The Inspector General says the Cybersecurity and Infrastructure Security Agency’s (CISA) Office for Bombing Prevention (OBP) needs to improve its management of the Department of Homeland Security’s counter-improvised explosive devices (C-IED) efforts, as well as its assessment of national, regional, and state C-IED capabilities.
During the past few decades, IEDs have become a priority threat to national security — growing in frequency, magnitude, and complexity since the 9/11 attacks. Although designated to lead day-to-day implementation of Presidential Policy Directive 17: Countering Improvised Explosive Devices within DHS, the Office of Inspector General (OIG) says OBP is not managing component participation or tracking milestone completion dates as required. This occurred, the watchdog says, because it does not have a policy delineating its roles and responsibilities in leading CIED efforts across the Department.
In addition, although required by its Counter–IED Resource Guide, OIG found that OBP does not have the necessary data to assess and report on national, regional, and state C-IED capabilities. Specifically, OIG determined that OBP’s C-IED capability data is outdated because it does not have a policy requiring outreach to first responder special units to update this data.
OBP also does not incorporate vital data from its programs and training into its capability assessments, the audit found.
Finally, OIG stated that OBP cannot generate automated C-IED capability reports to identify national, regional, and state CIED gaps because its systems are not integrated and do not have the functionality to generate comprehensive reports at all levels.
To address the shortcomings, OIG recommends that CISA issue policy that clearly delineates OBP’s day-to-day responsibilities in leading Presidential Policy Directive 17 coordination and implementation efforts across DHS, including a process for identifying, tracking, and elevating participation issues, as well as tracking milestones quarterly. In response, CISA concurred with the recommendation and said its Office of Strategy, Policy, and Plans (OSPP) will issue an internal policy that delineates OBP’s day-to-day responsibilities by August 31, 2022. OBP will also continue to convene quarterly DHS IED Working Group meetings to solicit and record input from components on the status of milestones.
OIG also called for CISA to issue policy requiring OBP to contact its first responder special units on an annual basis and retain records for these efforts. CISA again concurred and aims to meet this recommendation by August 31, 2022 also.
The agency also agreed with OIG’s final recommendation to integrate its C-IED data sources and modernize its reporting system to generate automated reports at the national, regional, and state level. CISA took its National CIED Capabilities Analysis Database (NCCAD) offline and began migrating it to a new Amazon Web Services (AWS) Cloud-based operating environment. OBP is also working with CISA procurement to prepare a contract to finalize development, implementation, and program sustainment of the AWS Cloud-based operating environment. CISA plans to initiate technical deployments to include data visualization capabilities, the data warehouse, NCCAD data feed, incident data feed, and the uploading of spreadsheets that contain a wide range of C-IED programmatic data. These actions are scheduled to be completed and reach Initial Operational Capability by March 2023.
