Homeland Security Advisory System: Preliminary Observations	 
Regarding Threat Level Increases from Yellow to Orange		 
(26-FEB-04, GAO-04-453R).					 
                                                                 
Established in March 2002, the Homeland Security Advisory System 
was designed to disseminate information regarding the risk of	 
terrorist acts to federal, state, and local government agencies  
and the public. However, this system generated concern among	 
federal, state, and local government agencies regarding whether  
they are receiving the necessary information to respond 	 
appropriately to heightened alerts and about the amount of	 
additional costs protective measures entail. Congress requested  
that we review (1) the operations of the Homeland Security	 
Advisory System, including the decision making process for	 
changing the national threat level, notifications to federal,	 
state, and local government agencies of changes in the threat	 
level, and ongoing revisions to the system; (2) guidance and	 
information that federal, state, and local government agencies	 
reportedly used to determine any protective measures to implement
when the threat level is raised to high--or code-orange--alert;  
(3) any protective measures these agencies implemented during	 
code-orange alert periods; (4) any additional costs these	 
agencies reported incurring to implement such measures; and (5)  
any threat advisory systems that federal, state, or local	 
government agencies had in place before the creation of the	 
Homeland Security Advisory System.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-453R					        
    ACCNO:   A09398						        
  TITLE:     Homeland Security Advisory System: Preliminary	      
Observations Regarding Threat Level Increases from Yellow to	 
Orange								 
     DATE:   02/26/2004 
  SUBJECT:   Counterterrorism					 
	     Emergency preparedness				 
	     National preparedness				 
	     Terrorism						 
	     Decision making					 
	     Government information dissemination		 
	     Cost analysis					 
	     Intergovernmental relations			 
	     Homeland security					 
	     Homeland Security Advisory System			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-453R

United States General Accounting Office Washington, DC 20548

February 26, 2004

The Honorable Christopher Cox
Chairman
The Honorable Jim Turner
Ranking Minority Member
House Select Committee on Homeland Security
House of Representatives

Subject: Homeland Security Advisory System: Preliminary Observations
Regarding Threat Level Increases from Yellow to Orange

Established in March 2002, the Homeland Security Advisory System was
designed to disseminate information regarding the risk of terrorist acts
to federal, state, and local government agencies and the public. However,
this system generated concern among federal, state, and local government
agencies regarding whether they are receiving the necessary information to
respond appropriately to heightened alerts and about the amount of
additional costs protective measures entail.

You requested that we review (1) the operations of the Homeland Security
Advisory System, including the decision making process for changing the
national threat level, notifications to federal, state, and local
government agencies of changes in the threat level, and ongoing revisions
to the system; (2) guidance and information that federal, state, and local
government agencies reportedly used to determine any protective measures
to implement when the threat level is raised to high-or code-orange-
alert; (3) any protective measures these agencies implemented during
code-orange alert periods; (4) any additional costs these agencies
reported incurring to implement such measures; and (5) any threat advisory
systems that federal, state, or local government agencies had in place
before the creation of the Homeland Security Advisory System.

This report summarizes our preliminary observations on each of these
objectives. The code-orange alert periods covered in this preliminary
report and our ongoing work are March 17 to April 16, 2003; May 20 to 30,
2003; and December 21, 2003, to January 9, 2004.

The preliminary observations in this report are based on information
obtained as of February 9, 2004. This includes responses from 15 of the 28
federal agencies to which we sent a questionnaire regarding the Homeland
Security Advisory System and codeorange alert periods, and information
from 8 federal agencies, four states, the District

of Columbia,1 and nine local governments that we contacted during the
design of our methodology. We selected the 8 federal agencies using
agencies' reports to the Office of Management and Budget on the amount of
homeland security funding they received for fiscal year 2003.2 Five of the
8 selected agencies reported receiving the most homeland security funding.
We selected the four states, the District of Columbia, and nine local
governments on the basis of their critical infrastructure assets, such as
national landmarks, ports, and oil pipelines. The Department of Homeland
Security (DHS) generally has not documented the policies and procedures it
has used for assessing intelligence information, determining whether to
raise or lower the threat level, and notifying federal, state, and local
government agencies about changes in threat levels. Thus, our findings
about the operations of the Homeland Security Advisory System are
principally based on interviews with DHS officials. We will continue to
assess the Homeland Security Advisory System and related guidance,
measures implemented during code-orange periods, and the costs incurred
during code-orange alerts. We expect to issue a final report later this
year. On February 23 and 24, 2004, officials representing the Department
of Homeland Security provided oral technical comments on this report,
which we incorporated as appropriate. We conducted our work from July 2003
to February 2004 in accordance with generally accepted government auditing
standards. For more detailed information on our scope and methodology, see
enclosure I.

Results in Brief

Based on analyses of intelligence, the Secretary of Homeland Security, in
consultation with members of the Homeland Security Council,3 determines
whether the national threat level should be elevated or lowered. Once the
Secretary makes this decision, DHS and others begin the process of
notifying federal, state and local government agencies, through various
means, such as conference calls. The department has not yet documented its
protocols for executing notification. DHS officials told us they are
working to develop such documentation. However, they could not provide us
with a specific time frame as to when they expect to complete this effort.
Federal, state, and local government agencies we met with expressed
concern about hearing of threat level changes from media and other sources
prior to receiving notification from DHS. DHS officials maintain that the
Homeland Security Advisory System is evolving and that they are
continually adjusting it to provide additional information regarding
specific threats.

1For this review, we analyzed information from the District of Columbia
with information from states.
2Office of Management and Budget, 2003 Report to Congress on Combating
Terrorism (Washington,
D.C.: September 2003).
3Members of the Homeland Security Council include the President; the Vice
President; the Secretaries
of Defense, Health and Human Services, Homeland Security, Transportation,
and the Treasury; the
Attorney General; the Director of the Federal Emergency Management Agency;
the Director of the
Federal Bureau of Investigation; the Director of Central Intelligence; and
the Assistant to the President
for Homeland Security.

Various sources, including the Federal Emergency Management Agency
(FEMA),4 provided guidance and information to federal, state, and local
government agencies to assist them in developing plans for responding to
each of the advisory system's five threat levels following establishment
of the system in March 2002. Additionally, DHS and others provided
federal, state, and local government agencies with guidance and
information to assist them in determining actions to take in response to
each codeorange alert occurrence. For the most part, the 15 federal
agencies responding to our questionnaire noted that the guidance and
information they received was useful and timely. However, 14 of these 15
federal agencies, along with officials from three states and six local
governments we met with, noted that they would have benefited by receiving
additional information on region-, sector-, site-, and event-specific
threats when deciding additional actions to take for the three most recent
codeorange alerts. We will continue to assess this guidance and
information to determine its consistency and the extent to which the
entities that provided the guidance and information coordinated with other
agencies providing similar information.

Federal agencies responding to our questionnaire indicated that they
maintain a high security posture and, as a result, did not need to
implement a substantial number of additional protective measures to
respond to code-orange alerts. For the most part, these 15 federal
agencies reported enhancing protective measures they already had in place
to respond to the code-orange alerts, such as increasing the frequency of
facility security patrols. To a lesser degree, these federal agencies
indicated that they continued existing protective measures at their
pre-code-orange alert levels, such as the use of intrusion detection
systems. To ensure that protective measures operate as intended, federal
agencies for which we received questionnaire responses reported conducting
tests on the functionality and reliability of protective measures. They
also reported receiving confirmation of the enhancement or implementation
of measures from component entities, offices, or personnel. Protective
measures benefited federal agencies in various ways, but also affected
agency operations, according to the agencies responding to our
questionnaire. For example, while actions taken during code-orange alerts
promoted employees' sense of security, they also resulted in delays for
employees entering facilities. State and local government officials we met
with noted that their agencies implemented various protective measures for
code-orange alerts, including additional law enforcement patrols.

Thirteen federal agencies, one state, and six localities provided
information on the additional costs incurred during at least two of the
three orange alert periods in our review. The cost information the federal
agencies provided was generally estimates. Nine agencies reported
incurring additional costs while 4 stated that they did not incur any
additional costs. Eight of the 9 agencies provided cost estimates, whereas
the ninth provided actual costs extracted from its financial accounting
system. For the 9 agencies that reported incurring additional costs, we
calculated the additional average daily costs incurred during each of the
three orange alert periods. The additional average daily costs varied by
alert period and ranged from as little as about $160 dollars for a small
independent agency to more than $165,000 for a cabinet department. For 8
of the 9 agencies, the additional average daily costs were lower for

4The Federal Emergency Management Agency was incorporated into the
Emergency Preparedness and Response Directorate at the Department of
Homeland Security upon the department's creation in March 2003.

the third alert period than the first alert period. Cost information for
the one state and six localities was limited, and we have little or no
information on how those costs were determined. Thus, we cannot assess the
reliability and comparability of these costs.

Some federal, state, and local government agencies we contacted reported
that they have threat advisory systems in place to ensure government
agencies are notified of impending emergencies such as natural disasters
or terrorist threats, allowing them to prepare a response. These systems,
which were generally in place before the creation of the Homeland Security
Advisory System, are similar to the Homeland Security Advisory System or
have been revised to conform to it and include threat levels with
associated protective measures. For example, one federal agency told us
that it had developed its own five-level alert system 8 years ago to
ensure protection of critical national security assets. While federal,
state, and local government agencies said they raise or lower their
systems' threat levels to correspond to changes in the national threat
level, they also independently change threat levels to respond to specific
threats or for large public events.

Background

Homeland Security Presidential Directive 3 (HSPD-3) established the
Homeland Security Advisory System in March 2002. Through the creation of
the Homeland Security Advisory System, HSPD-3 sought to produce a common
vocabulary, context, and structure for an ongoing discussion about the
nature of threats that confront the nation and the appropriate measures
that should be taken in response to those threats. Additionally, HSPD-3
established the Homeland Security Advisory System as a mechanism to inform
and facilitate decisions related to securing the homeland among various
levels of government, the private sector, and American citizens.

The Homeland Security Advisory System, as shown in figure 1, is comprised
of five color-coded threat conditions, which represent levels of risk
related to potential terror attack. As defined in HSPD-3, risk includes
both the probability of an attack occurring and its potential gravity.

Figure 1: Homeland Security Advisory System

Since its establishment in March 2002, the Homeland Security Advisory
System national threat level has remained at elevated
alert-code-yellow-except for five periods during which the administration
raised it to high alert-code-orange. The periods of code-orange alert
follow:

o  September 10 to 24, 2002;

o  February 7 to 27, 2003;

o  March 17 to April 16, 2003;

o  May 20 to 30, 2003; and

o  December 21, 2003, to January 9, 2004.

The Homeland Security Advisory System is binding on the executive branch.
HSPD-3 directs all federal departments, agencies, and offices, other than
military facilities,5 to conform their existing threat advisory systems to
the Homeland Security Advisory System. These agencies are responsible for
ensuring their systems are consistently implemented in accordance with
national threat levels as defined by the Homeland Security Advisory
System. Additionally, federal departments and agency heads are responsible
for developing protective measures and other antiterrorism or
selfprotection and continuity plans in response to the various threat
levels and operating and maintaining these plans. While HSPD-3 encourages
other levels of government and the private sector to conform to the
system, their compliance is voluntary.

When HSPD-3 first established the Homeland Security Advisory System, it
provided the Attorney General with responsibility for administering the
Homeland Security Advisory System, including assigning threat conditions
in consultation with members of the Homeland Security Council, except in
exigent circumstances. As such, the Attorney General could assign threat
levels for the entire nation, for particular

5The Homeland Security Advisory System does not directly apply to the
armed forces, including their military facilities. Rather, the Department
of Defense's Force Protection Condition system rates threats and sets
specific measures for military facilities.

geographic areas, or for specific industrial sectors. Upon its issuance,
HSPD-3 also assigned responsibility to the Attorney General for
establishing a process and a system for conveying relevant threat
information expeditiously to federal, state, and local government
officials, law enforcement authorities, and the private sector.

In November 2002, Congress enacted the Homeland Security Act of 2002, P.L.
107296, which established the Department of Homeland Security. Under the
Homeland Security Act of 2002, the DHS Under Secretary for Information
Analysis and Infrastructure Protection (IAIP)is responsible for
administering the Homeland Security Advisory System. As such, IAIP is
primarily responsible for issuing public threat advisories and providing
specific warning information to state and local governments and to the
private sector. The act also charges IAIP with providing

6

advice about appropriate protective actions and countermeasures.

In February 2003, in accordance with the Homeland Security Act, the
administration issued Homeland Security Presidential Directive 5 (HSPD-5),
which amended HSPD-3 by transferring authority for assigning threat
conditions and conveying relevant information from the Attorney General to
the Secretary of Homeland Security. HSPD-5 directs the Secretary of
Homeland Security to consult with the Attorney General and other federal
agency heads the Secretary deems appropriate, including other members of
the Homeland Security Council, when determining the threat level, except
in exigent circumstances.

The Advisory System Includes Threat Analysis, Notifications, and Ongoing
Revisions, but Protocols for Notification Have Not Been Documented

According to DHS officials, the intelligence community continuously
gathers and analyzes information regarding potential terrorist activity.
This includes information from such agencies as DHS,7 the Central
Intelligence Agency, the Federal Bureau of Investigation (FBI), and the
Terrorist Threat Integration Center.8 Analyses from these and other
agencies are shared with DHS's IAIP, which is engaged in constant
communication with intelligence agencies to assess potential homeland
security threats.

DHS officials told us that when intelligence information provides
sufficient indication of a planned terrorist attack, and is determined to
be credible, IAIP recommends to the Secretary of Homeland Security that
the national threat level should be raised. To decide whether to lower the
national threat level, DHS officials told us that the department reviews
threat information to determine whether time frames for threats have
passed and whether protective measures in place for the code-orange alerts

6P.L. 107-296, Sec. 201(d)(7).
7DHS's Homeland Security Operations Center (HSOC) and its IAIP Directorate
monitor threats and
conduct information assessments on a daily basis. The HSOC is comprised of
representatives from
DHS component entities, other federal agencies, and local law enforcement
agencies.

8The Terrorist Threat Integration Center is responsible for analyzing and
sharing terrorist-related
information that is collected domestically and abroad. It is an
interagency joint venture that is
comprised of elements of DHS, the FBI's Counterterrorism Division, the
Director of Central
Intelligence Counterterrorist Center, the Department of Defense, and other
agencies.

have been effective in mitigating the threats. DHS officials further told
us that analysis of the threat information and determination of threat
level changes are specific for each time period and situation and include
a certain amount of subjectivity. They said no explicit criteria or other
quantifiable factors are used to decide whether to raise or lower the
national threat level.

Based on a review of the threat information and analyses, DHS officials
said that the Secretary of Homeland Security consults with the other
members of the Homeland Security Council on whether the national threat
level should be changed.9 DHS officials told us that if the Homeland
Security Council members could not agree on whether to change the national
threat level, the president would make the decision. After the
determination has been made to raise or lower the national threat level,
DHS begins its notification process.

DHS used the following methods, among others, to notify entities of
changes in the national threat level, according to responses from our
federal agency questionnaire and discussions with DHS and other government
officials:

o  	Conference calls between the Secretary of Homeland Security and state
governors and/or state homeland security officials;

o  	Telephone calls from Federal Protective Service (FPS, a component of
DHS) officials to federal agencies;

o  	E-mail or telephone communications from Homeland Security Operations
Center (HSOC) representatives to the federal, state, or local agencies
they represent;

o  	HSOC electronic systems such as the Joint Regional Information
Exchange System;

o  	FBI electronic systems such as the National Law Enforcement
Telecommunications System;10 and

o  	E-mail and/or telephone communications with federal agencies' chief of
staff and public affairs offices.

Of the 13 federal agencies responding to our questionnaire that received
notification from DHS for the code-orange alert period December 21, 2003,
to January 9, 2004, 9 reported being notified by more than one method.
These agencies most often reported receiving notification of threat level
increases via electronic communications systems, such as the Washington
Area Warning Alert System. Preliminary questionnaire responses and
discussions with federal, state, and local government officials indicate
that DHS also used multiple methods to notify federal, state, and local
agencies of threat level changes for the other two code-orange alert
periods in our review.

9Under HSPD-5, the Secretary can change the national threat level without
consulting other Homeland
Security Council members in exigent circumstances. However, DHS officials
told us that this did not
occur for any of the three most recent code-orange alerts.
10We will continue to assess the various communication systems DHS
utilizes to notify entities of threat
level changes, including their relationship with one another. We expect to
report the results of this
work to you later this year.

DHS officials stated in recent congressional testimony that the
department's communications of national threat level changes also provide
specific information regarding the intelligence supporting the change in
the threat condition, and that protective measures are developed and
communicated, along with the threat information, prior to a public
announcement of the decision. Some federal, state, and local officials
indicated in meetings and questionnaire responses that they have not
received information on region-, sector-, site-, or event-specific threats
in DHS notifications of threat level changes. Some of these officials
commented that they would like specific information on threats to
determine the most appropriate protective measures for their agencies or
localities. Thirteen of the 15 federal agencies responding to our
questionnaire reported receiving notification of the threat level change
from DHS during the most recent elevation to code-orange. Six of the 13
agencies reported receiving region- or sector-specific threat information;
5 reported receiving information on threat time frames; and 5 reported
receiving site- or eventspecific information. Two of the 15 federal
agencies responding to the questionnaire reported that they did not
receive notification from DHS. In addition, for each codeorange alert
period, 12 of the 15 federal agencies identified insufficient information
on the threat as an impediment to responding to the heightened alert. DHS
officials maintain that they provide federal, state, and local officials
with specific threat information whenever it is available. We will
continue to review DHS's notification methods, including the content of
such notifications. We expect to report the results of this work later
this year.

Some federal agencies, as well as state and local officials we
interviewed, reported hearing about notification of national threat level
changes from other entities, such as the FBI and media sources, before
being notified by DHS. For example, 3 federal agencies and five state and
local entities noted learning about national threat level changes via
media sources prior to being notified by DHS. This raises questions about
whether DHS is always conveying information regarding threat level changes
to government entities expeditiously, as required by HSPD-3.

Officials from one federal agency, one state, and two localities would
prefer to receive notification of threat level changes from DHS prior to
hearing about the changes from media sources. These officials told us that
after the change is reported via media sources, their agencies receive
requests for detailed information on the change from the public and other
entities. They noted that their agencies appear ineffective to the public
and other entities because, without notification of the national threat
level change before it is reported by media sources, they do not have time
to prepare informed responses. DHS officials indicated they were aware
that the media sometimes reported threat level changes before DHS notified
federal, state, and local officials and in the case of the second alert
period in our review, before the decision to raise the threat level was
even made. In addition, DHS officials told us that they send
notifications/advisories to the media to inform them of impending press
conferences, and that the media may speculate about announcements of
threat level changes that may be made at the press conferences.

DHS officials told us that they have not yet formally documented protocols
for notifying federal, state, and local government agencies of national
threat level

changes. They told us that they are working to document their protocols.
However, they could not provide us with a specific time frame as to when
DHS expects to complete this effort. For an entity to control its
operations, it must have relevant, reliable, and timely communications
relating to internal as well as external events.11 As we have previously
reported, to establish channels that facilitate open and effective
communication, agencies should clearly set out procedures, such as
communication protocols, that they will consistently follow when doing
their work.12 Communications protocols would, among other things, help
foster clear understanding and transparency regarding federal agencies'
priorities and operations. Moreover, protocols can help ensure that
agencies interact with federal, state, local, and other entities using
clearly defined and consistently applied policies and procedures.

DHS officials told us that the Homeland Security Advisory System is
constantly evolving based on their ongoing review of the system. To
provide more specific threat information and respond to sector-and
location-specific security needs, DHS officials told us they adjust the
system based on feedback from federal, state, local and private sector
officials; tests of the system; and experience with previous periods of
code-orange alert. For example, during the most recent code-orange alert,
there was heightened concern about the use of aircraft for potential
terrorist attacks and several geographic locations were also reported to
be at particularly high risk. In a recent testimony, the Deputy Secretary
of Homeland Security noted that DHS provided specific recommendations for
protective measures to industry sectors and for geographic areas in
response to specific threat information. When the national threat level
was lowered to yellow on January 9, 2004, DHS recommended that some
sectors, such as the aviation industry, and certain geographic locations
continue on a heightened alert status. According to the Deputy Secretary,
this was the first time since the creation of the Homeland Security
Advisory System that DHS lowered the national threat level but recommended
maintaining targeted protections for a particular industry sector or
geographic location.

DHS officials also told us that the department issues threat advisories
and information bulletins for specific threats that do not require changes
in the national threat level. Threat advisories contain information about
incidents or threats targeting critical national infrastructures or key
assets, such as pipelines. Information bulletins communicate information
of a less urgent nature to nongovernmental entities and those responsible
for the nation's critical infrastructures. The threat advisories and
bulletins we reviewed also include advice on protective measures for law
enforcement agencies.

Federal, State, and Local Agencies Reported Receiving Useful Information
and Guidance, but Would Prefer More Specific Information

Federal agencies responding to our questionnaire reported receiving and
using guidance and information from various sources to develop plans for
responding to

11U.S. General Accounting Office, Standards for Internal Control in the
Federal Government,
GAO/AIMD-00.21.3.1 (Washington, D.C.: November 1999).
12U.S. General Accounting Office, Office of Compliance: Status of
Management Control Efforts to
Improve Effectiveness, GAO-04-400 (Washington, D.C.: Feb. 3, 2004).

each of the five national threat levels. In particular, these federal
agencies indicated that they received and used guidance from FEMA, FPS,
the Department of Justice (DOJ), and the White House. For example, 6
federal agencies reported using DOJ's

                                       13

Vulnerability Assessment of Federal Facilities. This guidance established
security levels for different types of federal facilities and
minimum-security standards for each level. In addition, 5 federal agencies
reported using HSPD-3, which established the Homeland Security Advisory
System and suggested general protective measures for each threat level.
Twelve federal agencies also reported using their agencies' vulnerability
assessments to help them develop appropriate measures to take in
responding to national threat levels.

In addition to developing response plans for each threat level, federal
agencies responding to our questionnaire reported receiving and using both
guidance and information and intelligence from various sources to
determine additional protective measures to implement in response to the
code-orange alerts included in our review. They indicated that the
guidance and information was generally useful and timely. For example, as
shown in table 1, the 15 federal agencies responding to our questionnaire
reported using guidance from a variety of sources to determine actions to
take for the most recent code-orange alert period from December 21, 2003,
to January 9, 2004. Most federal agencies that reported using guidance
from the agencies listed in table 1 noted that the guidance was useful and
timely.

Table 1: Number of Federal Agencies that Used Guidance and Found It Useful
and Timely for the Code-Orange Alert Period December 21, 2003, to January
9, 2004

Source: GAO analysis of data from the first 15 federal agencies responding
to GAO's questionnaire.

aWe asked federal agencies to indicate whether guidance they received was
very useful, somewhat useful,
or of little or no use. Useful reflects respondent ratings of very useful
and somewhat useful.
bWe also asked agencies to indicate whether the guidance they received was
timely by responding yes or no.

Likewise, as shown in table 2, the 15 respondents to the federal agency
questionnaire indicated that they used multiple sources of information and
intelligence in determining actions for the most recent code-orange alert
period. These agencies also generally reported that information and
intelligence from the sources listed in table 2 was useful and timely.

13Department of Justice, Vulnerability Assessment of Federal Facilities
(Washington, D.C.: June 28, 1995).

Table 2: Number of Federal Agencies that Used Information and Intelligence
and Found It Useful and Timely for the Code-Orange Alert Period December
21, 2003, to January 9, 2004

Source of Number of
information/intelligence federal agencies Usefula Timelyb

Source: GAO analysis of data from the first 15 federal agencies responding
to GAO's questionnaire.

a We asked federal agencies to indicate whether the information and
intelligence they received was very useful, somewhat useful, or of little
or no use. Useful reflects respondent ratings of very useful and somewhat
useful. bWe also asked agencies to indicate whether the guidance they
received was timely by responding yes or no.

Results for the other two code-orange alert periods included in our
review-March 17 to April 16, 2003, and May 20 to 30, 2003-were consistent
with those reported in tables 1 and 2 for the code-orange alert period
December 21, 2003, to January 9, 2004.

State and local government officials we met with told us that they also
used guidance and information from several sources, including DHS, to
develop actions to take for the code-orange alert periods. For example,
they told us that their agencies used guidance and information from DHS on
critical infrastructure assets and airport security. They also indicated
that they used information from the FBI and local law enforcement
agencies, such as additional intelligence information, to determine areas
in which to strengthen protective measures.15

For the most part, federal agencies responding to our questionnaire along
with officials we met with from 3 state and 6 local government agencies
indicated that receiving information with greater specificity about
threats would have been helpful in determining additional actions to take
in response to code-orange alerts. For example, 14 of 15 federal agencies
responding to our questionnaire indicated that information on region-,
sector-, site-, or event-specific threats, if available, would have been
helpful. Additionally, all 15 federal agencies reported that information
on threat time frames, if available, would have assisted them in
determining appropriate actions to take in responding to the code-orange
alerts. Fourteen federal agencies also indicated that receiving
information on recommended measures for preventing incidents would have
been helpful in determining appropriate protective measures to implement
or enhance for each code-orange alert period.

14The National Joint Terrorism Task Force is comprised of numerous federal
agencies co-located in the
Strategic Information and Operations Center at FBI headquarters. This task
force provides a central
fusion point for terrorism information and intelligence to the Joint
Terrorism Task Forces, which
include state and local law enforcement officers, federal agents, and
other federal personnel who work
in the field to prevent and investigate acts of terrorism.
15We expect to learn more about the guidance used by states and localities
as we receive responses
from our state questionnaire and will continue to develop this information
through our site visits with
various local officials. We expect to report the results from this work to
you later in this year.

In addition, one state official noted that receiving more specific
information about the type of threat-against bridges and dams, for
example-would enable the state to concentrate its response in those areas,
a more effective approach than simply blanketing the state with increased
general security measures. One local official also noted that specific
information about the location of a threat should be provided to law
enforcement agencies throughout the nation-not just to localities that are
being threatened-thus allowing other local governments to determine
whether there would be an indirect impact on them and to respond
accordingly. DHS officials indicated that the department works with state
and local officials to develop specific protective measures. One official
said that DHS communicates regularly with and provides technical advice to
state and local officials to assist in the development of specialized and
appropriate protective measures.

Federal Agencies Reported Enhancing Existing Protective Measures More
Often than Implementing New Measures, While State and Local Agencies
Reported Implementing Additional Measures

Federal agencies responding to our questionnaire as well as those we
visited indicated that they substantially enhanced security following the
September 11, 2001, terrorist attacks. Thus, these agencies operate at
high security levels regardless of the national threat level. In
responding to our questionnaire, most federal agencies noted that they did
not significantly increase the number of additional protective measures in
response to the code-orange alerts. Federal agencies reported that their
primary response for the three code-orange alerts was to enhance or more
frequently use measures already in place, such as increasing the frequency
of existing facility security patrols. Less often, these agencies
indicated that they continued, or did not change, existing protective
measures as a result of the code-orange alert periods, such as the use of
intrusion detection systems.

During the code orange alert period from December 21, 2003, to January 9,
2004, preliminary responses to the federal agency questionnaire indicate
that about 49 percent of all protective measures these agencies reported
were enhanced in response to the threat level increase. About 37 percent
of all protective measures reported for this period were continued at
their pre-code-orange alert levels, or not changed, by federal agencies in
response to the code-orange alert. About 13 percent of the protective
measures federal agencies reported for the December 21, 2003, to January
9, 2004, code-orange alert period were implemented by these agencies
solely in response to the code-orange alert.16 For instance, one measure
implemented solely in response to the code orange alert period was the
extension of shifts for emergency personnel. Preliminary analysis of
responses regarding the other two periods of code-orange alert is
consistent with those from the December 21, 2003, to January 9, 2004,
period.

As indicated in table 3, among the most commonly reported protective
measures, only one was implemented solely in response to the code-orange
alert period December 21, 2003, to January 9, 2004, according to federal
agencies' questionnaire

16Percentages do not total to 100 percent due to rounding.

responses. Even so, only 2 of the 14 federal agencies that reported having
the measure indicated that they implemented the measure solely in response
to the codeorange alert, while the other 12 agencies indicated that the
measure was already in place. The protective measures most commonly
reported by federal agencies for the code-orange alert period were already
in place and continued at pre-code-orange alert levels or were enhanced
for the code-orange alert period. Preliminary results for the other two
code-orange alert periods in our review were similar to those reported in
table 3.

Table 3: Protective Measures Most Commonly Reported by Federal Agencies
for the December 21, 2003, to January 9, 2004, Code-Orange Alert Period

                                        Number of                   Number of 
                                    agencies that     Number of agencies that 
                                     indicated no agencies that   Implemented 
                          Number of     change in      enhanced   measure for 
                            federal                             
                                    measure that   measure that               
                      agencies that was                     was   code-orange
                           reported already in     already in           onlyc 
                            measure placea           place b    
          Screen mail            15             8             7 
             Activate                                           
           monitoring                                           
              systems            15            11             4 
Activate intrusion                                           
    detection systems            15            14             1 
Implement facility                                           
     security patrols            15             2            13 
     Inspect visitors            14             8             6 
      Escort visitors            14             5             7 

Source: GAO analysis of data from the first 15 federal agencies responding
to GAO's questionnaire.

aNo change in a protective measure indicates that the measure was already
in place prior to the code-orange alert period and continued at the same
level of use or frequency during a code-orange alert. bThe enhancement of
a measure that was already in place refers to the increased use of an
existing protective measure, such as more frequent facility security
patrols or increased volume of mail screened. cThe implementation of a
measure for code-orange only refers to the use of an additional measure
that was not already in place solely to respond to a code-orange alert.

To ensure that protective measures operate as intended and are implemented
as planned, federal agencies for which we received questionnaire responses
indicated that they conducted tests or exercises on these measures within
the past year. These federal agencies also reported receiving confirmation
from component entities, offices, or personnel that protective measures
were enhanced or implemented during the code-orange alert periods. Fifteen
federal agencies responding to our questionnaire reported that they
conducted tests or exercises on the functionality and reliability of
intrusion detection systems, mail and delivery screening equipment and
procedures, monitoring systems, and continuity of operations and emergency
response measures. Fourteen of these agencies indicated that they
conducted tests or exercises on visitor and employee screening procedures
and vehicle inspection equipment and procedures. Furthermore, 12 of these
agencies noted that they confirmed that protective measures were enhanced
or implemented during each of the three code-orange alert periods.

Federal agencies responding to our questionnaire indicated that they
benefited in various ways from the protective measures they implemented
during code-orange alerts, but also noted that their operations were
affected. For example, these federal agencies reported that protective
measures enhanced employees' sense of security,

promoted staff awareness, and provided visible deterrents to possible
threats. On the other hand, they said that their operations were affected
by delaying visitors, employees, and vehicles from entering facilities;
limiting tours, meetings, and conferences; and shifting resources away
from normal daily operations to ensure measures required for code-orange
alerts were implemented.

Additionally, these federal agencies noted that they faced a number of
operational challenges in responding to the code-orange alerts. For
example, 12 of the 15 federal agencies indicated that insufficient
information on threats was an operational challenge. In particular, 6
federal agencies noted that without specific information on threats, they
could not effectively focus resources on protective measures to respond to
possible threats. Other operational challenges identified by some federal
agencies responding to our questionnaire include insufficient personnel
training to implement protective measures, insufficient equipment and
materials, and insufficient facilities and space, particularly to screen
visitors.

Officials from two states and three local governments told us that they
responded to code-orange alerts by implementing a variety of protective
measures, such as enhanced entry screening, additional law enforcement
patrols, and increased surveillance of critical infrastructure. They also
told us that, in some cases, their agencies implemented heightened airport
security measures and increased coordination with other agencies during
the code-orange alert periods.

Cost Data Reported by Federal, State, and Local Government Agencies Is
Limited

Thirteen federal agencies, one state, and six localities provided
information on additional costs, if any, that they incurred during
code-orange alert periods. The cost information federal agencies reported
in response to our questionnaire were generally estimates; the methods the
state and six localities used to develop their information are generally
unknown.

Thirteen of the 15 federal agencies responding to our questionnaire
provided information on whether they incurred additional costs during each
of the three codeorange alert periods in our review. Of these 13 federal
agencies, 9 noted they had incurred additional costs and provided a dollar
amount for those costs; 4 agencies said that they did not incur any
additional costs.

Eight of the 9 agencies that reported incurring additional costs provided
cost estimates. In addition, most of these agencies reported using similar
methods to develop their estimates. Based on our preliminary analysis,
these methods appear to be reasonable. For example, 5 of these agencies
reported using the additional hours accumulated by security personnel
during code-orange alerts multiplied by the hourly rates of security
personnel to develop estimates for additional personnel costs incurred
during code-orange alerts. The 8 agencies' cost estimates do not
necessarily include all nonpersonnel costs that may have been incurred
during one or more of the three code-orange alert periods included in our
survey.

One agency tracked additional costs incurred in response to code-orange
alerts, and thus was able to provide actual cost information. This agency
extracted cost information from its financial accounting system, which was
subjected to auditing procedures. However, as reported in the fiscal year
2005 President's Budget, this agency's financial management performance
had serious flaws as of December 31, 2003. Thus, we have concerns
regarding the reliability of the cost information provided to us. We will
continue to assess this issue and expect to report the results of this
effort to you later this year.

For the 9 agencies that reported incurring additional costs, we calculated
the additional average daily costs incurred during each of the three
code-orange alert periods. The additional average daily costs for these 9
agencies ranged from $172 to $155,000 for the March 17 to April 16, 2003,
period; from $467 to $165,660 for the May 20 to 30, 2003, period; and from
$158 to $142,725 for the December 21, 2003, to January 9, 2004, period.
For each code-orange alert period, the lowest cost was for a small
independent agency and the largest for a cabinet department.

We conducted preliminary analysis on the additional average daily costs
the 9 federal agencies incurred between the first and second alert
periods, and no specific trends emerged. For example, of the 9 agencies
that reported incurring additional costs during code-orange alert periods,
5 agencies had an increase in additional average daily costs between the
first and second alert periods under review, and 3 agencies had a
decrease. One agency's additional costs remained the same for each of the
first two code-orange alert periods. For these 9 agencies, the total
percentage change between the first and second alert periods ranged from a
decrease of approximately 22 percent to an increase of about 179 percent.
However, this 179 percent increase, reported by a small independent
agency, represented only a difference of about $300.

Based on the cost information these agencies reported, 8 of the 9 agencies
incurred fewer additional costs during the third code-orange alert period
than during the first code-orange alert. Percentage decreases in
additional costs between these two periods ranged from about 8 percent to
83 percent. One agency did not experience any difference in additional
costs incurred between the first and third code-orange alert periods under
review.

Even though the percentage decreases are similar for some of the 9 federal
agencies, the actual dollar amount of the decreases could vary
considerably. For example, while 2 federal agencies experienced an 8
percent decline in additional average daily costs between the first and
third alert periods, 1 of these, a small independent agency, had a $14
decline in additional average daily costs, while the other, a larger
cabinet level agency, had a $12,275 decline.

Currently, we do not have sufficient information to explain the
differences in additional costs the 9 federal agencies incurred between
the first and second codeorange alert periods and the overall decline in
additional costs for 8 of the 9 agencies between the first and third
code-orange alert periods. As our analysis of the additional costs
incurred by federal agencies continues, we will continue to examine
differences in the additional costs individual agencies incurred in each
alert period, and, where possible, obtain information about the reasons
for these differences. We expect to report the results of this work to you
later this year.

Two of the 15 federal agencies responding to our questionnaire said that
they did not report cost information for any of the three orange alert
periods in the survey because they did not track additional code-orange
alert costs. These agencies explained that they did not have the
capability to separate additional code-orange alert costs from their total
annual security-related costs.

To date, we have received code-orange alert cost information from one
state and six localities. These state and local cost estimates included
little or no information on how they were developed or on internal control
procedures used to verify the reliability of the costs provided.
Therefore, we were unable to verify the comprehensiveness, consistency,
reliability, or comparability of the cost estimates they provided. Based
on the cost information provided by one state, we calculated the
additional average daily cost for 10 of the state's agencies, which
amounted to just under $400 for the code-orange alert period from March 17
to April 16, 2003. Five of its agencies collectively incurred an
additional average daily cost of just over $90 for the code-orange alert
from May 20 to 30, 2003. No cost information was provided for the December
21, 2003, to January 9, 2004, code-orange alert period.

We do not yet know how the localities developed their cost information.
Thus, we cannot assess the reliability of this information. We calculated
additional average daily costs for the six localities based on the cost
information they provided to us. Five localities had additional average
daily costs for the March 17 to April 16, 2003, period, ranging from a low
of about $8,000 to a high of about $68,000. Two localities had average
daily costs of about $12,000 or less and two had costs of more than
$60,000. For the May 20 to 30, 2003, period, three localities had
additional average daily costs of approximately $100, $6,000, and $9,000,
respectively. One of the localities provided cost information for all
three orange alert periods included in our review-but its information was
limited to costs for 3 agencies. That locality had additional average
daily costs for 3 agencies of about $12,000 in the March 17 to April 16,
2003, period; approximately $9,000 in the May 20 to 30, 2003, period; and
about $11,000 for the December 21, 2003, to January 9, 2004, period.
Finally, one locality had about $5,000 per day in police overtime,
equipment, and contractual costs for each day the locality was at
code-orange during February through May 2003.

We sent a questionnaire to 50 states, the District of Columbia, Puerto
Rico, and 4 territories to collect a variety of information, including
additional costs they incurred during code-orange alerts. However, we did
not receive responses from any states and territories in time to include
the results in this report. We expect to report any cost information
collected through this effort to you later this year. Based on our work to
date, states and localities generally may not systematically and uniformly
collect the additional costs associated with higher (e.g., code-orange)
alert levels; thus, we do not expect to collect reliable, comparable, and
comprehensive state and local government costs. For example, one locality
we visited told us they had tracked some additional code-orange costs by
using a specific job code, but the level of effort involved to get all
agencies to comply had been considerable. To the extent that inconsistent
methods were used in estimating costs, reasonable comparisons of cost
information are limited.

Some Federal, State, and Local Government Agencies Have Similar Advisory
Systems, but Can Change Threat Levels Independently

Of those agencies and entities that we have met with or contacted, 5
federal agencies, 4 states, and one locality have their own threat
advisory systems to ensure that government agencies are notified of
impending emergencies, such as natural disasters or terrorist threats,
allowing them to prepare a response. These systems were generally in place
prior to the establishment of the Homeland Security Advisory System. One
federal agency told us that it had developed its own five-level alert
system 8 years ago to ensure the protection of critical national security
assets. This system and those of the other 9 agencies are similar to the
Homeland Security Advisory System or have been modified to conform to it,
as required for federal executive agencies by HSPD-3. The systems include
varying threat levels with protective measures specified for each. For
example, all federal agencies' threat advisory systems we have identified
to date have five threat levels that correspond to the five levels of the
Homeland Security Advisory System and specify a variety of protective
measures for each level. Protective measures specified in these threat
advisory systems include the implementation of contingency and emergency
response plans; surveillance of critical locations; screening of mail
coming into facilities; limitation of facility entry and exit points; and
coordination with federal, state, and local law enforcement agencies.

Likewise, one state's threat advisory system has five threat levels, while
another state's system has four. Again, these threat levels are similar to
those of the Homeland Security Advisory System. A third state's threat
advisory system has three threat levels that correspond to the Homeland
Security Advisory System's yellow, orange, and red threat conditions.
Protective measures included in these states' systems include inspection
of mail and packages, coordination of emergency response plans,
establishment of command centers, and enhanced security at public events.
The one locality threat advisory system we have identified to date is also
similar to the Homeland Security Advisory System and has four threat
levels with specific actions designated for each.

Federal, state, and local government agencies we reviewed can raise or
lower threat levels for their own advisory systems in response to threats
or events that specifically affect their operations. They can make these
adjustments regardless of whether the national threat level is raised or
lowered at the same time. For instance, for 3 of the federal agencies'
threat advisory systems we identified, managers can raise the alert level
of their specific facilities to respond to local threat conditions.
However, in general, managers cannot lower alert levels for their
facilities below the level specified by an agency head or designated
authority. States and local governments can also raise or lower their own
threat levels based on local threats or events. For example, one state
raised its threat level in early February 2003 in response to the crash of
the space shuttle Columbia, while one locality raised its threat level for
July 4, 2003, due to public events and large crowds in the city, even
though the national threat level remained at yellow.

Agency Comments

On February 23 and 24, 2004, officials representing the Department of
Homeland
Security provided oral technical comments on this report, which we
incorporated as
appropriate.

We plan no further distribution of this report until 14 days after the
date of this letter.
At that time, we will send copies of this report to the Subcommittee on
Technology,
Terrorism, and Government Information, Senate Committee on the Judiciary;
the
Subcommittee on National Security, Emerging Threats, and International
Relations,
House Committee on Government Reform; Senator Joseph Biden; the Secretary
of
Homeland Security; the Director, Office of Management and Budget; and
other
interested parties. Copies will be made available to others on request. In
addition,
this report will be available at no charge on GAO's Web site at
http://www.gao.gov. If
you or your staff have any questions about this report, please contact me
at
(202) 512-8777 or by e-mail at [email protected].

William O. Jenkins, Jr.
Director, Homeland Security and Justice Issues

Enclosures: 4

Enclosure I

                             Scope and Methodology

To address the objectives of our review, we met with and received
information from 8 federal agencies, three states, the District of
Columbia, and seven local governments and obtained information from
another state and two local governments. We met with and received
documentation from these federal agencies, states, the District of
Columbia, and the local governments to obtain preliminary information on
the following: how they were notified of national threat level changes for
the three most recent periods of code-orange alert from March 17 to April
16, 2003; May 20 to 30, 2003; and December 21, 2003, to January 9, 2004;
the guidance and information they reported using to assist in determining
protective measures to implement during the three code-orange alerts; the
protective measures they reported implementing during those periods; the
additional costs they reported incurring as a result of implementing such
measures; and any threat advisory systems they indicated were in place
before the establishment of the Homeland Security Advisory System.

We selected the 8 federal agencies to visit based on the amount of
homeland security funding each agency reported to the Office of Management
and the Budget for fiscal year 2003.17 We visited the 5 federal agencies
that reported receiving the most homeland security funding in fiscal year
2003-the Departments of Energy, Health and Human Services, Homeland
Security, Justice, and State. We visited one federal agency that reported
receiving a moderate amount of homeland security funding, the National
Aeronautics and Space Administration; one federal agency that reported
receiving a small amount of homeland security funding, the U.S. Holocaust
Memorial Museum; and one federal agency that did not report receiving any
homeland security funding in fiscal year 2003, the Department of
Education.

The three states we visited were Maryland, Texas, and Virginia. We also
visited the District of Columbia. The seven local governments we visited
were Baltimore, Maryland; Austin, Dallas, and Travis County, Texas; and
Alexandria, Arlington County, and Fairfax County, Virginia. We also
received information from Montgomery County, Maryland, and Seattle,
Washington. We selected Maryland and Virginia because they have critical
infrastructure assets such as national landmarks and ports. Moreover, we
selected the local governments in these states and the District of
Columbia because they are part of the National Capitol Region, which has
various important infrastructure assets, including landmarks and federal
agency headquarters. We visited Texas, and three local governments in
Texas, because it is a large coastal state with a variety of critical
infrastructure assets, including national landmarks, ports, and oil
pipelines. We also received information from Seattle, Washington, because
it is a large city with critical infrastructure assets such as landmarks
and ports.

We examined documentation provided by the federal agencies, states, and
local governments mentioned above to identify the guidance and information
they used in determining protective measures for the three code-orange
alert periods, the measures they implemented during those periods, the
additional costs they incurred

17Office of Management and Budget, 2003 Report to Congress on Combating
Terrorism.

as a result of the measures implemented, and the threat advisory systems
they had in place prior to the establishment of the Homeland Security
Advisory System. We also obtained information from Georgia on its threat
advisory system.

To obtain more detailed information on federal and state agencies'
guidance, measures, and additional costs for the three code-orange alert
periods, we developed and sent a questionnaire to 28 federal agencies and
another to the 50 states and the District of Columbia, four U.S.
territories18 and Puerto Rico. We received comments on draft versions of
the federal questionnaire from the 8 federal agencies we visited, and we
pre-tested the federal questionnaire with 4 of those agencies-the
Departments of Energy and Homeland Security, the National Aeronautics and
Space Administration, and the U.S. Holocaust Memorial Museum. To develop a
questionnaire to use in surveying states and territories, we adapted the
final version of the federal questionnaire to correspond with information
gathered during our preliminary visits to the 3 states, the District of
Columbia, and the seven local governments and information provided to us
by 1 state and two local governments. We then pre-tested this
questionnaire with 3 states-Delaware, Pennsylvania, and West Virginia.

We sent the questionnaire to the 25 federal agencies that reported
homeland security

19

funding for fiscal year 2003 to the Office of Management and Budget. In
addition, we sent the questionnaire to 3 federal agencies that are Chief
Financial Officers Act20 agencies but did not report homeland security
funding for fiscal year 2003. Thus, we included all Chief Financial
Officers Act agencies in our review, except the Department of Defense.
Although the Department of Defense is a Chief Financial Officers Act
agency and, along with the Army Corps of Engineers-Civil Works, reported
homeland security funding for fiscal year 2003, we excluded these agencies
from our review because these agencies and their component entities did
not follow the Homeland Security Advisory System.

We conducted preliminary analysis on the questionnaire responses received
from 15 federal agencies for this report. While we received questionnaire
responses from additional federal agencies, we did not receive the
responses in time to incorporate the results into this report. We did not
receive responses from any states or territories to our questionnaire in
time to include the results in this report.

For the 15 federal agencies' questionnaire responses, we analyzed the
responses to determine the most commonly reported ways in which these
federal agencies were notified of changes in the Homeland Security
Advisory System national threat level, the types of information included
in the notifications, the methods through which these federal agencies
would like to be notified of national threat level changes, and the types
of information they would like to have included in the notifications.

18The four U.S. territories include American Samoa, Guam, the Northern
Mariana Islands, and the U.S.
Virgin Islands.
19Office of Management and Budget, 2003 Report to Congress on Combating
Terrorism. Of the 25
federal agencies that reported homeland security funding in fiscal year
2003, 22 are Chief Financial
Officers Act agencies.
20P.L. 101-576 (Nov. 15, 1990).

In addition, we analyzed the questionnaire responses to determine the most
commonly reported types of guidance and information received by these
federal agencies in determining protective measures for the code-orange
alerts and federal agencies' perspectives on the usefulness and timeliness
of the guidance and information. We also reviewed the questionnaire
responses to identify agency perspectives on the types of additional
information that would have been helpful in determining protective
measures.

We evaluated the questionnaire responses to identify the most commonly
reported types of measures that the 15 federal agencies implemented during
the three codeorange alert periods, the extent to which these federal
agencies conducted tests on protective measures and received confirmation
on the implementation of measures, the benefits to these federal agencies
from the implementation of measures, and the most commonly reported
operational challenges faced by the 15 federal agencies in implementing
measures.

Furthermore, we analyzed cost data reported by these federal agencies in
the questionnaire responses to determine the average daily additional
costs incurred by federal agencies during the code-orange alert periods.
We analyzed the federal agencies' cost data to determine the percentage
change in additional average daily costs across the three code-orange
alert periods. We evaluated the questionnaire responses to identify
methods used by these federal agencies to determine their actual or
estimated additional costs for each of the code-orange alert periods and
their actual or estimated total costs for each code-yellow alert that
preceded the code-orange alert periods. We reviewed these methods to
assess the level of consistency in the ways that these federal agencies
collected actual cost data or developed costs estimates and also reviewed
procedures reported by federal agencies for reviewing and certifying the
reliability of cost data.

To obtain information on these federal agencies' threat advisory systems,
we analyzed questionnaire responses to determine the number of federal
agencies that had their own threat advisory systems in place prior to the
establishment of the Homeland Security Advisory System as well as the
number of agencies that follow their own threat advisory systems and the
Homeland Security Advisory System. We reviewed documentation of the threat
advisory systems that these federal agencies provided with their
questionnaire responses to identify the characteristics of the systems,
including the systems' threat levels and protective measures and the
systems' conformance to the Homeland Security Advisory System.

On the basis of our work to date, we collected detailed information on the
experiences of Atlanta and Fulton County, Georgia, during the code-orange
alert periods through visits with local government officials. We plan to
collect detailed information from seven additional cities and four
additional counties. We selected locations based on the following
criteria: the local governments' receipt of urban area grants21 from DHS,
geographic location, topography (e.g., inland or border/seaport), and type
of locality (e.g., metropolitan or nonmetropolitan area). We selected some

21The Urban Area Security Initiative grants are awarded based on a
combination of current threat estimates, critical assets within the urban
area, and population density.

cities and counties that received grants from DHS and some that did not.
We also selected cities and counties from different geographic regions and
with different topographic characteristics, as well as cities and counties
that are in both metropolitan and nonmetropolitan areas.

Enclosure II

Federal Agencies Surveyed

Department of Agriculture
Department of Commerce
Department of Education
Department of Energy
Department of Health and Human Services
Department of Homeland Security
Department of Housing and Urban Development
Department of the Interior
Department of Justice
Department of Labor
Department of State
Department of Transportation
Department of the Treasury
Department of Veterans Affairs
Agency for International Development
Corporation for National and Community Service
Environmental Protection Agency
Federal Communications Commission
General Services Administration
National Aeronautics and Space Administration
National Archives and Records Administration
National Science Foundation
Nuclear Regulatory Commission
Office of Personnel Management
Small Business Administration
Smithsonian Institution
Social Security Administration
United States Holocaust Memorial Museum

                                 Enclosure III

                      Enclosure III Federal Questionnaire

Enclosure IV

GAO Contacts and Staff Acknowledgments

GAO Contacts

William O. Jenkins, Jr. (202) 512-8777 Debra B. Sebastian (202) 512-9385

Acknowledgments

In addition to the individuals named above, David P. Alexander, Fredrick
D. Berry, Nancy A. Briggs, Kristy N. Brown, Philip D. Caramia, Christine
F. Davis, Michele Fejfar, Rebecca Gambler, Gladys Toro, Jonathan R. Tumin,
and Kathryn G. Young made key contributions to this report.

(440290)

GAO'S Mission
The General Accounting Office, the audit, evaluation and investigative arm
of Congress, exists to
support Congress in meeting its constitutional responsibilities and to
help improve the performance
and accountability of the federal government for the American people. GAO
examines the use of
public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and
other assistance to help Congress make informed oversight, policy, and
funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and
reliability.

Obtaining Copies of GAO Reports and Testimony
The fastest and easiest way to obtain copies of GAO documents at no cost
is through the Internet.
GAO's Web site (www.gao.gov) contains abstracts and full text files of
current reports and testimony
and an expanding archive of older products. The Web site features a search
engine to help you
locate documents using key words and phrases. You can print these
documents in their entirety,
including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO email this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548

To order by Phone:	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, Waste, and Abuse in Federal Programs Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]

Automated answering system: (800) 424-5454 or (202) 512-7470

Public Affairs
Jeff Nelligan, Managing Director, [email protected] (202) 512-4800 U.S.
General Accounting
Office, 441 G Street NW, Room 7149 Washington, D.C. 20548
*** End of document. ***