UPDATED: GAO: Feds must standardize info-sharing policies

GAO's report on information sharing

Editor's Note: This story was updated at 1:30 p.m. April 18, 2006, to correct Russack's first name and to add that President Bush nominated Thomas McNamara to take over Russack's position after Russack resigned.

More than four years after the 2001 terrorist attacks, the federal government still lacks processes and policies to improve how agencies share terrorism-related and sensitive-but-unclassified (SBU) information, the Government Accountability Office said today in a new report.

“Until governmentwide policies and processes on sharing are in place, the federal government will lack a comprehensive road map to improve the exchange of critical information needed to protect the homeland,” the report states.

GAO found that the 26 agencies it reviewed have 56 different SBU designations. No governmentwide rules, however, determine how they are applied or how they differ.

“Sometimes agencies used different labels and handling requirements for similar information and, conversely, similar labels and requirements for very different kinds of information,” the report states.

More than half of the 26 agencies reported they have problems sharing information, the report states. The Homeland Security Department, for instance, told GAO that it had posted SBU information for state and local partners to public Internet sites.

Most agencies lack controls on the kinds, number and training of employees who can make designations, the report states. The government does not have requirements for those kinds of internal controls.

“Not having these recommended internal controls for effective programs in place increases the probability that the designations could be misapplied, potentially restricting the sharing of material unnecessarily or resulting in dissemination of information that should be restricted,” according to the report.

Additionally, many users are not connected to information-sharing systems and thus lack the information they need to fight terrorism, the report states.

The Office of the Director of National Intelligence (ODNI) is responsible for creating a governmentwide Information Sharing Environment (ISE). John Russack, ODNI’s former information-sharing program manager, told Congress last November that he lacked the money and staff to fulfill his responsibilities.

Russack resigned Jan. 26. In March, President Bush nominated Thomas McNamara to fill the position. McNamara has served in the Bush administration as special assistant to the president for national security affairs and senior director for international programs and African affairs.

Consequently, the report predicts that ODNI will have difficulty meeting a June 14 deadline by which it and the National Counterterrorism Center must:

• Perform a comprehensive review of all federal information-sharing activities, particularly with state, local and private-sector partners.


• Develop and release information-sharing standards to those partners.


• Develop recommendations for sharing information with foreign partners.


• Develop privacy guidelines and ways to hold employees accountable.

To fix these problems, ODNI and OMB should work together to carry out the requirements established in President Bush’s December 2005 mandate that guides ISE’s development, the report states. The two agencies should create a single inventory of SBU designations that consolidates designations where possible and helps agencies apply them consistently.

ODNI should assess the progress and any barriers to progress toward the milestones detailed in the Interim Implementation Plan it issued in January, the report states. The office should recommend any changes to the structure or approach to ISE.

The office declined to comment on the draft report because it said GAO does not have the authority to review intelligence activities.

GAO officials strongly disagreed and said it does not involve reviewing true intelligence work but broadly applicable procedures for governmentwide information sharing.

“The use of such a sweeping definition to limit GAO’s work would seriously impair Congress’ oversight of executive branch information-sharing activities,” the report states.

OMB should work with ODNI and other agencies to create and issue a directive requiring all federal agencies to follow GAO’s Standards for Internal Controls in the Federal Government, the report recommends. The document also says the directive should train and guide employees on when to use SBU designations and how to share SBU information and that it should include a review process for quality assurance.

OMB officials did not say whether they agree with GAO’s findings. They said they would work with ODNI once the information program manager and others complete governmentwide policies and procedures.