Summary

Since 2002, the Department of Homeland Security (DHS) has distributed almost $20 billion in funding to enhance the nation's capabilities to respond to acts of terrorism or other catastrophic events. In fiscal year 2007, DHS provided approximately $1.7 billion to states and urban areas through its Homeland Security Grant Program (HSGP) to prevent, protect against, respond to, and recover from acts of terrorism or other catastrophic events. As part of the Omnibus Appropriations Act of 2007, GAO was mandated to review the methodology used by DHS to allocate HSGP grants. This report addresses (1) the changes DHS has made to its risk-based methodology used to allocate grant funding from fiscal year 2007 to fiscal year 2008 and (2) whether the fiscal year 2008 methodology is reasonable. To answer these questions, GAO analyzed DHS documents related to its methodology and grant guidance, interviewed DHS officials about the grant process used in fiscal year 2007 and changes made to the process for fiscal year 2008, and used GAO's risk management framework based on best practices.

For fiscal year 2008 HSGP grants, DHS is primarily following the same methodology it used in fiscal year 2007, but incorporated metropolitan statistical areas (MSAs) within the model used to calculate risk. The methodology consists of a three-step process--a risk analysis of urban areas and states based on measures of threat, vulnerability and consequences, an effectiveness assessment of applicants' investment justifications, and a final allocation decision. The principal change in the risk analysis model for 2008 is in the definition of the geographic boundaries of eligible urban areas. In 2007, the footprint was defined using several criteria, which included a 10-mile buffer zone around the center city. Reflecting the requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007, DHS assessed risk for the Census Bureau's 100 largest MSAs by population in determining its 2008 Urban Areas Security Initiative (UASI) grant allocations. This change altered the geographic footprint of the urban areas assessed, aligning them more closely with the boundaries used by government agencies to collect some of the economic and population data used in the model. This may have resulted in DHS using data in its model that more accurately estimated the population and economy of those areas. The change to the use of MSA data in fiscal year 2008 also resulted in changes in the relative risk rankings of some urban areas. As a result, DHS officials expanded the eligible urban areas in fiscal year 2008 to a total of 60 UASI grantees, in part, to address the effects of this change to MSA data, as well as to ensure that all urban areas receiving fiscal year 2007 funding continued to receive funding in fiscal year 2008, according to DHS officials. Generally, DHS has constructed a reasonable methodology to assess risk and allocate funds within a given fiscal year. The risk analysis model DHS uses as part of its methodology includes empirical risk analysis and policy judgments to select the urban areas eligible for grants (all states are guaranteed a specified minimum percentage of grant funds available) and to allocate State Homeland Security Program (SHSP) and UASI funds. However, our review found that the vulnerability element of the risk analysis model has limitations that reduce its value. Measuring vulnerability is considered a generally-accepted practice in assessing risk; however, DHS's current risk analysis model does not measure vulnerability for each state and urban area. Rather, DHS considered all states and urban areas equally vulnerable to a successful attack and assigned every state and urban area a vulnerability score of 1.0 in the risk analysis model, which does not take into account any geographic differences. Thus, as a practical matter, the final risk scores are determined by the threat and consequences scores.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Recommendations for Executive Action