAO Found: The framework under which federal agencies would manage a port- terrorism incident is still evolving. The primary guidance for response, the National Response Plan, is in the final stages of approval, and the National Incident Management System, the structure for multiagency coordination, is still being put in place. As a result, it is too early to determine how well the complete framework will function in an actual incident. GAO’s review of fiscal year 2004 terrorism-related reports and exercises identified relatively few legal issues, and none of these issues produced recommendations for statutory changes. Most issues have instead been operational in nature and have surfaced in nearly every exercise. They are of four main types: difficulties in sharing or accessing information, inadequate coordination of resources, difficulties in coordinating effectively in a command and control environment, and lack of knowledge about who has jurisdictional or decision-making authority. Reports on the exercises often do not meet the Coast Guard’s standards for timeliness or completeness. Sixty-one percent of the reports were not submitted within 60 days of completing the exercise—the Coast Guard standard. The Coast Guard has implemented a new system for tracking the reports, but after a year of use, timeliness remains a concern. The Coast Guard has requirements for what the reports should contain, but 18 percent of the reports did not meet the requirement to assess each objective of the exercise. The Coast Guard has cited several planned actions that may allow for improving completeness. These actions are still in development, and it is too early to determine how much they will help. Port Terrorism Exercise Conducted at the Port of Los Angeles/Long Beach: [See PDF for image] [End of figure] What GAO Recommends: To help ensure reports on terrorism-related exercises are submitted in a timely manner that complies with all Coast Guard requirements, the Commandant of the Coast Guard should review the Coast Guard’s actions for ensuring timeliness and determine if further actions are needed. The Coast Guard generally concurred with GAO’s findings and this recommendation. www.gao.gov/cgi-bin/getrpt?GAO-05-170. To view the full product, including the scope and methodology, click on the link above. For more information, contact Margaret Wrightson at (415) 904-2200 or WrightsonM@gao.gov. [End of section] Contents: Letter: Background: Results: Conclusions: Recommendation for Executive Action: Agency Comments: Appendix I: Briefing on Legal and Operational Issues Identified from U.S. Port Terrorism Exercises: Appendix II: Objectives, Scope, and Methodology: Abbreviations: AAR: after-action reports: CGCoast Guard: CONPLAN: Interagency Domestic Concept of Operations Plan: CPS: Contingency Preparedness System: DHS: Department of Homeland Security: DOD: Department of Defense: DOJ: Department of Justice: FAA: Federal Aviation Administration: FEMA: Federal Emergency Management Agency: FBI: Federal Bureau of Investigation: FRERP: Federal Radiological Emergency Response Plan: FRP: Federal Response Plan: HSPD-5: Homeland Security Presidential Directive-5: ICS: Incident Command Structure: INRP: Initial National Response Plan: NCP: National Contingency Plan: NIMS: National Incident Management System: NRP: National Response Plan: United States Government Accountability Office: Washington, DC 20548: January 14, 2005: The Honorable Bennie G. Thompson: Ranking Minority Member: Committee on Homeland Security: House of Representatives: The Honorable Robert E. Andrews: House of Representatives: Seaports have emerged as a critical vulnerability in the nation's defense against terrorism. More than 95 percent of the nation's overseas trade passes through these ports, and the nation's economy is highly dependent on an efficient transfer of goods flowing into and out of these gateways. Seaports are vulnerable entry points for bombs or other devices smuggled into cargo ships, and ports' often-sprawling nature presents many potential targets for attack. But, the repercussions of such an attack go far beyond the port immediately affected; an attack at one port could disrupt the broader flow of goods, creating economic consequences in the billions of dollars. In the wake of the terrorist attacks of September 11, 2001, law enforcement and other agencies have become more aware of the threats to America's strategic targets and have taken steps to make ports more secure. To assess coordination and response procedures that would be implemented in the event of a terrorist attack, officials in U.S. ports have conducted exercises that simulate a potential threat, attack, or incident. These exercises have addressed such scenarios as the explosion of a "dirty bomb" that releases radioactive materials, threats of an approaching ship that may have a bomb or other hazardous material aboard, or disruptive attacks on critical infrastructure or specific facilities within a port. In fiscal year 2004, the United States Coast Guard, which is the Department of Homeland Security agency with primary responsibility for port security, conducted 85 port-based terrorism exercises. Responding effectively in such exercise scenarios can be difficult. Depending on the nature of the incident and the particular port involved, dozens of federal, state, and local agencies may be involved. The incident may also require close coordination across many jurisdictions, raising issues about who has authority or how agency personnel can communicate effectively when they have different chains of command, operating procedures, and equipment. After these exercises are conducted, the Coast Guard requires that the unit participating in the exercise submit an "after-action" report describing the results and highlighting any lessons learned. These reports are approved for content and lessons learned by the commanding officer of that unit. Upon approval, each report is electronically transmitted to Coast Guard headquarters for inclusion in a master exercise database. Analysis of these reports presents an opportunity to identify potential barriers to an effective response during an actual threat or incident. These reports can also provide valuable input for future exercises conducted by the Coast Guard or other agencies. You asked that we examine what has been learned to date in the nation's attempts to use such exercises to coordinate effective port security procedures. Our specific objectives were to (1) describe the emerging framework under which the federal government coordinates with state and local entities to address a terrorist incident in a U.S. port; (2) identify the issues, if any, regarding federal agencies' legal authority that have emerged from port security exercises and what statutory actions might address them; (3) describe the types of operational issues being identified through these exercises; and (4) identify any management issues related to Coast Guard-developed after- action reports. On December 8, 2004, we briefed your offices on the results of our work. Appendix I contains the briefing slides we presented at that meeting.[Footnote 1] Our description of the emerging framework for coordinating an effective response to a terrorist incident is based on our review of statutes, regulations, directives, plans, and agency guidance, as well as interviews with officials from various agencies at the federal, state, and local levels. Our analysis of statutory and operational issues arising from exercises is based on a review of 82 Coast Guard after- action reports on terrorism-related exercises conducted at U.S. ports in fiscal year 2004.[Footnote 2] In addition, to obtain a more in-depth understanding of exercise issues, we attended four exercises at various locations around the country. Our evaluation of management issues related to Coast Guard after-action reports included interviews with officials at Coast Guard headquarters and in the field, analysis of Coast Guard and Department of Homeland Security guidance, and reliance on our prior work related to managing and evaluating exercises. While our audit work allowed us to review a large number of exercises for potential legal and operational issues, our analysis is limited to the degree that, (1) for most exercises, we had to rely on Coast-Guard- developed after-action reports rather than direct observation and (2) the scope of the exercises themselves was designed around specific plan elements and subject to resource constraints. Appendix II describes our scope and methodology in more detail. We conducted our work from June to December 2004 in accordance with generally accepted government auditing standards. Background: On November 25, 2002, the President signed into law the Homeland Security Act,[Footnote 3] which created the new federal Department of Homeland Security, and the Maritime Transportation Security Act,[Footnote 4] which created a consistent security program specifically for the nation's seaports. Since that time, and in keeping with the provisions of these new laws, the federal government has been developing a variety of new national policies and procedures for improving the nation's response to domestic emergencies. These policies and procedures are designed to work together to provide a cohesive framework for preparing for, responding to, and recovering from domestic incidents. A key element of this new response framework is the use of exercises to test and evaluate federal agencies' policies and procedures, response capabilities, and skill levels. The Coast Guard has primary responsibility for such testing and evaluation in the nation's ports and waterways, and as part of its response, it has added multiagency and multicontingency terrorism exercises to its training program. These exercises vary in size and scope and are designed to test specific aspects of the Coast Guard's terrorism response plans, such as communicating with state and local responders, raising maritime security levels, or responding to incidents within the port. For each exercise the Coast Guard conducts, an after-action report detailing the objectives, participants, and lessons learned must be produced within 60 days. Results: Coordination Framework Is Still Evolving: The framework under which federal agencies would coordinate with state and local entities to manage a port-terrorism incident is still evolving. As directed by Homeland Security Presidential Directive/HSPD- 5, issued in February 2003, this framework is designed to address all types of responses to national emergencies, not just port-related events. Key elements of the framework have been released over the past 2 years. For example, the Department of Homeland Security released the Interim National Response Plan in September 2003 and was in the final approval stage for a more comprehensive National Response Plan in November 2004, as our work was drawing to a close. DHS announced the completion of the National Response Plan on January 6, 2005, too late for a substantive review to be included in this report. However, the finalized plan is designed to be the primary operational guidance for incident management and, when fully implemented, will incorporate or supersede existing federal interagency response plans. According to the updated implementation schedule in the National Response Plan, federal agencies will have up to 120 days to bring their existing plans, protocols, and training into accordance with the new plan. In March 2004, the department also put in place a system, called the National Incident Management System, which requires common principles, structures, and terminology for incident management and multiagency coordination. Although the framework that will be brought about by the final plan, the management system, and other actions is still in the implementation phase, some of the protocols and procedures contained in this framework were already evident at the port exercises we observed. However, it is still too early to determine how well the complete framework will function in coordinating an effective response to a port-related threat or incident. Exercises Identified Few Legal Issues: Port security exercises have identified relatively few issues related to federal agencies' legal authority, and none of these issues were statutory problems according to exercise participants and agency officials. Our review of fiscal year 2004 after-action reports and observation of specific exercises showed that exercise participants encountered seven legal issues, but exercise participants and agency officials we interviewed did not recommend statutory changes to address these issues. In three instances, exercise participants made nonstatutory recommendations (such as policy clarifications) to assist agencies in better exercising their authority, but did not question the adequacy of that authority. In the other four instances, no recommendations were made either because statutory authority was deemed sufficient or, in one case, because the issue involved a constitutional restraint (i.e., under the Fourth Amendment, police are prohibited from detaining passengers not suspected of terrorism). While the exercises were conducted to examine a wide range of issues and not specifically to identify gaps in agencies' legal authority, the results of the exercises are consistent with the information provided by agency officials we interviewed, who indicated that sufficient statutory authority exists to respond to a terrorist attack at a seaport. Moreover, when Department of Homeland Security officials reviewed the issue of statutory authority, as required by Homeland Security Presidential Directive/HSPD-5, they concluded that federal agencies had sufficient authority to implement the National Response Plan and that any implementation issues could be addressed by nonstatutory means, such as better coordination mechanisms. Exercises Identified Four Main Types of Operational Issues: Most of the issues identified in port security exercises have been operational rather than legal in nature. Such issues appeared in most after-action reports we reviewed and in all four of the exercises we observed. While such issues are indications that improvements are needed, it should be pointed out that the primary purpose of the exercises is to identify matters that need attention and that surfacing problems is therefore a desirable outcome, not an undesirable one. The operational issues can be divided into four main categories, listed in descending order of frequency with which they were reported: * Communication--59 percent of the exercises raised communication issues, including problems with interoperable radio communications among first responders, failure to adequately share information across agency lines, and difficulties in accessing classified information when needed. * Adequacy or coordination of resources--54 percent of the exercises raised concerns with the adequacy or coordination of resources, including inadequate facilities or equipment, differing response procedures or levels of acceptable risk exposure, and the need for additional training in joint agency response. * Ability of participants to coordinate effectively in a command and control environment--41 percent of the exercises raised concerns related to command and control, most notably a lack of knowledge or training in the incident command structure. * Lack of knowledge about who has jurisdictional or decision-making authority--28 percent of the exercises raised concerns with participants' knowledge about who has jurisdiction or decision-making authority. For example, agency personnel were sometimes unclear about who had the proper authority to raise security levels, board vessels, or detain passengers. After-Action Reports Show Problems Related to Timeliness and Completeness: Our review of the Coast Guard's fiscal year 2004 after-action reports from port terrorism exercises identified problems with timeliness in completing the reports and limitations in the information they contained. Specifically, * Timeliness: Coast Guard guidance states that after-action reports are an extremely important part of the exercise program, and the guidance requires that such reports be submitted to the after-action report database (Contingency Preparedness System) within 60 days of completing the exercise. However, current practice falls short: 61 percent of the 85 after-action reports were not submitted within this 60-day time frame. Late reports were submitted, on average, 61 days past the due date. Exercises with late reports include large full-scale exercises designed to identify major interagency coordination and response capabilities. Not meeting the 60-day requirement can lessen the usefulness of these reports. Coast Guard guidance notes, and officials confirm, that exercise planners should regularly review past after- action reports when planning and designing future exercises, and to the extent that reports are unavailable, such review cannot be done. In previous reviews of exercises conducted by the Coast Guard and others, we found that timely after-action reports were necessary to help ensure that potential lessons can be learned and applied after each counterterrorism exercise.[Footnote 5] The main problem in producing reports on a more timely basis appeared to be one of competing priorities: Coast Guard field personnel indicated that other workload priorities were an impediment to completing reports, but most of them also said 60 days is a sufficient amount of time to develop and submit an after-action report. Officials cited the development of the Contingency Preparedness System, which is the program for managing exercises and after-action reports, as a step allowing for a renewed emphasis on timeliness. Headquarters planning staff are able to run reports using this system and regularly notify key Coast Guard officials of overdue after-action reports. However, this system was implemented more than 1 year ago, in August 2003, and was, therefore, in place during the period in which we found a majority of after-action reports were late. We did not compare our results with timeliness figures for earlier periods, and we, therefore, do not know the extent to which the system may have helped reduce the number of reports that are submitted late. Even if the new system has produced improvement, however, the overall record is still not in keeping with the Coast Guard's 60-day requirement. * Content and quality: Coast Guard guidance also contains criteria for the information that should be included in an after-action report. These criteria, which are consistent with standards identified in our prior work,[Footnote 6] include listing each exercise objective and providing an assessment of how well each objective was met. However, 18 percent of the after-action reports we reviewed either did not provide such an objective-by-objective assessment or identified no issues that emerged from the exercise. While the scope of each exercise may contribute to a limited number of issues being raised, our past reviews found that after-action reports need to accurately capture all exercise results and lessons learned; otherwise, agencies may not be benefiting fully from exercises in which they participate. Similarly, officials at the Department of Defense, which like the Coast Guard conducts a variety of exercises as part of its training, said that if their after- action reports lack sufficient fundamental content, they cannot be used effectively to plan exercises and make necessary revisions to programs and protocols. Our review indicated that, in addition to the pressure of other workload demands, two additional factors may be contributing to limitations in report content and quality--current review procedures and a lack of training for planners. Headquarters planning officials noted that local commands have primary responsibility for reviewing after-action reports and that limited criteria exist at headquarters for evaluating the content of reports submitted by these commands. At the field level, many planners with whom we spoke said they were unaware of any written documentation or exercise-planning guidance they could refer to when developing an after-action report. The Coast Guard has cited several planned actions that may allow for improved content and quality in after-action reports. These actions include updating exercise management guidance and promulgating new instructions related to preparing after-action reports and collecting lessons learned. While these initiatives may address issues of content and quality in after-action reports, they are currently still in the development phase. Conclusions: A successful response to a terrorist threat or incident in a seaport environment clearly requires the effective cooperation and coordination of numerous federal, state, local, and private entities--issues that exercises and after-action reports are intended to identify. Complete and timely analyses of these exercises represent an important opportunity to identify and correct barriers to a successful response. The Coast Guard's inability to consistently report on these exercises in a timely and complete manner represents a lost opportunity to share potentially valuable information across the organization. The Coast Guard's existing requirements, which include submitting these reports within 60 days and assessing how well each objective has been met, appear reasonable but are not being consistently met. Coast Guard officials cited a new management system as their main effort to making reports more timely, but this system has been in place for more than a year, and timeliness remains a problem. It is important for Coast Guard officials to examine this situation to determine if more needs to be done to meet the standard. The Coast Guard has several other steps under development to address issues of report content and completeness, and it is too early to assess the effect these actions will have. For this set of actions, it will be important for the Coast Guard to monitor the situation to help ensure that exercises can achieve their full and stated purpose. Recommendation for Executive Action: To help ensure that reports on terrorism-related exercises are submitted in a timely manner that complies with all Coast Guard requirements, we are making one recommendation, that the Commandant of the Coast Guard review the Coast Guard's actions for ensuring timeliness and determine if further actions are needed. Agency Comments: We provided DHS, DOJ, and DOD with a draft of this report for review and comment. The Coast Guard generally concurred with our findings and recommendation and did not provide any formal comments for inclusion in the final report. DOJ and DOD also did not have any official comments. DOD provided two technical clarifications, which we have incorporated to ensure the accuracy of our report. As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days from its issue date. At that time, we will send copies of this report to the Secretary of Homeland Security, the Commandant of the Coast Guard, appropriate congressional committees, and other interested parties. The report will also be available at no charge on GAO's Web site at http://www.gao.gov. If you or your staffs have any questions about this report, please contact me at (415) 904-2200 or by email at wrightsonm@gao.gov, or Steve Caldwell, Assistant Director, at (202) 512-9610 or by email at caldwells@gao.gov, or Steve Calvo, Assistant Director, at (206) 287- 4839 or by email at calvos@gao.gov. Other key contributors to this report were Christine Davis, Wesley Dunn, Michele Fejfar, Lynn Gibson, Dawn Hoff, David Hudson, Dan Klabunde, Ryan Lambert, and Stan Stenersen. Signed by: Margaret T. Wrightson: Director, Homeland Security and Justice Issues: [End of section] Appendix I: Briefing on Legal and Operational Issues Identified from U.S. Port Terrorism Exercises: Review of Legal and Operational Issues Identified from U.S. Port Terrorism Exercises: Briefing to Congressional Requesters: Select Committee on Homeland Security: House of Representatives: Port terrorism exercise at the port of Los Angeles: [See PDF for image] Source: GAO. [End of figure] Overview: Introduction: Objectives, Scope, and Methodology: Background: Evolving National Response Framework: Legal Issues Arising at Exercises: Operational Issues Arising at Exercises: Coast Guard Management of After-Action Reports: Summary of Preliminary Findings: Introduction: The Homeland Security Act of 2002 and Homeland Security Presidential Directive-5 (HSPD-5) set forth a comprehensive approach for ensuring that all levels of government can work together to prevent, prepare for, respond to, and recover from domestic incidents. Constructing this framework is a difficult and complicated task because * so many agencies and jurisdictions are involved, * potential incidents are numerous and difficult to predict, and: * the procedures under which these agencies would respond are evolving: Because U.S. ports are considered key potential terrorist targets, simulated attacks and other exercises designed to assess coordination and response have been conducted at many U.S. ports. Department of Homeland Security (DHS) and other federal, state, and local agencies have participated in these exercises. Objectives, Scope, and Methodology: Objectives: 1. Describe the emerging framework under which the federal government coordinates with state and local entities to address a terrorist incident in a U.S. port. 2. Identify the issues, if any, regarding federal agencies' legal authority that emerged from port security exercises and what statutory actions might address them. 3. Describe the types of operational issues being identified through these exercises. 4. Identify any management issues related to Coast Guard-developed after-action reports. Port terrorism exercise at the port of Los Angeles: [See PDF for image] Source: GAO. [End of figure] Scope and Methodology: * Reviewed relevant statutes, regulations, directives, plans and agency guidance. * Interviewed a variety of federal, state, and local officials. * Reviewed Coast Guard after-action reports (AARs) on terrorism-related exercises conducted at U.S. ports in FY 2004. * Participated as observers at four terrorism-related exercises: Hampton Roads, Va; Los Angeles/Long Beach, Calif; Charleston, S.C; and Philadelphia, Pa. Limitations: * Reviewed only Coast Guard-developed AARs. * Exercise sample may have limited the number of operational and legal issues identified. * Exercises are typically designed to test specific plan elements, not all potential elements. * Resource issues may affect exercise results, a less likely constraint for real-world response. * We did not independently assess the need for legislation by auditing the specific issues identified in the exercises, but generally relied upon the agency's position as to whether legislation was necessary. Background: Executive Branch Direction for New Response Framework: Since the passage of the Homeland Security Act of 2002, considerable attention has been focused on developing systems and processes that provide a consistent nationwide framework for responding to and recovering from acts of terrorism. To this end, the Homeland Security Act, as implemented through HSPD-5, requires DHS to: * Implement a National Incident Management System (NIMS). * Consolidate existing federal emergency response plans into a single coordinated National Response Plan (NRP). * Review federal agencies' authorities and recommend to the President revisions needed to fully implement the NRP. These efforts are designed to replace or harmonize existing authorities and plans to ensure that all levels of government can work efficiently and effectively together to prepare for, respond to, and recover from domestic incidents, including terrorist events. Background: Other Acts That Potentially Affect the National Response Framework: Maritime Transportation Security Act of 2002: * Mandates Maritime Transportation Security Plans at all levels. * National, port areas, and certain port facilities and vessels. * Plans include detecting, deterring, and responding to threats and incidents. Stafford Disaster Relief Act: * Authorizes the President to issue disaster or emergency declarations to provide federal aid. Posse Comitatus Act: * Does not apply to military operations at home or abroad. * Applies to civilian law enforcement operations such as searches, seizures, and arrests, which federal military troops may not undertake unless "expressly authorized by the Constitution or Act of Congress." Maritime Safety and Security Team at the port of Los Angeles: [See PDF for image] Source: GAO. [End of figure] * Emergency exception to protect life and property. * Exceptions to assist in the enforcement of certain laws against drugs, terrorism, and Weapons of Mass Destruction (monitoring vessels, aerial reconnaissance, and chemical-biological-nuclear disposal). Objective 1: Evolving National Response Framework Existing Federal Interagency Response Plans: Federal Response Plan (FRP): * FEMA-developed plan that coordinates delivery of federal assistance and resources during a presidentially declared disaster or emergency. The Interagency Domestic Terrorism Concept of Operations Plan (CONPLAN): * Outlines an organized and unified capability for a timely, coordinated federal agency response to a terrorist threat or act (agencies: Defense, Energy, EPA, FEMA, HHS, and DOJ). Federal Radiological Emergency Response Plan (FRERP): * Allows federal agencies to carry out their responsibilities during peacetime radiological emergencies, (agencies: Energy, Defense, EPA, Nuclear Regulatory Commission). National Contingency Plan (NCP): * Coordinates Coast Guard and EPA response to an oil spill or hazardous material release, as well as implements additional requirements mandated in the Comprehensive Environmental Response, Compensation, and Liability Act of 1980 and the Oil Pollution Act of 1990. These plans will be superseded or incorporated into the National Response Plan: Evolving National Response Framework Key Milestones to Date: September 2003: Initial National Response Plan (INRP): * Bridging document to full NRP that harmonizes existing operational processes, procedures, and protocols: * Introduces organizational elements that integrate DHS into the national interagency response: March 2004: National Incident Management System (NIMS): * Standardizes process and procedures for incident management utilizing a core set of concepts, principles, and terminology for incident command and multiagency coordination: * Incident management activites coordinated by a unified command that represents governmental and nongovernmental entities with incident management responsibilities. June 2004: Draft National Response Plan: * Supersedes or incorporates existing interagency plans into a single coordinated response: * Consists of an overarching base plan that can be supplemented by annexes specific to the type of support needed for a particular incident (e.g., Terrorism Annex, Mass Care Annex, Public Affairs Annex): Source. GAO. [End of figure] Objective 1: Evolving National Response Framework Status of Final NRP and DHS Statutory Review: HSPD-5 does not establish a deadline for issuing the final NRP. DHS informed us that the final NRP is complete, but is awaiting approval by the Homeland Security Council. Federal, state, and local entities used NIMS in the exercises, but use of the draft NRP was not evident. * Once completed, the NRP will be implemented in a phased approach, under which federal agencies will have up to 180 days to modify existing plans, protocols, and training to align with the NRP. HSPD-5 required DHS to review federal agencies' authorities by September 1, 2003, and recommend to the President revisions needed to fully implement the NRP. The HSPD-5 statutory review is complete according to DHS officials and was forwarded to the DHS Secretary for review. Objective 2: Legal Issues Arising at Exercises Review of After-Action Reports: * No statutory issues surfaced in our review of 82 AARs. * While the AARs disclosed four issues of a legal nature, statutory changes were not recommended for these issues. Issue: During a tabletop exercise simulating an explosive threat aboard a cruise ship, Federal Bureau of Investigation (FBI) officials questioned whether they had authority to detain passengers after evacuating the ship to question them as potential suspects. Action recommended by participants: Exercise participants acknowledged that the FBI could not detain passengers as suspects unless it possessed sufficient information implicating them. This is a matter of constitutional criminal procedure, not a statutory issue. Issue: When personnel from several different agencies boarded a cruise ship during a simulated terrorist incident, they found they had different rules of engagement, leading to confusion and delay in responding properly. Action recommended by participants: Participants recommended that problems be solved through interagency memorandums of understanding. Issue: Officials conducting a portwide exercise found that security plans for particular facilities and vessels were not necessarily in concert with the Area Maritime Security Plan. While the Maritime Transportation Security Act requires integration of these plans, the implementing regulations provide no mechanism for resolving conflicts between the lower plans and the Area Maritime Security Plan. Action recommended by participants: Participants recommended resolving the issue through regulation or policy change. Issue: During an exercise, the Coast Guard found the Area Maritime Security Plan contained no procedure for the Captain of the Port to raise the MARSEC security level in only one port, as allowed by regulation. The standard procedure in the Command Center was to raise the MARSEC level across a wider area. This caused serious and unnecessary disruptions, according to officials. Action recommended by participants: Participants recommended that the Coast Guard issue a policy clarification consistent with the Coast Guard's regulatory authority. Source: GAO. [End of table] Objective 2: Legal Issues Arising at Exercises GAO Exercise Observations: During observations of four exercises, three possible legal issues surfaced, but officials interviewed during our follow up did not recommend statutory changes for these issues. Issue: During an exercise involving a bioterror attack aboard ship, a question arose as to whether the attack would qualify for federal disaster relief assistance under the Stafford Act. Result of GAO follow-up: Such an attack appears eligible for a presidential emergency declaration but not necessarily for a disaster declaration under the Stafford Act unless the attack results in a "fire, flood, or explosion." 42 U.S.C. 5122(2). While emergency assistance is more limited than disaster assistance, officials from FEMA and DHS believe the Stafford Act provides sufficient authority to meet state needs without amendment. Issue: When people were quarantined during a bioterror exercise, an agency participant asked about the proper procedure and legal that authority for dealing with anyone who tried to escape the quarantine. Result of GAO follow-up: Our follow-up with senior Department of Justice officials indicated federal and state statutes are in place that would enable police to enforce a quarantine. Issue: During a chemical attack exercise, the Unified Command for the incident questioned whether the Posse Comitatus Act (PCA) might prevent the Department of Defense (DOD) from enforcing FAA-restricted airspace above the vessel. Result of GAO follow-up: DOD agreed to enforce the no-fly zone shortly after receiving the request. DOD officials we interviewed said that they saw no statutory barrier to enforcement. They said that a no-fly zone could be enforced against threat aircraft as part of the military air defense of the United States or in defense of the military forces nearby, without raising a Posse Comitatus Act issue. Source: GAO. [End of table] Objective 2: Legal Issues Arising at Exercises Comments from Key Agencies: Interviews with agency legal officials have not revealed concerns about the adequacy of their agencies' legal authority. * Coast Guard officials told us that the Coast Guard and Maritime Transportation Act of 2004 (Pub.L.108-293), enacted in August 2004, contained provisions that would alleviate prior concerns about the Coast Guard's shoreside authority and its authority to seize property as well as people. * Senior Department of Justice officials told us their current legal authority is adequate to effectively respond to a terrorist event. * In March 2003 congressional testimony, the Commander of U.S. Northern Command stated, "We believe the [Posse Comitatus] Act, as amended, provides the authority we need to do our job, and no modification is needed at this time." Department of Defense officials told us that they are not aware of any change in the position that the Posse Comitatus Act does not prevent the Department of Defense from doing its job, and that no modification is needed at this time. * Department of Homeland Security legal officials told us that the agency's HSPD-5 review of federal statutory authorities is complete and that federal agencies (including DHS) have sufficient statutory authority to fully implement the NRP. Objective 3: Operational Issues Arising at Exercises Review of After-Action Reports: Operational issues fall into four categories: Type of issue: Communication; Percentage of after-action reports raising issues (82 reports reviewed): 58.5: Type of issue: Command and control/incident command structure: Percentage of after-action reports raising issues (82 reports reviewed): 41.46: Type of issue: Unclear decision making/jurisdictional knowledge: Percentage of after-action reports raising issues (82 reports reviewed): 28: Type of issue: Resource coordination/capabilities: Percentage of after-action reports raising issues (82 reports reviewed): 3.6: Note: The same categories of operational issues were also identified at the four port security exercises we attended. Source: GAO. [End of table] Objective 3: Operational Issues Arising at Exercises: Examples from After-Action Reports and GAO Observations: Communication: * Radio equipment interoperability problems. * Formal protocols needed to improve notifications, radio usage, information sharing. * Key personnel did not always have security clearances needed to access classified information. Command and Control/Incident Command Structure (ICS): * Additional NIMS/ICS training needed. * Improved information flow required between Unified Command and section chiefs. Unclear Decision Making/Jurisdictional Knowledge: * Anchoring and vessel boarding decisions were sometimes in conflict among agencies. * Lack of knowledge of other agencies' jurisdictions and/or authorities. Resource Coordination/Capabilities: * Inadequate facilities, equipment, training, or resources. * Different rules of engagement or levels of acceptable risk exposure among agencies. * Additional training and protocols needed for joint agency operations. * Confusion over procedures to request resources or inadequate involvement of potential resources (e.g., access to the Strategic Stockpile, cruise ship companies, or terminal operators). Objective 4: Coast Guard Management of AARs Reports Are Submitted Late: Guidance and experience stress timely reporting as key to AAR usefulness. * Coast Guard guidance: requires that AARs be submitted within 60 days of exercise completion. Guidance notes that AARs are an extremely important part of the exercise program and are the means by which deficiencies are brought to the attention of senior managers. Guidance also states, and officials confirm, that the review of previous AARs is standard planning doctrine when designing an exercise. Untimely AARs may serve as an impediment to conducting such reviews. * Past GAO work: GAO's analysis of past exercises reported on the importance of producing timely AARs: "To ensure that individual agencies learn lessons after each federal counterterrorism exercise, special event, or operation, agencies should prepare a timely AAR or other evaluation that documents the results." [NOTE 1] * Department of Defense perspective: senior exercise planners said that untimely AARs can negatively impact the effectiveness of exercises because (1) the agency may miss funding opportunities to correct deficiencies (2) information may not be available for incorporation into future exercises (a standard DOD practice to determine what objectives need to be evaluated or reevaluated). Current Coast Guard practice falls short of meeting standards: 61 percent of terrorism-related AARs for fiscal year 2004 were late. Although Coast Guard field personnel cited operational priorities, planning resources, and workload as the primary impediments to completing timely reports, they generally said that 60 days is enough time to develop and submit an AAR. Objective 4: Coast Guard Management of AARs Report Content and Quality Need Attention: Guidance and experience stress producing AARs that fully assess training objectives and document deficiencies. * Coast Guard guidance: calls for exercises to be designed to expose weaknesses in plans and procedures and highlight resource and training deficiencies. Minimum requirements for AARs include documentation of each supporting objective and an assessment of how well each objective was met. * Past GAO work: when AARs do not accurately capture exercise results and lessons learned, agencies may not be benefiting fully from exercises in which they participate. * DOD perspective: DOD officials said AARs that did not provide fundamental content cannot be used effectively to plan exercises and make necessary revisions to programs and protocols. They also noted that new operational missions may require an additional emphasis on exercise planning and after-action reporting. Assessment of exercises may not be sufficient: 18 percent of AARs we reviewed identified no issues or did not provide adequate assessment of training objectives. Review procedures and training for planners may be insufficient in this area. * Headquarters planning officials noted that the primary review of all AARs resides solely at the local command level. Although all submitted AARs are reviewed "for general approval" by headquarters officials, they said that this review uses limited criteria (grounds for rejection include use of inappropriate language or participants' names). * Many Coast Guard field personnel we interviewed said they were unaware of any written documentation or exercise planning guidance they could refer to when developing an AAR. Objective 4: coast Guard Management of AARs: Internal Coast Guard Efforts to Address Issues: Some efforts to address timeliness are under way, but effects to date are limited. * Coast Guard officials said the Contingency Preparedness System (CPS), the program for managing exercises and AARs, has allowed for a renewed emphasis on report timeliness. Headquarters planning staff currently use this system to notify each Area of overdue AARs. However, CPS has been in place since August 2003, and timeliness remains a concern. * Officials have also discussed the possibility of reducing the AAR submission deadline (to as few as 15 days), but efforts are still ongoing due to "pushback from the field." They also said that the formal Coast Guard training courses emphasize that AAR development be incorporated into the planning process and exercise timeline. * Senior exercise management officials said they are also updating an instruction related to collecting AARs and lessons learned. They expect it to be promulgated to the field in 1-6 months. Officials noted the following efforts to improve content and quality of AARs. * Formal training courses that encourage documenting exercise information quickly to capture relevant information and lessons learned before recall is diminished or competing priorities take over. * Updated instruction on AARs and lessons learned collection (currently in development). * Increased functionality of CPS has been proposed, which may offer additional incentives for planners to utilize the system. Summary of Findings: Objective 1: * Key elements of the national response framework are evolving. * Release of National Incident Management System and draft National Response Plan. * Transitional period for agencies to revise their plans once the final NRP is released, agencies will have up to 180 days to revise their plans to align with the NRP. Objective 2: * Few legal issues surfaced in port exercises or after-action reports. * None of these issues were statutory problems according to exercise participants and agency officials. Objective 3: * Exercises and after-action reports identified operational issues to varying degrees. * Key issues included: communication, incident command, and resource coordination concerns. Objective 4: * Many after-action reports are not submitted timely, and content and quality of some does not meet standards. * Actions taken by the Coast Guard to address these problems have had limited effect thus far. NOTES: [1] See GAO, Combating Terrorism: Selected Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: Sept 20, 2001). [End of section] Appendix II: Objectives, Scope, and Methodology: The objectives of this report were to (1) describe the emerging framework under which the federal government coordinates with state and local entities to address a terrorist incident in a U.S. port; (2) identify the issues, if any, regarding federal agencies' legal authority that have emerged from port security exercises and what statutory actions might address them; (3) describe the types of operational issues being identified through these exercises; and (4) identify any management issues related to Coast Guard-developed after- action reports. To address these objectives, we reviewed relevant legislation, regulations, directives and plans, analyzed agency operational guidance and Coast Guard after-action reports (AARs), interviewed a variety of federal officials, and observed several port security exercises. To identify the emerging framework to address a terrorist incident in a U.S. port, we reviewed relevant statutes such as the Homeland Security Act of 2002 and the Maritime Transportation Security Act of 2002 and implementing maritime regulations at 33 CFR, parts 101 to 106. We also reviewed Homeland Security Presidential Directive/HSPD-5 and Presidential Decision Directive 39. Operational plans that were included in our analysis included the Initial National Response Plan, the Interagency Domestic Terrorism Concept of Operations plan (CONPLAN), Interim Federal Response Plan, and the National Response Plan "Final Draft." We also reviewed agency guidance related to exercise planning and evaluation such as the Coast Guard Exercise Planning Manual and Contingency Preparedness Planning Manual, as well as the Department of Homeland Security/ Office of Disaster Preparedness' Exercise and Evaluation Program. Findings were supplemented with interviews of key officials in federal agencies, including the Coast Guard (CG), the Department of Homeland Security (DHS), Department of Defense (DOD), Department of Justice (DOJ), and related federal maritime entities such as Project Seahawk. To provide a framework for evaluating agencies' legal authority in responding to a terrorist incident in a U.S. port, we adopted a case study methodology because it afforded a factual context for the emergence of legal issues that could confront agencies in the exercise of their authority. Our efforts included attending four U.S. port based terrorism exercises (Los Angeles, Calif.; Hampton Roads, Va.; Charleston, S.C.; Philadelphia, Pa.), reviewing CG AARs for fiscal year 2004, and conducting in-person and telephone interviews with DHS, CG, DOJ, DOD, and Project Seahawk. The port exercises we selected to visit were geographically diverse and each was conducted in either August or September of fiscal year 2004. Additional criteria for exercise selection included the strategic importance of the port (as defined by the Maritime Administration), the variety of terrorism scenarios to be exercised, and the federal, state, and local players involved. The AARs we reviewed were based on a list of all fiscal year 2004 exercises provided to us by the CG. We focused on any contingency that included terrorism and then requested AARs for those completed exercises from the CG. According to CG guidance, AARs are required to be submitted within 60 days of exercise completion. To ascertain compliance with this guidance, CG personnel provided us with the dates that AARs for terrorism-related exercises were received at headquarters. We used this information, in conjunction with the exercise start and stop dates, to determine which reports were on time, which were late, and the average time late reports were submitted beyond the 60-day requirement. While issues of a legal nature did surface during our observation of exercises and analysis of AARs, exercise participants and agency officials did not recommend statutory changes for these issues. We generally relied upon the agency's position as to whether legislation was necessary and did not independently assess the need for legislation by auditing the specific issues identified in the exercises. To identify operational issues that occurred during port terrorism exercises, we relied extensively on perspectives gained through our observations at the four port terrorism exercises as well as a comprehensive review of the available AARs for operational issues based on criteria we developed. In order to determine the frequency of various operational issues identified in the CG's AARs, we noted instances that each subcategory within the major category appeared. These categories and subcategories were chosen through exercise observation and an initial review of available AARs by two independent analysts. This allowed us to identify operational issues that were consistent across the terrorism exercises. We used the following major categories and subcategories (which appear in parentheses): * Communication (communication interoperability issues, communication policy or protocols between or within agencies, information sharing between agencies), * Command and Control/ Incident Command Structure (NIMS/ICS training, UC/IC information flow), * Unclear Decision Making/ Jurisdictional Knowledge (unclear decision making authority, unclear lead authority, unclear authorities/ jurisdictions of other agencies), and: * Resource Coordination/ Capabilities (response capabilities, response coordination/joint tactics). To analyze the reports, two GAO analysts independently reviewed each report and coded operational issues based on the above subcategories. The results of each analysis were then compared and any discrepancies were resolved. Overall percentages for the major categories were determined based on whether any of the issues were identified under the respective subcategories. The maximum number of observations for any major category was equal to one, regardless of the number of times a subcategory was recorded. To identify management concerns regarding the CG's AARs, we reviewed our previous studies on this issue as well as CG and DHS issued guidance on exercise management, such as the Coast Guard's Exercise Planning Manual and Contingency Preparedness Planning Manual Volume III. Our analysis also included in-person interviews with CG exercise management officials from headquarters and CG planners in the field to gain additional information on how terrorism exercises are planned and evaluated as well as how lessons learned are cataloged and disseminated. To ascertain the effect of untimely CG AARs (CG AARs are required to be completed within 60 days of exercise completion), we also interviewed exercise management experts from DOD. We conducted a content analysis of the available AARs to determine the weaknesses in the reports and where deviations from CG protocol were taking place. We conducted our work from June to December 2004 in accordance with generally accepted government auditing standards. FOOTNOTES [1] On January 6, 2005, as this report was being finalized for printing, the Department of Homeland Security issued the final version of the National Response Plan, a plan discussed in several of the briefing slides. Some details of the plan were changed in the final version and thus differ in a few respects from the information presented in the slides. These differences do not affect the conclusions or recommendations contained in this report. [2] As of December 1, 2004, all 85 after-action reports were required to be submitted to the Coast Guard. Three reports had not been submitted by this date. We conducted our content analysis on the 82 available reports. [3] Pub.L. 107-296. [4] Pub.L. 107-295. [5] See GAO, Combating Terrorism: Selected Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: Sept 20, 2001). [6] See GAO-01-822. GAO's Mission: The Government Accountability Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. Government Accountability Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: