Information Sharing Environment
2013 Annual Report to the Congress

NATIONAL SECURITY THROUGH RESPONSIBLE INFORMATION SHARING

Appendices

Appendix A — ISE Performance Data

This Report provides an executive-level summary of ISE activities over the previous year to illustrate the major focus areas and investments by ISE agencies, and provides a basis of performance analysis by the office of the PM-ISE. The following high-level analysis and findings provide:

  • An assessment of the extent to which this Report conforms to the requirements as stated in the law;

  • An assessment of the maturity of the ISE as measured by the ISE Annual Performance Assessment; and

  • Identification of gaps and opportunities for improvement to better inform future investments.

High-Level Analysis of the Annual ISE Performance Assessment Report

The ISE Performance Framework, detailed in Section 6 of this Report, defines three stages of maturity to communicate expected capabilities for the following year.

Maturity Stage 1 — capabilities currently expected for ISE agencies;

Maturity Stage 2 — capabilities that are expected to be developed two to three years from baseline; and

Maturity Stage 3 — capabilities that are expected five to seven years from baseline.

2013 is the first full performance assessment year after the 2012 baseline year. Analysis in this Report focuses on Maturity Stage 1 initiatives and capabilities, some of which are incorporated into National Strategy for Information Sharing and Safeguarding (National Strategy) implementation plans.[64] Overall, the 2013 ISE Performance Assessment found no statistically significant[65] increase in performance for Maturity Stage 1 initiatives and capabilities when compared to the 2012 baseline analysis.

Early implementation planning for many of the 2013 performance focus areas was incorporated into the 16 priority objectives in the National Strategy, released in December 2012.[66] The implementation roadmap, discussed previously in the Way Forward section, provides actions, milestones, and accountability leads that are aligned with the priority objectives in the National Strategy.

Gaps, Challenges, and Opportunities

In the process of compiling this Report, and based on collaboration with ISE agencies, PM-ISE identified several additional gaps, challenges, and opportunities for improvement of the ISE.

Significant findings on key issues from 2012 are compared in tables below with the findings from this year's assessment on like issues. The tables are aligned to the five goals in the National Strategy and identify areas that (1) were not meeting Maturity Stage 1 expectations as previously reported in 2012 compared with 2013 findings and mitigation activities,[67] (2) are Maturity Stage 2 and 3 areas of assessment that are at risk, and (3) represent additional gaps, challenges, and opportunities for improvement for ISE.

Most departments and agencies are meeting Maturity Stage 1 expectations; however, there are underperforming areas which are identified in this report. 2014 will be the first execution year for Maturity Stage 2 initiatives, and ISE agencies are well positioned to meet the expected goals. Data from the 2013 ISE performance assessment suggest that some select Stage 2 and 3 issues require closer management oversight to meet forecasted expectations.

Near-term actions to address these issues are reflected in the high-level implementation roadmap found in the Way Forward section of this Report. The roadmap includes implementation guidance from the PM-ISE to the agencies, based upon White House priorities for information sharing and safeguarding. PM-ISE and the ISA IPC will monitor ISE agency efforts to implement White House guidance through the governance and performance management processes outlined in Section 6 of this Report.

National Strategy Goal 1 — Collective Action Through Collaboration and Accountability

2012 Findings — Maturity Stage 2 and 3

2013 Findings — Maturity Stage 2 and 3

Public-Private Sector Information Sharing Gap

  • According to the National Infrastructure Advisory Council (NIAC), federal-private sector information sharing was still immature, leaving a large gap in public-private sector information sharing.

  • In particular, intelligence sharing between Federal Government and private sector operators of critical infrastructure was lagging behind the "marked improvements" the NIAC observed in the sharing of federal intelligence with state, local, tribal, and territorial (SLTT) governments over the last several years.

  • Many challenges noted in last year's report with respect to sharing information between the federal government and private sector owner/operators of critical infrastructure persist, but there has been a concerted effort on the part of the Federal Government to address the NIAC report findings over the past twelve months. Details of these activities are included in Section 1 of this Report, under the heading, "Private Sector Information Sharing."

Opportunities to Improve Suspicious Activity Reporting Analysis

No corresponding 2012 finding.

  • PM-ISE released a report, "Improving Suspicious Activity Reporting (SAR) Analysis." PM-ISE is working with DHS and FBI to address the findings and recommended mitigation strategies in the report.

  • Fusion centers reported that the inability to download ISE-SAR data from the NSI Federated Search Tool and/or eGuardian limits fusion center analysts' ability to integrate information into their analytic processes.

  • In addition, many fusion centers report that they do not have a consistent process for incorporating ISE-SAR into their analytic workflow, and that the ISE-SAR Functional Standard needs to be updated to bring the document up to date with current analysis on behaviors and indicators of violent extremism and mobilization to violence.

  • As of January 2013, 56 federal agencies, representing 226 individual organizations, are in various stages of NSI participation, and four additional agencies have been identified that may be able to participate. Of the 56 agencies, 21 are NSI-compliant.

RFI/AWN Common Processes

No corresponding 2012 finding.

  • Federal Operation Centers have not adopted a common RFI exchange process and lack both a common AWN information exchange process and information exchange protocols.

Tribal Information Sharing Gaps

  • There were opportunities to increase tribal information sharing through the National Network of Fusion Centers.

  • PM-ISE and its federal partners were focused on addressing and improving some of the foundational policy, governance, relationship, and capacity issues related to tribal information sharing.

  • SLT partners were expanding tribal participation through Fusion Liaison Officer (FLO) programs.

  • As noted last year, gaps continue in tribal information sharing. Challenges include lack of resources, reluctance of some states to allow tribal law enforcement access to federal and state databases, tribal reluctance to engage outside law enforcement entities, and insufficient training on fusion center capabilities.

  • PM-ISE, in coordination with DOI, BIA, DOJ, OTJ, NCTC, FBI, DHS, and IACP, convened the Tribal Information Sharing Working Group (TISW) to examine information sharing in Indian Country. As of April 2013, the TISW identified eight major findings that hinder tribal information sharing and is developing recommendations for mitigation.

ISE Agency Incentives for Information Sharing and Safeguarding Activities

No corresponding 2012 finding.

  • Responses to the 2013 ISE Performance Assessment Questionnaire show mixed results with respect to agency adoption and implementation of incentive tools for information sharing and safeguarding.

  • 90% of responding agencies—a 10% increase from last year—reported that "information sharing and collaboration" is an evaluated performance objective for employees with direct ISE responsibilities.

  • Responding agencies reported a decrease in the nomination of candidates for information sharing and collaboration awards from last year.[68]

The Need to Transform Information Sharing Business Models

  • Resource constraints, especially among state, local, and tribal (SLT) law enforcement agencies, necessitate the transformation of information sharing business models.

  • A significant cost savings could be realized through consolidation, regionalization, and reuse of open standards and trusted IT platforms.

  • As diverse resources are applied to particular justice and public safety problems (including terrorism), systems at all levels of government need to factor in case deconfliction. Development of common, agreed-upon, national deconfliction standards will help ensure common awareness in the operational environment.

  • The 2012 finding that cost savings could be realized is still valid.

  • Global Justice Sharing Initiative put out a call to action in November 2012 to develop single-sign-on capabilities; leverage cloud solutions; develop shared services; ensure interoperability between law enforcement systems; and, collaborate with Federal partners to coordinate federal funding, policy support, and adoption of common standards and technologies.

  • To further interoperability between law enforcement deconfliction systems, PM-ISE is sponsoring a nationwide deconfliction strategy, to include identifying deconfliction standards and interfacing deconfliction systems.

National Strategy Goal 2 — Information Discovery and Access Through Common Standards

2012 Findings — Maturity Stage 2 and 3

2013 Findings — Maturity Stage 2 and 3

Entity Data Tagging

  • 65% of ISE agencies reported little or no progress in working towards metadata tagging solutions—this reduces agencies' ability to automate access decisions based upon user and data attributes, and hinders the ability to discover and retrieve data, perform analysis, and maintain provenance and lineage on terrorism-related data.

  • Agencies reported progress on working towards metadata tagging solutions.

    • DoD CIO is implementing the DoD Joint Information Environment and the Office of the Director of National Intelligence is implementing IC Information Technology Enterprise (IC ITE)—both are using DoD Architecture Framework (DoDAF) artifacts which enable cross domain sharing.

    • DHS and Department of Transportation are developing data tagging implementation plans for discovery and access control on their networks.

Data Aggregation

  • Centralized data correlation and data storage introduces privacy and security challenges that limit mission effectiveness.

  • The development of data aggregation reference architecture could alleviate these challenges by establishing a roadmap for centralized correlation with decentralized data producers. In addition, unstructured data, such as free-form text documents, presents further technical and human resource challenges.

  • The challenges to enterprise data correlation noted in last year's findings persist.

  • Development of data aggregation architecture is a priority objective of the National Strategy, as are priority objectives to adopt metadata standards to facilitate discovery, access, and monitoring across networks and security domains, and define and implement common standards to support automated discovery and access decisions.

National Strategy Goal 3 — Optimizing Mission Effectiveness Through Shared Services and Interoperability

2012 Findings — Maturity Stage 2 and 3

2013 Findings — Maturity Stage 2 and 3

Assured Network Interoperability

  • Approximately one-half of ISE agencies implemented interconnection plans for SBU/CUI networks supporting ISE-related missions.

  • A constrained fiscal environment, fragmented architectures, and policy challenges hindered agency efforts in this area.

  • To help address these gaps, the SBU/CUI Interoperability Working Group was focusing on identity and access management (IdAM) solutions to provide a simplified sign-on capability between mission partners' SBU and CUI networks.

  • Resource constraints continue to impact interoperability efforts for SBU/CUI networks, with only 40% of ISE agencies this year reporting having implemented interconnection plans for SBU/CUI networks supporting ISE related missions.[69]

  • In 2012, the Integration Sub-Committee established the Identity Federation Coordination working group to improve governance of identity-related efforts across the federal government and across all security domains.

ISE Mission System Acquisition Processes

  • Only about 50% of ISE agencies considered ISE functional and technical standards when issuing grants or requests for proposals (RFP) for ISE-related system acquisitions.

  • PM-ISE, in partnership with GSA, began several efforts to address the standards-based acquisition issue and to develop a baseline set of standards for information exchange.

  • PM-ISE intended to leverage the output of these efforts and, in coordination with GSA and our partner organizations, will make recommendations to foster information sharing standards in acquisition and grant language.

  • Only about 50% of ISE agencies consider ISE functional and technical standards when issuing grants or RFPs for ISE-related systems.

  • While guidance actions were issued for updating grant and acquisition language to support the use of common standards, 43% of agencies have not provided best-practice recommendations to support this initiative.

  • PM-ISE is working with GSA to leverage National Strategy implementation actions to accelerate the use of information sharing standards in acquisition language, and to foster reuse of these standards across the ISE mission partners. HHS, as a co-chair of the Council on Financial Assistance Reform, is actively working on incorporating standards guidance in grant language guidance.

Federated Identity Management

  • 33% of ISE agencies did not accept IT security certification bodies of evidence from other federal agencies, nor do they make accreditation decisions without retesting.

  • In collaboration with GSA and the Federal Chief Information Officers (CIO) Council, PM-ISE was attempting to bridge that capability gap through the Backend Attribute Exchange (BAE) pilot, which endeavors to securely access various credentials that may originate from multiple authoritative sources to make access control decisions.

  • Federated identity management progress continues incrementally.

    • The percentage of agencies (from the 2012 population) that did not practice IT security reciprocity with other federal agencies decreased to 10% from 33%.

    • All responding agencies reported progress in implementing federated identity management solutions aligning to the FICAM roadmap.

  • The BAE pilot continues to progress, with PM-ISE and GSA developing an initial test scenario in which an ISE mission partner will use BAE to access information from an external portal, such as the Regional Information Sharing System (RISS).

  • In addition, ISA IPC Information Integration Subcommittee (IISC) led the Federal Cloud Credential Exchange project to provide a shared service for validation of third party credentials, and the IISC's Federated Identity Management Working Group developed a guide for federal agencies on how to accept third party credentials.

Legislative Support for Shared Services

No corresponding 2012 finding.

  • Many of the current budget models for IT do not allow for flexibility, pooling, and extending the availability of funding. Support for removing limits on transferring funding across appropriations and agencies will better allow for provisioning common administrative IT services.

Establishing an Enterprise Architecture Management Capability

No corresponding 2012 finding.

  • PM-ISE began developing an ISE Interoperability Framework (I2F) which will align enterprise architecture frameworks used by ISE partners and promote tools and methodologies that advance interoperability.[70]

National Strategy Goal 4 — Strengthening Safeguarding of Information

2012 Findings — Maturity Stage 2 and 3

2013 Findings — Maturity Stage 2 and 3

Classified Information Sharing and Safeguarding Governance Gaps

  • With the collective progress in developing Federal Government-wide governance structures for Secret networks and in solidifying key priorities and milestones for implementation, the Federal Government was positioned for continued improvements in classified information sharing and safeguarding in the next year.

  • Our continuing efforts in these priority areas will improve security by strengthening the identification of individuals accessing classified systems, limiting access on a basis of the individual's "need-to-know" through technical controls, reducing the opportunity for information to be removed from the secure environment, improving efforts against insider threats, and improving audit capabilities.

Opportunity with Cybersecurity Information Sharing

  • Cybersecurity can be improved through effectively sharing cyber-vulnerability and intrusion information.

  • ISE's information sharing processes can enable cybersecurity information sharing.

  • Comprehensive National Cybersecurity Initiative Five led the Federal Cybersecurity Centers[71] to document requirements for sharing cybersecurity information into an information sharing architecture (ISA). Implementation of the ISA was selected as one of the President's Cybersecurity Advisor's top priorities for FY 2014.

  • Federal Emergency Management Agency's National Exercise Division conducted National Level Exercise (NLE) 2012,[72] a series of exercise events that examined the ability of the United States to execute a coordinated response to a series of significant cyber incidents. One of the four overarching objectives that guided NLE 2012 was to examine the ability to share information across all levels of government and with the private sector as well as the general public, to create and maintain cyber incident situational awareness, and coordinate response and recovery efforts.

National Strategy Goal 5 — Protecting Privacy, Civil Rights, and Civil Liberties

2012 Findings — Maturity Stage 2 and 3

2013 Findings — Maturity Stage 2 and 3

Consistent, Government-wide Application of Privacy Protections

  • Compliance with the requirements of the ISE Privacy Guidelines remained incomplete.

  • Six years after the issuance of the ISE Privacy Guidelines, a small number of ISE agencies were still developing ISE privacy policies.

  • Within the past 12 months, there has been a 30% increase in the number of completed ISE privacy policies.

  • One positive development was the direct engagement by the senior leadership of those agencies without ISE privacy policies, many of whom have committed to the completion of their agency's ISE privacy policy by the end of 2012.

  • ISE agencies continue to develop and implement privacy protection policies as required by the Guidelines to Ensure that the Information Privacy and Other Legal Rights of Americans are Protected in the Development and Use of the Information Sharing Environment.[73]

  • Department of Defense (DoD) has revised its directive to conform DoD with ISE Privacy Guidelines in lieu of issuing a separate DoD privacy policy.

  • PM-ISE and the ISA IPC Privacy and Civil Liberties Subcommittee have monitored progress of and provided technical assistance to remaining ISE departments and agencies.

Privacy Compliance

  • Of the agencies with privacy policies, 79% made no progress in verifying that their ISE-enabling business processes are in compliance with their ISE privacy policy.

  • Approximately 33% of agencies with ISE privacy policies completed those policies within the past 12 months—agencies were still in the initial stages of implementing ISE privacy protections and policies.

  • Agencies with established policies reported consistent progress in implementing ISE policies, including the proactive integration of protections into the development of new systems and initiatives.

  • The Privacy and Civil Liberties Subcommittee of the Information Sharing and Access Interagency Policy Committee (ISA IPC) was developing a compliance review self-assessment tool that will assist federal ISE mission partners in identifying gaps and will result in more detailed and measured performance reporting.

  • While there have been initiatives to measure and ensure privacy compliance, there currently is not an effective ISE-wide performance measurement for internal agency compliance, oversight, and accountability mechanisms to ensure consistent application of P/CR/CL protections.[74]

Privacy Compliance

  • Of the agencies with privacy policies, 79% had made no progress in verifying that their ISE-enabling business processes are in compliance with their ISE privacy policy.

  • Approximately 33% of agencies with ISE privacy policies completed those policies within the reporting period—agencies were still in the initial stages of implementing ISE privacy protections and policies.

  • However, agencies with established policies reported consistent progress in implementing ISE policies, including the proactive integration of protections into the development of new systems and initiatives, contributing to the maturity of agency protection capabilities.

  • Agency reporting shows an increase in maturity for the implementation of ISE privacy protections and policies since last year—yet, while 87% of agencies reported having an adequate review or audit mechanism in place to verify personnel compliance with the ISE Privacy Guidelines, only 79% of agencies reported having ISE privacy protection policies in place.

  • A standardized model for compliance in the form of a compliance self-assessment tool is being finalized by the P/CL Subcommittee to further assist federal ISE mission partners in identifying gaps and providing more detailed and measured performance reporting.

As discussed in the body of this Report, the ISE Performance Framework allows the office of the PM-ISE to assess improvements to the nation's ability to detect, analyze, and respond to terrorism, WMD, and homeland security threats. ISE agency performance data is discussed throughout this Report. The framework for the assessment and the details of the data are described below.

Seventy-five percent of the 2013 ISE PAQ (detailed later in this appendix) was constant from the 2012 questionnaire. The remaining questions were expanded to focus on newly identified gaps from the 2012 assessment and new mission areas identified through strategic planning by federal governance bodies. Publishing the 2012 National Strategy in December of 2012 allowed the 2013 ISE Performance Assessment to be explicitly aligned to its goals and sub-goals, giving the ISE a clear strategic footing for monitoring progress.

Responses to the 2013 ISE PAQ are scored on a 0-1 scale; the aggregate scores for responses to questions within each capability area are calculated as a percentage of the total possible score.

[Figure 9 image description: performance by goal in terms of community, process, and technology, across the goals: drive collective action through collaboration and accountability; improve information discovery and access through common standards; optimize mission effectiveness and interoperability; protect privacy, civil rights, and civil liberties through consistency and compliance.]

Figure 9. Overall 2013 ISE Performance by Goal and Capability Area

The goals and sub-goals are aligned to the Administration’s strategic guidance, priorities, and to the required ISE attributes per IRTPA Section 1016(b)(2). Each ISE performance assessment question is aligned to a specific subtopic, maturity stage, and to the capability areas of community, process, and technology. These alignments allow PM-ISE to use agency responses to the ISE PAQ to determine ISE-wide progress against both the Administration’s priorities and the attributes of the ISE, while maturing community involvement, and process and technology adoption and use. As 2012 was a baseline year for PM-ISE’s performance methodology and a year for finalizing the National Strategy, responses to "Maturity Stage 1" questions remain the focus of this year’s performance assessment and are highlighted.

Table A-1. Overall 2013 ISE Performance by Goal, Sub-goal, and Maturity Stage.

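| Goal | Sub-goal | Maturity Stage 1 | Maturity Stage 2 | Maturity Stage 3 |
|---|---|---|---|---|
| Drive Collective Action through Collaboration and Accountability | Encourage Progress through Performance Management, Training, and Incentives | A | A | N/A |
| Drive Collective Action through Collaboration and Accountability | Improve Governance and Remove Barriers to Collaboration | A | A | N/A |
| Drive Collective Action through Collaboration and Accountability | Mature the Use of Common Operating Models | A | B | B |
| Drive Collective Action through Collaboration and Accountability | Streamline the Development of Information Sharing Agreements | N/A | B | N/A |
| Improve Information Discovery and Access Through Common Standards | Develop Clear Policies and Rules for Discovery and Access | A | B | N/A |
| Improve Information Discovery and Access Through Common Standards | Drive the use of Information Sharing Standards | A | B | N/A |
| Improve Information Discovery and Access Through Common Standards | Enhance Enterprise-wide Data Correlation | N/A | A | N/A |
| Improve Information Discovery and Access Through Common Standards | Improve Identity, Authentication, and Authorization Controls | A | B | B |
| Optimize Mission Effectiveness through Shared Services and Interoperability | Improve Assured Data Services, and Network Interoperability | B | B | B |
| Optimize Mission Effectiveness through Shared Services and Interoperability | Leverage Collective Demand through Acquisition | B | B | N/A |
| Optimize Mission Effectiveness through Shared Services and Interoperability | Share Services that Benefit All Partners | A | C | B |
| Protect Privacy, Civil Rights, and Civil Liberties through Consistency and Compliance | Build Protections into the Development of Information Sharing Operations | N/A | A | N/A |
| Protect Privacy, Civil Rights, and Civil Liberties through Consistency and Compliance | Ensure Accountability and Compliance Mechanisms | A | A | A |
| Protect Privacy, Civil Rights, and Civil Liberties through Consistency and Compliance | Increase Consistent Government-wide Application of Privacy Protections | A | C | N/A |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.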

PM-ISE's methodology for measuring the capabilities expected at each maturity stage is included in the table below. Each ISE Performance Assessment Question measures performance at a specific maturity stage.

Table A-2. ISE Performance Framework Capability Areas and Maturity Stages.

| Capability Area | Maturity Stage 1: Current Environment | Maturity Stage 2: 2-3 Year Time Horizon | Maturity Stage 3: 5-7 Year Time Horizon |
|---|---|---|---|
| Community | Designed to measure a baseline awareness of and participation in the ISE. | Designed to measure agencies' familiarity with the goals of the ISE and their ability to measure themselves against those goals and an increased level of involvement in the ISE community. | Designed to measure agencies equating responsible information sharing progress to mission performance. Shows that agencies are linking information sharing metrics to mission performance metrics. |
| Process | Designed to measure compliance with ISE processes in agencies' planning efforts. | Designed to measure compliance with ISE processes and functional standards. | Designed to measure the degree to which mission partners have incorporated ISE processes in the execution of their missions. |
| Technology | Designed to measure compliance with ISE technical direction in agencies' acquisition planning efforts. | Designed to measure the degree to which the information systems used by agencies are compliant with ISE technical standards and interoperable with those in other agencies. | Designed to measure the degree to which mission partners have incorporated and are complying with ISE technical standards in the execution of their missions. |

The following sixteen departments and agencies participated in the 2013 ISE PAQ:

Air Force Intelligence

Department of Justice

Central Intelligence Agency

Department of State

Department of Commerce

Department of Transportation

Department of Defense

Department of the Treasury

Department of Energy

National Counterterrorism Center

Department of Health and Human Services

National Geospatial-Intelligence Agency

Department of Homeland Security

National Reconnaissance Office

Department of Interior

Office of the Director of National Intelligence

Trends from the 2012 ISE Performance Assessment Questionnaire

Due to the planning efforts around the new National Strategy, there has been little change from the 2012 to the 2013 assessment responses on the whole. With agencies that have participated in both the 2012 and 2013 assessments, there were generally consistent overall response scores (or a very slightly positive overall trend), with a notable exception in the privacy area, where significant improvement was made.

Agency responses are detailed below. For those questions carried over from the 2012 ISE PAQ, comparisons are provided detailing how the ISE departments and agencies changed year over year. In addition, agencies were requested to provide narrative examples of activity for all relevant questions and comments that further explain their response choice. Agency narratives that best represent the activities and trends in the ISE over the past year, both positive and negative, accompany each graphic to enrich the response data.

The graphics below detail the trends from the 2012 to 2013 responses where the same agencies answered in both years to show a direct comparison. The legend accompanying the graphics in the upper corner of the page describes that the inner pie chart displays the 2013 response while the staggered outer ring displays 2012 data. The colors represent the same response from each year. For example, the Yes-No questions are either designated by the color green ('Yes') or red ('No') for both the inner pie chart and outer ring. An outer ring will not be displayed for those questions only asked in 2013.

The percentages depicted below are based on the total number of responding agencies for this question. For example, if only 15 out of the 16 agencies responded to a "Yes/No" question and 10 responded "Yes," the resulting percentage would be 67% (10 out of 15).

The 2013 ISE PAQ population differed slightly from 2012. Army Intelligence, Marine Corps Intelligence, and the Defense Intelligence Agency responded to the 2012 ISE PAQ but did not submit responses to the 2013 ISE PAQ. In 2012, the Federal Bureau of Investigation responded independently to the ISE PAQ, but its responses in 2013 were consolidated with the Department of Justice submission along with the Drug Enforcement Agency and the Bureau for Alcohol, Tobacco, and Firearms. In addition, the 2013 ISE PAQ allowed agency sub-components to answer and consolidate responses for agency scoring. The question by question analysis below shows all (sub-agency) responses, where applicable.

Due to the assessment population differences, PM-ISE only performed trending analysis on the common respondents and questions between 2012 and 2013. It is for this reason that data cannot as a whole be directly compared between the 2012 and 2013 ISE Annual Reports.

Collective Action Through Collaboration and Accountability

Description: Does your agency utilize eGuardian (FBI)? 2012: Yes = 80% 2013: Yes = 73%

DOJ: Yes - The Protective Operation Group, Security Operations Section, Security Division, utilizes eGuardian in conducting protective intelligence threat assessments and risk assessments in support of protection strategies for threatened employees. It is also utilized for Domain assessments in support of travel of executives and information on persons who have demonstrated an inappropriate interest in the FBI or its personnel.

DOI: Yes - We use eGuardian as our SAR shared space.

DoD: Yes - Currently, there are 1396 DoD eGuardian accounts.

DOT: Yes - E-Guardian is primarily used by the Department of Transportation member assigned to the FBI's National Joint Terrorism Task Force.

Description: Does your agency participate in the Nationwide Suspicious Activity Reporting Initiative? 2012: Yes = 67% 2013: Yes = 73%

DOJ: Yes - Both the department and components participate in SAR. The Bureau of Justice Assistance (BJA), within the Office of Justice Programs (OJP) is the program manager for the NSI. BJA works extensively with state & local law enforcement, which includes providing training materials and coordinating the national rollout of the NSI.

DOS: No - Diplomatic Security (DS) is aware of the NSI and anticipates providing SARs in the future. DS has been upgrading SIMAS to make it compliant with the SBU Interoperability Fabric being implemented by the National SARs Initiative.

HHS: Yes - HHS is establishing a liaison effort with the FBI to input SAR information into eGuardian. HHS is beginning to implement a department-wide notification process which will provide guidance to the physical security staff on how to report events.

Description: Does your agency provide SAR training (either directly or indirectly)? 2012: Yes = 67% 2013: Yes = 73%

DHS: Yes - DHS does provide analytic training on the use of SAR for Component personnel and state and local analysts.

DOJ: Yes - BJA/OJP develops SAR training materials in conjunction with federal SLT authorities and fusion centers.

DOT: Yes - For Department of Transportation (DOT) employees in general, training was provided on how to submit a "Quick SAR" via DOT's Intranet. As for individual designated officials from each of the DOT modes of transportation, these officials were provided training on how to use Blue Mercury—that is, access the database, input information, and monitor the flow of information into Blue Mercury from their individual modes.

NGA: Yes - eGuardian training is provided directly to those individuals who have eGuardian user accounts. Also, annual Antiterrorism Level I training (both instructor-led and via CBT) for all employees includes SAR training.

Description: Does your agency have a live SAR database? 2012: Yes = 40% 2012: Yes = 67%

DHS: Yes - Authorized DHS participants use the SAR Vetting Tool (SVT); a tool developed by NSI that enables DHS participants to evaluate whether a properly collected SAR meets the criteria to be considered an ISE-SAR and should be contributed to the DHS ISE-SAR Server.

HHS: Yes - We currently utilize the LEO accounts to enter information into eGuardian-Guardian. In the near future we will have direct access to eGuardian to facilitate the entering and sharing of information.

Description: Does your agency have a process in place to validate SARs? 2012: Yes = 47% 2013: Yes = 64%

DHS: Yes - DHS uses the ISE-SAR vetting approach defined within the ISE Functional Standard.

DOT: Yes - Each SAR received in the Office of Intelligence, Security, and Emergency Response is vetted by one of the intelligence analysts to determine the validity of the SAR. Once vetted, and if there is a terrorism nexus, the SAR is sent forward to NSI.

NGA: Yes - SARs are validated by the responsible JTTF. NGA conducts preliminary investigations to determine potential threats, and develops necessary mitigation measures to counter and/or defeat terrorist operations.

Description: What percentage of critical milestones has the NSI-related Security Incident Management and Analysis System (SIMAS) program met successfully? 2012: 100% 2013: 61-80 Percent, 100%

DOS: The current SIMAS project (75% complete) will result in the replacement of the existing system. The new system will capture and store SAR related data in a NIEM compliant manner. The current project will establish the foundation from which a new future project may be executed that will result in the transmission of this data to external entities. The current milestones are not inclusive of the efforts that will be needed to implement a data sharing infrastructure, approvals and associated inter-agency agreements.

Description: What percentage of State and Major Urban Fusion Centers has your agency provided training to in CIKR issues? 2012: 100% 2013: 81-100 Percent, 100%

DOJ: The NSI PMO provided SAR awareness training for private sector security officers to all 78 fusion centers.

DHS: 86%. This covers the 52 "Major and Urban" fusion centers. Although there are 25 additional recognized fusion centers, there has been no staff trained from primary fusion centers in Hawaii, New Hampshire, New Mexico, Oregon, Puerto Rico, South Dakota, nor the U.S. Virgin Islands. Training has been provided through the delivery of the National Protection and Programs Directorate/Infrastructure Protection (NPPD/IP) Field Resource Toolkit, and the Introduction and Intermediate Risk Analysis Courses for Fusion Center Analysts.

Description: Does your agency use a government-wide template in developing information sharing agreements? 2012: Yes = 20% 2013: Yes = 50%

DHS: Yes - uses a standard MOA template for use with all Federal Departments/Agencies. The Information Sharing and Collaboration Branch facilitates these agreements.

DOJ: No - By corporate policy, the FBI uses a standard template for all FBI MOUs. The FBI, however, is unaware of the existence of a single government-wide MOU template or associated process to ensure consistency and coherence among and between interagency information sharing agreements.

DoD: No - The DoD does not use a government-wide template in developing information sharing agreements. However, DoD is an active participant in National Strategy for Information Sharing and Safeguarding (NSISS) implementation plan activities, to include Priority Object 2, which includes work to develop such a template based on common legal and policy compliance requirements.

TREAS: Yes - IRS only: The GLD Office maintains templates for business MOU/MOAs. Cybersecurity maintains the ISA templates which follow NIST SP 800-47 Appendices A&B.

Description: Does your agency participate in the National Joint Terrorism Task Forces? 2012: Yes = 87% 2013: Yes = 80%

DoD: Yes - Currently, the U.S. Army Criminal Investigative Command (CID) has two Agents at the National Joint Terrorism Task Force (NJTTF) and one Agent at the Dallas JTTF.

DOT: Yes - The Department of Transportation (DOT) has assigned a member of the Office of Intelligence, Security, and Emergency Response, Intelligence Division full-time to support the NJTTF working a range of LE and IC related issues that impact DOT.

TREAS: No - IRS-CI has allocated one full-time Senior Analyst to the NJTTF.

DOI: Yes - We have a full-time and a part-time person assigned to the FBI NJTTF.

DOS: Yes - We participate in 28 locations.

Description: Does your agency participate in the Joint Terrorism Task Forces (FBI)? 2012: Yes = 80% 2013: Yes = 87%

TREAS: Yes - OIA participates on a limited basis, as mission dictates. IRS-CI has over 62 Special Agents that are on JTTFs across the country. These agents hold positions of either full-time/part-time or liaison. The classification of their position is based on the availability of the CI agent and work in the area of assignment.

DOI: Yes - We have full-time, part-time and liaison officer positions.

Description: What percentage of State and Major Urban Fusion Centers has your agency provided training to in analytics? 2012: 50% 2013: 81-100 Percent, 100%

DOJ: 81-100% - BJA: 95% of fusion centers (74 of 78) have received analytic training.

Description: Does your agency participate in te

DOJ: Yes - The FBI's OPEU program manages the FBI's engagement with fusion centers in terms of providing personnel, subject matter expertise, FBI Net connectivity, funding for miscellaneous equipment, and a Fusion Center Directors Orientation Program that brings decision makers to FBIHQ to discuss best practices for intelligence and information sharing.

DOS: Yes - Diplomatic Security participates in the Northern Virginia Regional Intelligence Coordination Center. DS Agents assigned to JTTF squads may sit in a Fusion Center in situations where their FBI Squad is so detailed. IE - JTTF LA.

DOC: Yes - Commerce routinely reviews products produced by the Fusion Centers and when relevant information is noted, we incorporate it into internal intelligence overview documents.

Description: What percentage of State and Major Urban Fusion Centers has your agency provided training to in P/CR/CL issues? 2012: 100% 2013: 81-100 percent, 100%

DHS: 81-100% - To date, DHS has conducted a one and a quarter day, train-the-trainer course for fusion center privacy/civil liberties officers (delivered with support from the PM-ISE) and trained the privacy/civil liberties officers from 68 of the 77 currently recognized fusion centers.

DOJ: 81-100% - 95% of fusion centers (74 of 78) have received training that included P/CR/CL.

Description: What percentage of State and Major Urban Fusion Centers has your agency provided training to in counterintelligence? 2013: 0-20 Percent = 50%, 61-80 Percent = 50% 2013: 0-20 Percent = 50%, 61-80 Percent = 0%, 81-100 Percent = 50%

DOJ: 0-20% - The NSI PMO does not provide specific counterintelligence training. The NSI PMO provides SAR and SAR awareness training to help identify terrorism related behaviors. These trainings have been developed for law enforcement, fire/EMS, probation/parole/corrections officers, 9-1-1 call operators, emergency management personnel, and private sector security. NOTE: While DOJ does not provide specific CI training, the FBI is committed to placing more analysts at Fusion Centers with CI expertise, in accordance with the RAC policy, to improve counterintelligence capabilities at Fusion Centers.

DHS: 81-100% - DHS conducted 7 Counterintelligence Fundamentals Workshops to State and Major Urban Area Fusion Centers in FY 12 covering a total of 165 State, Local, Tribal and Federal LE personnel.

Description: Has your agency delivered a plan to align resource decisions to the Resource Allocation Criteria (RAC) policy to DHS? 2013: Yes = 7%, No = 93%

DOJ: Yes - In 2011, the FBI approved a strategy for engagement with fusion centers. One aspect of the strategy related to staffing fusion centers with FBI personnel. The strategy, which was shared with DHS, affirmed the FBI's commitment to provide support and resources to fusion centers consistent with the RAC. In 2012, the FBI, informed by the RAC, developed a personnel resource allocation plan to place more Intelligence Analysts into fusion centers.

DoD: No - The Department of Defense does not provide federally funded personnel or financial support dedicated specifically to State and Major Urban Area Fusion Centers. However, the National Guard maintains relationships with its state and federal partners which, in some cases, have personnel working in fusion centers. An example is the National Guard Counter Drug Program (NC CDP), which maintains a physical presence in several DHS recognized centers supporting state counter drug programs as authorized under 32 U.S.C. section 112.

Description: What percentage of State and Major Urban Fusion Centers has your agency provided training to in SARs? 2012: 81-100 Percent = 100% 2013: 0-20 Percent = 50%, 81-100 Percent = 50%

DOJ: 81-100% - BJA has trained a total of 291,502 Line officers reaching all 50 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, and Guam. In addition, BJA trained a total of 2196 law enforcement analysts within fusion centers and the federal government. The NSI has partnered with six national and international associations to deploy the Hometown Security Partners Training for Parole/Probation/911 Call Takers/Critical Infrastructure/Fire Service/Emergency Management. The trainings have been endorsed by all six associations. To date, approximately 65,000 people have taken these new trainings. The NSI is working with FDNY to institutionalize the SAR training within their training academy. NSI partnered with the International Association of Campus Law Enforcement Administrators, which has endorsed the line officer training.

  • The NSI worked with the IACP and other state, local, and federal partners to develop the Unified Message document, stating the importance of SAR reporting and training. This document has been endorsed by 10 agencies/associations and widely distributed across the country including to governors, homeland security advisors, fusion center directors, chiefs of police, sheriffs, and criminal investigative executives.

  • The NSI is working with the National Maritime Intelligence Office to develop a maritime SAR training, and conducting training at ports regarding port security and SAR awareness.

  • The NSI conducted more than 70 speaking engagements in 2012, reaching Homeland Security Advisors, Chiefs of Police, State Colonels, Sheriffs, Critical Infrastructure/Key resource partners, Tribal law enforcement executives, Private Sector Security Executives, Probation/Parole/Corrections Executives, Fire/EMS Chiefs and personnel, Fusion Center Directors, and Federal partners.

Description: To what extent is information gathered from international partners integrated into watchlisting and screening process? 2012: Never = 0%, Rarely = 20%, Sometimes = 40%, Often = 40%, Always = 0% 2013: Never = 29%, Rarely = 0%, Sometimes = 14%, Often = 57%, Always = 0%

DHS: Sometimes - Through agreements facilitated by Preventing and Combating Serious Crime (PCSC) and the Five Country Conference (FCC) DHS ingests international data that matches to existing watchlist records. These matches are also subject to manual review by NPPD/US-VISIT analysts.

DoD: Often - International partner information provided via formally established information sharing agreements is regularly used to develop DoD watchlist nominations when said information is consistent with national watchlisting policy and guidance requirements. However, special analytic consideration is applied in cases where there is potential for erroneous international partner information targeting foreign political dissidents/activists. In other cases, such as when the U.S. Army generates an eGuardian report that contains information that should go into a watchlist/screening process, the servicing Joint Terrorism Task Force (JTTF) or Legal Authority (LEGAT) will add that information.

Description: To what extent does your agency incorporate fusion center information into its own products and services? 2012: None = 25%, Little = 8%, Some = 42%, Extensive = 25% 2013: None = 31%, Little = 15%, Some = 38%, Extensive = 15%

DHS: Extensive - DHS' Office of Intelligence and Analysis (I&A) is continually working to enhance intelligence support to and analytic collaboration with these partners. These efforts have included the facilitation and development of joint analytic products produced with fusion centers, leveraging State, Local, Tribal, and Territorial (SLTT) subject matter expertise through a variety of fellowships and analytical exchanges, soliciting SLTT input to capture and validate intelligence and information needs, and leveraging SLTT feedback to tailor I&A products and services to better serve our field partners. DHS also heavily leverages the fusion centers to incorporate SLTT information and perspectives into national-level intelligence community assessments pertaining to, for example, southwest border violence, threats, and Mexican cartel influence over U.S.-based gangs. Additionally, over a dozen DHS intelligence reports were cited as sources in the upcoming version of the National Intelligence Estimate titled "Terrorist Threats to the U.S. Homeland to 2016." To provide a state and local perspective on the terrorist threat nationwide for this assessment, DHS also received responses from numerous fusion centers from across the country which ranked the threat actors they view as the most concerning in their jurisdictions. To further expand on these efforts DHS I&A recently stood up the Field Analytic Support Taskforce (FAST). FAST advocates for fusion center intelligence requirements and collaborates with analysts from across I&A's Analysis Directorate and federal interagency partners to identify, develop, and share intelligence products with SLTT partners. Key to this effort is the management and sponsorship of joint analysis and production efforts with fusion centers. DHS has recognized that the best way to integrate fusion center information into I&A products is to produce products jointly with SLTT analysts.
To that end, dozens of products across I&A's Analysis and Production Directorate have been produced on everything from border security issues and major special events to suspicious activity reporting (SAR). SAR has been a key SLTT data set that DHS I&A analysts have leveraged for producing products that highlight emerging tactics and may provide clarity to trends or patterns in pre-operational terrorist activity.

DOT: Little - In 2011 DOT's Federal Highway Administration (FHWA) worked closely with Fusion Centers as it developed and distributed a publication entitled, "Information-sharing Guidebook for Transportation Management Centers, Emergency Operations Centers, and Fusion Centers." The guidebook provides an overview of the common mission and functions of transportation management centers, emergency operations centers, and fusion centers, and focuses on the types of information these centers produce and manage, and how the sharing of such information among the centers can be beneficial during both day-to-day operations and during incidents.

Information Discovery and Access Through Common Standards

Description: Does your agency have a defined MOU/MOA development process that covers discovery and access to data by external partners and systems? 2012: Yes = 67%, No = 33% 2013: Yes = 87%, No = 13%

DHS: Yes - I&A has the lead on the Information Sharing Access Agreements (ISAA) process. This process allows the Department to facilitate information sharing agreements with external partners including the private sector and the intelligence community.

DOJ: Yes - The FBI internal process for developing MOUs/MOAs consists of these steps: Identify appropriate authority; determine need for MOU/MOA; Draft MOU/MOA; and continue to negotiate throughout the process. All finalized MOUs/MOAs are to be registered with the Corporate Policy Office. By corporate policy, all MOUs/MOAs that deal with information sharing are coordinated with or brought to the attention of the Chief Information Sharing Officer.

TREAS: Yes - FinCEN: FinCEN has issued 347 MOUs to allow our partner agencies to access BSA data. The IRS Governmental Liaison Office has a defined MOU/MOA development process for proposed business relationships with state, local, and federal agencies.

Description: Does your agency plan to adopt Federal Identity, Credential, and Access Management (FICAM) standards? 2012: Yes = 100% 2013: Yes = 82%, No = 18%

DHS: Yes - DHS plans on adopting and implementing FICAM as part of its Information Sharing solution. FICAM standards will be adopted in both the Secret and Unclassified domains.

DOJ: Yes - For Unclassified Systems: The FBI is in the process of evaluating FICAM standards to determine how they would affect current systems and requirements. It is expected that the evaluation will be completed during CY 2013. For Classified Systems: The FBI plans to adopt FICAM standards in future out-years as funding becomes available for the development, piloting, testing and evaluation, and implementation of its Provisioning and Access Control System (PAC).

USAF: Yes - The AF has adopted FICAM standards.

DoD: Yes - FICAM standards and segment architecture are being included in our Department level strategic and implementation guidance. FICAM will manifest itself in DoD's implementation of the Joint Information Environment (JIE). JIE looks to establish a secure joint environment across the Department and also include linkage to other DoD agencies, Federal and State partners, and International partners (e.g., Mission Partner Environment (MPE)).

Description: To what extent does your agency use PKI for ISE-related information and mission systems? 2012: None = 14%, Little = 14%, Some = 29%, Extensive = 43% 2013: None = 7%, Little = 7%, Some = 40%, Extensive = 47%

DOC: Some - Commerce participates with the IC for PKI certifications for IC related networks. Commerce is also a Tier I member of the CNSS Secret PKI initiative and anticipates IOC in Q4 FY2013.

HHS: Some - At HHS, the issuance of PIV credentials and their associated PKI digital certificates for application access is complete so individuals at HHS have a credential that could be used for access to ISE related information and mission systems but the implementation of PIV mandatory logins to applications is seeing a slower adoption rate.

NGA: Extensive - PKI is the preferred choice of authentication on all fabrics.

USAF: Extensive - PKI is fully implemented on the unclassified, secret, and top secret general user networks.

Description: Can members of your agency obtain PKI certificates for ISE-related systems? 2012: Yes = 79%, No = 21% 2013: Yes = 93%, No = 7%

DOJ: Yes - The FBI currently provides PKI certificates to all FBI personnel requiring access to the JWICS community. In addition, PKI certificates are issued to all FBI personnel who have access to the Secret Network for authentication and digital signing of documents. FBI PKI certificates issued were up from 30,000 to 40,000 subscribers for inter-agency email correspondence use for encryption and digital signing via SIPRNet.

NRO: Yes - DoD PKI credentials are issued for unclassified and secret networks. IC PKI and CAD PKI credentials are issued for SCI networks.

DoD: Yes - All DoD employees and some contractors are issued the DoD Common Access Card, which is the DoD PIV. The CAC contains certificates that can be used to access and encrypt ISE related unclassified information and systems. The DoD also issues NSS Secret Fabric tokens to their employees and contractors to access and encrypt classified information and systems. A separate PKI token is issued to DoD employees and contractors for use on JWICS.

DOC: Yes - Commerce participates with the IC for PKI certifications for IC related networks. Secret fabric PKI certificates pending delivery of the CNSS shared PKI solution in June 2013.

Description: To what extent has your agency implemented FICAM standards? 2012: None = 0%, Little = 36%, Some = 55%, Extensive = 9% 2013: None = 0%, Little = 7%, Some = 73%, Extensive = 20%

DoD: Extensive - DoD has fully implemented identity and credentialing processes and is now improving on dynamic access and accepting federated credentials.

HHS: Some - HHS is aggressively implementing the FICAM standards across the Agency. HHS has a complete and robust PKI infrastructure which is used to issue PIV credentials to all HHS employees and contractors. HHS is moving toward implementing mandatory PIV logins to all Desktop computers and is currently at 48% completion for mandatory desktop logins. The legacy applications across the Agency are also implementing mandatory PIV logins but the adoption rate is slower. HHS has representation on many of the FICAM working groups and is tracking activities in the different FICAM working groups.

DOJ: Some - Various Components have begun implementing mandatory PIV card login at the desktop. Implementation of digital signing for forms has also begun. DOJ is in the process of rolling out mandatory PIV Card login for desktops and laptops at the hardware level. DOJ is also in the process of deploying identity federation services to allow the sharing of identities among federal law enforcement and across the broader law enforcement community.

Description: Does your agency have an accessible authoritative source (on one or more classification levels) for attribute information on users, for the purpose of making access control decisions? 2012: Yes = 93%, No = 7% 2013: Yes = 80%, No = 20%

DOJ: Yes - During CY 2012, the FBI continued to manage and maintain the Enterprise Directory Service (EDS), an integrated Commercial Off-the-Shelf (COTS) solution, on its Secret enclave known as FBINET. EDS is an automated directory for applications and certain privileged users that retrieves user identity attributes from a centralized service compiled from multiple authoritative sources for access control decisions. This solution has been running successfully for the past two years.

NRO: Yes - has a UAAS federated attribute service providing authoritative authorization attributes via JWICS (SCI) to the IC.

HHS: Yes - has implemented an Agency-wide Access Management System (AMS) to support centralized authentication for many internal and external applications.

USAF: Yes - Public Key Infrastructure (PKI) is implemented on the unclassified, Secret, and Top Secret networks for network access, and access to select network resources (databases, data repositories, etc.).

Description: Has your agency submitted a data access management Plan of Action and Milestones (POA&M) based on privacy, civil rights and civil liberties attributes, Attribute Based Access Control (ABAC), and Federal Identity, Credential, and Access Management (FICAM)? 2013: Yes = 24%, No = 76%

DHS: The ICAM Segment Architecture (Mar 2010) is based on the FICAM and DHS Privacy Impact Assessment (PIA) and System of Records Notice (SORN). The Information Sharing Access Policy Framework (Dec 2011) defines the principles and business architecture for access control. PRIV, CR/CL, and OGC were partners in the development of this document. Work is currently underway to develop a Data Tagging Plan (for Discovery and Access Control) that will be implemented in FY13 on two use cases (pilot programs)—the Common Entity Index (CEI) and Cerberus.

DOJ: No - However, the FBI's Enterprise Data Management Office (EDMO) is developing the FBI strategy and implementation guidance for management of all data stored, used and shared by the FBI and sponsoring the implementation of effective data management practices and stewardship to include a draft data access registry. In addition, the CJIS is working with the ISE to establish a plan and requirements for ABAC. The CJIS will chair the PM/ISE Shared Services group through June 2013 with the goal of addressing Shared Services.

DOS: The Department has developed and implemented a PIV Card Issuer (PCI) Operations Plan as required under the National Institute of Standards and Technology's Special Publication 800-79-1.

Description: Does your agency have a single authoritative repository related to ISE Technical or Functional Standards? 2012: Yes = 50%, No = 50% 2013: Yes = 53%, No = 47%

DHS: No - has implemented the Enterprise Architecture Information Repository (EAIR) Technical Reference Model (TRM) for all Technical Standards to include ISE Technical or Functional Standards. The EA IR TRM is currently in early development stages for documenting Technical and Functional Standards. The ISSA identifies the ISE EAF, PAIS, and evolving ISA IPC IISC identified standards as guidance for information sharing related standards.

DOJ: Yes - The FBI Enterprise Standards Profile (ESP), which is based on the Federal Enterprise Architecture Technical Reference Model, captures ISE Technical Standards that were adopted by Bureau enterprise and mission systems. The ESP is managed by the FBI's Chief Technology Officer.

DoD: Yes - has incorporated ISE Technical Standards into the DoD Standards program and the DoD IT Standards Registry where applicable to support cross domain information sharing. The DISR is the DoD single authority Standards Registry for all IT standards which is under the governance of the DoD CIO.

HHS: Yes - The HHS Enterprise Architecture Repository is the single authoritative repository for technical standards, including those adopted for the ISE.

Description: To what extent has your agency incorporated Common Information Sharing Technical Standards into your architectures? 2012: None = 13%, Little = 33%, Some = 20%, Extensive = 33% 2013: None = 0%, Little = 27%, Some = 33%, Extensive = 40%

DHS: Some - has developed, and is implementing, its Information Sharing Segment Architecture (ISSA). The ISSA document provides reference to both the ISE EA Framework and PAIS for direction. Further ISE EAF standards have been incorporated into the DHS Enterprise Architecture Information Repository (EA IR) under the Technical Reference Model (TRM) which is prescribed for use within DHS.

DOJ: Extensive - Specifically, SAR and IdAM. The Department has implemented numerous IEPDs across many platforms including N-DEx, SAR, NGI, and many others. This effort received top priority so as to provide uniform up-to-date platforms for all three enclaves at the FBI to support ISE-related system requirements and standards. As internal processes are upgraded, Common Information Sharing Technical Standards are incorporated into the FBI architectures in phases.

DoD: Extensive - The DoD Senior Architect Engineer is the current Co-Chair of the ISA IPC Information Integration Standards Working Group. The DNI Senior Standards lead Engineer is the other Co-Chair. All Information Sharing standards and interoperability actions in the Joint Enterprise Standards Committee are brought to the IPC Standards Working Group to ensure alignment.

Description: How often does your agency reference mission segment architectures (e.g., SAR) when implementing ISE mission business processes? 2012: Never = 20%, Rarely = 27%, Sometimes = 27%, Often = 20%, Always = 7% 2013: Never = 15%, Rarely = 8%, Sometimes = 23%, Often = 46%, Always = 8%

DOS: Often - CA/CST references aspects of ISE standards in the technical section of CA/CST Enterprise Architecture Documentation (i.e. NIEM, and as a guiding principle for data sharing and IT contractual efforts).

DOT: Often - The Department of Transportation (DOT) reviews the ISE mission segments during the development of the annual DOT EA Road Map submission in April. The SAR system is included in the Enterprise Information Management Segment.

DOJ: Often - The Department has a number of segment architectures related to Information Sharing including the Information Sharing Segment Architecture (ISSA) and Justice Information Sharing Segment Architecture (JISSA).

Description: Does your agency have an authoritative council for standards development? 2012: Yes = 67%, No = 33% 2013: Yes = 60%, No = 40%

NGA: Yes - NGA chairs the Geospatial Intelligence Standards Working Group (GWG) which is a National System for Geospatial-Intelligence (NSG) community forum to govern geospatial standards for the NSG.

DOJ: Yes - (1) During CY 2012 the FBI continued to manage the Advisory Policy Board (APB) which serves as the authoritative body for standards development for the FBI's law enforcement (LE) IT systems. (2) The FBI continued to also manage and chair the Electronic Biometric Transmissions Specification (EBTS) Working Group which coordinates ANSI/NIST, NIEM, and APB standards to ensure continued compliance by federal, state, local, and tribal user communities with the EBTS which is the transmission specification for the FBI's Next Generation Identification (NGI) and the Integrated Automated Fingerprint Identification System (IAFIS). Under FBI chairmanship, this working group finalized EBTS Version 9.4, December 2012 and completed the corresponding XML Information Exchange Package Documentation (IEPD) V3.1. (3) The FBI continued to manage a Technology Development and Deployment Board (TDDB) chaired by its Chief Technology Officer (CTO). This Board's Technical Assessment Team serves as an authoritative council for ISE Technical Standard adoption for FBI enterprise and mission systems.

Description: To what extent has your agency incorporated ISE Functional Standards into the management and implementation of its ISE-related mission business processes? 2012: None = 21%, Little = 29%, Some = 14%, Extensive = 36% 2013: None = 20%, Little = 20%, Some = 13%, Extensive = 47%

DHS: Extensive - They are a core segment. A next step will be to document the relationship between the ISSA and other segments.

DOE: Some - We follow NIST/CNSSI and IETF standards for networks protocols and guidelines.

DOJ: Extensive - The Department distributes memos that set forth rules, conditions, guidelines, and characteristics of data and mission products supporting ISE business processes.

DOT: None - The Department of Transportation (DOT) has not yet established or included the Information Sharing Environment (ISE) Functional Standards for Information Sharing. However, the plan is to mature our EA governance processes and add ISE Functional Standards to the DOT Data Reference Model (DRM), and ISE Technical Standards to the DOT Infrastructure Reference Model (IRM) and Application Reference Model (ARM) where applicable.

Description: To what extent has your agency incorporated ISE Technical Standards into enterprise architectures and IT capability? 2012: None = 14%, Little = 29%, Some = 21%, Extensive = 36% 2013: None = 7%, Little = 20%, Some = 33%, Extensive = 40%

DOJ: Extensive - The Bureau incorporates ISE Technical Standards as part of its IT governance process. There is a Technical Assessment Team under the FBI Technology Development and Development Board that addresses these standards. This technical team assesses candidate and on-going IT projects to ensure alignment with the FBI enterprise architectures. As the FBI IT infrastructure is upgraded in phases for all three enclaves, ISE Technical Standards are incorporated into its IT capability. ISE Technical Standards are referenced in the Enterprise Standards Profile (ESP) maintained by the FBI.

DoD: Extensive - DoD has incorporated ISE Technical Standards into the DoD Standards program and the DoD IT Standards Registry where applicable to support cross domain information sharing. DoD Technical Standards document methodologies and practices to design and implement data sharing and interoperability and interconnectivity. All DoD architectures have to conform to the DoD Architecture Framework which is in alignment with the ISE Architecture Framework. In addition, the new Version DoD IEA published August 2012 had the same design principles as in the ISE EAF which articulates ISE Technical Standards into EA and IT capabilities. New efforts in Information Sharing with other Departments and Agencies are reviewed by the Standards Technical Working Groups as a matter of policy and considered for inclusion in the DoD IT Standards Registry.

Description: What percentage of TECS-modernization milestones have been successfully hit? 2013: 21-40 percent = 0%, 81-100 Percent = 100%

DHS: 81-100 Percent - For the TECS Modernization effort, its activities are divided between two components: CBP is responsible for the development, testing, integration, and deployment of the technology piece, and ICE is spearheading the development and transition of the case management files. To date, both efforts have remained on schedule and are hitting their established milestones (100%).

Description: Has your agency aligned their SBU architecture authentication consistent with Federal Identity, Credential, and Access Management (FICAM)? 2013: Yes = 47%, No = 53%

DoD: Yes - The DoD is in alignment with the architecture authentication consistent with Federal Identity, Credential, and Access Management (FICAM). DoD CIO has assigned a SES to ensure conformance and to partner in the lead and implementation.

DOC: No - Overall FICAM plan, to include architecture, is under development.

DHS: Yes - HSIN R3 is built using guidance from the DHS ICAM Segment Architecture and the Fed CIO FICAM guidance.

Description: Has your agency incorporated access policies that protect privacy, civil rights and civil liberties using a common government-wide template for each data source into their SBU architecture? 2013: Yes = 63%, No = 38%

DHS: Yes - The Information Sharing Access Policy Framework (ISAPF) defines the access policies for DHS architecture. DHS is in the process of building out externalized access control in two use cases, one on the SBU network, and one in the classified space. Both use cases will apply a unified process for access control and will leverage (and extend where necessary) the Intelligence Community Information Technology Environment (IC-ITE) guidelines for data tagging.

DOJ: Yes - The department and components follow policies to protect privacy, civil rights and civil liberties. A common government-wide template for data sources is in the development stage. When such a template is finalized, the FBI will incorporate it into its access policies for its SBU architecture. In addition, biometric standards, access control standards, authentication standards are all common across the CJIS enterprise for its systems.

Description: Has your agency aligned their SBU architecture with the publication of geospatial Critical Information Requirements (CIRs) and authoritative source(s) necessary to meet Presidential Policy Directive 8 Mission Areas in open standards available for search, discovery, and access? 2013: Yes = 47%, No = 53%

DHS: Yes - DHS is continuing to align as part of overall maturity

DOC: Yes - NOAA actively participates in the geospatial standards committees.

DOI: No - The plan is to use geospatial data within IMARS.

DOJ: Yes - As far as limited responsibility DOJ has for HSPD 8. DOJ submitted a list of Mission Essential Systems to DHS. In addition, DOJ provided HSIP geospatial shape files for the field offices, resident agencies and district court jurisdictions. Also, CJIS has aligned its SBU architecture with NIEM standards for inter-agency information distribution.

Description: To what extent does your agency have documented policies and/or implementing guidelines on IT security reciprocity stating the conditions under which you will accept the security certification and/or accreditation/authorization of another organization? This refers to agency-specific implementing guidelines for policies such as ICD 503, NIST 800-53 and CNSSI 1253. 2012: Some = 100% 2013: Some = 100%

TREAS: The IRM in this case accepts the security certification and/or accreditation/authorization of another organization as part of Interconnection Security Agreements. DO/HQ: Treasury Directive Publication Intelligence Information Systems Security Policy Manual TD P 15-03 fully documents the Office of Intelligence and Analysis' (OIA) position on Reciprocity in Section 2.4 beginning on page 8. TD P 15-03 complies with the Reciprocity requirements from ICD 503, NIST -53, and CNSSI 1253.

Description: Has your agency implemented an accessible authoritative source at any classification level? 2012: Yes = 71%, No = 29% 2013: Yes = 87%, No = 13%

HHS: For applications with a FIPS 199 rating of "High" or "Moderate", HHS requires two factor logins. Of these "High" and "Moderate" applications, currently 15% of all user accounts to applications require the use of PIV credential for two-factor logins. HHS is currently focusing on implementing PIV mandatory logins and for HHS Enterprise application, of which 23 out of 39 "High" and "Moderate" applications are integrated with mandatory PIV logins.

USAF: Yes, the complete infrastructure necessary to support PKI enablement and implementation is in place on the unclassified, Secret, and Top Secret levels. Additionally the AF is a member of DIA's Full Service Directory (FSD) on the TS/SCI network JWICS. FSD is the authoritative source for access controls and PKI certificates.

Description: Does your agency accept (and make accreditation decisions without retesting) IT security certification bodies of evidence? i.e., does your agency practice IT security reciprocity, for State, Local, or Tribal (SLT) governments? 2012: No = 100% 2013: Yes = 38%, No = 62%

DHS: Yes - HSIN will accept FISMA-certified security accreditations after a review by the program. The DHS CISO is prepared to accept other agencies' IT security certification body of evidence on a case by case basis, but to date have not encountered any systems from state, local or tribal governments.

DOJ: Yes - Trust relationships have been established with state, local, and tribal governments without reciprocity and with triennial audits. Certification and accreditation (aka security assessments) requirements are federal mandates only for federal information systems. We are not aware of state, local or tribal requirements to perform certification and accreditation on a scale comparable to what the federal government does. This agency would be hard pressed to accept reciprocity from these agencies regardless of bodies of evidence presented and would require some level of testing, etc. on our part.

Description: Does your agency accept (and make accreditation decisions without retesting) IT security certification bodies of evidence? i.e., does your agency practice IT security reciprocity for other organizations (e.g., private sector, foreign governments)? 2012: Yes = 20%, No = 80% 2013: Yes = 36%, No = 64%

DOT: Yes - The Department practices reciprocity. However if and when DOT accepts accreditation decisions from another organization, the retesting of controls in this environment must be considered.

DoD: Yes - The Department complies with the policy and procedures implemented through the DoD Information Assurance Certification and Accreditation Process (DIACAP) for all entities requesting accreditation. Regarding the private sector, the Department has enabled DIBNet-Unclassified to accept all DoD-approved PKI certificates to include those cross-certified under the Federal Bridge (i.e., private sector certificates that have been through the DoD testing process for approval).

Description: From how many organizations does your agency accept (and make accreditation decisions without retesting) IT security certification bodies of evidence? i.e., does your agency practice IT security reciprocity for other federal agencies or departments, how many? 2012: 0 = 27%, 1-3 = 33%, 4 or more = 40% 2013: 0 = 10%, 1-3 = 30%, 4 or more = 60%

DOI: 4 or more - DOI practices reciprocity and accepts the IT security assessment evidence for information systems that have achieved provisional authority to operate (Provisional ATO) by the Joint Authorization Board (JAB) through the Federal Risk Authorization and Management Program (FedRAMP). Additionally, DOI accepts the assessment body of evidence from other agencies provided it was obtained through one of the FedRAMP approved Third Party Assessment Organizations (3PAOs). DOI may accept assessment results from agencies that have completed Assessment and Authorizations (A&As) for other information systems that relied upon assessors other than those recognized by FedRAMP only after a review of the processes, methods, tools, techniques, and results to help determine whether or not the degree of rigor applied was in alignment with standards issued by the National Institute of Standards and Technology (NIST). Any retesting that may be required would only focus on those areas of perceived inadequacy.

Optimizing Mission Effectiveness Through Shared Services and Interoperability

Description: Does your agency have a plan to implement a capability to interconnect SBU/CUI networks in order to share terrorism and homeland security information? 2012: Yes = 57%, No = 43% 2013: Yes = 53%, No = 47%

DOJ: Yes, LEO, RISSNet and Federated Identity Broker are now available to SLTs. Also, during CY 2012, the FBI's Criminal Justice Information Service (CJIS) continued to implement interconnected access to its SBU networks for sharing of law enforcement information relevant to terrorism and homeland security with members of the Law Enforcement Community.

DOS: The Department currently provides shared data on its third party shared space provider ODNI's Intelink-U which is part of the ISE SBU/CUI Interoperability initiative. In addition, at the DS Bureau level there is a plan for implementing secure and automated data exchange interfaces on a case-by-case basis with other agencies. This plan cannot commence until the source systems are redesigned and include the capability for both export of data to NIEM compliant structures and CUI designations. This plan addresses only point-to-point, system-to-system, level data exchanges and not full integration of networks.

Description: To what extent has your agency implemented interconnection plans for SBU/CUI networks supporting ISE-related missions? 2012: None = 38%, Little = 15%, Some = 31%, Extensive = 15% 2013: None = 53%, Little = 13%, Some = 27%, Extensive = 7%

DHS: Some - Technical design is underway with RISS.net to support interoperability this FY.

DOJ: Extensive - The FBI currently shares all ISE SARs from eGuardian to the NSI Shared Spaces. The Counterterrorism Division's (CTD) Guardian Management Unit is working closely with the NSI to facilitate an automatic technological solution to share all Information Sharing Environment (ISE) SARs from the NSI Shared Spaces into eGuardian. During CY 2012, the FBI's Criminal Justice Information Service (CJIS) built and installed the Trusted Broker which allows external users supporting ISE-related missions to federate into CJIS without using a

Description: Does your agency plan to fund the integration of CUI requirements into information systems as they are developed and/or upgraded on or before September 30, 2014? 2013: Yes = 59%, No = 41%

DHS: No - Current HSIN Release 3 development does not include CUI requirements because they were not available or approved when HSIN R3 development began. Plans for CUI requirements will be included in the next major upgrade.

DoD: No - Costs associated with implementing the CUI Program have not been programmed or budgeted for within the Department of Defense. As stated in the DoD CUI Compliance Plan submitted in February 2012 to the National Archives and Records Administration (NARA) as the CUI Executive Agent, the IT systems cost impacts to implement CUI are assessed to be significant. Finally, the DoD looks forward to receipt of OMB guidance addressing programming requirements [for partial, full, and/or phased CUI implementation] and receipt of the national CUI policy through the Federal Register process in order for DoD to properly resource for this program.

DOI: Yes - DOI will wait for the pending Federal CUI Program's implementation timeline and requirements. Following the Federal CUI Program timeline release, the Department of the Interior will execute its existing "Department Of the Interior CUI Implementation Plan, December 2011."

Description: Does your agency plan to fund the development of CUI self-inspection programs including reviews and assessments to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation on or before September 30, 2014? 2013: Yes = 35%, No = 65%

DOJ: No - The FBI intends to develop appropriate CUI self-inspection programs to evaluate program effectiveness and measure compliance. However, no budget requests have yet been made for this funding. Until the specific government-wide CUI standards are set and adopted (by the CUI Office at NARA) in the upcoming Federal CUI implementing directive, cost estimates cannot accurately be assessed and completed. Therefore, it is unlikely that the funding for a CUI self-inspection program will be achieved on or before September 30, 2014.

Description: Are ISE Functional Standards considered when issuing mission system RFPs and/or Grants (for ISE-related systems)? 2012: Yes = 43%, No = 57% 2013: Yes = 43%, No = 57%

DOJ: Yes - ISE Functional Standards are noted on OMB 300s and Exhibit 53s for Bureau ISE-related systems.

DoD: Yes - ISE Functional Standards are considered as they are incorporated into the DoD Standards Program and the DoD IT Standards Registry (DISR) where and when applicable to support cross domain information sharing. This is accomplished by the Chief Architect and Chief Engineer as part of their Program/Project development and functional/operational review/consideration of the mission/business objectives.

Description: Are ISE Technical Standards considered when issuing mission system RFPs and/or Grants (for ISE-related systems)? 2012: Yes = 54%, No = 46% 2013: Yes = 47%, No = 53%

DHS: Yes - Technical standards are typically included in the statement of work, which are a part of RFQ. ISE functional standards are also considered as appropriate. (ADM)

DOS: Yes - The Bureau of Consular Affairs, Office of Consular Systems and Technology incorporates ISE/NIEM standard language in all IT relevant RFPs.

Description: Has your agency provided information sharing and safeguarding standards activities (current or planned, public or private) to PM-ISE and OMB? 2013: Yes = 56%, No = 44%

DHS: Yes - supported standards-based acquisition efforts by providing a copy of ISSA to PM-ISE. The ISSA works to generate standards and capabilities across DHS.

DOS: Yes - We've responded to all OMB-requested actions, and any data calls emitted by PM-ISE.

DOT: Yes - The Department of Transportation (DOT) has responded to each of the Classified Information Sharing and Safeguarding Office's requests for inputs to the Key Information Sharing and Safeguarding Indicators (KISSI) throughout 2012.

Description: What percentage of critical milestones has the HSIN integration successfully met? 2013: 41-60 Percent = 100%, 61-80 Percent = 0%

DHS: 41-60 Percent - 50%. The capability for entering and searching DHS Suspicious Activity Reports through a SharePoint workflow is dependent upon HSIN 3.2 deployment, scheduled to be completed by Q2 FY13. The SAR workflow design is underway & scheduled to be completed Spring, 2013 with concurrent Critical Infrastructure development also completed. Subsequent System Integration and User Acceptance Testing will be performed within HSIN, and then followed by federated testing with the NOC/COP. Concurrent with this effort, attributes are being defined to ensure SARS are securely accessed by authorized individuals with collaborative work with FICAM Working Groups.

Description: Has your agency identified and published SBU geospatial data (cataloged and registered) in the Semantic Ontology and Registry on the DGS Geospatial Information Infrastructure? 2013: Yes = 13%, No = 87%

DOJ: Yes - DOJ provided HSIP geospatial shape files for the field offices, resident agencies, and district court jurisdictions. The data includes area of responsibility,

Description: Has your agency submitted their implementation schedule for agency-specific production, delivery, and maintenance for each SBU geospatial dataset for registration to the ISA-IPC? 2013: No = 100%

DOT: No - The Department of Transportation has not submitted an implementation schedule for agency-specific production, delivery, and maintenance for each SBU geospatial dataset for registration to the ISA-IPC.

Description: To what extent are ISE Functional Standards used when issuing mission system RFPs and/or Grants (for ISE-related systems)? 2012: Never = 46%, Rarely = 0%, Sometimes = 31%, Often = 23%, Always = 0% 2013: Never = 43%, Rarely = 14%, Sometimes = 7%, Often = 36%, Always = 0%

DOJ: Often - This practice is dependent on the FBI's IT Program and Project Managers uniformly listing standards on OMB 300s and Exhibit 53s. For example, ISE Functional Standards are extensively and commonly used in RFPs for the Bureau's Law Enforcement systems. In March 2012, the FBI conducted a data call at the request of OMB to identify standards for its system requirements reflected in Exhibit 53s. The results of the data call will be provided to the Finance Division's IT Contracting Unit who issues IT RFPs as well as the FBI CIO's Contract and Acquisition Management Unit (CAMU). CAMU is composed of highly skilled and trained acquisition professionals well versed in IT procurement. CAMU offers acquisition support, requisition processing, and Contracting Officer's Representative (COR) services for enterprise IT Programs and Projects. CAMU has documented and proofed IT acquisition processes where ISE Functional Standards could be incorporated as more than a checkpoint.

DOS: Often - The Bureau of Consular Affairs, Office of Consular Systems and Technology incorporates ISE/NIEM standard language in all IT relevant RFPs.

DOT: Rarely - Only when a system has been identified as ISE-related, as is the case with the DOT Suspicious Activity Reporting (SAR) system, BlueMercury. Once DOT establishes its Architecture Working Group (see question 30), we will be able to promulgate clearer guidance on the consideration of ISE Functional Standards.

Description: To what extent are ISE Technical Standards used when issuing mission system RFPs and/or Grants (for ISE-related systems)? 2012: Never = 46%, Rarely = 0%, Sometimes = 23%, Often = 31%, Always = 0% 2013: Never = 46%, Rarely = 8%, Sometimes = 8%, Often = 38%, Always = 0%

DHS: Sometimes - Technical standards are typically included in the statement of work, which are a part of RFQ. DHS incorporates ISE Technical Standards in conduct of mission system lifecycle activities—to include RFPs and/or grants.

DoD: Often - Both the ISE Functional and Technical Standards are considered and used in supporting Secure Information Sharing systems, services and applications. The extent to which they are incorporated into RFP is at the decision of the Chief Engineer. However, the Chief Architect and Chief Engineers are guided by the DoD Standards Program and the standards in the DoD IT Standards Registry (DISR) where and when applicable to support cross domain information sharing. This is accomplished by the Chief Architect and Chief Engineer as part of their Program/Project development and functional/operational review/consideration of the mission/business objectives.

Description: Has your agency provided updated grant or acquisition policies, standards-based requirements, and grants references where applicable to account for federal best practices, policy and toolkit recommendations, and alignment with the ISE CISS to PM-ISE? 2013: Yes = 38%, No = 63%

DHS: Yes - In FY2012, the NIEM PMO provided a supplemental resource for NIEM as part of the Homeland Security Program.

HHS: No - HHS' Office of Grants and Acquisition Policy and Accountability has not updated its grants or acquisition policies for ISE related-matters, and therefore has not provided updates to PM-ISE. HHS' policies reflect the implementation of federal-wide policy guidance (such as the OMB circulars governing grants administration) or regulations (such as the Federal Acquisition Regulation) and where appropriate, implement HHS' unique requirements that are based in statute (such as Appropriation Acts). Until such time that ISE-related standards are required by such federal-wide regulation or guidance or by statute, HHS does not foresee updating its grants or acquisition policies to address ISE-related standards.

Description: To what level has access to terrorism information from ISE partners improved by utilizing their designated ISE Shared Space? 2012: None = 40%, Extensive = 60% 2013: None = 31%, Little = 8%, Some = 38%, Extensive = 23%

DOJ: Extensive - To date, over 26,000 SAR entries have been submitted by stakeholders to the NSI, including the FBI, and tens of thousands of queries of that data have been made by analysts. The entries have been successfully leveraged from an investigative perspective by the FBI, and analysts are utilizing this information to advance their situational awareness and produce intelligence products related to suspicious activity reporting.

DoD: Extensive - The NGB indicates that NGB now shares threat related information with over 8000 law enforcement agencies.

DOI: Extensive - Our ability to become more aware has improved through the use of eGuardian. Shared spaces containing SAR information makes it easier to connect situations or events that need closer inspection or investigation.

Description: To what extent has your agency's ability to discover, access, and retrieve information needed to accomplish the mission improved based on services shared from external agencies and systems? 2012: None = 20%, Little = 13%, Some = 40%, Extensive = 27% 2013: None = 15%, Little = 0%, Some = 31%, Extensive = 54%

DHS: Extensive - In the TS/SCI domain, the ability to discover, access, and retrieve information has improved. DHS has been able to retrieve, access, and discover information through community shared resources, such as LNI. DHS has also deployed H-Space, which has helped the department in facilitating information sharing of terrorism-related information. H-Space is available in the Secret domain.

DOJ: Extensive - The department and components utilize N-DEx, NSI, LEO, RISSNet, HSIN, Intelink-U, NLETS, NGI, NCIC, and NICS. A specific example of this is the deployment of Advanced Fingerprint Technology (AFIT) for NGI. This allowed for 129.3 million transactions since implementation on 2/25/11. IAFIS has also been upgraded to handle 98,000 Ten Print Rap Sheet transactions per day.

Description: To what degree is there improvement in your agency's terrorism information sharing processes (since last year's survey) with other ISE partners by implementing an ISE Shared Space in your organization? 2012: None = 29%, Little = 0%, Some = 57%, Extensive = 14% 2013: None = 29%, Little = 14%, Some = 57%, Extensive = 0%

DHS: Some - The implementation of the NSI has improved the flow of SARs between USCG and DHS I&A. Another example, NPPD/US-VISIT participated in a PM-ISE pilot for information sharing between the SBU environment and the intelligence community. Specifically, this involved the exchange of information between NPPD/US-VISIT, ADIS, and two intelligence community partners (Data Aggregation Pilot). Last example, USSS has implemented 22 fixed HSDN systems and 13 tactical HSDN systems over the last two years, expanding our ability to conduct information sharing at the Secret Level at fixed field offices, protective divisions and during NSSE's. Additionally, a Cross Domain/Multi Level Security system has been implemented increasing our ability to collaborate from a single workstation across classification levels.

DOJ: Some - To date, over 13,900 unclassified incidents have been pushed from Guardian to eGuardian and the NSI Shared Spaces. In addition, during late 2012/early 2013, technical advancements took place in that has led to the implementation of an auto-push feature that is now employed in 50 fusion centers. This auto-push allows SAR data entered in the Shared Space to be seamlessly transmitted to eGuardian.

DoD: Some - As of the end of 1st Qtr FY 13, U.S. Army CID has 100% of CID Battalions with eGuardian access and 52 of 72 reported Provost Marshal Offices have 100% implementation of eGuardian. The NGB reports that all states & territories are now online with nationwide SAR programs.

Protecting Privacy, Civil Rights, and Civil Liberties

Description: Is your agency operating under an approved privacy policy consistent with the ISE Privacy Guidelines? 2012: Yes = 67%, No = 33% 2013: Yes = 93%, No = 7%

DHS: Yes - The DHS Privacy Office and Office for Civil Rights and Civil Liberties issued a joint Privacy and Civil Liberties Policy Guidance Memorandum, Memorandum Number: 2009-01 entitled, "The Department of Homeland Security's Federal Information Sharing Environment Privacy and Civil Liberties Protection Policy."

Description: Has your agency (outside of the Privacy Act) developed and provided an ongoing training program specific to the implementation of the ISE Privacy Guidelines to personnel authorized to share protected information through the ISE and for reporting violation? 2013: Yes = 60%, No = 40%

DHS: Yes - I&A intelligence professionals assigned to a State and Major Urban Area Fusion Center also receive training on their responsibilities to protect privacy within the ISE—the Privacy Office also provides a great deal of ISE privacy training at State and Major Urban Area Fusion Centers as well.

DOJ: Yes - All employees are required to take annual training which includes a privacy component. In addition, other training is provided specifically on how to appropriately share information. The Terrorist Screening Center contains information about the ISE Privacy Guidelines in its training.

DoD: Yes - Annual privacy training is required for the DoD workforce and future iterations of this training will identify ISE requirements.

DOC: Yes - Commerce utilizes the ISE training "ISE Core Awareness Training" to provide a common understanding of the ISE to all employees who need to access the ISE.

Description: Has your agency taken steps to facilitate appropriate public awareness of its policies and procedures for implementing the ISE Privacy Guidelines? 2013: Yes = 65%, No = 35%

DHS: Yes - DHS has taken a number of steps to foster public awareness of our ISE Privacy and Civil Liberties Protection Policy. First, the policy is available to the public at the DHS Privacy Office website at www.dhs.gov/privacy. Second, the Privacy Office's work to implement ISE privacy protections is detailed in each of the Privacy Office's Annual Reports to Congress since the creation of the requirement. Finally, ISE requirements are mentioned in appropriate Privacy Impact Assessments and other material produced by the Privacy Office including training and public presentations.

Description: Does the agency's ISE Privacy and Civil Liberties Official receive reports of errors in cases involving information which may impact the privacy or civil liberties of individuals? 2013: Yes = 78%, No = 22%

DOS: Yes - The Department does not have an ISE Privacy and Civil Liberties Official. The process to address an error involving information which may impact the privacy or civil liberties of individuals is administered by the Department's Senior Agency Official for Privacy together with the Office of the Legal Adviser and, where appropriate, with the Bureau of Diplomatic Security. In the case of litigation, legal process is served on the Executive Director of the Office of the Legal Adviser.

HHS: No - We do not have this as a routine practice. However, we do have multiple methods available for members of the public to contact HHS and register objections if information is complete and inaccurate. Our Office for Civil Rights, in particular, is charged with receiving such concerns not only for HHS systems, but for any information held by a HIPAA-covered entity (including almost all health care plans and providers in the United States).

Description: Is your agency's P/CL office (led by a P/CL officer or Senior Agency Official for Privacy) actively involved in planning, development, and oversight of information sharing and safeguarding activities? 2013: Yes = 83%, No = 17%

DHS: Yes - The DHS Chief Privacy Office and the Officer for Civil Rights and Civil Liberties serve as the agency's ISE Privacy and Civil Liberties Officials. Each is actively involved in planning, development, and oversight of sharing and safeguarding activities. For the Privacy Officer, this includes conducting and publishing Privacy Impact Assessments (PIAs) on systems that utilize information covered by the ISE Privacy Guidelines. PIAs are undertaken during the planning and development stages and include an examination of privacy issues and implementation of the Fair Information Practice Principles, which also serve as the basis for our ISE Privacy Protection Policies. Where ISE covered information is shared under an MOU, the Privacy Office is involved in reviewing compliance with ISE Protection and general privacy protection policies. The Privacy Office also participates in oversight activities. This includes, for instance, participating in reviews of compliance with information sharing access agreement terms and conditions, including ISE requirements. This further includes conducting Privacy Compliance Reviews (PCR); the Privacy Office recently completed a review of DHS's participation in the National SAR Initiative, which is part of the Department's ISE information sharing program.

Description: Does your agency review protected information for accuracy before it is made available to the ISE? 2013: Yes = 82%, No = 18%

DHS: Yes - Data Quality is one of the DHS Fair Information Practice Principles. Each system that maintains ISE covered information must take steps to ensure data is appropriately timely, relevant and complete.

DOT: Yes - The Department of Transportation's (DOT) Privacy Officer along with the DOT ISE Program Manager conducts reviews of protected information for accuracy before it is made available to the ISE.

DOI: Yes - The DOI Privacy Policy for the ISE outlines requirements to ensure data is accurate in accordance with Federal laws and the Code of Fair Information Practice Principles, and also requires action to correct inaccurate information and notify appropriate officials. First line supervisors review information before it is entered into IMARS, and can also cross check information in the system for accuracy before it is entered.

Description: Has your agency adopted and implemented procedures to facilitate the prevention, identification, and correction of any errors in protected information with the objective of ensuring that such information is accurate and has not erroneously been shared through the ISE? 2013: Yes = 89%, No = 11%

DHS: Yes - The DHS Fair Information Practice Principles and ISE Privacy Protection Policy outline the procedures designed to prevent, identify, and correct protected information. These protections are also reflected in appropriate PIAs and include Data Quality, Individual Participation, Access, Redress, and Accountability. ISAAs establishing terms and conditions for sharing under the ISE also include provisions for parties to notify each other if information they learn calls into question the accuracy of the data of the other.

DOJ: Yes - Both the department and components have a robust audit capability as well as an Inspection Division and Office of Integrity and Compliance which assist in preventing and correcting any errors.

Description: Has your agency put in place internal procedures to address complaints from persons regarding protected information about them that is under the agency's control? 2013: Yes = 82%, No = 18%

DHS: Yes - Part of our ISE Privacy Protection Policy included information on how to file a complaint or requests for corrections. Access and Redress are part of the DHS Fair Information Practice Principles.

HHS: Yes - Individuals can register complaints via a number of channels, including exercising Privacy Act rights; appealing decisions related to the receipt of benefits; or by registering a complaint with the Secretary for HIPAA-related violations. Also, under HIPAA, individuals have the right to request amendments to their health care records, and HIPAA covered entities (including HHS) are required to accept such requests if they are reasonable and appropriate.

NGA: Yes - NGA Privacy and Civil Liberties Office published a policy and accompanying manuals in February 2013 that outlines procedures for addressing complaints from individuals regarding their protected information.

Description: Does your agency notify ISE participants who receive the agency's protected information of all applicable access, use, retention, or disclosure limitations in cases where personally identifiable information of individuals is being shared (i.e., protected information)? 2013: Yes = 71%, No = 29%

DHS: Yes - Such notice, for instance, appears as terms and conditions in Information Sharing Access Agreements.

DOJ: Yes - The FBI takes steps to protect its information - this is accomplished through some automatic caveats as well as MOUs. The FBI also reviews information being shared and provides provisions to protect its information as appropriate to comply with the Privacy Act and EO 12333.

DOC: No - There are no sharing agreements in place.

HHS: No - We intend to facilitate this once the ISE policy is final. In general, however, the system HHS uses to share PI and PII (eGuardian) is not structured to specifically prompt the inclusion of information related to access, use, retention, or disclosure limitations. Users will be encouraged to provide this information, if there is any. Note that the only ISE participant with whom HHS shares PI and PII is the FBI, which makes assessments related to such aspects of the data before further sharing the information with participants in the ISE.

Description: Has your agency implemented adequate review and audit mechanisms to enable the agency's ISE PCL Official and other authorized officials to verify that the agency and its personnel are complying with the ISE Privacy Guidelines? 2013: Yes = 88%, No = 13%

DHS: Yes - The Privacy and Civil Rights and Civil Liberties Offices at DHS are negotiating, implementing, and reviewing information sharing agreements and other mechanisms for information sharing in order to meet compliance with ISE privacy requirements. DHS regularly meets with National Counter-Terrorism Center (NCTC) to review implementation of all information sharing agreements. For example, the Privacy Office recently conducted a Privacy Compliance Review of DHS's participation in the National SAR Initiative. The Privacy Office also reviews DHS intelligence reporting—either finished intelligence or raw reporting—that is to be shared within the ISE, before that information is disseminated to ISE partners.

DOJ: Yes - The FBI is able to determine whether individuals have taken the required trainings; PCLU reviews privacy impact assessments and privacy threshold analyses to ensure proper compliance. The FBI has also created Division Privacy Officers to assist in the review of day to day issues that may arise. DOJ's policy is reviewed when information sharing initiatives are proposed and associated documentation created.

DOE: Yes - Management reviews are conducted quarterly and managers must document compliance.

DOI: Yes - The DOI Office of Law Enforcement and Security has a Compliance Division that conducts internal audits of intelligence systems, and with support from an ISE Privacy Official checks to ensure privacy and civil liberties are appropriately protected. DOI recently conducted a privacy review of IMARS, DOI's law enforcement system to evaluate adequacy of privacy protections and compliance with privacy laws and policies. Departmental policy requires DOI bureaus and offices to ensure that intelligence files are reviewed on an ongoing basis, but, at a minimum, reviewed annually, and to purge information not needed for retention. Doing this purging; only administrative records are kept, not records of the

Managing and Fostering a Culture of Responsible Information Sharing

Description: Does your agency have a dedicated Senior Information Sharing Executive per E.O. 13587? 2012: Yes = 80%, No = 20% 2013: Yes = 93%, No = 7%

DHS: Yes - The Under Secretary of Intelligence and Analysis is the designated Senior Information Sharing Executive for DHS.

DOJ: Yes - The Chief Information Sharing Officer (CISO) is the dedicated FBI Senior Information Sharing Official required by E.O. 13587, and also serves as the FBI representative on the ISA IPC. Under the terms of a recent internal realignment, the CISO is now a direct report to the FBI Chief Knowledge Officer (CKO). The CKO reports directly to the Associate Deputy Director of the FBI and has Bureau-wide responsibility and authority. The CKO has been designated as the Principal FBI Official for Information and Intelligence Sharing Policy, and chairs the FBI Information Sharing Policy Board.

DoD: Yes - The DoD CIO currently fulfills this role. Additionally, the Joint Staff has a chair on the Information Sharing and Access Interagency Policy Committee (ISA-IPC).

DOC: Yes - The Senior Advisor for National Security and Critical Infrastructure Protection has been designated as the Senior Official for Information Sharing and Safeguarding.

Description: To what degree has your agency implemented any mission-specific training that supports information sharing and collaboration? 2012: Little to no training = 13%, Some training = 60%, Extensive training = 27% 2013: Little to no training = 14%, Some training = 43%, Extensive training = 43%

DOJ: Extensive Training - Training is completed at the Program level (i.e., N-DEx, BATS, etc.). For instance, the N-DEx Program Office engages in best practices and professional standards to market, outreach, and conduct training events with local, state, regional, tribal, and federal criminal justice agencies. N-DEx training opportunities support the mission to achieve and maintain the projected level of commitment of participation and fully expand the footprint of N-DEx as the only nationally-scaled information sharing system. N-DEx offers self-paced Computer Based Training supported by user training as needed. N-DEx personnel also provide Train-the-Trainer courses and materials and offer specific training to assist agencies with managing administrative duties related to N-DEx, conducting 20 training events in the past year. Mission-specific training for information sharing and collaboration exists on multiple levels. Agents and Intelligence Analysts are introduced to these concepts within their first weeks of employment through New Agents' Training and the Intelligence Basic Course. The Bureau promotes and facilitates external training opportunities for FBI and IC employees in analytic techniques, working groups, tabletop exercises (including international Weapons of Mass Destruction simulations). The Counterterrorism Division has instructed more than 600 Task Force Officers since 2011 in information-sharing protocols in response to the Fort Hood shootings, and maintains a close relationship with state and local law enforcement through annual training symposia. During the reporting period, the FBI provided Data Exploitation, Targeting and Integration for Results (DEXTIR) training to students from the National Geospatial-Intelligence Agency, Department of Homeland Security, Greensboro North Carolina Police Department and U.S. Air Force Office of Special Investigations.

DOS: Some Training - The Department currently offers many types of training through the Foreign Service Institute that support aspects of the Information Sharing Environment, specifically Safeguarding. Examples of these courses are as follows: Classified and SBU Info: ID and Marking; Information Sharing Environment 101; Cybersecurity Awareness; Information Assurance for Systems Managers.

HHS: Some Training - The Office of Security and Strategic Information (OSSI), Directorate of Counterintelligence and Intelligence has created a Department wide mandatory CI and Intelligence awareness training on HHS U for all employees, and CI training for a cadre of CI professionals throughout the department.

Description: What degree of success have these trainings produced improvements to information safeguarding and stewardship? 2012: None = 8%, Little = 15%, Some = 31%, Extensive = 31% 2012: None = 8%, Little = 8%, Some = 54%, Extensive = 46%

DOJ: Some - The FBI requires all employees to complete annual training requirements regarding information sharing and safeguarding of information. Success is measured by employees completing mandated training and being held accountable for all aspects of content in the performance of their duties. In the WMDD realm, these trainings have better prepared individuals in handling any type of CBRN threat or incident. The WMDD has also certified approximately 30 WMD Coordinators to date. During 2012, the FBI's VA received up to 14,000 individual hits a month—nearly half of the Bureau employee workforce. During 2012, approximately 40,000 readers signed up for e-mail alerts to notify them about upcoming content on the LEB website. The training courses offered by CTD have educated Agents, Analysts, Task Force Officers, and the FBI's federal/state/local law enforcement partners about current domestic and international terrorist groups' ideologies, techniques, and threat levels. This ongoing exchange of information and knowledge continues to serve as a vital link in the FBI's ability to prevent and deter terrorist attacks against the United States and its citizens. The training educates our partners about federal laws, policies, and procedures to ensure that our partners have the requisite knowledge, training and tools needed to work with FBI Agents to infiltrate domestic and international terrorist organizations, thwart impending attacks, and obtain justice against those who participate in attacks against the United States. The training has produced a high degree of success, as evidenced by the efficient and appropriate information-sharing that occurred following the Boston Marathon bombing. Federal, State and local authorities were collocated at various facilities; further investigation into protocols confirmed that 'lessons learned' from prior security situations had been implemented properly.

DHS: Some - Some components have reported that these trainings have been successful; however, other components reported that there were no formal metrics in place to capture the data.

Description: Do employees that support ISE-related priorities have information sharing and collaboration as a component of their performance appraisals? 2012: Yes = 73%, No = 27% 2013: Yes = 85%, No = 15%

DoD: Yes - Several Assistant Secretary of Defense for Homeland Defense employees have information sharing/collaboration as an evaluation component of their performance appraisals and employees under the Defense Civilian Intelligence Personnel System have a mandatory performance element that emphasizes collaboration, teamwork and information sharing.

HHS: Yes - All personnel within the HHS Office of Security and Strategic Information (OSSI), the office coordinating ISE for the Department, have integrated within their performance plans a critical element capturing ISE information sharing and collaboration objectives.

DOJ: Yes - FBI Senior Executives are rated on "Collaboration and integration" as part of their performance evaluations. In addition, one of the critical elements within an Intelligence Analyst's performance appraisal is Engagement and Collaboration. This critical element measures the analyst's ability to "provide information and knowledge to achieve results" and "build and leverage diverse collaborative networks of coworkers, peers, customers, stakeholders, and team, within an organization or across the IC." Employees supporting ISE-related priorities do have 'information sharing and collaboration' as part of their performance appraisals. Special Agents and Intelligence Analysts have elements of information sharing and collaboration in their very job descriptions and are two of the core competencies to which all FBI employees are expected to adhere. In addition, most Performance Plans include a Critical Element (CE) entitled, "Acquiring, Applying, and Sharing Job Knowledge."

Description: Do employees without direct ISE responsibilities have information sharing and collaboration as a performance objective? 2012: Yes = 57%, No = 43% 2013: Yes = 62%, No = 38%

DHS: Yes - This is a requirement for Customs and Border Protection (CBP), Transportation Security Administration (TSA), Immigration and Customs Enforcement (ICE), United States Secret Service (USSS), United States Citizenship and Immigration Services (USCIS), and NPPD/IP.

DOJ: Yes - DEA has incorporated this as a component of their performance appraisal for all DEA I/As.

DOI: Yes - DOI law enforcement personnel have performance standards that include collaboration and information sharing. However, the vast numbers of our 73,000 employees do not.

NGA: No - There is no agency mandate that employees without ISE-related priorities have 'Engagement and Collaboration' (as defined in Question 3) as a Performance Objective.

Description: Does your agency update the workforce on new information sharing agreements/initiatives? 2013: Yes = 88%, No = 13%

USAF: Yes - Formal Briefings and posting of policy guidance and directives.

NGA: Yes - New information sharing agreements and initiatives are shared primarily via the Information Sharing Working Group (ISWG) whose members will disseminate it to their respective organizations.

Description: Does your agency have a governance body responsible for information sharing and safeguarding that plans and oversees the agency self-assessment process per E.O. 13587? 2013: Yes = 67%, No = 33%

DHS: Yes - The Information Sharing and Safeguarding Governance Board is the DHS Enterprise-wide body for information sharing and safeguarding.

DOJ: Yes - The department is in the process of reestablishing a department wide governance body to ensure responsible sharing and safeguarding of information.

The ATF has an internal Governance Board.

The FBI Access Policy Group, with oversight by the Information Sharing Policy Board, oversees the FBI insider threat self-assessment process.

DoD: No - The DoD does not use a formal governance body to oversee the self-assessment process. Instead of a governance body, the DoD holds meetings led by the DoD CIO/Cybersecurity Directorate with POCs from OUSD(I), Security, and USD(P) to coordinate on EO 13587 actions including the self-assessment. Since the DoD CIO/Cybersecurity Directorate reports to the principals there is a tight linkage with existing DoD governance entities.

Description: Does your agency offer information sharing-related awards (monetary or non-monetary)? 2012: Yes = 60%, No = 40% 2013: Yes = 50%, No = 50%

DHS: Yes - NPPD, ICE, CBP, and Coast Guard, offer awards (monetary and non-monetary) for information sharing achievements.

HHS: Yes - ISE is an element of OSSI employees' PMAPs and to obtain qualifying scores for a monetary award, success in information sharing and collaboration is required.

DOT: Yes - Members of the Intelligence Division receive both monetary and non-monetary awards for their work in information sharing.

DOJ: Yes - The FBI, through its Office of the Chief Knowledge Officer, conducts a yearly canvass for nominations for the Knowledge Awards. The goal of this program is to "Increase people-to-people connectivity by sharing best practices, establish partnerships across the FBI by connecting people with common issues and interests; provide support by recognizing issues/gaps and providing solutions identified through submissions and incentivize and recognize excellence in knowledge management and sharing."

Description: Has nomination of candidates for information sharing and collaboration awards increased, decreased, or stayed the same since it was first offered? 2012: Decreased = 0%, Stayed about the same = 67%, Increased = 33% 2013: Decreased = 0%, Stayed about the same = 71%, Increased = 29%

DOJ: Increased - Additional recognition for outstanding DIBs and other outstanding writing of reports to the IC from the Chief of Intelligence (monetary).

FBI: The CISO recognizes individuals or groups for information sharing awards, and the nomination of candidates for FBI information sharing awards has steadily increased since the inception of the program. The Information Sharing Awards Program is being integrated into the FBI Knowledge Awards Program under the purview of the Office of the Chief Knowledge Officer. Submissions for these awards have increased since they were first offered in 2010; specific data regarding candidate numbers are unavailable at this time.

HHS: Increased - Inasmuch as OSSI has been established as an integrated security organization within the past couple of years, it is with this past year's performance cycle that we have seen the capturing of this element. As such, those efforts to underscore the collaboration and information sharing mandate, are now being recognized in the PMAPs for employees.

Appendix B — Mission-based Test Scenarios

Test scenarios are used to demonstrate information sharing capabilities in a mission context; the use of test scenarios allows the enterprise to determine if the ISE is achieving its desired capabilities. PM-ISE also encourages agencies to create scenarios independently and has provided a "cookbook" to assist with agency development of a complete performance framework. Additional information for developing scenarios was provided to agencies on the ISE Blog.[75] These resources allow agencies to possess and develop their own compatible performance frameworks to further capabilities in key ISE mission areas. These integrated performance frameworks, with line-of-sight from program to agency to ISE-level metric tracking, help guide ISE performance management, which will expand as the ISE collectively matures. The annual ISE Performance Assessment Questionnaire assesses ISE-level functions that enable the delivery of mission services and capabilities against a spectrum of maturity.

Table B-1. ISE Capability Areas and Maturity Spectrum.

| | Maturity Stage 1 (2012-2013 Environment) | Maturity Stage 2 (2-3 Year Time Horizon) | Maturity Stage 3 (5-7 Year Time Horizon) |
| --- | --- | --- | --- |
| COMMUNITY | Community Awareness | Community Involvement | Community Integration |
| PROCESS | Process Exploration | Process Adoption | Process Harmonization and Compliance |
| TECHNOLOGY | Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Test scenarios remain a key component of the ISE Performance Framework, as they reflect the mission impacts of responsible information sharing to the ISE community of operators, investigators, and analysts.

Last year's report references the ten test scenarios developed in 2011. This year, six of those scenarios are used to assess the progress of the ISE with respect to information sharing capabilities in specific high-value mission areas:

  • Improving role-based access to ISE-suspicious activity reports (SAR) and underlying case file content—implementation of privacy policy automation (1)

  • Improved law enforcement maritime response to a weapon-of-mass-destruction threat by enhancing first responders' situational awareness (2)

  • Improving cross-domain access to distributed information through federated search (3)

  • Removing impediments to federal acquisition and enabling out-of-the-box future interoperability through standards (4)

  • Using machine generated SARs to aid detection of threats to critical infrastructure and key resources (CIKR) (7)

  • Using the National Information Exchange Model (NIEM) as an enabler to share international counterterrorism data on gang-related activity for watchlisting and screening (8)

These test scenarios illustrate government response to a public safety, law enforcement, counterterrorism, or homeland security situation over three time horizons: now, two to three years in the future, and five to seven years in the future. Each response demonstrates the analysts', operators', and investigators' improved ability to execute their mission objectives based on investments in information sharing. The remaining four scenarios are used by the office of the PM-ISE to shape conversations around the definitions for future capabilities within shared mission areas among ISE agencies. These scenarios are:

  • Enabling event deconfliction through common standards to promote officer safety (5)

  • Incentivizing information sharing of insider threat information within agencies and throughout government (6)

  • International humanitarian aid and disaster relief coordination efforts (9)

  • Improving public health response to biological threats with increased information to first responders (10)

With agency participation, PM-ISE staff crafted an additional scenario driven by National Security Staff and Office of Management and Budget (OMB) priorities. With cybersecurity being one of the primary focus areas for this Administration, addressing challenges in information sharing among federal cyber centers, as well as with state and local partners, is a key element to improving our nation's security.

  • Driving enhanced shared situational awareness for cyber threat information among federal partners and fusion centers (11)

The following graphics represent the six scenarios used to assess ISE progress based on the results of the 2013 performance assessment questionnaire, followed by the four used to define future capabilities, and the newest scenario referencing cybersecurity.

SCENARIO #01: Improving Role-based Access to ISE-SAR and Underlying Case File Content — Implementation of Privacy Policy Automation

Situation

An analyst working in the State X Fusion Center ["XFC"] analyzes a series of possible terrorism-related arson incidents occurring near a number of CIKR facilities. A witness from one of the incidents reports seeing a red vehicle. Reports from other arson scenes also note that witnesses saw a red vehicle. The XFC analyst conducts a Federated Search in the NSI and determines that State Y Fusion Center's ISE-SAR database has an entry indicating arson activity with similar circumstances to the arson incidents occurring in State X.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
| --- | --- | --- |
| Manual approval to access data based on unreliable, un-standardized "need-to-know" | Policies and procedures in place to allow expedited sharing | Role-based access to ISE-SAR, including privacy policy automation |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Community is Aware

Process Adoption with standardized information sharing agreements is still required to enable the capabilities described in this scenario

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: Privacy

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
| --- | --- | --- | --- | --- |
| Community | Is your agency operating under an approved privacy policy consistent with the ISE Privacy Guidelines? | A | N/A | N/A |
| Process | Does your agency's ISE Privacy and Civil Liberties (P/CL) Official receive reports of errors in cases involving information which may impact the privacy or civil liberties of individuals? | A | N/A | N/A |
| Process | Does your agency notify ISE participants who receive the agency's protected information of all applicable access, use, retention, or disclosure limitations in cases where personally identifiable information of individuals is being shared? | N/A | N/A | A |
| Process | Does your agency review protected information for accuracy before it is made available to the ISE? | N/A | A | N/A |
| Process | Does your agency use a government-wide template in developing information sharing agreements? | N/A | B | N/A |
| Process | Has your agency (outside of the Privacy Act) developed and provided an ongoing training program specific to the implementation of the ISE Privacy Guidelines to personnel authorized to share protected information? | A | N/A | N/A |
| Process | Has your agency adopted and implemented procedures to facilitate the prevention, identification, and correction of any errors in protected information to ensure accuracy and that it has not erroneously been shared? | N/A | A | N/A |
| Process | Has your agency implemented adequate review and audit mechanisms to enable the agency's ISE P/CL Official and other authorized officials to verify that the agency and its personnel are complying with the ISE Privacy Guidelines? | N/A | N/A | A |
| Process | Has your agency put in place internal procedures to address complaints from persons regarding protected information about them that is under the agency's control? | N/A | A | N/A |
| Process | Has your agency taken steps to facilitate appropriate public awareness of its policies and procedures for implementing the ISE Privacy Guidelines? | A | N/A | N/A |
| Process | Is your agency's P/CL office (led by a P/CL officer or Senior Agency Official for Privacy) actively involved in planning, development, and oversight of information sharing and safeguarding activities? Please give examples. | N/A | A | N/A |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #02: Improved Law Enforcement Maritime Response to a WMD Threat by Enhancing First Responders' Situational Awareness

Situation

The vast Great Lakes region along the northern border is a favored area for illicit smuggling. Interdiction is especially difficult due to the fact that at different intervals along the border, various federal, state, local, tribal, and/or territorial law enforcement agencies hand off or share jurisdiction. In addition to local authorities, the Coast Guard, Customs and Border Protection, and Immigration and Customs Enforcement conduct operations across jurisdictions in the Great Lakes region. An intelligence analyst at federal Agency X receives credible reporting that a cargo ship transiting Lake Superior is carrying a WMD device.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
| --- | --- | --- |
| Manual coordination through local Fusion Center with point-to-point communications and a non-integrated response | Integrated response directed by Fusion Centers through common operating models and procedures | Total situational awareness through integrated systems, accelerated responses, and a safer interdiction process |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Community moving from Awareness to Adoption

Process Exploration and Adoption are ongoing with efforts around improving training, governance, and access

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: Maritime

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
| --- | --- | --- | --- | --- |
| Community | Does your agency have a dedicated Senior Information Sharing Executive per Executive Order (EO) 13587? | A | N/A | N/A |
| Community | Does your agency update the workforce on new information sharing agreements/initiatives? If YES, how? | A | N/A | N/A |
| Community | Does your agency offer information sharing related awards (monetary or non-monetary)? | N/A | B | N/A |
| Community | Has nomination of candidates for information sharing and collaboration awards increased, decreased, or stayed the same since it was first offered? | N/A | B | N/A |
| Process | Do employees that support ISE-related priorities have "information sharing and collaboration" as a component of their performance appraisals? | A | N/A | N/A |
| Process | Do employees without direct ISE responsibilities have "information sharing and collaboration" as a performance objective? | B | N/A | N/A |
| Process | To what degree has your agency implemented any mission-specific training that supports information sharing and collaboration? Please provide examples. | B | N/A | N/A |
| Process | Does your agency have a governance body responsible for information sharing and safeguarding that plans and oversees the agency self-assessment process per EO 13587? | N/A | B | N/A |
| Process | To what extent is your agency utilizing the Library of National Intelligence (LNI)? | N/A | B | N/A |
| Process | What degree of success has training produced improvements to information safeguarding and stewardship? | N/A | B | N/A |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #03: Improving Cross-domain Access to Distributed Information through Federated Search

Situation

Employees at an insurance company have noticed suspicious behavior from one of their co-workers. A group of employees reported to a terrorist hotline that they noticed one of their associates repeatedly going to terrorist-leaning websites and printing out bomb making schematics from a company shared printer. Upon receipt of this tip, a tactical intelligence analyst from Agency X must then assess if there is enough credible information to open a full anti-terror investigation.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Individual checks through databases from sensitive to top secret, manual collation and analysis of data | Common identity standards enable easier access and search through disparate networks and databases | Single point of entry for each classification level, federated search and easy analysis |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Community Adoption and Integration are ongoing with efforts in security reciprocity

Process Exploration and Adoption are ongoing with integration of FICAM planning efforts

Technology & Standards Involvement and Integration efforts still required in security reciprocity and attribute exchanges

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: Federated Search

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | From how many organizations does your agency accept (and make accreditation decisions without retesting) IT security certification bodies of evidence (i.e., does your agency practice IT security reciprocity)? | N/A | N/A | B |
| Community | To what extent has your agency's ability to discover, access, and retrieve information needed to accomplish the mission improved based on services shared from external agencies and systems? Please provide examples. | N/A | N/A | B |
| Process | Does your agency have a defined Memorandum of Understanding or Agreement (MOU/MOA) development process that covers discovery and access to data by external partners and systems? | A | N/A | N/A |
| Process | Does your agency plan to fund the development of Controlled Unclassified Information (CUI) self-inspection programs including reviews and assessments to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation on or before Sep. 30, 2014? | B | N/A | N/A |
| Process | Does your agency plan to fund the integration of CUI requirements into information systems as they are developed and/or upgraded on or before Sep. 30, 2014? | B | N/A | N/A |
| Process | Has your agency aligned their Sensitive but Unclassified (SBU) architecture with the publication of geospatial Critical Information Requirements and authoritative source(s) necessary to meet Presidential Policy Directive 8 Mission Areas in open standards? | N/A | B | N/A |
| Process | Has your agency incorporated access policies that protect privacy, civil rights and civil liberties using a common government-wide template for each data source into their SBU architecture? | N/A | A | N/A |
| Process | Has your agency submitted a data access management Plan of Action and Milestones based on privacy, civil rights and civil liberties attributes, Attribute Based Access Control, and Federal Identity, Credential, and Access Management (FICAM)? | N/A | C | N/A |
| Process | Has your agency submitted their implementation schedule for agency-specific production, delivery, and maintenance for each SBU geospatial dataset for registration to the ISA IPC? | N/A | C | N/A |
| Technology | Does your agency plan to adopt FICAM standards? | A | N/A | N/A |
| Technology | Does your agency have an accessible authoritative source (on 1 or more classification levels) for attribute information on users, for the purpose of making access control decisions? | N/A | A | N/A |
| Technology | Has your agency aligned their SBU architecture authentication consistent with FICAM? | N/A | B | N/A |
| Technology | Has your agency identified and published SBU geospatial data (cataloged and registered) in the Semantic Ontology and Registry on the DHS Geospatial Information Infrastructure? | N/A | C | N/A |
| Technology | To what extent has your agency implemented FICAM standards? Please explain. | N/A | B | N/A |
| Technology | Has your agency implemented an accessible authoritative source at any classification level? | N/A | N/A | A |
| Technology | To what extent does your agency have documented policies and/or implementing guidelines on IT security reciprocity stating the conditions under which you will accept the security certification and/or accreditation/authorization of another organization? | N/A | N/A | B |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #04: Removing Impediments to Federal Acquisition and Enabling Out-of-the-Box Future Interoperability through Standards

Situation

Investigative efforts, such as undercover operations, create the potential for conflict between agencies that are unknowingly working in close proximity to each other or agencies that may be coordinating an event on the same suspect at the same time. A Project Manager from Agency X plans to acquire an event registry solution to aid with officer deconfliction to determine if there are event conflicts with any new police action at the federal, state, local, and tribal levels of government.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Decentralized standards governance | Government-wide standards oversight gives a common point of entry to acquisition and accelerates future interoperability | Single standards repository with common governance integrated with GSA policies streamlines acquisition and enables out-of-the-box interoperability |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Process Exploration and Adoption efforts proceeding with the increasing usage of open standards in grants and acquisitions

Technology & Standards Awareness and Exploration efforts ongoing through standards policy updates

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: Standards-based Acquisition

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Process | Are ISE functional standards considered when issuing mission system requests for proposals (RFPs) and/or grants (for ISE-related systems)? | B | N/A | N/A |
| Process | Does your agency have a single authoritative repository related to ISE Technical or Functional Standards? | N/A | B | N/A |
| Process | Has your agency provided updated grant or acquisition policies, standards-based requirements, and grants references where applicable to account for federal best practices, policy and toolkit recommendations, and alignment with the ISE common information sharing standards to PM-ISE? | N/A | B | N/A |
| Process | To what extent are ISE functional standards used when issuing mission system RFPs and/or grants (for ISE-related systems)? | N/A | C | N/A |
| Technology | Are ISE technical standards considered when issuing mission system RFPs and/or Grants (for ISE-related systems)? | B | N/A | N/A |
| Technology | Has your agency provided information sharing and safeguarding standards activities (current or planned, public or private) to PM-ISE and OMB? | B | N/A | N/A |
| Technology | To what extent are ISE technical standards used when issuing mission system RFPs and/or grants (for ISE-related systems)? | N/A | C | N/A |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #05: Enabling Event Deconfliction through Common Standards to Promote Officer Safety

Situation

Law enforcement agencies use an intranet-based Officer Safety Event Deconfliction System to store and maintain data on planned law enforcement events. Often, investigative efforts such as undercover operations, arrests, raids and other high risk situations create the potential for conflict between federal, state, local and tribal law enforcement agencies. They unknowingly work in close proximity to each other or may be coordinating an event on the same suspect at the same time. Federal law enforcement officers from Agency X are planning a raid on a home where it is believed a group of suspected drug traffickers are in possession of a large amount of illegal drugs.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Point-to-point event conflict resolution | Standards oversight and common operating models enable a more efficient manual process | Standards-compliant, automated deconfliction enables total situational awareness |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

No related ISE-level metrics from 2013 ISE Performance Assessment.

Program-level Metrics, Scenario: Officer Deconfliction

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | % of involved agencies that have conflict resolution plans that include information sharing | A | Inc | Inc |
| Community | % of involved agencies that have individual event resolution plans | A | Inc | Inc |
| Community | % of involved agencies that have consolidated and coordinated conflict resolution plans | N/A | A | Inc |
| Process | # of officer conflict incidents | N/A | N/A | A |
| Process | Avg. required time to conduct event conflict assessments (includes system checks and personal communications) | N/A | A | Dec |
| Process | % of involved agencies with standards-compliant information sharing MOUs | N/A | N/A | A |
| Technology | % of system owners compliant with ISE technical/functional standards | A | Inc | Inc |
| Technology | % of involved agencies with FICAM compliant system access | N/A | N/A | A |

Legend: A = This metric is first applicable at this stage of maturity. Inc = This metric is expected to increase as maturity increases. Dec = This metric is supposed to decrease as maturity increases. N/A = This metric is not yet applicable at this level of maturity.

SCENARIO #06: Incentivizing Information Sharing of Insider Threat Information within Agencies and Throughout Government

Situation

Federal Agency X employee has become aware of anomalous behavior by an employee from Federal Agency Y on Agency X's classified network that potentially could compromise national security information. Agency X employee must begin a structured engagement with Agency Y and involve senior personnel from both agencies to analyze behavior on this and other networks to which the employee has access.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Impediments to information sharing result in heterogeneous responses to insider threats | Increased incentives lower the barriers to sharing, enabling integrated insider threat responses | Incentivized sharing of insider threat information enables efficient, automated, cross-domain protection of government networks and systems |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

No related ISE-level metrics from 2013 ISE Performance Assessment.

Program-level Metrics, Scenario: Insider Threat

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | % of agencies that have a senior official accountable for classified information | A | Inc | Inc |
| Community | # of nominations for information sharing awards per agency | A | Inc | Inc |
| Community | % of personnel who have received mission training on information sharing | N/A | A | Inc |
| Process | % of agencies with formalized processes for sharing classified information | A | Inc | Inc |
| Process | % of incident response programs coordinated with ISE functional standards | N/A | A | Inc |
| Technology | % of agencies that have implemented personal identity verification (PIV) compliant programs | A | Inc | Inc |

Legend: A = This metric is first applicable at this stage of maturity. Inc = This metric is expected to increase as maturity increases. Dec = This metric is supposed to decrease as maturity increases. N/A = This metric is not yet applicable at this level of maturity.

SCENARIO #07: Using Machine Generated SARs to Aid Detection of Threats to CIKR

Situation

There is a concentration of Critical Infrastructure and Key Resource (CIKR) facilities in Virginia's Hampton Roads region, including shipping, transportation, rail, power, communications, emergency services, banking & finance, chemical, and many others. Recently, there has been an unusual spike in physical perimeter breach warnings at high-value chemical, telecommunications, and shipping facilities, all located closely in Norfolk, Portsmouth, Chesapeake, and Virginia Beach. Additionally, the Chesapeake power plant is experiencing increases in network security warnings and potential data breaches.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Distributed, heterogeneous responses to threats depend on CIKR sector and law enforcement jurisdictional factors | Policies and procedures in place to allow expedited sharing | Role-based access to ISE SAR, including privacy policy automation |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Community Integrating through participation in common task forces and mission functions

Process Adoption efforts are ongoing with continuous training

Technology & Standards Awareness efforts still required to interconnect the intelligence enterprise

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: SAR 2.0

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | Does your agency participate in the National Joint Terrorism Task Forces? | N/A | A | N/A |
| Community | Does your agency participate in the National Network of Fusion Centers (state and major urban areas)? | N/A | B | N/A |
| Process | Does your agency have a process in place to validate SARs? | B | N/A | N/A |
| Process | Has your agency delivered a plan to align resource decisions to the Resource Allocation Criteria policy to DHS? | N/A | C | N/A |
| Process | To what extent has your agency incorporated ISE functional standards into the management and implementation of its ISE-related mission business processes? | N/A | B | N/A |
| Process | To what extent does your agency incorporate fusion center information into its own products and services? Please explain. | N/A | N/A | C |
| Process | To what extent is information gathered from international partners integrated into the watchlisting and screening process? | N/A | N/A | C |
| Technology | Does your agency have a live SAR database? | B | N/A | N/A |
| Technology | Does your agency have a plan to implement a capability to interconnect SBU/CUI networks in order to share terrorism and homeland security information? | B | N/A | N/A |
| Technology | Does your agency provide SAR training (either directly or indirectly)? | A | N/A | N/A |
| Technology | Does your agency utilize eGuardian (FBI)? | B | N/A | N/A |
| Technology | To what extent has your agency implemented interconnection plans for SBU/CUI networks supporting ISE-related missions? | C | N/A | N/A |
| Technology | To what extent has your agency incorporated ISE technical standards into enterprise architectures and IT capability? | N/A | B | N/A |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #08: Using the National Information Exchange Model (NIEM) as an Enabler to Share International Counterterrorism Data on Gang-related Activity for Watchlisting and Screening

Situation

Gang-related activities are prevalent near border regions of the United States. Drug trafficking, human trafficking, smuggling, and other serious crimes by gangs are often used by terrorist organizations as a means to finance their activities. Governments on both sides of the border are increasing their focus on gang-related activity, not only to reduce crime, but to stem funds destined for terrorist groups. While analyzing stolen vehicle trends, a tactical intelligence analyst from border state Fusion Center X notices that there is a very low recovery rate of stolen automobiles. A tactical intelligence analyst at state Fusion Center Y is analyzing trends of stolen automobiles and notices that there is little to no information on a significant portion of these vehicles, making him think they may no longer be in the United States.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Manual coordination with point-to-point communication between international partners | Bridging manual coordination with agreed-upon automated sharing of key data to international partners | Automated transfer of applicable data between countries with feedback loops in place to improve future watchlisting and screening efforts |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

Community Awareness and Involvement

Process Exploration and Adoption efforts proceeding with the increasing usage of enterprise and segment architectures

Technology & Standards Exploration and Integration efforts ongoing via PKI and the use of common standards

Related Metrics from 2013 ISE Performance Assessment Questionnaire, Scenario: Globalizing NIEM

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | Does your agency engage with industry Standards Development Organizations to further voluntary consensus standards? | A | N/A | N/A |
| Community | Does your agency have an authoritative council for standards development? | N/A | B | N/A |
| Process | Can members of your agency obtain public key infrastructure (PKI) certificates for ISE-related systems? | A | N/A | N/A |
| Process | How often does your agency reference 'mission segment architectures' (e.g. SAR) when implementing ISE mission business processes? | N/A | B | N/A |
| Technology | To what extent does your agency use PKI for ISE-related information and mission systems? | A | B | N/A |
| Technology | To what extent has your agency incorporated Common Information Sharing Technical Standards into your architectures? | N/A | B | N/A |
| Technology | To what level has access to terrorism information from ISE partners improved by utilizing their designated ISE Shared Space? | N/A | N/A | C |

Legend: A = Meets expectation of the ISE. B = Partially meets expectations of the ISE. C = Does not meet expectation of the ISE. N/A = The question is not applicable at this level of maturity.

SCENARIO #09: International Humanitarian Aid and Disaster Relief Coordination Efforts

Situation

It is common for multiple organizations, including U.S. and foreign government organizations, NGOs, and private relief organizations, to respond to the same humanitarian disaster recovery efforts around the globe. Success in coordinating efforts between all of these organizations is dependent upon efficiently sharing the right information with the right people in a format that allows them to act in time to do the most good. A natural disaster occurs in Foreign Country X and their government requests humanitarian aid and disaster relief from the international community.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Manual coordination of disaster relief efforts run through mobile MEU command with multiple international and NGOs | On the fly Community of Interest (COI) for coordination run through the MEU; manual access processes and coordination required for verification | Pre-built COI run through the local embassy with many responders pre-integrated |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

No related ISE-level metrics from 2013 ISE Performance Assessment.

Program-level Metrics, Scenario: Humanitarian Aid and Disaster Relief

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | % of involved groups relying on manual, point-to-point communications | A | Dec | Dec |
| Community | % of involved agencies that have individual event resolution plans | A | Inc | Inc |
| Process | # of responder conflict incidents | A | Dec | Dec |
| Process | # of deconfliction incidents required during humanitarian aid/disaster relief effort | A | Dec | Dec |
| Process | MEU medical and engineering team response time | N/A | A | Dec |
| Process | Community of Interest startup time | N/A | A | Dec |
| Process | Coordination level of effort (man-hours) | A | Dec | Dec |
| Technology | % of responders with verified identities during aid efforts | N/A | N/A | A |
| Technology | # of access problems within community of interest | N/A | A | Dec |

Legend: A = This metric is first applicable at this stage of maturity. Inc = This metric is expected to increase as maturity increases. Dec = This metric is supposed to decrease as maturity increases. N/A = This metric is not yet applicable at this level of maturity.

SCENARIO #10: Improving Public Health Response to Biological Threats with Increased Information to First Responders

Situation

In order to protect both first responders and safeguard the population during a terrorist threat, public health information and decisionmaking must be integrated into the incident response. Credible information of a terrorist threat against a bio-technology firm specializing in infectious disease research has been discovered by Federal Agency X.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Lack of cleared health personnel and non-uniform relationships between state justice and health groups require a high level of manual coordination | Policies and procedures in place to allow expedited sharing and integrate health response | Automated system access along with policy frameworks allow for quicker, integrated responses |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

No related ISE-level metrics from 2013 ISE Performance Assessment.

Program-level Metrics, Scenario: Public Health Response

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | % of state health agencies with cleared personnel | A | Inc | Inc |
| Community | % of state health and state justice agencies with jointly agreed-upon CONOPS for chemical/bio threat response | N/A | A | Inc |
| Community | % of state health agencies with access to federal information systems for chemical/bio threat intelligence sharing | N/A | A | Inc |
| Community | % of state health agencies with personnel having direct physical access to Fusion Centers | N/A | A | Inc |
| Community | % of state health agencies with system access at Fusion Centers | N/A | A | Inc |
| Process | Avg. Fusion Center threat notification time | A | Dec | Dec |
| Process | Avg. federal health agency notification time | A | Dec | Dec |
| Process | Avg. state health agency notification time | A | Dec | Dec |
| Process | % of relevant information that cannot be released to state health officials during response | N/A | A | Dec |

Legend: A = This metric is first applicable at this stage of maturity. Inc = This metric is expected to increase as maturity increases. Dec = This metric is supposed to decrease as maturity increases. N/A = This metric is not yet applicable at this level of maturity.

SCENARIO #11: Driving Enhanced Shared Situational Awareness for Cyber Threat Information Among Federal Partners and Fusion Centers

Situation

Cyberspace is a growing avenue for threats—including terrorism-related threats—to the national security of the United States. Media reports on the Stuxnet and Flame viruses have highlighted the capability of cyber-based attacks on critical infrastructure to result in physical damage. This and other nearly daily revelations have raised public concerns regarding the vulnerability of U.S. critical infrastructure. A key mitigation for these cyber-based threats is the ability to securely share sensitive and classified cyber threat and incident information quickly, using commonly understood terminology, among a broad constituency of federal and non-federal partners, while maintaining important privacy and civil liberties protections.

| Maturity Stage 1 (Now) | Maturity Stage 2 (2-3 Years) | Maturity Stage 3 (5-7 Years) |
|---|---|---|
| Human-speed, fractured sharing processes leave gaps in coverage and response | Expedited sharing between federal cyber centers as well as fusion centers drives enhanced decision-making ability | Standard cyber sharing processes in place with the ability for true federated common operational pictures among federal, state, and local partners |
| Community Awareness | Community Involvement | Community Integration |
| Process Exploration | Process Adoption | Process Harmonization & Compliance |
| Technology & Standards Awareness | Technology & Standards Exploration | Technology & Standards Integration |

Overall Assessment

No related ISE-level metrics from 2013 ISE Performance Assessment.

Program-level Metrics, Scenario: Cybersecurity Information Sharing

| Capability | Question | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| Community | % of physical CIKR facilities in Fusion Center area of responsibility (AOR) reporting and participating in cyber incident sharing | A | Inc | Inc |
| Process | % of fusion centers using Cyber Threat information standard to share information | A | Inc | Inc |
| Process | Avg. time to disseminate incident information from Fusion Centers to all relevant CIKR facilities in AOR | N/A | A | Dec |
| Process | % of involved agencies with formalized processes for sharing classified information | A | Inc | Inc |

Legend: A = This metric is first applicable at this stage of maturity. Inc = This metric is expected to increase as maturity increases. Dec = This metric is supposed to decrease as maturity increases. N/A = This metric is not yet applicable at this level of maturity.


Appendix C — ISE Investments

Partner agencies continue to make strategic information technology (IT) investments. Investment data captured via OMB's Exhibit 53 reporting provides a means to examine overall IT spending across the Federal Government as well as agency-level IT spending. It also provides visibility into IT investments aligned with strategic information sharing.

At the Federal Government level, IT spending aligned with one or more ISE priorities remained consistent with FY 2011 spending at approximately 14%. Figure C-1 depicts the percentage of IT budgets aligned with at least one of the ISE priorities, broken out by agency, and compares last year's and this year's ISE-aligned IT investments. The Department of Homeland Security (DHS), Department of Justice (DOJ), and the Department of Interior (DOI) are the agencies with the largest percentage of IT spending aligned with ISE priorities, which is also consistent with last year's reporting.

While this rank ordering remains nearly unchanged from last year's reporting, there are changes within individual agencies. For example, compared to last year, the Department of Defense (DoD) increased its ISE-aligned IT investment by 2.5%, DHS by 2.0%, and DOJ by 3.7%, representing the largest increase within an agency.


Figure C-1. Agency IT Portfolios Aligned to ISE Priority Areas (year to year comparison)

Similar to last year’s reporting, three quarters of IT investments aligned to ISE priority areas directly supported agency‐specific missions, indicating that agencies remain focused on supporting their respective mission objectives that further the value of information sharing and safeguarding. Figure C‐2 depicts this along with other allocations.


Figure C-2. ISE IT Investment Alignment to Parts of the Exhibit 53

The Exhibit 53 reporting allowed for an examination and analysis of federal IT spending alignment to the ISE priority areas focused around the primary lines of business (LOB) within the Federal Enterprise Architecture Business Reference Model (FEA BRM).

As highlighted in Figure C‐3 below, the FEA BRM IT Infrastructure Maintenance LOB accounted for over one‐third (35%) of IT investments. The analysis also showed significant primary mapping to other mission LOBs such as Access to Care (6%); Intelligence, Surveillance, and Reconnaissance (6%); Border and Transportation Security (6%); Criminal Investigation and Surveillance (5%); and, another health‐related LOB, Health Care Delivery Services (3%). Combined, the five health‐related LOBs comprised over 10% of total ISE priority‐related IT spending. Healthcare IT expenditures aligned to ISE‐related priorities are dominated by Health and Human Services (HHS) and the DoD and are mostly related to their efforts with electronic healthcare records systems and information systems supporting the delivery of care.


Figure C-3. ISE IT Investment Alignment – FEA Mapping

Through OMB's Exhibit 53, federal agencies continue to report on ISE-related IT spending, and the office of the PM-ISE analyzes it. Year-to-year comparisons provide insight into data consistency, evolving priorities, and overall trends. Going forward, PM-ISE will continue to work with OMB during subsequent reporting cycles to maintain data quality and data relevancy. PM-ISE will also continue to support innovative opportunities to further responsible information sharing and safeguarding.

Appendix D — Acronyms

ABAC - Attribute-Based Access Control

ACT-IAC - American Council for Technology — Industry Advisory Council

ADA - Air Domain Awareness

ADIIE - Air Domain Intelligence Integration Element

ADIS - Arrival Departure Information System

AEISS - Air Event Information Sharing Service

AFI - Analytic Framework for Intelligence

AHC - All Hazards Consortium

AKIAC - Alaska Information Analysis Center

APB - Advisory Policy Board (FBI)

ATS - Automated Targeting System

AWN - Alerts, Warnings, and Notifications

BAE - Backend Attribute Exchange

BCOT - Building Communities of Trust

BIA - Bureau of Indian Affairs

BJA - Bureau of Justice Assistance

BRIC - Boston Regional Intelligence Center

BSA - Bank Secrecy Act

BSA SAR - Bank Secrecy Act Suspicious Activity Report

CAC - Common Access Card

CBP - U.S. Customs and Border Protection (DHS)

CBRN - Chemical, Biological, Radiological, and Nuclear

CCD - Consular Consolidated Database

CDC - Cleared Defense Contractors or Centers for Disease Control and Prevention

CFIX - Central Florida Intelligence Exchange

CIKR - Critical Infrastructure and Key Resources

CICC - Criminal Intelligence Coordinating Council

CIO - Chief Information Officer

CIS - Citizenship and Immigration Services

CJIS - Criminal Justice Information Services (FBI)

CMS - Centers for Medicare and Medicaid Services

CNCI - Comprehensive National Cybersecurity Initiative

COC - Critical Operational Capabilities

CONOP - Concept of Operations

COP - Common Operating Picture

CPI - Crime Problem Indicator

CPSC - Consumer Product Safety Commission

CS/IA - Cybersecurity and Information Assurance

CSET - Cybersecurity Self-Evaluation Tool

CSP - Common Service Provider

CSS - Coastal Surveillance System

CT - Counterterrorism

CTAC - Commercial Targeting Analysis Center

CTAU - Cyber Threat Analysis Unit

CTCEU - Counterterrorism and Criminal Exploitation Unit (DHS ICE)

CTO - Chief Technology Officer

CTR - Currency Transaction Report

CUI - Controlled Unclassified Information

CYFS - Children, Youth, and Family Services

DAWG - Data Aggregation Working Group

DCMP - Domestic Common Maritime Picture

DEA - Drug Enforcement Administration

DECS - Defense Industrial Base (DIB) Enhanced Cybersecurity Services

DHS - Department of Homeland Security

DIB - Defense Industrial Base

DICE - De-confliction and Information Coordination Endeavor

DISA - Defense Information Systems Agency

DIVS - Data Integration and Visualization System (FBI)

DNDO - Domestic Nuclear Detection Office

DOC - Department of Commerce

DOD - Department of Defense

DODAF - Department of Defense Architecture Framework

DOE - Department of Energy

DOI - Department of the Interior

DOJ - Department of Justice

DOT - Department of Transportation

DSAC - Domestic Security Alliance Council

DSEA - Domestic Security Executive Academy

EA - Enterprise Architecture

ECS - Enhanced Cybersecurity Services

EO - Executive Order

EPA - Environmental Protection Agency

ESSA - Enhance Shared Situational Awareness

ESTA - Electronic System for Travel Authorization

FAA - Federal Aviation Administration

FACA - Federal Advisory Committee Act

FASS - Federated Attribute Sharing on the Secret Fabric

FAST - Field Analytic Support Task Force (DHS)

FBI - Federal Bureau of Investigation

FCCX - Federal Cloud Credential Exchange

FCPP - Fusion Center Performance Program (DHS)

FDA - Food and Drug Administration

FEAF - Federal Enterprise Architecture Framework

FICAM - Federal Identity, Credentialing and Access Management

FIG - Field Intelligence Group

FIPS - Federal Information Processing Standard

FISMA - Federal Information Security Management Act

FIWG - Federated Identity Working Group

FLO - Fusion Liaison Officer

FRAC - First Responder Authentication Credential

GAC - Global Advisory Committee

GADCOI - Global Air Domain Community of Interest

GAO - Government Accountability Office

GENC - Geopolitical Entities, Prescription Drug Monitoring Program (PDMP) Information Exchange

PMO - Program Management Office

PPD - Presidential Policy Directive

RFI - Request for Information

RFP - Request for Proposal

RISC - Repository for Individuals of Special Concern

RISS - Regional Information Sharing System

RISSafe - Regional Information Sharing System's Officer Safety De-confliction System

RISSNET - Regional Information Sharing Systems Network

RMAS - Regional Movement Alert System

RMS - Records Management System

RMT - RFI Management Tool

ROIC - Regional Operations and Intelligence Center

S&T - Science and Technology

SAFENet - Secure Automated Fast Event Tracking Network

SAR - Suspicious Activity Report(ing)

SARBAR - Suspicious Activity Report Batch Analysis Review

SBU - Sensitive But Unclassified

SCC - Standards Coordinating Council

SDFC - South Dakota Fusion Center

SDO - Standards Development Organization

SEOC - State Emergency Operations Center

SEVIS - Student Exchange and Visitor Information System

SEVP - Student and Exchange Visitor Program

SIG - Special Interest Group

SIPRNET - Secret Internet Protocol Router Network

SISSC - Senior Information Sharing and Safeguarding Steering Committee

SLPO - State and Local Program Office (DHS)

SLTT - State, Local, Tribal, and Territorial

SOA - Service Oriented Architecture

SPS - Single Point of Service

SSO - Simplified Sign-On

STAC - Southeastern Wisconsin Threat Analysis Center

STIX - Structured Threat Information eXpression

SWG - Standards Working Group

TASPO - Targeting and Analysis Systems Program Office (DHS CBP)

TDDB - Technology Development and Deployment Board (FBI)

TFC - Tennessee Fusion Center

TISW - Tribal Information Sharing Working Group

TLOA - Tribal Law and Order Act

TSA - Transportation Security Administration

TSC - Terrorist Screening Center

UCore - Universal Core (DoD)

UML - Unified Modeling Language

UMTT - Unified Message Task Team (IACP)

US-CERT - Cyber Emergency Response Team

USCG - United States Coast Guard

USNORTHCOM - United States Northern Command

USSS - United States Secret Service

VA - Department of Veterans Affairs

ViCAP - Violent Criminal Apprehension Program

VWP - Visa Waiver Program

WIS3 - Workshop on Information Sharing and Safeguarding Standards

WMD - Weapons of Mass Destruction

WSIN - Western States Information Network

XML - Extensible Markup Language

[64] The National Strategy employed an extensive gap analysis which resulted in the creation of 16 Priority Objectives required to implement the vision for the Strategy. These gaps will not be covered comprehensively in this analysis, but are discussed elsewhere in this Report.

[65] Statistical significance - at least 0.05.

[66] 75% of the questions in the 2013 Performance Assessment Questionnaire (PAQ) were constant from the 2012 questionnaire. The remaining 25% of questions were expanded to focus on newly identified gaps from the 2012 assessment and new mission areas identified through strategic planning by federal governance bodies. Publishing the 2012 National Strategy in December of 2012 allowed for the 2013 ISE Performance Assessment to be explicitly aligned to National Strategy goals and sub-goals, giving the ISE a clear strategic footing for monitoring progress.

[67] Further details can be found in the body of the report.

[68] It is unclear what caused the decline—one possible explanation is that specific incentives for information sharing are less likely to be awarded as information sharing and collaboration are gradually becoming key components of job functions, especially those jobs that require interagency collaboration. This supposition is supported by the increase in employee information sharing performance objectives and the fact that 71% of agencies, up from 62% last year, report that they offer mission-specific training that supports information sharing and collaboration. Although there is no supporting data, it is also possible that the current fiscal environment has made it necessary to cut back on monetary awards. Further analysis is being done to understand these results.

[69] IdAM solutions will continue to be a focus area until this gap is closed.

[70] I2F addresses GAO's High Risk List action item - GAO recommended establishing an enterprise architecture management capability to guide projects designed to further implement the ISE.

[71] Federal Cybersecurity Centers are: NSA/CSS Threat Operations Center (NTOC), DHS National Cybersecurity Communications and Integration Center (NCCIC), US-Cyber Emergency Response Team (US-CERT), National Cybersecurity Investigative Joint Task Force (NCI-JTF), Intelligence Community Incident Response Center (IC-IRC), USCYBERCOM Joint Operations Center (JOC).

[72] Federal Emergency Management Agency Quick Look Report National Level Exercise 2012, March 2013.

[73] Section 1016(d) of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) calls for the issuance of guidelines to protect privacy and civil liberties in the development and use of the "information sharing environment" (ISE).

[74] The development of these measures is a priority for the ISA IPC Privacy and Civil Liberties Subcommittee.

[75] "Improving the Performance of Info Sharing Programs: A Guide to Building Performance Test Scenarios," October 26, 2012; http://www.ise.gov/blog/adrienne-l-walker/improving-performance-info-sharing-programs-guide-building-performance-test