The audit sought to determine whether the Commonwealth Fusion Center gathers and analyzes information on law enforcement, public safety, and terrorism and disseminates it to its stakeholders efficiently and effectively. It examined the period of July 1, 2014, through December 31, 2017.
Audit of the Department of State Police—Fusion Center Operations
|Organization:|Office of the State Auditor|
|Date published:|January 18, 2019|
In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted a performance audit of the Commonwealth Fusion Center (CFC) within the Department of State Police for the period July 1, 2014 through December 31, 2017. This audit was undertaken to determine whether CFC gathers and analyzes information on law enforcement, public safety, and terrorism and disseminates it to its stakeholders¹ efficiently and effectively.
During our audit, we encountered scope limitations that prevented us from applying all of the audit procedures we considered necessary to reach a conclusion on our audit objective. Specifically, CFC could not provide direct access to its information systems or share certain types of information regarding CFC activities that we needed in order to conduct audit testing.
In some cases, CFC officials stated that they could not provide us with requested information because doing so was prohibited by state and federal restrictions regarding the dissemination of threat and criminal intelligence information. Specifically, CFC cited two distinct prohibitions against allowing OSA access to certain data and information. First, CFC cited Massachusetts public records law. Under Section 7(26)(n) of Chapter 4 of the General Laws, records related to “emergency preparedness, threat or vulnerability assessments, or . . . the security or safety of persons or buildings, structures, facilities, utilities, transportation or other infrastructure located within the commonwealth” may be exempt from disclosure. Although OSA acknowledges the existence of certain federal prohibitions related to sharing certain public-safety-related information, discussed infra, OSA’s enabling statute, Section 12 of Chapter 11 of the General Laws, supersedes any Massachusetts public records exemption. Further, Sections 7.39–7.43 of the US Government Accountability Office’s Government Auditing Standards, as well as Chapter 6 of the OSA Audit Policy Manual (“Reporting Confidential or Sensitive Information,” p. 149), prohibit OSA from disclosing confidential and sensitive information that would otherwise be exempt from public disclosure and set forth the procedure with which OSA treats such information.
The second prohibition CFC cited was certain federal regulations. Specifically, CFC cited Section 482 of Title 6 of the United States Code (USC), which prohibits state agencies, such as CFC, from disclosing federal homeland security information despite any state or local law to the contrary. Additionally, Sections 23.20(e) and 23.20(f) of Title 28 of the Code of Federal Regulations (CFR) limit the recipients of criminal intelligence information to law enforcement officials with a need and a right to know such information. OSA agrees with CFC that both 6 USC 482 and 28 CFR 23.20(e) and 23.20(f) created irreconcilable obstacles that prohibited OSA from achieving certain of its stated audit goals. See also Appendix C.
In other cases, CFC asserted that requested information was not available. Although we received survey responses from 29 stakeholders that received information from CFC during our audit period indicating that CFC was providing timely and useful information, we could not perform the additional testing we deemed necessary to adequately assess whether CFC gathered, analyzed, and disseminated information on law enforcement, public safety, and terrorism to its stakeholders efficiently and effectively.
1. Stakeholders either contribute information to, or receive product or analysis from, CFC. They include entities from various functional categories, including emergency management, emergency medical services, fire services, healthcare, law enforcement, public health, public utilities, social services, and transportation.