[Infowarrior] - GAO on USG info-sharing of SBU material

[Richard Forno]

http://www.gao.gov/cgi-bin/getrpt?GAO-06-385

More than 4 years after September 11, the nation still lacks governmentwide
policies and processes to help agencies integrate the myriad of ongoing
efforts, including the agency initiatives we identified, to improve the
sharing of terrorism-related information that is critical to protecting our
homeland. Responsibility for creating these policies and processes shifted
initially from the White House to the Office of Management and Budget (OMB),
and then to the Department of Homeland Security, but none has yet completed
the task. Subsequently, the Intelligence Reform Act called for creation of
an Information Sharing Environment, including governing policies and
processes for sharing, and a program manager to oversee its development. In
December 2005, the President clarified the roles and responsibilities of the
program manager, now under the Director of National Intelligence, as well as
the new Information Sharing Council and the other agencies in support of
creating an Information Sharing Environment by December 2006. At the time of
our review, the program manager was in the early stages of addressing this
mandate. He issued an interim implementation report with specified tasks and
milestones to Congress in January 2006, but soon after announced his
resignation. This latest attempt to establish an overall information-
sharing road map under the Director of National Intelligence, if it is to
succeed once a new manager is appointed, will require the Director¹s
continued vigilance in monitoring progress toward meeting key milestones,
identifying any barriers to achieving them, and recommending any necessary
changes to the oversight committees.

The agencies that GAO reviewed are using 56 different sensitive but
unclassified designations (16 of which belong to one agency) to protect
information that they deem critical to their missions‹for example, sensitive
law or drug enforcement information or controlled nuclear information. For
most designations there are no governmentwide policies or procedures that
describe the basis on which an agency should assign a given designation and
ensure that it will be used consistently from one agency to another. Without
such policies, each agency determines what designations and associated
policies to apply to the sensitive information it develops or shares. More
than half the agencies reported challenges in sharing such information.
Finally, most of the agencies GAO reviewed have no policies for determining
who and how many employees should have authority to make sensitive but
unclassified designations, providing them training on how to make these
designations, or performing periodic reviews to determine how well their
practices are working. The lack of such recommended internal controls
increases the risk that the designations will be misapplied. This could
result in either unnecessarily restricting materials that could be shared or
inadvertently releasing materials that should be restricted.

http://www.gao.gov/cgi-bin/getrpt?GAO-06-385