International Trade Today is a service of Warren Communications News.

Data Sharing among Agencies Still Slack, GAO Warns

More than 4 years after the 9/11 attacks, govt. policies to help agencies work with terror-related information still are lacking, the GAO said. Duties for pushing federal data-sharing shifted from the White House to OMB and then to the Dept. of Homeland Security (DHS) -- but none has completed the task, the watchdog agency said Mon.

The report follows a 2006 Federal Information Security Management Act (FISMA) scorecard from the House Govt. Reform Committee deeming agencies’ progress “disappointing.” The govt. got a D+ overall on network security in 2005. Failing grades went to DHS, for the 3rd year straight, plus State, Defense, Agriculture, Energy, Health & Human Services, Transportation, and Veterans Affairs. DoJ slid from a B- in 2004 to a D in 2005; Interior drew an F after a C+ in 2004, the scorecard said. Committee Chmn. Davis (R-Va.) called the rankings “unacceptably low” (WID March 17 p4).

GAO studied agencies with 56 designations to protect data deemed unclassified but critical. Most such designations have different meanings at different agencies, investigators found. Absent standards, each agency determines which designations and associated policies to apply to sensitive data it develops or shares, GAO said. More than 1/2 of agencies reported barriers to sharing such information.

Most agencies examined have no policies on which and how many employees have power to designate unclassified data as sensitive, on training them for the task or on doing reviews to assess their practices, GAO said. Without recommended internal controls, there’s more risk of designations being misused, the agency said. The result could be needless bars on materials that could be shared or inadvertent release of content that should be restricted, officials warned.

FISMA progress among agencies is “mixed at best,” GAO Information Security Dir. Gregory Wilshusen told Davis’s committee last month. More systems than previously meet key performance measures, but the percentage of agency systems reviewed fell, as did the number of employees and contractors getting security awareness training, he said. Breach response plans were also rare, Wilshusen said. Given the FISMA scores, GAO analysis is “hardly a surprise,” a Cyber Security Industry Alliance (CSIA) spokesman told us. “What we don’t want is for it to become so unnewsworthy that people give up hope that the federal government will ever get its act together, and just move on. At least, until the next attack,” he said.

“We are missing a sense of urgency about getting information sharing done and, specifically, done right,” House Homeland Security Ranking Member Rep. Thompson (D-Miss.) told us: “This is simply unacceptable in our post-9/11 world.” Thomas McNamara -- formerly U.S. ambassador to Colombia, now heading information sharing for the Office of the Director of National Intelligence (ODNI) -- “has his work cut out for him,” Thompson said. “His success depends on the Administration giving him the authority to establish and enforce a single set of information sharing policies, as well as the capability to overrule objections by recalcitrant agencies when appropriate,” he said. Otherwise, the govt. risks failing to “connect all the available intelligence dots” to protect Americans, Thompson said.

ODNI declined to comment on GAO’s report, saying it is “very broad” and “addresses a number of intelligence-related issues, including a discussion of the management of [ODNI] and specific recommendations to the Director of National Intelligence.” ODNI said the DoJ had “previously advised” GAO that “the review of intelligence activities is beyond the GAO’s purview,” officials said. DoJ similarly told GAO a 2003 report on information sharing and intelligence activities was not in GAO’s portfolio but didn’t offer a legal analysis with either statement, investigators said.

House Govt. Reform Committee Staff Dir. David Marin said the report findings echo testimony to his committee indicating interagency information sharing is “still being needlessly constrained.” The GAO report “adds powerful evidence” to back a bill the committee approved April 6 to standardize and limit use of data access and handling restrictions, he said. “The uncontrolled use of these ill-defined markings continues to clog the information sharing pathways needed to wage and win the war on terror,” Marin said. Documents stamped “official use only” -- or bearing any of 55 “sensitive but unclassified” labels GAO found -- complicate the openness Congress and the president agree is needed to get a total picture of “diffuse threats that tend to hide in plain sight,” he said.

Twenty-six federal agencies using a slew of “sensitive but unclassified” designations to “effectively restrict the flow of information is a call to action,” Senate Homeland Security Committee Chmn. Collins (R-Me.) told us: “We need more uniform standards for classifying and sharing sensitive information between federal agencies and with tribal, state and local governments and other trusted partners.” She was disappointed that ODNI didn’t respond to GAO’s report, saying the agency plays a crucial role in helping Congress exercise “appropriate oversight of activities in the executive branch.” An ODNI spokesman told us McNamara was reviewing the GAO’s findings and recommendations and “as appropriate, they will be incorporated.”