Summary
A number of initiatives to improve information sharing have been called for, including the Homeland Security Act of 2002 and in the Intelligence Reform and Terrorism Prevention Act of 2004. The 2002 act required the development of policies for sharing classified and sensitive but unclassified homeland security information. The 2004 act called for the development of an Information Sharing Environment for terrorism information. This report examines (1) the status of efforts to establish government-wide information sharing policies and processes and (2) the universe of sensitive but unclassified designations used by the 26 agencies that GAO surveyed and their related policies and procedures.
More than 4 years after September 11, the nation still lacks governmentwide policies and processes to help agencies integrate the myriad of ongoing efforts, including the agency initiatives we identified, to improve the sharing of terrorism-related information that is critical to protecting our homeland. Responsibility for creating these policies and processes shifted initially from the White House to the Office of Management and Budget (OMB), and then to the Department of Homeland Security, but none has yet completed the task. Subsequently, the Intelligence Reform Act called for creation of an Information Sharing Environment, including governing policies and processes for sharing, and a program manager to oversee its development. In December 2005, the President clarified the roles and responsibilities of the program manager, now under the Director of National Intelligence, as well as the new Information Sharing Council and the other agencies in support of creating an Information Sharing Environment by December 2006. At the time of our review, the program manager was in the early stages of addressing this mandate. He issued an interim implementation report with specified tasks and milestones to Congress in January 2006, but soon after announced his resignation. This latest attempt to establish an overall information-sharing road map under the Director of National Intelligence, if it is to succeed once a new manager is appointed, will require the Director's continued vigilance in monitoring progress toward meeting key milestones, identifying any barriers to achieving them, and recommending any necessary changes to the oversight committees. The agencies that GAO reviewed are using 56 different sensitive but unclassified designations (16 of which belong to one agency) to protect information that they deem critical to their missions--for example, sensitive law or drug enforcement information or controlled nuclear information. For most designations there are no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. Without such policies, each agency determines what designations and associated policies to apply to the sensitive information it develops or shares. More than half the agencies reported challenges in sharing such information. Finally, most of the agencies GAO reviewed have no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. The lack of such recommended internal controls increases the risk that the designations will be misapplied. This could result in either unnecessarily restricting materials that could be shared or inadvertently releasing materials that should be restricted.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change
from "In process" to "Implemented" or "Not implemented" based on our follow up work.
Director:
Team:
Phone:
David A. Powner
Government Accountability Office: Information Technology
No phone on record
Recommendations for Executive Action
Recommendation: To ensure effective implementation of the Intelligence Reform Act, the Director of National Intelligence should assess progress toward the milestones set in its Interim Implementation Plan.
Agency Affected: Office of the Director of National Intelligence
Status: Implemented
Comments: In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish these tools included the creation of an Information Sharing Environment (ISE), as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004. Part of this effort included the development of an Interim Implementation Plan that included a schedule for completing a number of key milestones for implementing the ISE. We recommended that the Director of National Intelligence assess progress toward the milestones set in its Interim Implementation Plan. The Program Manager for the ISE, within the Office of the Director of National Intelligence, subsequently issued a formal Implementation Plan in November 2006 and reported on the progress of the ISE in its 2007 Annual Report to Congress.
Recommendation: To ensure effective implementation of the Intelligence Reform Act, the Director of National Intelligence should identify any barriers to achieving these milestones, such as insufficient resources and determine ways to resolve them.
Agency Affected: Office of the Director of National Intelligence
Status: Implemented
Comments: In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish government-wide information sharing policies and processes included the creation of an Information Sharing Environment (ISE) as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004, and barriers, such as the availability of resources to meet the Act's mandates for the ISE may exist. While progress had been made towards implementing the ISE, the ISE Program Manager at the time expressed concern over resources, such as the budget for the ISE and number of staff available. Therefore, we recommended that the Director of National Intelligence identify any barriers to achieving the milestones in the Interim Implementation Plan and determine ways to resolve them. Since then, the Program Manager for the ISE, housed within the Office of the Director of National Intelligence, has taken several steps to assess resource barriers and to determine ways to resolve them. For instance, in the November 2006 ISE Implementation Plan, the Program Manager stated that the initial period of standing up the ISE will be longer than the two years originally authorized by the Intelligence Reform and Terrorism Prevention Act. Therefore, the Program Manager recommended continuation of the project through June 2009. The implementation plan also describes the use of the Information Sharing Council consisting of member departments to leverage knowledge and resources. Finally, the Program Manager partnered with the Office of Management and Budget to identify resources in the budgets of other agencies that can be leveraged for the ISE.
Recommendation: To ensure effective implementation of the Intelligence Reform Act, the Director of National Intelligence should recommend to the oversight committees with jurisdiction any necessary changes to the organizational structure or approach to creating the Information Sharing Environment.
Agency Affected: Office of the Director of National Intelligence
Status: Implemented
Comments: In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that one effort to establish these tools included the creation of an Information Sharing Environment (ISE) as mandated by the Intelligence Reform and Terrorism Prevention Act of 2004. While progress had been made towards implementing the ISE, the ISE Program Manager at the time expressed concern over resources, such as the budget for the ISE and number of staff available. Therefore, we recommended that the Director of National Intelligence recommend to the oversight committees with jurisdiction any necessary changes to the organizational structure or approach to creating the ISE. Toward implementing this, the November 2006 ISE Implementation Plan recommends an organizational change to grant the Program Manager for the ISE authority to issue the procedures, guidelines, functional standards, and instructions necessary for the management, development, and operations of the ISE as well as the continuation of the Office of the Program Manager for the ISE and the Information Sharing Council for the 3 years covered by the Implementation Plan. The Implementing the 9/11 Commission Act of 2007 codified the first recommendation and provided for the continuation of the Program Manager's appointment until he is removed from office or replaced.
Recommendation: In carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB should use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo.
Agency Affected: Office of the Director of National Intelligence
Status: Implemented
Comments: Among other things, our report recommended that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo. According the DHS co-chair of the interagency task force conducting this inventory and a senior official in the Office of the Director of National Intelligence--the organization that has ultimate responsibility for the results--our work has been very useful to the task force and helped them complete their inventory more expeditiously than they could have without it.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Implemented
Comments: Among other things, our report recommended that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo. According the DHS co-chair of the interagency task force conducting this inventory and a senior official in the Office of the Director of National Intelligence--the organization that has ultimate responsibility for the results--our work has been very useful to the task force and helped them complete their inventory more expeditiously than they could have without it.
Recommendation: In carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of OMB should issue a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies.
Agency Affected: Office of the Director of National Intelligence
Status: Implemented
Comments: On March 17, 2006, we reported on (1) the status of efforts to establish government-wide homeland security information sharing policies and processes, and (2) the universe of sensitive but unclassified (SBU) designations used by the 26 agencies that we surveyed to protect and restrict the dissemination of certain sensitive information, as well as the agencies' related policies and procedures. We reported, among other things, that the agencies that we reviewed were using 56 different sensitive but unclassified designations to protect information that they deemed critical to their missions. For most designations, there were no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. We noted that without such policies, each agency determined what designations and associated policies to apply to the sensitive information it develops or shares, posing challenges for sharing, especially with state and local partners. We also observed that most of the agencies we reviewed had no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. Finally, we reported that the President had issued a memorandum in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence's Program Manager for the Information Sharing Environment had been working to standardize SBU policies. We recommended, among other things, that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of the Office of Management and Budget (OMB) (1) use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo and (2) issue a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies. To address this issue, on May 9, 2008, the President released new standards for how agencies should label sensitive but unclassified information, creating a single set of policies and procedures on the way materials should be marked, stored safely and disseminated. The new "Controlled Unclassified Information" (CUI) framework replaces the sensitive but unclassified categorization and establishes three CUI categories. Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive. The President mandated that any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the "executive agent" in charge of implementing the framework. These changes will standardize practices for the designation of SBU information and make information sharing more effective across the federal government.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: Implemented
Comments: On March 17, 2006, we reported on (1) the status of efforts to establish government-wide homeland security information sharing policies and processes, and (2) the universe of sensitive but unclassified (SBU) designations used by the 26 agencies that we surveyed to protect and restrict the dissemination of certain sensitive information, as well as the agencies' related policies and procedures. We reported, among other things, that the agencies that we reviewed were using 56 different sensitive but unclassified designations to protect information that they deemed critical to their missions. For most designations, there were no governmentwide policies or procedures that describe the basis on which an agency should assign a given designation and ensure that it will be used consistently from one agency to another. We noted that without such policies, each agency determined what designations and associated policies to apply to the sensitive information it develops or shares, posing challenges for sharing, especially with state and local partners. We also observed that most of the agencies we reviewed had no policies for determining who and how many employees should have authority to make sensitive but unclassified designations, providing them training on how to make these designations, or performing periodic reviews to determine how well their practices are working. Finally, we reported that the President had issued a memorandum in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence's Program Manager for the Information Sharing Environment had been working to standardize SBU policies. We recommended, among other things, that in carrying out the President's December 2005 mandates for standardizing sensitive but unclassified information, the Director of National Intelligence and the Director of the Office of Management and Budget (OMB) (1) use the results of our work to validate the inventory of designations that agencies are required to conduct in accordance with the memo and (2) issue a policy that consolidates sensitive but unclassified designations where possible and addresses their consistent application across agencies. To address this issue, on May 9, 2008, the President released new standards for how agencies should label sensitive but unclassified information, creating a single set of policies and procedures on the way materials should be marked, stored safely and disseminated. The new "Controlled Unclassified Information" (CUI) framework replaces the sensitive but unclassified categorization and establishes three CUI categories. Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive. The President mandated that any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the "executive agent" in charge of implementing the framework. These changes will standardize practices for the designation of SBU information and make information sharing more effective across the federal government.
Recommendation: The Director of OMB, in his oversight role with respect to federal information management, should work with other agencies to develop and issue a directive requiring that agencies have in place internal controls that meet the standards set forth in GAO's Standards for Internal Controls in the Federal Government. This directive should include guidance for employees to use in deciding what information to protect with sensitive but unclassified designations; provisions for training on making designations, controlling, and sharing such information with other entities; and a review process to determine how well the program is working.
Agency Affected: Executive Office of the President: Office of Management and Budget
Status: In process
Comments: In fiscal year 2006, we reviewed and reported on efforts to establish government-wide information sharing policies and processes. We found that federal agencies we surveyed reported using a total of 56 different designations for information they determined to be sensitive but unclassified and no governmentwide policies or procedures were in place to describe the basis on which agencies should designate, mark, and handle this information. Moreover, governmentwide policies that required internal control practices were not in place. We concluded that by not providing guidance and monitoring, there is a probability that a designation might be misapplied, potentially restricting material unnecessarily or resulting in dissemination of information that should be restricted. Therefore, we recommended that the Director of OMB, in his oversight role with respect to federal information management, should work with other agencies to develop and issue a directive requiring that agencies have in place internal controls that meet the standards set forth in GAO's Standards for Internal Controls in the Federal Government. This directive should include guidance for employees to use in deciding what information to protect with sensitive but unclassified designations; provisions for training on making designations, controlling, and sharing such information with other entities; and a review process to determine how well the program is working. Consistent with our recommendations and the President's December 2005 mandates calling for standardization of sensitive but unclassified information designations, on May 9, 2008, the President issued a memorandum that adopted Controlled Unclassified Information (CUI) as the single categorical designation used for sensitive but unclassified information throughout the executive branch. The memo made the National Archives and Records Administration (NARA) responsible for overseeing and managing the implementation of the CUI framework. In response, NARA established a CUI Office to accomplish the new tasks associated with implementing the CUI policy. The new office is expected to undertake key steps for the implementation and standardization governing CUI policy. For example, the new office is to establish new safeguards and dissemination controls as well as monitor department and agency compliance with CUI policy and standards. Efforts to address these steps and meet the intent of our recommendations remain ongoing at this time.
