This is the accessible text file for GAO report number GAO-03-322 entitled 'Information Technology: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing' which was released on April 30, 2003. This text file was formatted by the U.S. General Accounting Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. Report to Congressional Requesters: April 2003: Information Technology: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing: GAO-03-322: GAO Highlights: Highlights of GAO-03-322, a report to Congressional Requesters Why GAO Did This Study: Terrorist and criminal watch list systems—sometimes referred to as watchout, lookout, target, or tip-off systems—are important tools in controlling and protecting our nation’s borders. The events of September 11, 2001, and other incidents since then, have highlighted the need to share these watch lists. In light of the importance of border security, GAO was asked to identify federal databases and systems that contain watch lists, the agencies that maintain and use them in protecting our nation’s borders, the kind of data they contain, whether federal agencies are sharing information from these lists with each other and with state and local governments and private organizations, the structural characteristics of those lists that are automated, and whether opportunities exist to consolidate these watch lists. What GAO Found: Generally, the federal government’s approach to using watch lists in performing its border security mission is decentralized and nonstandard, largely because these lists were developed in response to individual agencies’ unique missions, including their respective legal, cultural, and systems environments. Specifically, as shown in the figure below, nine federal agencies—which prior to the creation of the Department of Homeland Security (DHS) spanned the Departments of Defense, Justice, State, Transportation, and the Treasury—develop and maintain 12 watch lists. These lists include overlapping but not identical sets of data, and different policies and procedures govern whether and how these data are shared with others. As a general rule, this sharing is more likely to occur among federal agencies than between federal agencies and either state and local government agencies or private entities. Further, the extent to which such sharing is accomplished electronically is constrained by fundamental differences in the watch lists’ systems architecture (that is, the hardware, software, network, and data characteristics of the systems). Two agencies identified opportunities to standardize and consolidate these lists, which GAO believes would improve information sharing. The President’s homeland security strategy further recognizes the need to address the proliferation of these lists. While the Office of Homeland Security was reportedly pursuing consolidation as part of an effort to develop a border and transportation security blueprint, referred to as an enterprise architecture, the DHS Chief Information Officer told us that the department had recently taken responsibility for the blueprint. However, we were not provided enough information to evaluate these efforts. What GAO Recommends: GAO recommends that the Secretary of DHS, in collaboration with the heads of the other departments and agencies that have and use watch lists, lead an effort to consolidate and standardize the federal government’s watch list structures and policies. DHS and other departments involved in this study generally agreed with GAO’s findings and recommendations. Letter: Results in Brief: Background: Federal Agencies Maintain Numerous Watch Lists, Containing Varying Types of Data, Used by Many Organizations: Watch List Sharing Is Governed by Varying Policies and Procedures: Federal Agency Watch List Data Sharing and Supporting System Architectures Vary: Opportunities Exist for Consolidating Watch Lists and Improving Information Sharing: Conclusions: Recommendations for Executive Action: Agency Comments And Our Evaluation: Appendixes: Appendix I: Objectives, Scope, and Methodology: Appendix II: Comments from the Department of Justice: Appendix III: Comments from the Department of State: Appendix IV: GAO’s Survey Instrument: Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Staff Acknowledgments: Tables: Table 1: Departments, Agencies, and Their Watch Lists: Table 2: Selected Architectural Characteristics of the 12 Watch List Systems: Figures: Figure 1: Simplified Overview of the Border Security Process and the Departments and Agencies Involved: Figure 2: Simplified Diagram of the Border Security Process and the Departments and Agencies That Use Watch Lists: Figure 3: Simplified Diagram of the Complexity Associated with Connecting Decentralized Databases: Figure 4: Simplified Diagram of Central Data Store with Subsidiary Databases: Figure 5: Simplified Diagram of the Border Security Process, Departments and Agencies Involved, and Watch Lists Used: Figure 6: Types of Data Included in Watch Lists: Figure 7: Extent of Agency Sharing of Watch List Data with Other Federal Agencies and with State, Local, and Private Organizations: Figure 8: Simplified Overview of the Border Security Process, Departments and Agencies Involved, Watch Lists Used, and Sharing among Watch Lists: This is a work of the U.S. Government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. It may contain copyrighted graphics, images or other materials. Permission from the copyright holder may be necessary should you wish to reproduce copyrighted materials separately from GAO’s product. Abbreviations: DHS: Department of Homeland Security: FBI: Federal Bureau of Investigation: INS: Immigration and Naturalization Service: TSA: Transportation Security Administration: Letter April 15, 2003: The Honorable Charles E. Grassley Chairman Committee on Finance United States Senate: The Honorable Carl Levin Select Committee on Intelligence United States Senate: Terrorist and criminal watch list systems--sometimes referred to as watchout, lookout, target, or tip-off systems--are important tools in controlling and protecting our nation's borders. The events of September 11, 2001, and other incidents since then, have reinforced their importance and highlighted the need to share and use these lists. Because watch lists are important tools in border security, you requested that we identify: * federal databases and systems that contain watch lists, the agencies that maintain and use these watch lists in protecting our nation's borders, and the kinds of data these watch lists contain; * whether federal agencies' sharing of watch list data is governed by policies and procedures; * whether watch lists are (1) being exchanged among federal agencies and between federal agencies and state, local, and private organizations, and (2) supported by common system architectures (system hardware, software, and data characteristics); and: * whether opportunities exist for consolidating watch lists. To address these objectives, using a questionnaire, we surveyed nine agencies that perform border security functions and that, according to our research, either develop or use watch lists. We did not independently verify agencies' responses. Details of our objectives, scope, and methodology are discussed in appendix I. Results in Brief: Generally, the federal government's approach to developing and using terrorist and criminal watch lists in performing its border security mission is diffuse and nonstandard, largely because these lists were developed and have evolved in response to individual agencies' unique mission needs and the agencies' respective legal, cultural, and technological environments. More specifically, nine federal agencies[Footnote 1]--which spanned the Departments of Defense, Justice, State, Transportation, and the Treasury--have developed and maintain 12 watch lists. These lists contain a wide variety of data; most contain biographical data, such as name and date of birth, and a few contain biometric[Footnote 2] data, such as fingerprints. Beyond the nine agencies that have developed and maintain these watch lists, about 50 other federal agencies and many state and local government entities have access to one or more of these lists. Nonstandardization also extends to the policies and procedures governing whether and how agencies share watch lists. Specifically, two of the nine federal agencies do not have such policies and procedures, and the remaining seven have differing ones. For example, one of the agencies' policies included guidance on sharing with other federal agencies as well as state and local governments, but another addressed sharing only with federal agencies. As a general rule, the federal agencies that have watch lists share the lists among themselves. However, half of these agencies share their respective lists with state and local agencies, and one-fourth share them with private entities. The extent to which such sharing is accomplished electronically is constrained by fundamental differences in watch list system architectures (that is, the hardware, software, network, and data characteristics of the systems). The number and variability of federal watch lists, combined with the commonality of purpose of these lists, point to opportunities to consolidate and standardize them. Appropriately exploiting these opportunities offers certain advantages--such as faster access, reduced duplication, and increased consistency--which can reduce costs and improve data reliability. Some of the agencies that have developed and maintain watch lists acknowledged these opportunities, as does the President's homeland security strategy. To this end, Office of Homeland Security officials stated in public forums during the course of our review that watch list consolidation activities were under way as part of efforts to develop a set of integrated blueprints--commonly called an enterprise architecture[Footnote 3]--for the new Department of Homeland Security (DHS). According to DHS's Chief Information Officer, responsibility for the consolidation effort has been transferred to DHS. To strengthen our nation's homeland security capability, we are recommending that the Secretary of DHS take a series of steps aimed at ensuring that watch lists are appropriately and effectively standardized, consolidated, and shared. In commenting on a draft of this report, DHS--as well as other departments that develop and maintain watch lists and that commented on the draft--generally agreed with our findings and recommendations. Their comments are summarized and evaluated in the Agency Comments and Our Evaluation section of this report. Background: The President's national strategy for homeland security and the Homeland Security Act of 2002[Footnote 4] provide for securing our national borders against terrorists. Terrorist and criminal watch lists are important tools for accomplishing this end. Simply stated, watch lists can be viewed as automated databases that are supported by certain analytical capabilities. To understand the current state of watch lists, and the possibilities for improving them, it is useful to view them within the context of such information technology management disciplines as database management and enterprise architecture management. Overview of the President's Homeland Security Strategy and the Homeland Security Act: Since the September 11th terrorist attacks, homeland security-- including securing our nation's borders--has become a critical issue. To mobilize and organize our nation to secure the homeland from attack, the administration issued, in July 2002, a federal strategy for homeland security.[Footnote 5] Subsequently, the Congress passed and the President signed the Homeland Security Act, which established DHS in January 2003. Among other things, the strategy provides for performance of six mission areas, each aligned with a strategic objective, and identifies major initiatives associated with these mission areas. One of the mission areas is border and transportation security.[Footnote 6] For the border and transportation security mission area, the strategy and the act specify several objectives, including ensuring the integrity of our borders and preventing the entry of unwanted persons into our country. To accomplish this, the strategy provides for, among other things, reform of immigration services, large-scale modernization of border crossings, and consolidation of federal watch lists.[Footnote 7] It also acknowledges that accomplishing these goals will require overhauling the border security process. This will be no small task, given that the United States shares a 5,525 mile border with Canada and a 1,989 mile border with Mexico and has 95,000 miles of shoreline. Moreover, each year, more than 500 million people legally enter our country, 330 million of them noncitizens. More than 85 percent enter via land borders, often as daily commuters. Overview of the Border Security Process: Our nation's current border security process for controlling the entry and exit of individuals consists of four primary functions: (1) issuing visas, (2) controlling entries, (3) managing stays, and (4) controlling exits. The federal agencies involved in these functions include the Department of State's Bureau of Consular Affairs and its Bureau of Intelligence and Research, as well as the Justice Department's Immigration and Naturalization Service (INS), the Treasury Department's U.S. Customs Service (Customs), and the Transportation Department's Transportation Security Administration (TSA).[Footnote 8] The process begins at the State Department's overseas consular posts, where consular officers are to adjudicate visa applications for foreign nationals who wish to enter the United States. In doing so, consular officials review visa applications, and sometimes interview applicants, prior to issuing a visa. One objective of this adjudication process is to bar from entry any foreign national who is known or suspected to have engaged in terrorist activity, is likely to engage in such activity, or is a member or supporter of a known terrorist organization.[Footnote 9] Foreign nationals (and any other persons attempting to enter the United States, such as U.S. citizens) are to be screened for admission into the United States by INS or Customs inspectors. Generally, this consists of questioning the person and reviewing entry documents. Since October 2002, males aged 16 or over from certain countries (for example, Iran, Iraq, Syria, and the Sudan) are also required to provide their name and U.S. address and to be photographed and fingerprinted.[Footnote 10] In addition, airline officials use information provided by TSA to screen individuals attempting to travel by air. As discussed in the next section, requirements for checking a person against a watch list differ somewhat, depending upon whether the person arrives at a land-, air-, or seaport. After foreign nationals are successfully screened and admitted, they are not actively monitored unless they are suspected of illegal activity and come under the scrutiny of a law enforcement agency, such as the Department of Justice's Federal Bureau of Investigation (FBI). Also, when foreign nationals depart the country, they are not screened unless they are males aged 16 years or over from certain countries referenced above, or are leaving by air. According to TSA, all passengers on departing flights are screened prior to boarding the plane. Figure 1 is a simplified overview of the border entry/exit process. Figure 1: Simplified Overview of the Border Security Process and the Departments and Agencies Involved: [See PDF for image] Note: Customs and TSA appear twice in this figure because they support both entry and exit control. INS appears three times because it supports entry control, stay management, and exit control. [End of figure] The Role of Watch Lists in the Border Security Process: Watch lists are important tools that are used by federal agencies to help secure our nation's borders. These lists share a common purpose-- to provide decisionmakers with information about individuals who are known or suspected terrorists and criminals, so that these individuals can either be prevented from entering the country, apprehended while in the country, or apprehended as they attempt to exit the country. As shown in figure 2, which builds on figure 1 by adding watch list icons and associating them with the agencies that maintain the respective lists, watch lists collectively support nine federal agencies in performing the four primary functions in the border security process. Specifically: * When a person applies for a visa to enter the United States, State Department consular officials are to check that person against one or more watch lists before granting a visa. * When a person attempts to enter the United States by air or sea, INS or Customs officials are required to check that person against watch lists before the person is allowed to enter the country. In addition, when a person attempts to enter the United States by air, INS or Custom officials check him or her against watch lists provided by TSA prior to allowing him or her to board the plane. Persons arriving at land borders may be checked, but there is no requirement to do so. The exception, as previously discussed, is for males aged 16 or over from certain countries, who are required to be checked.[Footnote 11] * Once a watch list identifies a person as a known or suspected terrorist, INS, Customs, or airline officials are to contact the appropriate law enforcement or intelligence organization (for example, the FBI), and a decision will be made regarding the person's entry and the agency's monitoring of the person while he or she is in the country. * When a person exits the country by plane, airline officials are to check that person against watch lists. In performing these roles, the agencies use information from multiple watch lists. For example, U.S. National Central Bureau for Interpol officials told us that they provide information to the agencies involved in entry control, exit control, and stay management. Figure 2: Simplified Diagram of the Border Security Process and the Departments and Agencies That Use Watch Lists: [See PDF for image] Note: Customs and TSA, along with their associated lists, appear twice in this figure because they support both entry and exit control. INS appears three times because its lists support entry control, stay management, and exit control. [End of figure] President's Strategy Recognizes Problems with Watch Lists and Proposes Improvements: In addition to highlighting the importance of watch lists for border security, the President's national strategy cites problems with these lists, including limited sharing. According to the July 2002 strategy, in the aftermath of the September 11th attacks it became clear that vital watch list information stored in numerous and disparate federal databases as not available to the right people at the right time. In particular, federal agencies that maintained information about terrorists and other criminals had not consistently shared it. The strategy attributed these sharing limitations to legal, cultural, and technical barriers that resulted in the watch lists being developed in different ways, for different purposes, and in isolation from one another. To address these limitations, the strategy calls for integrating and reducing variations in watch lists and overcoming barriers to sharing the lists. It also calls for developing an enterprise architecture for border security and transportation (see next section for a description of an enterprise architecture).[Footnote 12] More specifically, the strategy provides for developing a consolidated watch list that would bring together the information on known or suspected terrorists contained in federal agencies' respective lists.[Footnote 13] Enterprise Architecture: A Brief Description: If properly developed, enterprise architectures provide clear and comprehensive pictures of an entity, whether it is an organization (for example, a federal department, agency, or bureau) or a functional or mission area that cuts across more than one organization (for example, grant management, homeland security, or border and transportation security). These architectures are recognized as essential tools for effectively and efficiently engineering business operations and the systems and databases needed to support these operations. More specifically, enterprise architectures are systematically derived and captured blueprints or descriptions--in useful models, diagrams, and narrative--of the mode of operation for a given enterprise. This mode of operation is described in both (1) logical terms, such as interrelated business processes and business rules, information needs and flows, data models, work locations, and users, and (2) technical terms, such as hardware, software, data, communications, and security attributes and performance standards. They provide these perspectives both for the enterprise's current, or "as is," environment and for its target, or "to be," environment, as well as a transition plan for moving from the "as is" to the "to be" environment. Using enterprise architectures is a basic tenet of effective IT management, embodied in federal guidance and commercial best practices.[Footnote 14] When developed and used properly, these architectures define both business operations and the technology that supports these operations in a way that optimizes interdependencies and interrelationships. They provide a common frame of reference to guide and constrain decisions about the content of information asset investments in a way that can ensure that the right information is available to those who need it, when they need it. Options for Enterprise Database Structures: As discussed in the previous section, enterprise architectures facilitate delivery of the right information to the right people at the right time. To this end, these architectures include data models, or logical representations of data types and their relationships, which are used to engineer physical data "stores," or repositories. When engineered properly, these data stores are structured in a way that effectively and efficiently supports both shared and unique enterprise applications, functions, and operations. The structure of these data stores, whether they are paper records or automated databases, can take many forms, employing varying degrees of centralization and standardization. Associated with the structures being employed are opportunities and limitations to effective and efficient information exchange and use. Generally, these structures can be viewed along a continuum. At one extreme, databases can be nonstandard, both in terms of metadata[Footnote 15] and the technologies that manage the data, and they can be decentralized, meaning that they were built in isolation from one another to support isolated or separate, "stovepiped" applications, functions, and operations. In this case, integrating the databases to permit information exchange requires the development of unique, and potentially complex and costly, point-to-point interfaces (hardware and software) that translate the data or bridge incompatibilities in the technology. Further, the sheer number of databases involved can exponentially increase the number of relationships, and thus interfaces, that have to be built and maintained. Structuring databases in this way can quickly evolve into an overly complex, unnecessarily inefficient, and potentially ineffective way to support mission operations. (See fig. 3 for a simplified diagram conceptually depicting this approach to structuring databases.): Figure 3: Simplified Diagram of the Complexity Associated with Connecting Decentralized Databases: [See PDF for image] [End of figure] At the other extreme, databases can be structured to recognize that various enterprise applications, functions, and operations have a need for the same data or sets of data, even though they may need to use them in different ways to support different mission applications, functions, and operations. If engineered properly, these database structures allow for greater use of standards, in terms of both data definitions and technology, and are more centralized, although the option exists to create subsidiary databases--known as data warehouses and data marts--to permit more uniquely configured and decentralized data sources to support specific and unique mission needs. Further, since the core data in these subsidiary databases are received from a corporate database(s), the need for interfaces to translate data or connect incompatible technologies is greatly reduced. Structuring databases in this way can minimize complexity and maximize efficiency and mission effectiveness. (See fig. 4 for a simplified diagram conceptually depicting this approach to structuring databases.): Figure 4: Simplified Diagram of Central Data Store with Subsidiary Databases: [See PDF for image] [End of figure] Federal Agencies Maintain Numerous Watch Lists, Containing Varying Types of Data, Used by Many Organizations: Terrorist watch lists are developed, maintained, or used by federal, state, and local government entities, as well as by private-sector entities, to secure our nation's borders. Twelve such lists are currently maintained by federal agencies. These lists contain various types of data, from biographical data--such as a person's name and date of birth--to biometric data--such as fingerprints. : Twelve Federal Watch Lists Are Maintained by Nine Agencies: Nine federal agencies, which prior to the establishment of DHS spanned five different cabinet-level departments, currently maintain 12 terrorist and criminal watch lists. These lists are also used by at least 50 federal, state, and local agencies. The above-mentioned departments are the Departments of State, Treasury, Transportation, Justice, and Defense. Table 1 shows the departments, the associated nine agencies that maintain watch lists, and the 12 watch lists. Table 1: Departments, Agencies, and Their Watch Lists: [See PDF for image] Source: GAO. [A] Interagency Border Inspection operates as a part of Customs' Treasury Enforcement Communications System, commonly referred to as TECS. [B] INS is in the process of integrating this system with the FBI's Integrated Automated Fingerprint Identification System. [C] This list is part of the FBI's National Crime Information Center.. [D] Interpol (International Police Organization) is an intergovernmental organization made up of 181 member countries for the purpose of ensuring cooperation among the world's law enforcement entities. It is headquartered in Lyon, France. The U.S. National Central Bureau for Interpol, within the Justice Department, serves as the U.S. member of Interpol and facilitates dissemination of Interpol watch list information to federal, state, and local agencies. [End of table] The 12 watch lists support the federal agencies involved in the border security process. Figure 5, which builds on figure 2, provides a graphical representation identifying the name of each of the lists and relating them to the agencies that maintain the lists and are involved in performing the four border security functions: issuing visas, controlling entries, managing stays, and controlling exits. Figure 5: Simplified Diagram of the Border Security Process, Departments and Agencies Involved, and Watch Lists Used: [See PDF for image] Notes: Customs and TSA, along with their associated lists, appear twice in this figure because they support both entry and exit control. INS appears three times because its systems support entry control, stay management, and exit control. INS also uses the Interagency Border Inspection System to control entry and exit as well as to monitor stays. [End of figure] Watch Lists Contain Different Types of Data: The 12 watch lists do not all contain the same types of data, although some types are included in all of the lists. At the same time, some types of data are included in only a few of the lists. More specifically, all of the lists include the name and date of birth; 11 include other biographical information (for example, passport number and any known aliases); 9 include criminal history (for example, warrants and arrests); 8 include biometric data (for example, fingerprints); 3 include immigration data (for example, visa type, travel dates, departure country, destination country, country visited, arrival dates, departure dates, and purpose of travel); and 2 include financial data (for example, large currency transactions). Figure 6 shows the data types that are included in each watch list. Figure 6: Types of Data Included in Watch Lists: [See PDF for image] Note: Shaded cells indicate data included in watch lists. [End of figure] Watch List Sharing Is Governed by Varying Policies and Procedures: Effective sharing of information from watch lists and of other types of data among multiple agencies can be facilitated by agencies' development and use of well-coordinated and aligned policies and procedures that define the rules governing this sharing. One effective way to implement such policies and procedures is to prepare and execute written watch list exchange agreements or memorandums of understanding. These agreements would specify answers to such questions as what data are to be shared with whom, and how and when they are to be shared. Not all of the nine agencies have policies and procedures governing the sharing of watch lists. In particular, two of the agencies reported that they did not have any policies and procedures on watch list sharing. In addition, of the seven that reported having such policies and procedures, one did not require any written agreements. Further, the policies and procedures of the seven have varied. For example, one agency's policies included guidance on sharing with other federal agencies as well as with state and local governments, but another's addressed sharing only with other federal agencies. In addition, each agency had different policies and procedures on memorandums of understanding, ranging from one agency's not specifying any requirements to others' specifying in detail that such agreements should include how, when, and where data would be shared with other parties. The variation in policies and procedures governing the sharing of information from watch lists can be attributed to the fact that each agency has developed its own policies and procedures in response to its own specific needs. In addition, the agencies reported that they received no direction from the Office of Homeland Security identifying the needs of the government as a whole in this area. As a result, federal agencies do not have a consistent and uniform approach to sharing watch list information. Federal Agency Watch List Data Sharing and Supporting System Architectures Vary: The President's homeland security strategy and recent legislation call for increased sharing of watch lists, not only among federal agencies, but also among federal, state, and local government entities and between government and private-sector organizations. Currently, sharing of watch list data is occurring, but the extent to which it occurs varies, depending on the entities involved. Further, these sharing activities are not supported by systems with common architectures. This is because agencies have developed their respective watch lists, and have managed their use, in isolation from each other, and in recognition of each agency's unique legal, cultural, and technological environments. The result is inconsistent and limited sharing. Watch List Sharing Varies: According to the President's homeland security strategy, watch list data sharing has to occur horizontally among federal agencies as well as vertically among federal, state, and local governments in order for the country to effectively combat terrorism. In addition, recent federal homeland security legislation, including the Homeland Security Act,[Footnote 16] USA PATRIOT ACT of 2001,[Footnote 17] and the Enhanced Border Security and Visa Entry Reform Act of 2002[Footnote 18] require, among other things, increased sharing of homeland security information both among federal agencies and across all levels of government. The degree to which watch list data are being shared is not consistent with the President's strategy and recent legislative direction on increased data sharing. Specifically, while federal agencies report that they are generally sharing watch list data with each other, they also report that sharing with organizations outside of the federal government is limited. That is, five of the nine agencies reported that they shared data from their lists with state and local agencies, and three reported that they shared data with private industry. Figure 7 visually summarizes the extent to which federal agencies share watch list data with each level of government (federal, state, and local) and with the private sector. Figure 7: Extent of Agency Sharing of Watch List Data with Other Federal Agencies and with State, Local, and Private Organizations: [See PDF for image] [End of figure] As noted above, federal agencies are sharing either all or some of their watch list data with each other. However, this sharing is the result of each agency's having developed and implemented its own interfaces with other federal agencies' watch lists. The consequence is the kind of overly complex, unnecessarily inefficient, and potentially ineffective network that is associated with unstructured and nonstandard database environments. In particular, this environment consists of nine agencies--with 12 watch lists--that collectively maintain at least 17 interfaces; one agency's watch list alone has at least 4 interfaces. A simplified representation of the number of watch list interfaces and the complexity of the watch list environment is provided in figure 8. Figure 8: Simplified Overview of the Border Security Process, Departments and Agencies Involved, Watch Lists Used, and Sharing among Watch Lists: [See PDF for image] Note: Several watch lists are used in more than one phase of the border security process. For example, Customs uses the Interagency Border Inspection System for controlling entry and for controlling exits. In such cases, we showed the watch list interfaces under only one phase. [End of figure] A key reason for the varying extent of watch list sharing is the cultural differences among the government agencies and private-sector organizations involved in securing U.S. borders. According to the President's strategy, cultural differences often prevent agencies from exchanging or integrating information. We also recently reported that differences in agencies' cultures has been and remains one of the principal impediments to integrating and sharing information from watch lists and other information.[Footnote 19] Historically, legal requirements have also been impediments to sharing, but recent legislation has begun addressing this barrier. Specifically, the President's strategy and our past work[Footnote 20] have reported on legal requirements, such as security, privacy, and other civil liberty protections, that restrict effective information sharing. To address this problem, Congress has recently passed legislation that has significantly changed the legal framework for information sharing, which, when fully implemented, should diminish the effect of existing legal barriers. In particular, Congress has enacted legislation providing for agencies to have increased access to other agencies' information and directing more data sharing among agencies. For example, section 701 of the USA PATRIOT ACT[Footnote 21] broadened the goals of regional law enforcement's information sharing to cover terrorist activities. The Enhanced Border Security and Visa Entry Reform Act[Footnote 22] expanded law enforcement and intelligence information sharing about aliens seeking to enter or stay in the United States. Most recently, the Homeland Security Act[Footnote 23] provides the newly created DHS with wide access to information held by federal agencies relating to "threats of terrorism" against the United States. Section 891 expresses the "sense of Congress" that "Federal, state, and local entities should share homeland security information to the maximum extent practicable." Further, section 892 of the Act requires the President to prescribe and implement procedures for the sharing of "homeland security information" among federal agencies and with state and local agencies, and section 895 requires the sharing of grand jury information. Watch List Sharing Is Not Supported by a Common Architecture: The President's homeland security strategy stresses the importance of information sharing and identifies, among other things, the lack of a common systems architecture--and the resultant incompatible watch list systems and data--as an impediment to systems' interoperating effectively and efficiently. To address this impediment, the strategy proposes developing a "system of systems" that would allow greater information sharing across federal agencies as well as among federal agencies, state and local governments, private industry, and citizens. In order for systems to work more effectively and efficiently, each system's key components have to meet certain criteria. In particular, their operating systems[Footnote 24] and applications[Footnote 25] have to conform to certain standards that are in the public domain, their databases have to be built according to explicitly defined and documented data schemas and data models, and their networks have to be connected. More specifically, critical system components would have to adhere to common standards, such as open systems standards, to ensure that different systems interoperate.[Footnote 26] One source for open system standards is the International Organization for Standardization.[Footnote 27] Also, these systems' data would have to have common--or at least mutually understood--data definitions so that data could, at a minimum, be received and processed, and potentially aggregated and analyzed. Such data definitions are usually captured in a data dictionary. Further, these systems would have to be connected to each other via a telecommunications network or networks. When system components and data do not meet such standards, additional measures have to be employed, such as acquiring or building and maintaining unique system interfaces (hardware and software) or using manual workarounds. These measures introduce additional costs and reduce efficiency and effectiveness. The 12 automated watch list systems do not meet all of these criteria (see table 2). For example, they use three different types of operating systems, each of which stores data and files differently. Overcoming these differences requires the use of software utilities to bridge the differences between systems. Without such utilities, for example, a Windows-based system cannot read data from a diskette formatted by a UNIX-based system. Table 2: Selected Architectural Characteristics of the 12 Watch List Systems: Watch list database: Consular Lookout and Support System; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: Yes. Watch list database: TIPOFF; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: No. Watch list database: Interagency Border Inspection System; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: No. Watch list database: National Automated Immigration Lookout System; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: No; Is the system connected to an external network?: No. Watch list database: Warrant Information Network; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: Yes. Watch list database: Automated Biometric Identification System; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: No; Is the system connected to an external network?: No. Watch list database: Violent Gang and Terrorist Organization File[A]; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: Yes. Watch list database: Integrated Automated Fingerprint Identification System[A]; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: Yes; Is the data dictionary available and shared?: Yes; Is the system connected to an external network?: Yes. Watch list database: Top Ten Fugitive List; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: Yes; Is the data dictionary available and shared?: No; Is the system connected to an external network?: Yes. Watch list database: Interpol Terrorism Watch List; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: Yes; Is the data dictionary available and shared?: Unknown[B]; Is the system connected to an external network?: No. Watch list database: No-Fly List; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: No; Is the system connected to an external network?: No. Watch list database: Selectee List; Is the operating system compatible with all other watch list operating systems?: No; Are the software applications compliant with open system standards?: No; Is the data dictionary available and shared?: No; Is the system connected to an external network?: No. Source: GAO. [A] System is connected to a network, but databases are not accessible directly from the network. [B] Officials from the U.S. National Central Bureau for Interpol stated that they did not know to what extent Interpol headquarters shares its data dictionary with others. [End of table] Also, nine of the systems do not have software applications that comply with open system standards. In these cases, agencies may have had to invest time and resources in designing, developing, and maintaining unique interfaces[Footnote 28] so that the systems can exchange data. Further, five of the systems' databases do not have a data dictionary, and of the remaining seven systems that do have data dictionaries, at least one is not sharing its dictionary with other agencies. Without both the existence and sharing of these data dictionaries, meaningful understanding of data received from another agency could require an added investment of time and resources to interpret and understand what the received data mean. Moreover, aggregation and analysis of the data received with the data from other watch lists may require still further investment of time and resources to restructure and reformat the data in a common way. Last, seven of the systems are not connected to a network outside of their agencies or departments. Our experience has shown that without network connectivity, watch list data sharing among agencies can occur only through manual intervention. According to several of these agencies, the manual workarounds are labor-intensive and time- consuming, and they limit the timeliness of the data provided. For example, data from the TIPOFF system are shared directly with the National Automated Immigration Lookout System through a regular update on diskette. Those data are then transferred from the National Automated Immigration Lookout System to the Interagency Border Inspection System. The President' s strategy attributes these differences to the agencies' building their own systems to meet agency-specific mission needs, goals, and policies, without knowledge of the information needs and policies of the government as a whole. As noted and depicted in figure 6, this approach has resulted in an overly complex, unnecessarily inefficient, and potentially ineffective federal watch list sharing environment. Opportunities Exist for Consolidating Watch Lists and Improving Information Sharing: As addressed in the preceding sections of this report, federal watch lists share a common purpose and support the border security mission. Nevertheless, the federal government has developed, maintains, and-- along with state and local governments and private entities--uses 12 separate watch lists, some of which contain the same types of data. However, this proliferation of systems, combined with the varying policies and procedures that govern the sharing of each, as well as the architectural differences among the automated lists, create strong arguments for list consolidation. The advantages of doing so include faster access, reduced duplication, and increased consistency, which can reduce costs and improve data reliability. Most of the agencies that have developed and maintain watch lists did not identify consolidation opportunities. Of the nine federal agencies that operate and maintain watch lists, seven reported that the current state and configuration of federal watch lists meet their mission needs, and that they are satisfied with the level of watch list sharing. However, two agencies supported efforts to consolidate these lists. The State Department's Bureau of Consular Affairs and the Justice Department's U.S. Marshals Service agreed that some degree of watch list consolidation would be beneficial and would improve information sharing. Both cited as advantages of consolidation the saving of staff time and financial resources by limiting the number of labor-intensive and time-consuming data transfers, and one also cited the reduction in duplication of data that could be realized by decreasing the number of agencies that maintain lists. The President's strategy also recognizes that watch list consolidation opportunities exist and need to be exploited. More specifically, the strategy states that the events of September 11th raised concerns regarding the effectiveness of having multiple watch lists and the lack of integration and sharing among them. To address these problems, the strategy calls for integrating the numerous and disparate systems that support watch lists as a way to reduce the variations in watch lists and remove barriers to sharing them. To implement the strategy, Office of Homeland Security officials have stated in public settings that they were developing an enterprise architecture for border and transportation security, which is one of the six key mission areas of the newly created DHS.[Footnote 29] They also reported the following initial projects under this architecture effort: (1) developing a consolidated watch list that brings together information on known or suspected terrorists in the federal agencies' watch lists, and (2) establishing common metadata or data definitions for electronic watch lists and other information that is relevant to homeland security. However, the Office of Homeland Security did not respond to our inquiries about this effort, and thus we could not determine the substance, status, and schedule of any watch list consolidation activities. Since then, the DHS Chief Information Officer told us that DHS has assumed responsibility for these efforts. Conclusions: Our nation's success in achieving its homeland security mission depends in large part on its ability to get the right information to the right people at the right time. Terrorist and criminal watch lists make up one category of such information. To date, the federal watch list environment has been characterized by a proliferation of systems, among which information sharing is occurring in some cases but not in others. This is inconsistent with the most recent congressional and presidential direction. Our experience has shown that even when sharing is occurring, costly and overly complex measures have had to be taken to facilitate it. Cultural and technological barriers stand in the way of a more integrated, normalized set of watch lists, and agencies' legal authorities and individuals' civil liberties are also relevant considerations. To improve on the current situation, central leadership--spanning not only the many federal agencies engaged in maintaining and using watch lists, but also the state and local government and the private-sector list users--is crucial to introducing an appropriate level of watch list standardization and consolidation while still enforcing relevant laws and allowing agencies to (1) operate appropriately within their unique mission environments and (2) fulfill their unique mission needs. Currently, the degree to which such leadership is occurring, and the substance and status of consolidation and standardization efforts under way, are unclear. In our view, it is imperative that Congress be kept fully informed of the nature and progress of such efforts. Recommendations for Executive Action: To promote better integration and sharing of watch lists, we recommend that DHS's Secretary, in collaboration with the heads of the departments and agencies that have and use watch lists, lead an effort to consolidate and standardize the federal government's watch list structures and policies. To determine and implement the appropriate level of watch list consolidation and standardization, we further recommend that this collaborative effort include: 1. updating the watch list information provided in this report, as needed, and using this information to develop an architectural understanding of our nation's current or "as is" watch list environment; 2. defining the requirements of our nation's target or "to be" watch list architectural environment, including requirements that address any agency-unique needs that can be justified, such as national security issues and civil liberty protections; 3. basing the target architecture on achievement of the mission goals and objectives contained in the President's homeland security strategy and on congressional direction, as well as on opportunities to leverage state and local government and private-sector information sources; 4. developing a near-term strategy for implementing the target architecture that provides for the integration of existing watch lists, as well as a longer-term strategy that provides for migrating to a more consolidated and standardized set of watch lists; 5. ensuring that these strategies provide for defining and adopting more standard policies and procedures for watch list sharing and addressing any legal issues affecting, and cultural barriers to, greater watch list sharing; and: 6. developing and implementing the strategies within the context of the ongoing enterprise architecture efforts of each of the collaborating departments and agencies. In addition, we recommend that the Secretary report to Congress by September 30, 2003, and every 6 months thereafter, on the status and progress of these efforts, as well as on any legislative action needed to accomplish them. Agency Comments And Our Evaluation: In commenting on a draft this report, three of the six departments provided either written (Justice and State) or oral (DHS) comments. The remaining three departments (Defense, Transportation, and Treasury) said that they had reviewed the draft but had no comments. The Office of Homeland Security was also provided with a draft but said that it would not comment. The departments that provided comments generally agreed with our findings and recommendations. They also (1) provided technical comments, which we have incorporated as appropriate in the report, and (2) offered department-unique comments, which are summarized and evaluated below. In his oral comments, DHS's Chief Information Officer stated that the department now has responsibility for watch list consolidation. Additionally, the Chief Information Officer generally described DHS's plans for watch list consolidation and agreed that our recommendations were consistent with the steps he described. In light of DHS's assumption of responsibility for watch list consolidation, we have modified our recommendations to direct them to the DHS Secretary. In its written comments, Justice stated that, in addition to cultural differences, there are other reasons why agencies do not share watch list information, such as national security and civil liberty requirements, and that these requirements complicate the consolidation of watch list information. Justice also stated that, while it agrees that there is a need to establish a common watch list architecture to facilitate sharing, this need should not impede short-term efforts to improve sharing. We agree with Justice's first point, which is why our recommendations provide for ensuring that all relevant requirements, which would include pertinent national security and civil liberty protections, are taken into consideration in developing our nation's watch list architectural environment. To make this more explicit, we have modified our recommendations to specifically recognize national security and civil liberty requirements. We also agree with Justice's second point, and thus our recommendations also provide for pursuing short-term, cost-effective initiatives to improve watch list sharing while the architecture is being developed. (Justice's comments are reprinted in app. II.): In its written comments, State said that our report makes a number of valuable points concerning the benefits of watch list consolidation, enterprise architecture, and information sharing. However, State also said that our report (1) attributed watch list differences solely to varying agency cultures, (2) seemed to advocate a "one size fits all approach," and (3) often makes the assumption that software and systems architecture differences necessarily obstruct information sharing. With respect to State's first point, our report states clearly that watch list differences are attributable not only to varying cultural environments, but also to each agency's unique mission needs and its legal and technical environments as well. Concerning State's second point, our report does not advocate a "one size fits all" solution. Rather, our recommendation explicitly calls for DHS to lead a governmentwide effort to, among other things, determine the appropriate degree of watch list consolidation and standardization needed and to consider in this effort the differences in agencies' missions and needs. Regarding State's last point, our report does not state or assume that differences in software and system architecture categorically obstruct or preclude information sharing. Instead, we state that those differences requiring additional measures--such as building and maintaining unique system interfaces or using manual workarounds--introduce additional costs and reduce efficiency and effectiveness. (State's comments are reprinted in app. III.): : As agreed with your office, unless you publicly announce its contents earlier, we plan no further distribution of this report until 15 days from the date on the report. At that time, we will send copies of the report to other congressional committees. We will also send copies to the Directors of the Offices of Homeland Security and Management and Budget, and the Secretaries of the Departments of Defense, Homeland Security, Justice, State, Transportation, and the Treasury. Copies will also be made available at our Web site at www.gao.gov. Should you or your offices have questions on matters discussed in this report, please contact me at (202) 512-3439. I can also be reached by E-mail at hiter@gao.gov. An additional GAO contact and staff acknowledgments are listed in appendix V. Randolph C. Hite Director, Information Technology Architecture and Systems Issues: Signed by Randolph C. Hite: [End of section] Appendixes: Appendix I: Objectives, Scope, and Methodology: Our objectives were to identify (1) federal databases and systems that contain watch lists, the agencies that maintain and use these watch lists in protecting our nation's borders, and the kinds of data these watch lists contain; (2) whether federal agencies' sharing of watch list data is governed by policies and procedures; (3) whether watch lists are (a) being exchanged among federal agencies and between federal agencies and state, local, and private organizations and (b) supported by common system architectures (system hardware, software, and data characteristics); and (4) whether opportunities exist for consolidating watch lists. The scope of our work was based on the federal government's agency structure before the formation of the Department of Homeland Security. We focused on the agencies that use or maintain watch lists in performing border security functions. We identified these departments and agencies through discussions with federal government officials knowledgeable about the U.S. border security mission area. The specific departments and agencies included in our scope were: * Department of Justice: * Federal Bureau of Investigation: * Immigration and Naturalization Service: * U.S. Marshals Service: * U.S. National Central Bureau for Interpol: * Department of State: * Bureau of Consular Affairs: * Bureau of Intelligence and Research: * Department of the Treasury: * U.S. Customs Service: * Department of Defense: * Air Force Office of Special Investigations: * Department of Transportation: * Transportation Security Administration. To address our objectives, we surveyed each of the agencies cited above, using a data collection instrument. To develop this instrument, we reviewed, among other things, past GAO and other reports on watch lists and on the border security process, along with relevant guidance on such topics as systems interoperability, enterprise architecture management, database management, and information sharing. We used this research to develop a series of questions designed to obtain and aggregate information necessary to answer our objectives. We then incorporated these questions into the questionnaire (see app. IV for a copy of the questionnaire). We pretested the questionnaire at two federal agencies, made adjustments based on the pretest, and then transmitted it to the agencies cited above on July 29, 2002. Responses from agencies were received from August 2002 through October 2002. We did not independently verify agency responses. However, we did contact agency officials when necessary to clarify their responses. Next, we compiled the agencies' responses to determine the number of watch lists being used, confirm the universe of agencies that have lists, and determine the number of organizations that use the lists and the kinds of data the lists contain. We also analyzed the agencies' policies and procedures governing watch list sharing. In addition, we reviewed the survey responses to determine the degree of sharing among federal, state, local, and private-sector entities, and we compared the extent of sharing with the sharing goals contained in the President's homeland security strategy and the Homeland Security Act of 2002. Moreover, we aggregated the agencies' descriptions of their watch list systems architectures and analyzed them to identify similarities and differences. We also analyzed the architectural components of the watch list systems and compared them with the standards required for systems to interoperate and share data efficiently and effectively. Finally, we analyzed the agencies' responses on watch list consolidation, to identify whether there were opportunities for consolidating watch lists and, if so, what the benefits were of doing so. Additionally, we reviewed the President's homeland security strategy, homeland security legislation and agency budget requests, and other public documents to identify federal government efforts related to maintaining and sharing watch lists. We also attended conferences and other public events at which Office of Homeland Security officials spoke on homeland security enterprise architecture and watch list standardization and consolidation efforts. We attempted to meet with Office of Homeland Security officials, but they declined to meet with us. As a result, we submitted written questions to the Office of Homeland Security, but received no response. We conducted our work at the headquarters of the nine federal agencies identified above, in and around the Washington, D.C., metropolitan area, from July 2002 through March 2003, in accordance with generally accepted government auditing standards. [End of section] Appendix II: Comments from the Department of Justice: U.S. Department of Justice: Washington, D.C. 20530: MAR 27 2003: Joel C. Willemssen, Managing Director, Information Technology Issues U.S. General Accounting Office: 441 G. Street, NW Washington, DC 20548: Dear Mr. Willemssen: Thank you for the opportunity to review the final draft of the General Accounting Office (GAO) report entitled "Information Technology: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing, GAO-03-322." The draft was reviewed by representatives of the Department of Justice's (DOJ) Criminal Division, Federal Bureau of Investigation, Immigration and Naturalization Service, United States National Central Bureau, United States Marshals Service, and Justice Management Division. On March 7, 2003 the DOJ provided you technical comments to be incorporated in the report as appropriate. This letter constitutes the formal comments of the DOJ, and I request that it be included in the final report. The DOJ generally agrees with your recommendations to promote better integration and sharing of watch lists information. Your report indicates that a key reason for the varying extent of watch lists sharing is the cultural differences among the government agencies and private sector organizations. Further, it concludes that the inability of all interested federal, state, and local governments (and perhaps some private sector entities) to access all existing watch lists information is a systems architecture problem which could be solved through the eventual integration and consolidation of all systems containing watch lists information into one system. In fact it needs to be recognized that in addition to cultural differences there are national security, civil liberties, and strategic reasons for not sharing lists and other terrorism data, which may relate to mere suspects or even persons simply identified as of interest, to a wide range of government or even private sector entities with varying missions and "need to know." National Security Information or classified information within itself complicates the total consolidation of all watch lists information. There is no discussion of classified information in your report and the affect it will have on a consolidation effort due to the protection requirements such as clearances, "need to know," protection against improper disclosure, and handling of such data. Such concerns are in addition to and go beyond any cultural barriers that may exist with respect to watch list sharing. Whereas the DOJ agrees that the long term certainly requires the exploration of potential evolution to a common system architecture, this may or may not lead to sharing terrorist watch lists, and the DOJ believes this should not be an impediment to progress of sharing in the short term. Even though impediments exist and progress has been made as reflected in your report, the DOJ is committed to finding better and more efficient ways of sharing information with other federal, state, and local governments as well as the private industry organizations that have a "need to know.": Again, we appreciate the opportunity to comment on this report. If you have any questions regarding our comments, please contact Vickie Sloan, Director, Audit Liaison Office at 202-514-0469. Sincerely, Paul R. Corts, Assistant Attorney General for Administration: Signed by Paul R. Corts: [End of section] Appendix III: Comments from the Department of State: United States Department of State Washington, D. C. 20520: Dear Ms. Westin: We appreciate the opportunity to review your draft report, "INFORMATION TECHNOLOGY: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing," GAO-03-322, GAO Job Code 310228. The enclosed Department of State comments are provided for incorporation with this letter as an appendix to the final report. If you have any questions concerning this response, please contact Catherine Barry, Bureau of Consular Affairs, at (202) 6 63-1 1-: Christopher B. Burnham Assistant Secretary and Chief Financial Officer: Signed by Christopher B. Burnham: Enclosure: As stated. cc: GAO/IT - Joel Willemssen State/OIG - Luther Atkins State/CA/VO/F - Mike Regan: Ms. Susan S. Westin, Managing Director, International Affairs and Trade, U.S. General Accounting Office. Unclassified: Department of State Comments on GAO Draft Report INFORMATION TECHNOLOGY: Terrorist Watch Lists Should Be Consolidated to Promote Better Integration and Sharing, (GAO-03-322, GAO Code 310228): The draft GAO report on terrorist watch list consolidation makes a number of valuable points concerning the benefits of better coordination of intelligence sharing and watchlist activities. The Department of State has long made improved interagency information sharing a priority and looks forward to working with other USG agencies to make processes involved more effective and efficient. As this report points out, advances in enterprise architecture and other shared standards, increased coordination and, when appropriate, consolidation of data hold the promise of future improvements. At the same time, the report does not appear to adequately take into account the differences in agency missions and needs that have resulted in various systems being developed and used. The report seems to advocate a one size fits all approach to watch lists. Cultural differences exist, to be sure, but there are significant differences in operating and legal environments that dictate how data is formatted and used. Separate but linked databases structured so that all users have access to all appropriate data while still making allowance for differences in mission and operational focus will likely be more effective than monolithic resources. To imply, as the report does, that differences exist solely due to parochialism on the part of the agencies involved is misleading. Because each agency has a different mission, and different legal authorities, each may have a different threshold for acting on information about a particular individual. A law enforcement agency will, for example, require more information to arrest someone than a consular officer will require to deny a visa to the same person. This will lead to different criteria for an individual to qualify for a watch list --or a need for a consolidated watch list to contain different codes for different agencies. Different legal authorities may also affect what people can be in a watch list --e.g., some agencies can maintain information on US citizens for their lawful purposes while others may not be able to do so, given the Privacy Act and other constraints. The broad range of activities and needs in the law enforcement and intelligence communities will not disappear with consolidation of watchlists. The complexities of information sharing are the result of practical realities that cannot be addressed by responses that are simply bureaucratic or technological in nature. In the same vein, the report often makes the assumption that differences in software or systems architecture necessarily obstruct information sharing. A case in point is State's Consular Lookout and Support System (CLASS), which runs in a mainframe environment using specialized software unique to this system. Nonetheless, a wide range of data is effectively taken into and shared by CLASS with a variety of users. The differences in architecture have not prevented information sharing. Over its 15-year history, TIPOFF (a classified clearinghouse for terrorist threat information) has developed a number of methods for sharing data with its multiple users, from CLASS and INS's NAILS to the Australian and Canadian governments, no matter what software and systems architecture was used. Development of automated data sharing will be challenged by security restrictions and the cost and lack of singular authority to replace agency-specific existing legacy systems. The report also suggests that policies and procedures should be developed to define the rules of sharing information. The Department agrees and wishes to note that it has been steadily working with other agencies to create Mutual Agreements of Understanding to govern sharing of this sensitive information. Unclassified: [End of section] Appendix IV: GAO's Survey Instrument: [See PDF for image] [End of figure] [End of section] Appendix V: GAO Contact and Staff Acknowledgments: GAO Contact: Gary Mountjoy, (202) 512-6367. Staff Acknowledgments: In addition to the individual named above, Elizabeth Bernard, Neil Doherty, Joanne Fiorino, Will Holloway, Tonia Johnson, Anh Le, Kevin Tarmann, and Angela Watson made key contributions to this report. (310228): FOOTNOTES [1] The nine agencies are the State Department's Bureau of Intelligence and Research and Bureau of Consular Affairs; the Justice Department's Federal Bureau of Investigation, Immigration and Naturalization Service, U.S. Marshals Service, and U.S. National Central Bureau for Interpol; the Department of Defense's Air Force Office of Special Investigations; the Transportation Department's Transportation Security Administration; and the Treasury Department's U.S. Customs Service. Of these, the Immigration and Naturalization Service, the Transportation Security Administration, and the U.S. Customs Service are being incorporated into the new Department of Homeland Security. [2] Biometrics are records of physical identification marks, such as fingerprints and iris scans. [3] An enterprise architecture can be viewed as a blueprint that describes an entity's operational and technical environments. The blueprint includes descriptive models of the entity's current and future business and technical environments, along with a roadmap for transitioning from the current to the future environment. [4] P.L. 107-296. [5] Office of Homeland Security, National Strategy for Homeland Security (July 2002). [6] The other critical mission areas are intelligence and warning, domestic counterterrorism, protecting critical infrastructure, defending against catastrophic terrorism, and emergency preparedness and response. [7] The strategy assigned the Federal Bureau of Investigation the responsibility for standardizing and consolidating watch lists. However, according to the bureau, this responsibility was subsequently assumed by the Office of Homeland Security. [8] Of these agencies, INS, Customs, and TSA have been incorporated into DHS. [9] U.S. General Accounting Office, Border Security: Visa Process Should Be Strengthened as an Antiterrorism Tool, GAO-03-132NI (Washington, D.C.: October 2002). [10] The requirement to screen these individuals is part of the Justice Department's implementation of the National Security Entry-Exit Registration System. According to Justice, it implemented the first phase of the system in October 2002. [11] Inspectors are also required to check all entering vehicles' license plates against watch lists. [12] The President's strategy assigned the responsibility for developing an enterprise architecture to the Critical Infrastructure Assurance Office, which was part of the Commerce Department but is now being incorporated into the new Department of Homeland Security. However, according to the Critical Infrastructure Assurance Office, this responsibility for developing homeland security enterprise architectures was subsequently assumed by the Office of Homeland Security. [13] The President's strategy assigned the FBI the responsibility for standardizing and consolidating watch lists. However, according to the FBI, this responsibility has been transferred to the Office of Homeland Security. [14] For example, see Office of Management and Budget, Management of Federal Information Resources, Circular No. A-130 (Washington, D.C.: November 2000) and U.S. General Accounting Office, Executive Guide: Improving Mission Performance through Strategic Information Management and Technology: Learning from Leading Organizations, GAO/AIMD-94-115 (Washington, D.C.: May 1994). [15] In short, metadata are "data about data." That is, they are definitional data that describe the context, quality, condition, or characteristics of the specific data elements in a set of data or a database. [16] P.L. 107-296, section 202. [17] P.L. 107-56. [18] P.L. 107-173. [19] GAO-02-1122T. [20] For example, see U.S. General Accounting Office, National Preparedness: Integrating New and Existing Technology and Information Sharing into an Effective Homeland Security Strategy, GAO-02-811T (Washington, D.C.: June 2002). [21] P. L. 107-56. [22] P. L. 107-173. [23] P. L. 107-296. [24] An operating system is the program that manages all the other programs (called applications) in a computer. [25] An application is a program that is designed to perform a specific function for the user or another program. [26] Open system standards are standards, such as the ISO Open Systems Interconnection model that, when followed, result in a computer system that can incorporate all devices that use the same communications facilities and protocols, regardless of make or model. [27] The International Organization for Standardization is an international association of member countries, each of which is represented by its leading standard-setting organization--for example, ANSI (American National Standards Institute) for the United States. [28] An interface is the point at which a connection is made between two elements, such as systems, so that they can work with one another. [29] The President's July 2002 homeland security strategy assigns responsibility to the Critical Infrastructure Assurance Office (in the Commerce Department) for developing the enterprise architecture for data sharing and to the FBI for consolidating watch lists. Officials at these two agencies told us that their respective responsibilities were subsequently assumed by the Office of Homeland Security. GAO's Mission: The General Accounting Office, the investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site ( www.gao.gov ) contains abstracts and full-text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to daily E-mail alert for newly released products" under the GAO Reports heading. Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov Automated answering system: (800) 424-5454 or (202) 512-7470: Public Affairs: Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548: