[Senate Report 115-380]
[From the U.S. Government Publishing Office]


                                                       Calendar No. 665
  
115th Congress }                                           {  Report
                                  SENATE
 2d Session    }                                           { 115-380
 
                                                             
_______________________________________________________________________

                                     

                                                       


       DEPARTMENT OF HOMELAND SECURITY DATA FRAMEWORK ACT OF 2018

                               __________

                              R E P O R T

                                 of the

                   COMMITTEE ON HOMELAND SECURITY AND

                          GOVERNMENTAL AFFAIRS

                          UNITED STATES SENATE

                              to accompany

                                S. 2397

            TO DIRECT THE SECRETARY OF HOMELAND SECURITY TO
            ESTABLISH A DATA FRAMEWORK TO PROVIDE ACCESS FOR
           APPROPRIATE PERSONNEL TO LAW ENFORCEMENT AND OTHER
         INFORMATION OF THE DEPARTMENT, AND FOR OTHER PURPOSES
         

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]


               November 26, 2018.--Ordered to be printed
               
               
                               _________ 
                                  
               U.S. GOVERNMENT PUBLISHING OFFICE
 89-010                WASHINGTON : 2018                     
 
               
               
        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                    RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona                 CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio                    THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky                  HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma             GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming             MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota            KAMALA D. HARRIS, California
STEVE DAINES, Montana                DOUG JONES, Alabama

                  Christopher R. Hixon, Staff Director
                Gabrielle D'Adamo Singer, Chief Counsel
          Michelle D. Woods, Senior Professional Staff Member
               Margaret E. Daum, Minority Staff Director
       Charles A. Moskowitz, Minority Senior Legislative Counsel
                 Subhasri Ramanathan, Minority Counsel
                     Laura W. Kilbride, Chief Clerk
                     
                     
                     
                     
                     


                                                       Calendar No. 665
                                                       
115th Congress    }                                         {   Report
                                  SENATE
 2d Session       }                                         {  115-380
 
======================================================================



 
       DEPARTMENT OF HOMELAND SECURITY DATA FRAMEWORK ACT OF 2018

                                _______
                                

               November 26, 2018.--Ordered to be printed

                                _______
                                

 Mr. Johnson, from the Committee on Homeland Security and Governmental 
                    Affairs, submitted the following

                              R E P O R T

                         [To accompany S. 2397]

      [Including cost estimate of the Congressional Budget Office]

    The Committee on Homeland Security and Governmental 
Affairs, to which was referred the bill (S. 2397) to direct the 
Secretary of Homeland Security to establish a data framework to 
provide access for appropriate personnel to law enforcement and 
other information of the Department, and for other purposes, 
having considered the same, reports favorably thereon with an 
amendment (in the nature of a substitute) and recommends that 
the bill, as amended, do pass.

                                CONTENTS

                                                                   Page
  I. Purpose and Summary..............................................1
 II. Background and the Need for Legislation..........................2
III. Legislative History..............................................5
 IV. Section-by-Section Analysis......................................5
  V. Evaluation of Regulatory Impact..................................6
 VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............7

                         I. PURPOSE AND SUMMARY

    The purpose of S. 2397, the Department of Homeland Security 
Data Framework Act of 2018, is to direct the Secretary of 
Homeland Security to establish, within two years of enactment, 
a data framework to integrate existing Department of Homeland 
Security (DHS or the Department) data and systems to provide 
real-time access to travel and immigration data for appropriate 
personnel. It specifies types of data that must be included and 
requires the data framework to be accessible to Department 
employees with appropriate clearance, duties, and training. It 
allows the Secretary of Homeland Security to exclude data from 
the framework in cases where investigations or sources could be 
compromised. It requires auditing and security mechanisms for 
safeguarding the data framework.

              II. BACKGROUND AND THE NEED FOR LEGISLATION

    S. 2397 authorizes an existing program and requires a 
deadline for completion. The DHS data framework program has 
existed since November 2013, when a pilot phase began.\1\ It 
has been operating since August 2014, when the Department began 
limited and controlled trials.\2\ Integrating the different 
Department of Homeland Security (DHS) datasets is critical to 
efficient and effective operations. By requiring DHS to 
complete the development of the data framework within two years 
of the enactment of this Act, the Department will streamline 
information sharing while ensuring compliance and safeguarding 
of data. For instance, rather than querying 17 systems owned by 
six different DHS components, an agent interested in real-time 
information about a person who may represent a threat to border 
security will be able to query the framework system as a single 
point of reference.
---------------------------------------------------------------------------
    \1\Dep't of Homeland Sec., Privacy Impact Assessment Update for the 
DHS Data Framework at 2 (Feb. 27, 2015), available at https://
www.dhs.gov/sites/default/files/publications/privacy-pia-046b-dhs-data-
framework-20150227.pdf.
    \2\Id.
---------------------------------------------------------------------------
    The Department owns around 900 production databases 
containing organized collections of information and data 
supporting DHS missions.\3\ The Department's immigration and 
traveler screening programs are consist of over 320 systems, 
from which the Intelligence Community (IC) identified 
approximately 40 that are high-value.\4\
---------------------------------------------------------------------------
    \3\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
    \4\Id.
---------------------------------------------------------------------------
    The magnitude of a department-wide data integration system 
requires a phased and prioritized approach. Of the 40 high-
value datasets, the Homeland Security Intelligence Council 
(HSIC) considers 20 systems owned by six components to be the 
most important, including: six datasets owned by United States 
Customs and Border Protection (CBP); five owned by the United 
States Citizenship and Immigration Services (USCIS); four owned 
by the Transportation Security Administration (TSA); three 
owned by the Immigration and Customs Enforcement (ICE); one 
owned by the United States Coast Guard (USCG); and one owned by 
the National Protection and Programs Directorate (NPPD).\5\
---------------------------------------------------------------------------
    \5\Id. The CBP datasets HSIC considers most important are: the 
Advance Passenger Information System (APIS); the Automated Commercial 
Environment (ACE); Border Crossing Information (BCI); the Electronic 
System for Travel Authorization (ESTA); the Form I-94; and the 
Passenger Name Record (PNR) The USCIS datasets HSIC considers most 
important are: the Central Index System (CIS); the CLAIMS 3; the CLAIMS 
4; the Refugee, Asylum, and Parole System (RAPS); and the Section 1367 
Data Extracted from the Central Index System. The TSA datasets HSIC 
considers most important are: Aviation Worker Data; General Aviation 
Data; the Alien Flight Student Program (AFSP); and the Secure Flight 
Confirmed Matches Data. The ICE datasets HSIC considers most important 
are: the Enforcement Integrated Database (EID); the TECS Secondary 
Inspection; and the Student Exchange Visitor Information System 
(SEVIS). The USCG dataset HSIC considers most important is the Ship 
Arrival Notification System (SANS). The NPPD dataset is the Automated 
Biometric Identification System (IDENT) Asylum Data.
---------------------------------------------------------------------------
    The data framework can grow to include more datasets as it 
expands the scope of its mission support. An initial 
operational capability phase began in April 2015 and DHS 
planned to add data, users, and capabilities in controlled 
trials.\6\ A 2015 DHS Privacy Impact Assessment Update 
projected that three to five datasets would be ingested into 
the framework each year, working up to a total of 20 to 24 
added over several years.\7\ It specified that use of the 
framework ``will remain limited to counterterrorism, border 
security, and immigration.''\8\ The update expanded users of 
the framework to include the intelligence offices of the 
following components: CBP; ICE; USCIS; USCG; TSA; the United 
States Secret Service; and the Federal Emergency Management 
Agency.\9\ An additional 17 DHS datasets were approved for 
inclusion in this initial operational capability phase as of 
October 11, 2016.\10\ This did not include all 20 datasets 
identified by HSIC as the most important high-value DHS 
datasets.
---------------------------------------------------------------------------
    \6\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report 
to Congress at 55 (2017), available at https://www.dhs.gov/sites/
default/files/publications/2016%20Data%20Mining%20 Report%20FINAL.pdf.
    \7\Dep't of Homeland Sec., Privacy Impact Assessment Update for the 
DHS Data Framework, supra note 1, at 2.
    \8\Id. at 6.
    \9\Id. at 7. The 17 systems were: ESTA; AFSP; SEVIS; APIS; Form I-
94; PNR; Section 1367; RAPS; SANS; BCI; IDENT; Aviation Worker Data; 
Airspace Waivers and Flight Authorizations for Certain Aviation 
Operations (including DCA) Data; Maryland-Three (MD-3) Airports Data; 
Private Charter and Twelve Five Program Data; Secure Flight Confirmed 
Matches Data; and Bill of Lading.
    \10\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report 
to Congress, supra note 6, at 59-60.
---------------------------------------------------------------------------
    Different rules govern how each dataset can be handled, 
stored, and shared. As the framework ingests datasets, the 
Department individually curates each dataset to ensure quality 
and automate policy compliance as well as appropriate privacy 
and civil rights and civil liberties protections.\11\
---------------------------------------------------------------------------
    \11\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
---------------------------------------------------------------------------
    The Department has faced a number of challenges with the 
implementation of the data framework. A 2017 DHS Office of 
Inspector General report recorded that nine data systems had 
been ingested into the framework and projected that 20 datasets 
would be included in the framework by the end of the 2017 
fiscal year.\12\ However, a ``massive data quality and data 
retention effort'' and ``an overhaul of the unclassified 
portion of the system enabling high-speed data sharing,'' both 
undertaken in 2017, led DHS to purge all datasets from the 
framework and start over.\13\
---------------------------------------------------------------------------
    \12\Office of Inspector Gen., Dep't of Homeland Sec., Improvements 
Needed to Promote DHS Progress toward Accomplishing Enterprise-wide 
Data Goals at 7 (2017), available at https://www.oig.dhs.gov/sites/
default/files/assets/2017/OIG-17-101-Aug17.pdf.
    \13\Email from DHS Data Framework Technical Manager to Sen. Johnson 
staff (June 12, 2018).
---------------------------------------------------------------------------
    In the fall of 2017, IC partners with access to the 
framework requested improvements to the refresh rate of the 
data in the system.\14\ ``The technical infrastructure needed 
to be upgraded as it was built using technology from the 
original pilot and could not reliably support operational use, 
nor could it meet the throughput demands of the 
customers.''\15\ All data was purged from the data framework 
while the Department made technical improvements and addressed 
compliance and security concerns.\16\ The framework has since 
been upgraded to address those issues.\17\
---------------------------------------------------------------------------
    \14\Id.
    \15\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
    \16\Id.; Email from DHS Data Framework Director to S. Comm. on 
Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
    \17\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 18, 2018).
---------------------------------------------------------------------------
    When upgrades were complete, the Department prioritized re-
ingesting CBP datasets that ``would close a national security 
gap for the National Targeting Center.''\18\ According to the 
DHS Data Framework Director, as of June 2018, ``the data 
framework pulls over 1.3 billion records from four CBP systems 
to support internal and external mission partners.''\19\
---------------------------------------------------------------------------
    \18\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
    \19\Id.
---------------------------------------------------------------------------
    The datasets appropriately curated and currently 
operational in the data framework include: the Advance 
Passenger Information System (APIS); the Electronic System for 
Travel Authorization (ESTA); Form I-94; and the Passenger Name 
Record (PNR).\20\ The APIS includes flight manifest data on 
passengers and crew and provides about 300 million records to 
the framework.\21\ The ESTA allows Visa Waiver Program 
travelers authorization to enter the United States and provides 
about 40 million records to the framework.\22\ The Form I-94, 
which records all arrival and departure data of non-immigrant 
visitors to the United States, provides about 750 million 
records to the framework.\23\ The PNR data includes more travel 
information about passengers flying to, from, or through the 
United States and provides about 250 million records to the 
framework.\24\
---------------------------------------------------------------------------
    \20\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 18, 2018).
    \21\DHS/CBP/PIA-001(g)--Advance Passenger Information System 
(APIS), Dep't of Homeland Sec., https://www.dhs.gov/publication/
advanced-passenger-information-system-apis-update-national-
counterterrorism-center-nctc; see also Email from DHS Data Framework 
Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 
2018).
    \22\DHS-CBP-PIA-007 Electronic System for Travel Authorization, 
Dep't of Homeland Sec., https://www.dhs.gov/publication/electronic-
system-travel-authorization; see also Email from DHS Data Framework 
Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 
2018).
    \23\DHS/CBP/PIA-016 I-94 Website Application, Dep't of Homeland 
Sec., https://www.dhs.gov/publication/us-customs-and-border-protection-
form-i-94-automation; see also Email from DHS Data Framework Director 
to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
    \24\Dep't of Homeland Sec., Agreement between the United States of 
America and the European Union on the Use and Transfer of Passenger 
Name Record to the United States Department of Homeland Security, 
available at http://www.dhs.gov/sites/default/files/publications/
privacy/Reports/dhsprivacy_PNR%20Agreement_12_14_2011.pdf; Privacy 
Impact Assessments, Dep't of Homeland Sec., http://www.dhs.gov/privacy-
impact-assessments; Privacy Act of 1974: U.S. Customs and Border 
Protection, 77 Fed. Reg. 30,297, available at https://www.gpo.gov/
fdsys/pkg/FR-2012-05-22/html/2012-12396.htm; see also Email from DHS 
Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs 
Staff (June 18, 2018).
---------------------------------------------------------------------------
    The Department is in the process of ingesting the TSA 
Secure Flight Match dataset into the framework.\25\ The Secure 
Flight Program matches the Terrorist Screening Database 
watchlist against the information of passengers flying to, 
from, or through the United States.\26\
---------------------------------------------------------------------------
    \25\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
    \26\TSA Secure Flight Program: Hearing Before the Subcomm. on 
Transp. Sec. of the H. Comm. on Homeland Sec., 113th Cong., (Sept. 18, 
2014), (statement of Steve Sadler, Assistant Admin., TSA), available at 
https://www.tsa.gov/news/testimony/2014/09/18/tsa-secure-flight-
program.
---------------------------------------------------------------------------
    Current users of the framework include the DHS Office of 
Intelligence and Analysis, CBP, the TSA, and classified IC 
partners.\27\ There are plans to add DHS Counterintelligence 
and Countering Insider Threat users.\28\
---------------------------------------------------------------------------
    \27\Email from DHS Data Framework Director to S. Comm. on Homeland 
Sec. & Gov't Affairs Staff (June 19, 2018).
    \28\Id.
---------------------------------------------------------------------------
    The Department is able to better integrate analysis now 
that the data framework transfers unclassified information at 
high-speed to classified networks. A DHS June 2018 update on 
the progress of the Data Framework Program asserts that the 
framework ``since February 2018 has provided data from an 
unclassified CBP system, up to a classified network, and out to 
an IC partner an average of every hour.''\29\ The same update 
says that this capability ``has led to multiple findings and at 
least one `operational action''' in support of the DHS 
partnership with the IC to combat the Syrian foreign fighter 
threat.\30\
---------------------------------------------------------------------------
    \29\Email from DHS Data Framework Technical Manager to Sen. Johnson 
Staff (June 12, 2018).
    \30\Id.
---------------------------------------------------------------------------
    This is an important program that creates efficiency in 
support of several core missions of the Department. 
Specifically, this Act establishes requirements for the use of 
the data framework by DHS employees, excludes the inclusion of 
information that may compromise criminal investigations, and 
include privacy and civil rights protections. In addition, 
implementation of the data framework is required to be 
completed within two years of the enactment of this Act. The 
Act also requires DHS to provide regular updates on the status 
of the implementation of the framework. By requiring DHS to 
ensure the data framework is able to include DHS information 
that supports critical mission operations, this legislation 
will allow DHS and its partners to better share information in 
a timely and efficient manner.

                        III. LEGISLATIVE HISTORY

    Senator Margaret Wood Hassan (D-NH) introduced S. 2397 on 
February 7, 2018. The bill was referred to the Committee on 
Homeland Security and Governmental Affairs.
    The Committee considered S. 2397 at a business meeting on 
June 13, 2018. Senator Hassan offered a substitute amendment 
that added a requirement that DHS should describe how the data 
framework was used to disrupt terrorist activities in any 
annual homeland security threat assessment. The Committee 
adopted the amendment and ordered the bill, as amended, 
reported favorably, both by voice vote. Senators present for 
both the vote on the amendment and the vote on the underlying 
bill were: Johnson, Portman, Lankford, Enzi, McCaskill, Carper, 
Peters, Hassan, Harris, and Jones.

        IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

    This section provides the bill's short title, the 
``Department of Homeland Security Data Framework Act of 2018.''

Section 2. Department of Homeland Security data framework

    This section requires the Secretary to develop a framework 
to integrate DHS datasets and systems to streamline authorized 
access and appropriate safeguards.
    Subsection (a) establishes the requirements for inclusion 
of DHS datasets including homeland security information, 
terrorism information, weapons of mass destruction information, 
and national intelligence information. It also requires the 
inclusion of data relevant to priority mission needs of the 
Department.
    Subsection (b) governs use of the framework by Department 
employees. It establishes that DHS employees with access to the 
data framework have appropriate clearances, have duties that 
require such access, and are trained to safeguard the data in 
the framework. It requires the Secretary to provide DHS 
employees with access to the framework with guidance that 
emphasizes that access to the framework entails a duty to share 
with other offices and components of the Department. It also 
requires the Secretary to promulgate data standards that 
require components to share what information they are able in 
machine-readable format.
    Subsection (c) allows the Secretary to exclude data from 
the framework in cases where inclusion may compromise 
investigations or sources, be inconsistent with the law, or be 
duplicative.
    Subsection (d) requires auditing and security mechanisms 
for safeguarding the data framework including from insider 
threats, other security risks, or exploitation that disregards 
appropriate privacy or civil rights and civil liberties 
protections.
    Subsection (e) requires a deadline for implementation of 
the data framework at two years from enactment. At the 
deadline, the framework is required to be able to include DHS 
data required to support the Department's critical mission 
operations.
    Subsection (f) requires the Secretary to regularly update 
Congress on the status of the data framework and notify 
Congress when the framework is fully operational.
    Subsection (g) defines ``appropriate congressional 
committee,'' ``homeland,'' ``homeland security information,'' 
``national intelligence,'' and ``terrorism information.''

                   V. EVALUATION OF REGULATORY IMPACT

    Pursuant to the requirements of paragraph 11(b) of rule 
XXVI of the Standing Rules of the Senate, the Committee has 
considered the regulatory impact of this bill and determined 
that the bill will have no regulatory impact within the meaning 
of the rules. The Committee agrees with the Congressional 
Budget Office's statement that the bill contains no 
intergovernmental or private-sector mandates as defined in the 
Unfunded Mandates Reform Act (UMRA) and would impose no costs 
on state, local, or tribal governments.

             VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

                                                     June 28, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S. 
        Senate, Washington, DC.
    Dear Mr. Chairman: The Congressional Budget Office has 
prepared the enclosed cost estimate for S. 2397, the Department 
of Homeland Security Data Framework Act of 2018.
    If you wish further details on this estimate, we will be 
pleased to provide them. The CBO staff contact is Mark 
Grabowicz.
            Sincerely,
                                                Keith Hall,
                                                          Director.
    Enclosure.

S. 2397--Department of Homeland Security Data Framework Act of 2018

    S. 2397 would require the Department of Homeland Security 
(DHS) to integrate its datasets and information systems to 
facilitate access to these systems by authorized personnel. DHS 
is currently carrying out activities similar to those that 
would be required by the bill; thus, CBO estimates that 
implementing S. 2397 would have no significant effect on DHS 
spending.
    Enacting S. 2397 would not affect direct spending or 
revenues; therefore, pay-as-you-go procedures do not apply.
    CBO estimates that enacting S. 2397 would not increase net 
direct spending or on-budget deficits in any of the four 
consecutive 10-year periods beginning in 2029.
    S. 2397 contains no intergovernmental or private-sector 
mandates as defined in the Unfunded Mandates Reform Act.
    The CBO staff contact for this estimate is Mark Grabowicz. 
The estimate was reviewed by Theresa Gullo, Assistant Director 
for Budget Analysis.

       VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

    Because this legislation would not repeal or amend any 
provision of current law, it would make no changes in existing 
law within the meaning of clauses (a) and (b) of paragraph 12 
of rule XXVI of the Standing Rules of the Senate.