Homeland Security: Office of Intelligence and Analysis Should Improve Privacy Oversight and Assessment of Its Effectiveness
Fast Facts
The DHS Office of Intelligence and Analysis collects and shares homeland security data with its partners in law enforcement, the intelligence community, and the private sector. While doing so, it's important to protect U.S. citizens and residents' rights and privacy.
But the office hasn't done some required audits that would ensure that its personnel are following policies to protect these rights. For example, auditing the information systems that contain sensitive data would tell the office whether the personnel who accessed them had the appropriate clearance and permissions.
Our recommendations address this and other issues we found.
Highlights
What GAO Found
GAO found that the Department of Homeland Security (DHS) Office of Intelligence and Analysis collected input from its mission centers and partners to prioritize threats and guide intelligence production during fiscal years 2019 to 2022. Specifically, the office (1) integrated Intelligence Community priorities into a single framework; (2) coordinated with DHS intelligence components to prioritize threats identified in that framework; and (3) solicited input from state, local, and other partners to refine priorities and inform product development.
GAO also found that the Office of Intelligence and Analysis is not fully implementing activities intended to monitor whether personnel are following its policies to protect the privacy, civil rights, and civil liberties of U.S. persons, including U.S. citizens and lawful permanent residents. For example, the office has not conducted two required monitoring activities: audits of information systems and audits of bulk data.
Audits Required by the Intelligence Oversight Guidelines
aBulk data are large quantities of data acquired without the use of discriminants (e.g., specific identifiers or search terms), most of which does not have intelligence value.
The office has not identified who is responsible for conducting these audits. By doing so, and by ensuring that relevant staff conduct these audits, the office will be better positioned to address any failures to protect privacy, civil rights, and civil liberties within its information systems and bulk data transfers.
The Office of Intelligence and Analysis tracks 13 performance measures, but it lacks information about its effectiveness because the performance measures do not clearly align with its strategic goals. For example, the office does not have a performance measure relating to its strategic goal of protecting privacy and civil liberties or of promoting technological innovation. Developing performance measures that clearly align with its strategic goals would give leadership information about the office's overall effectiveness.
In addition, officials said the office intends to use data from questionnaires attached to its intelligence products to better understand its customer interests. However, the office has not assessed whether these data are fulfilling its intent. By conducting such an assessment, the office may be better positioned to produce intelligence that aligns with the interests and needs of its customers.
Why GAO Did This Study
The DHS Office of Intelligence and Analysis provides information to DHS components and other partners to identify and mitigate threats to homeland security. Because such reporting can involve information about U.S. persons, the office issued Intelligence Oversight Guidelines that identify safeguards to protect privacy, civil rights, and civil liberties.
GAO was asked to review how the office sets priorities; protects privacy, civil rights, and civil liberties; and assesses its effectiveness. This report examines (1) how the office prioritizes threats, (2) the extent to which it monitors implementation of its Intelligence Oversight Guidelines, and (3) the extent to which it assesses its effectiveness.
GAO assessed the office's monitoring activities against its guidelines, reviewed performance information, and interviewed officials and a nongeneralizable selection of partners. This included eight DHS intelligence components, seven state and local agencies, and three private-sector partners, selected on the basis of geographic location and other factors.
Recommendations
GAO is making nine recommendations, including that the Office of Intelligence and Analysis (1) identify who is responsible for conducting audits of information systems and bulk data and ensure these audits are conducted, (2) develop performance measures that clearly align with strategic goals, and (3) assess the extent to which customer feedback data improve its understanding of customers' interests. The Department of Homeland Security agreed with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should ensure that I&A's intelligence oversight branch documents the reviews it conducts to verify I&A personnel's compliance with I&A's guidelines for protecting privacy, civil rights, and civil liberties. (Recommendation 1) |
We were not able to confirm that I&A completed periodic compliance reviews (document reviews and other checks to verify personnel's compliance with the Intelligence Oversight Guidelines) between January 2017 and September 2022 because I&A officials did not document all the compliance reviews they said they completed. The agency concurred with this recommendation and said it planned to address it by developing a standard operating procedure that directs oversight personnel to document their compliance reviews. As of July 2024, I&A was in the process of drafting this procedure and estimated completing it by December 2024. This recommendation will remain open pending receipt of evidence that I&A has documented its compliance reviews.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should establish a goal for the number of compliance reviews that I&A's intelligence oversight branch is to conduct during a given period to verify personnel's compliance with I&A's guidelines for protecting privacy, civil rights, and civil liberties. (Recommendation 2) |
To help ensure that I&A conducts compliance reviews periodically, as required by its Intelligence Oversight Guidelines, I&A officials told us in 2023 that I&A planned to establish a goal for the number of compliance reviews to be completed in a given period. However, I&A had not determined key details for the goal, such as the number and type of compliance reviews to be completed. The agency concurred with this recommendation and, as of July 2024, was in the process of finalizing a performance plan for the Intelligence Oversight Officer that sets a goal of completing six preliminary inquiries or compliance reviews during fiscal year 2024. I&A also plans to include this goal in its forthcoming standard operating procedure for compliance reviews. This recommendation will remain open pending receipt of the performance plan or standard operating procedure, which I&A estimates completing by December 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should assess the intelligence oversight branch's performance against its goal for compliance reviews, including identifying any factors preventing it from meeting this goal and any needed corrective actions. (Recommendation 3) |
To help ensure that I&A conducts compliance reviews periodically, as required by its Intelligence Oversight Guidelines, I&A officials told us in 2023 that I&A planned to establish a goal for the number of compliance reviews to be completed in a given period. Once program goals have been established, our work indicates that agencies should assess a program's performance against its goals, and should use the resulting information to detect problems, identify the causes of those problems, and implement corrective actions. The agency concurred with this recommendation and as of July 2024, planned to finalize a goal for compliance reviews by December 2024 and assess the intelligence oversight branch's performance against this goal. This recommendation will remain open pending the receipt of evidence that this assessment was conducted.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should establish time frames for completing I&A's standard operating procedure for conducting preliminary inquiries and should finalize this procedure according to these time frames. (Recommendation 4) |
The agency concurred with this recommendation, and in August 2023, it said it planned to issue a standard operating procedure for preliminary inquiries in October 2023. In February 2024, I&A sent GAO its completed standard operating procedure for conducting preliminary inquiries, and the recommendation is closed as implemented.
|
| Office of Intelligence and Analysis |
Priority Rec.
The Under Secretary for Intelligence and Analysis should identify who is responsible for conducting the audits of information systems and bulk data described in I&A's Intelligence Oversight Guidelines, and to whom the results of these audits should be reported. (Recommendation 5) |
We found in 2023 that I&A had not conducted two monitoring activities called for in its Intelligence Oversight Guidelines-audits of information systems and audits of bulk data-because it had not identified who was responsible for conducting these audits. The agency concurred with this recommendation, and in July 2024, said it would develop a standard operating procedure and/or a memo that would identify the entities responsible for conducting these audits and to whom the results should be reported. This recommendation will remain open pending the receipt of this procedure or memo, which I&A estimated completing by December 2024.
|
| Office of Intelligence and Analysis |
Priority Rec.
The Under Secretary for Intelligence and Analysis should ensure that the responsible entities conduct audits of information systems and bulk data, as described in I&A's Intelligence Oversight Guidelines. (Recommendation 6) |
We found in 2023 that I&A had not conducted two monitoring activities called for in its Intelligence Oversight Guidelines-audits of information systems and audits of bulk data. The agency concurred with this recommendation, and in August 2023, said it would assess the performance of the entities responsible for these audits. This recommendation will remain open pending receipt of evidence that these audits were conducted.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should develop performance measures for I&A that clearly align with and assess progress toward its strategic goals. (Recommendation 7) |
We found in 2023 that I&A's performance measures generally did not align with its strategic goals, hindering the agency's ability to assess progress toward those goals. The agency concurred with this recommendation. In July 2024, I&A reported that it had reviewed its performance measures and subsequently proposed adjustments to these measures added new measures that align with its fiscal year 2020-2024 strategic plan. I&A reported that it will continue to align performance measures with strategic goals as it develops its fiscal year 2025-2029 strategic plan, which it anticipates completing in December 2024. This recommendation will remain open pending evidence that I&A's performance measures align with its strategic goals.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should develop and implement a process to submit the statutorily required annual report related to customer feedback on intelligence products to relevant congressional committees. (Recommendation 8) |
We found in 2023 that I&A had not produced or submitted to Congress required reports on the feedback it collects from customers since 2017 because it was not aware of this reporting requirement. The agency concurred with this recommendation and in March 2024, I&A provided us the report with customer feedback for fiscal year 2023. I&A submitted this report to Congress on March 27, 2024. In July 2024, I&A said it was drafting a memo to ensure that this reporting requirement would be carried out annually. This recommendation will remain open pending receipt of this memo, which I&A estimated it would complete by December 2024.
|
| Office of Intelligence and Analysis | The Under Secretary for Intelligence and Analysis should assess the extent to which customer feedback data meet its need to understand its customers' interests and, if necessary, take steps to collect more appropriate data. (Recommendation 9) |
We found in 2023 that the feedback I&A received from its customers may not have fully reflected I&A's customers' interests. For example, I&A's customer feedback forms contained questions only about the specific product to which the form was attached; they did not contain questions about customers' interests or needs. We also found that I&A had not assessed whether the feedback it was collecting from its customers was improving its understanding of customers' interests. The agency concurred with this recommendation. In March 2024, I&A provided updated feedback forms that included a question about customers' information needs. I&A also provided a report to us in March 2024 that summarized customer feedback received during fiscal year 2023. It also stated that I&A established a Feedback Branch in fiscal year 2024 to increase its efforts to understand customers' needs and to address a recent decline in customer feedback volume. In July 2024, I&A officials told us that the agency was in the process of hiring and onboarding the personnel within this branch who would be able to initiate new strategies to enhance I&A's understanding of its customers' needs and increase customer feedback response rates. This recommendation will remain open pending receipt of evidence that I&A has taken these steps to enhance its understanding of its customers' needs.
|