Audit of the Department of State Police—Fusion Center Operations Objectives, Scope, and Methodology

In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor (OSA) has conducted an audit of certain activities of the Commonwealth Fusion Center (CFC) within the Department of State Police for the period July 1, 2014 through December 31, 2017.

We performed this audit in accordance with generally accepted government auditing standards, except Sections 6.56–6.59 of Chapter 6 of the US Government Accountability Office’s Government Auditing Standards, which pertain to obtaining sufficient, appropriate evidence to meet the audit objective. See “Scope Limitations” below for details on the data access constraints that prevented us from addressing the audit objective and developing findings and conclusions.

Below is our audit objective, indicating the question we intended our audit to answer and the conclusion we reached regarding our objective.

Section 7.11 of Chapter 7 of the US Government Accountability Office’s Government Auditing Standards states,

Auditors should . . . report any significant constraints imposed on the audit approach by information limitations or scope impairments, including denials or excessive delays of access to certain records or individuals.

During our audit, CFC imposed significant limitations on the audit process because CFC was concerned about the confidentiality of information related to criminal intelligence. Specifically, CFC did not provide access to its information systems or provide specific information regarding its activities that OSA needed in order to conduct audit testing. The following subsections describe the audit procedures we performed and the limitations we encountered.

The CFC Watch Center, located at the Department of State Police headquarters in Framingham, is the central point of contact for all information coming into CFC. It is also the conduit by which CFC disseminates time-sensitive information on threats and suspicious activities. Therefore, it is the most critical operational CFC position.

From discussions with CFC management, OSA understood that all incoming communications, requests for CFC assistance, and Watch Center personnel activity were recorded electronically. In an attempt to assess, and reach a conclusion on, the timeliness of the analysis and dissemination of the information, we requested and obtained the activity log for our audit period.

Limitations

Because CFC redacted personally identifiable information and other classified data, the data in the log lacked sufficient detail to allow for appropriate analysis of the timeliness of analysis and dissemination of (suspicious-activity reports) SARs. We could not determine who (e.g., federal, state, local, or private-sector entities) originated Watch Center activities, when the activities were assigned, when they were completed, or what were their final outcomes (e.g., CFC issued an alert, assisted in an investigation, or provided requested information). In addition, we were not given descriptions for all the activity categories in the log. Examples of these activity categories include open case support, database checks, geographic information system requests, missing persons, threat assessments, wanted persons, requests for information, and open advisories. CFC management cited system limitations and the above-described statutory prohibitions in relation to its inability to provide additional information.

The Nationwide Suspicious Activity Reporting Initiative (NSI) is a federal program³ for the collection and sharing of reports of suspicious activity by people in the United States. According to NSI’s Information Sharing Environment Functional Standard—Suspicious Activity Reporting, “suspicious activity” is “observed behavior reasonably indicative of pre-operational planning associated with terrorism or other criminal activity.” Suspicious activity might be observed by citizens and reported to local law enforcement, or it might be observed directly by state or local law enforcement personnel during routine interactions with the public. Fusion centers play a critical role in the process of managing SARs by collecting, vetting, and analyzing SARs. They also ensure that SARs that are determined to have a connection to terrorism are submitted to the Federal Bureau of Investigation (FBI) and made available to all NSI participants, including law enforcement and Department of Homeland Security (DHS) personnel, for further review.

SARs are typically submitted to CFC via telephone, email, or fax and are analyzed by trained intelligence analysts or investigators. Upon receipt, the information in a report is entered in CFC’s case management system, ACISS, for processing. If, based on the criteria used, the reported activity is determined to have a potential connection to terrorism, a CFC supervisor is responsible for approving the transfer of the relevant information to the FBI and making it available to all NSI participants for further review. The transfer is done via eGuardian, the FBI’s sensitive but unclassified system for receiving and tracking SARs and sharing them with federal and state law enforcement agencies. If the SAR is determined not to have a potential connection to terrorism, it is closed, but if there is reasonable suspicion of criminal activity, it is entered into a criminal intelligence database. In an attempt to assess, and reach a conclusion on, the timeliness of the analysis and dissemination of SARs, we requested and obtained a list of 1,061 SARs received by CFC during the audit period.

Limitations

The data provided lacked sufficient detail to allow for appropriate analysis. The log did not specifically list the date each SAR was analyzed by a CFC intelligence analyst or the date of supervisory review; however, CFC management stated that every CFC supervisor is notified of, and immediately reviews, every SAR upon receipt. Additionally, the date of transfer to the FBI—or, if a SAR was determined not to have a potential connection to terrorism, the date it was closed and the final outcome—could not be provided. Multiple attempts to obtain additional SAR data fields were unsuccessful. CFC management cited discussions with, and recommendations provided by, FBI officials (see Appendix C), as well as the above-described statutory prohibitions, in relation to their inability to provide additional information.

In 2006, the US Department of Justice, the FBI, and DHS developed a document called Fusion Center Guidelines—Developing and Sharing Information in a New Era. Their intent was to provide a consistent, unified message and comprehensive guidelines for developing and operating fusion centers. The guidelines outline the types of entity that should receive information and intelligence from fusion centers and recommend that fusion centers identify their permanent and temporary stakeholders. As a starting point, the guidelines recommend establishing stakeholders in the following functional categories:

• Agriculture, Food, Water, and the Environment
• Banking and Finance
• Chemical Industry and Hazardous Materials
• Criminal Justice
• Education
• Emergency Services (non–law enforcement)
• Energy
• Government
• Health and Public Health Services
• Hospitality and Lodging
• Information and Telecommunications
• Military Facilities and Defense Industrial Base [e.g., military bases, the US Army National Guard, and defense contractors]
• Postal and Shipping
• Private Security
• Public Works
• Real Estate
• Retail
• Social Services
• Transportation

We selected a judgmental sample of 38 stakeholders out of a list of 484 identified stakeholders provided by CFC to assess the extent of each stakeholder’s relationship with CFC and whether the stakeholders were satisfied with CFC products and services. We applied a nonstatistical sampling approach and, as a result, were not able to project our results to the entire population.

From our sample of 38 stakeholders, CFC was able to provide OSA with a contact person for only 29. CFC management indicated that it was difficult for them to get in touch with every stakeholder as requested because some people were unavailable while they were attending training sessions, taking vacations or other approved leaves, or occupied with their agencies’ operational needs. The 29 stakeholder contacts provided by CFC represented the following categories: 16 criminal justice, 4 emergency services (non–law enforcement), 2 education, 2 health and public health services, 1 hospitality and lodging, 1 banking and finance, 1 energy, 1 retail, and 1 transportation. The 9 stakeholders whose contacts could not be identified were in the following categories: 6 criminal justice, 1 government, 1 emergency services (non–law enforcement), and 1 transportation.

Our survey results indicated that the federal, state, and local law enforcement agencies surveyed generally provide information to CFC through information technology systems such as CopLink or other methods of communication such as email, telephone, or fax, which are typically funneled through the Watch Center. These law enforcement agencies typically receive information from CFC that includes email bulletins dealing with situational awareness, intelligence, crime, and counterterrorism. The non–law enforcement state and private-sector entities surveyed indicated that they typically did not provide information to CFC, but did receive information that could include general awareness bulletins. CFC management told us that non–law enforcement state and private-sector entities generally did provide other information, including SARs, subject matter expertise, and other types of information from a variety of sources, such as members of the public, private-sector organizations, and other non–law enforcement agencies.

The stakeholders surveyed all provided positive feedback and reported general satisfaction regarding their relationships with CFC. All stakeholders surveyed indicated that the information received by CFC was timely, relevant, and useful. Of the 29 stakeholders surveyed, 27 indicated that CFC information had influenced their decision-making. The other 2 indicated that the information received was for informational purposes only and therefore did not influence decision-making.

Of the 29 stakeholders surveyed, 17 provided suggestions on how the relationship could improve. The overriding theme of these suggestions was a desire to increase communication and information available to stakeholders. The suggestions included the following:

• bulletins from CFC discussing its capabilities
• annual seminars and user groups within certain functional categories to expand capabilities and inform stakeholders
• CFC hosting stakeholder visits and meeting with stakeholders more frequently to open channels of communication and maintain relationships fractured by personnel changes
• stakeholders’ inclusion on a daily email distribution list
• a smartphone application for even quicker dissemination of information

On December 14, 2017, the OSA advised the [Department of State Police] that they would be conducting an audit of the CFC for the period July 1, 2014 to December 31, 2017. . . . Throughout the audit which concluded in September 2018, the CFC acted in good faith and provided the OSA with as much information and data as it could without violating any existing state or federal laws, policies or directives that were enacted to protect the privacy, civil rights and civil liberties of individual citizens or the safety and security of the public. . . .

[At our initial meeting with the audit team], the CFC recognized and advised the OSA that a performance based audit of the CFC by a non–law enforcement agency would be problematic because of existing (state and federal) laws, policies and directives enacted to safeguard the sharing of intelligence data and to protect the privacy, civil rights and civil liberties of individual citizens as well as the safety and security of the public. The CFC also advised the OSA that these same (state and federal) laws, policies and procedures would preclude the CFC from lawfully sharing certain types of information with them and that the CFC would not be able to provide the OSA with direct access to its databases because of these preclusions.

As detailed above, the time it took OSA to complete this audit was protracted by CFC’s inability to provide the information necessary to meet our audit objective. Although we acknowledge that CFC told us there might be limits to the information it could provide, OSA continued to conduct audit work because CFC’s staff indicated that it would work with OSA to try to develop a strategy or workaround that would allow OSA to obtain the information we would need to meet our audit objective. Unfortunately, alternative strategies that would allow OSA to conclude on our audit objective could not be developed.