Before I get into the story it, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast dispersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy - when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago…more stuff about NLETS was deleted).

The main points I took away from this press release were:

1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
3. And, because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enables direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog - it involved innovative use of technolgy for law enforcement, a psuedo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing - some might even say it had all the makings of a Will Smith movie.

To help set the stage, here are a few facts I found online:

• Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BVGatso.
• Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
• Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
• Finally, there are no-sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free, (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdications across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
3. Data Access: Will Gatso/Redflex have access to the entire registration record? or, will access be limited to certain fields?
4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
5. Network Security: Will overseas developers/site suport staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nltes systems/networks from abuse/attack?
6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents personal information will be protected?
8. Audit/Logging: Will all queries to vehicle registration information logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to foreign owned company? Will they care?

How these questions are answered will determine whether or not we should worry…

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonights news, like St. Louis –> St. Louis Police Department computer hacked in cyber-attack .

The bottom-line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitve data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

The SMART Office is authorized by law to administer the standards for sex offender registration and notification that are set forth in SORNA. It is further authorized to cooperate with and provide assistance to states, local governments, tribal governments, and other public and private entities in relation to sex offender registration and notification and other measures for the protection of the public from sexual abuse or exploitation. The SMART Office is a key federal partner and resource for jurisdictions as they continue to develop and strengthen their sex offender registration and notification programs

IMPORTANT AREAS OF REFORM UNDER SORNA

• Extends the jurisdictions in which registration is required beyond the 50 states, the District of Columbia, and the principal U.S. territories, to include federally recognized Indian tribes.
• Incorporates a more comprehensive group of sex offenders and sex offenses for which registration is required.
• Requires registered sex offenders to register and keep their registration current in the jurisdictions in which they reside, work, or go to school.
• Requires sex offenders to provide more extensive registration information.
• Requires sex offenders to make periodic in person appearances to verify and update the registration information.
• Expands the amount of information available to the public regarding registered sex offenders.
• Makes changes in the required minimum duration of registration for sex offenders.

OVERVIEW

SORNA was passed in July 2006, with a 3 year implementation schedule. A one year extension was added bringing the deadline to July 27, 2011; there will be no more extensions. Jurisdictions that fail to substantially implement SORNA by July 27, 2011 are subject to a mandatory 10% reduction in funding under 42 U.S.C. 3750 et seq. (“Byrne Justice Assistance Grant” funding).

TOPICS ADDRESSED IN SUPPLEMENTARY GUIDELINES

1. Juvenile Delinquents (post of Juveniles)
2. Internet Identifiers (concern over identifying children protected by the Kid’s Act 2008)
3. International Travel (offenders must give 21 days notice to travel)
4. Domestic Information Sharing – discussion portal
5. Acknowledgement (notice forms) assuring offender has notice forms
6. Ongoing Implementation Assurance
7. Retroactive Classes
8. Newly recognized tribes

TRIBAL IMPLEMENTATION UPDATE

• 45 Tribes have submitted materials to review.
• 125 Tribes are trained in TTSORS
• 23 Tribes on NSOPW
• 22 Tribes are utilizing TTSORS

CHALLENGES FOR SORNA TRIBES

• Tribes face more challenges with hardware and software.
• Many need more assistance in SORNA.
• Problems with Tribes submitting DNA and Fingerprints.

NEW TOOLS AND ASSISTANCE FOR TRIBES

• New technology assistant grant.
• Indian Country TA grant.
• Tool kit for Tribes.
• Updated Model Tribal Code
• TLOA – Tribal Law and Order Act

QUESTIONS SUBMITTED TO THE PANEL

Q1. When will the first penalty for non-compliance offence?

Answer: The first penalty will take place in FY12; again the final deadline is July 27th 2011.

Q2. What constitutes a State working towards implementation?

Answer: NCJA know the status of all states, some states have done very little, and they will need a plan to know how to use the 10% funding. Most jurisdictions are working towards implementation.

Q3. Will there be a 3rd deadline extension

Answer: Absolutely not, no more deadline extensions, the deadline stands at July 27th 2011.

Q4. States and Tribes – Can States use the grants for more staffing?

Answer: Absolutely, most grants have been used for staffing. Areas include:

Project Managers, Office Managers, Law Enforcement Officers, Data Entry Personnel, Police Officers.

Q5. One State has a problem with Sex Offenders going underground?

Answer: Yes, this is to avoid registration, they are non-compliant with SORNA, but they will be prosecuted as it is a violation of registration.

Q6. There are some concerns over juveniles registering; can you provide clarification?

Answer: All Juvenile Sex Offenders should be registered on SORNA. Juveniles are from ages 14 and over, these include all Juvenile Sex Offenders, delinquents, serial sex offenders, and juveniles with a history of aggravated sexual abuse. Some cases are exempt; i.e. Romeo and Juliet cases are excluded from SORNA.

Q7. Can some States go above SORNA with issues?

Answer: Yes, some States have done. Indiana, Alaska and Maine, the NCJA are working with them on certain issues. States can go over and beyond the requirements if needed.

Q8. Should we be concerned about privacy rights of individual Sex Offenders?

Answer: All Sex Offender registrations are public

Q9. How are tribes implementing SORNA?

Answer: Most tribes are collaborating with their States. The vast majority of Tribes will be working on implementing SORNA for many years. Help is needed for some Tribes.

Q10. If a State has been working very hard to implement SORNA, and does not have the review ready by the deadline, will the State still be penalized, or will it be taken into account the hard work achieved?

Answer: If the States submits what has been reviewed on July 27th 2011, it will be considered and noted that hard work and communication has taken place to implement, so no penalties will ensue, provided the hard work will continue. Unfortunately Tribes are not included in this.

Q11. Any other suggestions to support help in implementing SORNA in various States?

Answer: The problem here is that there is no one organization in place to oversee or overview the implementation of SORNA in every State. This is a problem, and every State is working independently. Also there still are ongoing problems with Tribes, this is a concern and they do need help.

SOME ADDIITONAL COMMENTS

• I think it is in every parent’s interest that SORNA is implemented for the safety of their children. I do not know if parents in each state are aware of SORNA, if they are not, public meetings should be held to inform all parents of what SORNA is and how it can help track all sex offenders in and around their general area.
• I am concerned about the slowness of SORNA implementation; many States need additional assistance in implementing SORNA. A point was raised that there was no one organization to assist in tracking every States’ implementation of SORNA and to produce up to date reports on the advancement of each State in implementing SORNA.
• I feel such an organization could be created to assist States that are slow to implement, or are just not sure as to what is required of them. This organization could oversee all States, and keep up to date information available to the NCAJ and the Government as to where the States are at with implementing SORNA, who needs more help in meeting the deadline, and also helping with any concerns that some States may have re: privacy laws etc that may be slowing them down with their advancement.
• I am also concerned about SORNA implementation with the Indian Tribes. Each Tribe is different, and has different problems in implementing SORNA, and they have concerns that are slowing them down too. They also need help in different areas, software, hardware, submitting DNA and fingerprinting. It is essential that they receive help and assistance, and possibly look into more funding for them. If they are penalized by not meeting the deadline they will lose 10% of their funding, and this will hinder them even more, and may even cause them to lose interest in SORNA. So we may need another independent organization set up to help the Tribes to implement SORNA.

The bottom line is that our children have a right to be protected, and by not having SORNA in place, we are letting our children down. Parents should be made aware of SORNA, and should write to their local government offices to inquire as to what stage SORNA implementation is at in their State.

March 17, 2009

Hi Jeff,

With sincere apologies to Sean Connery, I am dismayed that people are still bringing a knife to an information sharing gun fight—the importance of information sharing, data discoverability, security protections, metrics and incentives, and empowerment have been documented many times over since I became involved in information sharing in 1999 and have proved to be of little value to making information sharing happen.

I believe a significant reason for this is that information sharing has been seen as the “main thing.” Information sharing should NEVER be seen as the main thing; it is simply a means to an end. I have never forgotten what Scott McNealy of Sun Microsystems said—“The main thing is to keep the main thing the main thing.” And, the main thing for government is safe streets, clean air and water, a strong economy, etc…NOT information sharing.

The “guns” that we need to bring to the information sharing table are simply engaged executive leadership and accountability for mission results.

Of the many significant information sharing projects around the country that I have been a part of, I can tell you that the most important ingredient for successful information sharing is: “An agency executive who actively communicates an operational imperative for mission success and then holds their managers accountable for using information sharing as a critical enabler for achieving desired mission results.” [I have a few blog posts on the subject at http://www/nowheretohide.org/wordpress]

While I agree that good security, good technology, good project management, good metrics and the like are necessary, none of this will matter if the need for information sharing is relegated two or three levels down the organization chart or is just seen as an edict from above—federal, state, and municipal agencies are already choking on multiple (and often conflicting and unfunded) mandates.

With my apologies to our President, the PM-ISE, and the Markle Foundation there is nothing more they can print on a sheet of paper to make information sharing happen—hundreds of executive orders, national strategies, task force reports, and security policies have been published—what more could they possibly say?

I believe it now comes down to the individual will of executive leadership in those federal, state and municipal agencies who hold the information that should be made shareable and their capacity to make it happen within their respective agencies. And that Jeff is the one area where I do believe that President Obama and our Congress can help—by simply ensuring that the people they choose to lead those agencies a) truly embody the will, character, and leadership qualities to achieve the mission and b) understand the value that information sharing brings to help make that happen.

r/Chuck Georgo
chuck@nowheretohide.org

Best Collaboration and Information Sharing

Fusion Center Empowers Utah’s Crime Stoppers, Utah Department of Public Safety, Statewide Information & Analysis Center

The Utah Statewide Information & Analysis Center (SIAC), managed by the Utah Department of Public Safety, is a public safety partnership collaboration with all of the state’s law enforcement and public safety agencies to collect, analyze and disseminate intelligence appropriately for enhanced protection of Utah’s citizens, communities and critical infrastructure. As the state’s intelligence fusion (terrorism and response) center, SIAC replaced a legacy system that lacked effective data management practices and included manual, duplicative efforts. SIAC implemented a new set of technologies which utilized existing assets, integrated domain-specific applications, and improved business processes for information collection and management, and analysis and information sharing with Utah’s 29 county Sheriff’s Offices, 180 law enforcement agencies, and more than 26 specialized task forces.

Fusion Core Solution is an open and extensible information sharing and analysis product, based on the National Information Exchange Model (NIEM) and Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard, developed to help municipal, county, regional, state, and federal intelligence and fusion centers improve operations through workflow management, information sharing, and geospatial intelligence technologies. For more information about Fusion Core Solution see http://www.microsoft.com/fusion

In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies represnting 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

• Direct costs - communications costs, investigations and forensics costs and legal costs
• Indirect costs - lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

• 82% of all breaches involved organizations that had experienced more than one data breach
• 42% of all breaches studied involved errors made by a third party
• 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
• 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck

A few concerns I have include:

1. None of the Data.gov principles in the CONOP address the “real-world effects” we hope to achieve through data.gov–from an operational programs perspective. All seven principles in the CONOP address “internal” activities (means). We need to address success in terms of what citizens will realize through the Data.gov effort.

2. The entire Data.gov effort appears to be driven out of context from any government performance planning and evaluation process. Shouldn’t the need for data transparency be driven by specific strategic management questions?  Where are the links to the President’s Management Agenda? Agency strategic plans?

3. There are more than 200 Congressional Committees with varying degrees of oversight of over a similar number of agencies in the Executive Branch. How will Data.gov impact Congress’ efforts to monitor (oversee) agency performance? What will happen when there is a disparity between a) what an agency says it’s doing, b) what oversight committee(s) say they are doing, and c) how the public views that agency’s performance based on data posted on Data.gov?

4. Transparency, Participation and Collaboration (TPC) are the buzz words of the month, but what does that really mean?  The opening sentence of the CONOP states “Data.gov is a flagship Administration initiative intended to allow the public to easily find, access, understand, and use data that are generated by the Federal government.” Do we really expect the general public to access and analyze the data at Data.gov? If so, do we really understand how the public will want to see/access the information? More importantly, are we (agencies) fully prepared to digest and respond to received public feedback?

5. Who will pay the agencies to support data transparency? Do we really understand the burden involved in achieving open government? The last thing federal agencies need is another unfunded mandate.

6. Finally, how do we know the data that’s made accessible via Data.gov is good data (correct)? The GPRA required OIG review and certification of agency data published in annual performance reports. What can we expect in the way of quality from near-real-time access to agency performance data? Will we require the same data quality process for data feeds posted on Data.gov? Will agencies be funded to do it right? 

I provide similar commentary on this issue and an analysis of the recent Executive Order in a December 17th blog posting here: http://www.nowheretohide.org/2009/12/17/open-government-directive-another-ambiguous-unfunded-and-edental-mandate/

Don’t get me wrong, I am all for open government, but let’s do it right. Let’s give the techies a couple of days off and let’s take a good hard look at the non-technical issues that could really hurt this effort if they’re not properly addressed.

Your comments and thoughts welcomed.

Thanks…r/Chuck

1. We fully understand why we want it and are clear about what we are really asking for;
2. We understand the burden involved in achieving open government and that we fund the agencies to do it right;
3. We are clear about the performance questions that we want the [transparent] data to answer;
4. We have an understanding for how the public will want to see/access the information; and
5. We are fully prepared to digest and respond to received public feedback .

After reading the 3,185 words of the Office of Management and Budget (OMB) Open Government Directive (with attachment), I am very sorry to report that IMO none of the five critiera (conditions) listed above have been met by the language contained in the document. From what I read:

• It would appear that no one in the approval chain asked any hard questions about the language–much of the language used is very vague and leaves a lot of room for interpretation (or misinterpretation);
• There is no mention of how agencies will be funded to build the capacity to meet the additional workload that the requirements of the memorandum are certain to cause.
• The focus of the document to “get agency data on the web” and “solicit (direct) public feedback” appears to be totally out of context of any other strategic management, performance assessment, or planning framework.  This appears to ba an end-run around other oversight committees and organizations, like Congress. Will Federal agencies be able to deal with direct feedback from hundreds or thousands of citizens? I am reminded of the old adage “be careful what you ask for”…;
• The document tells agencies to “publish information online in an open format that can be retrieved, downloaded, indexed, and searched by commonly used web search applications;” however, this can be satisfied in many ways–.txt, .csv, .doc, .pdf, .html,.xml, etc.–some formats will make it very cumbersome for the “public” to view, analyze and understand the data.
• Finally, the memorandum sets what I believe to be some very unrealistic expectations from both a performance and timeline perspective. For example, how can agencies be expected to review and respond to public input from the web when these same agencies are already overwhelmed with their current day-to-day tasks?

Here are a couple examples to ponder:

On Page 2 – “To increase accountability, promote informed participation by the public, and create economic opportunity, each agency shall take prompt steps to expand access to information by making it available online in open formats”

• Nowhere in the memorandum are the terms “accountability” or “informed participation” defined
• What does “create economic opportunity” really mean?
• It would appear that this mandate circumvents established management processes for holding Federal agencies accountable for efficient and effective performance? (OMB,GAO, Congress)

On Page 3 – “Each agency shall respond to public input received on its Open Government Webpage on a regular basis…Each agency with a significant pending backlog of outstanding Freedom of Information requests shall take steps to reduce any such backlog by ten percent each year.”

• What do the mean by “respond to public feedback on a regular basis?”
• All feedback? Some feedback?
• What does “regular basis” mean? Within 24 hours? Weekly? Annually?

If we really want Federal agencies to be more “open” with their data and information, we must be willing to commit the effort required to:

What are your thoughts and comments on this issue?

Thanks…r/Chuck

1. Resist the urge to see information sharing as an outcome. Information sharing is a means to an end, not the end itself. Each federal agency, every state and regional fusion center, and all law enforcement intelligence units should have a clear set of information requirements, questions if you will, that information sharing and the intelligence process should work to answer–hold agencies accountable for having clear and valid requirements. This has been a common practice in the intelligence community for decades and should be a practice for all information sharing elements.
2. Build clear accountability into the information sharing process. Every federal agency, fusion center and law enforcement agency should have one person, preferably an impassioned, well-respected leader, that can ensure that their agencies requirements are  well documented and communicated horizontally across federal boundaries and vertically to local, state, and municipal agencies, and (where applicable) private sector organizations.
3. Establish clear linkage of information sharing to agency operational performance measures. Just as staffing, information technology, facilities, and utilities are seen as strategic resources in a performance-based budget, information sharing must be seen as a resource to be strategically used to help an agency achieve its mission. When measuring the success of information sharing, focus on the extent to which it helped achieve agency goals–just as counting cases in law enforcement is a misleading way to judge public safety success, counting RFIs, records shared, SARs submitted is not a good way to gauge information sharing success–successful information sharing can only be measured through the extent to which it helps agencies (at all levels) achieve their operational goals.
4. Discourage agencies from using stovepiped portals for information sharing. All shareable data should be available as a “service” for consumer agencies to ingest into their systems and not through a dedicated portal that users will need a discrete login to access. You can read my previous “Portal-mania” blog post for more detail here, but all federal agencies should be required to make their data accessible through National information Exchange Model (NIEM) based web services. This will enable consumer agencies to integrate multiple data streams into their workflow and will reduce the number of websites and portals analysts are required to access to perform their work.
5. Give the same amount of attention to what is shared and how it is shared. Over the last few years, a significant amount of effort has gone into how information is shared at the expense of understanding the depth and breadth of information actually being shared. Many regional and national information sharing efforts still only contain basic levels of information, or worse are just pointer systems that require additional human effort to gain access to the actual record. Encourage agencies to communicate to each other what specific information is being shared, and what is not being shared, and help everyone understand the consequences of their decisions.
6. Encourage maximum use of NIEM and the Information Exchange Package Descriptions (IEPD) contained it its clearinghouse. NIEM has emerged as the dictionary of shareable data elements. When you string together sets of these data elements to satisfy a specific business need, an IEPD is born. The NIEM IEPD clearinghouse contains more than 150 IEPDs, many of which apply to national security, law enforcement and public safety missions. While many federal agencies have pledged their support of NIEM, more effort is needed to ensure that they first seek to use IEPDs already contained in the clearinghouse and do not develop one-off IEPDs designed to meet very narrow applications.
7. Finally, foster a culture of transparency to help communicate an appreciation of personal civil rights and civil liberties.  All information sharing and intelligence operations should engage in proactive efforts to help alleviate any fears that individual privacy and liberties are violated by any of the actions taken by those agencies. In my September 3, 2009 blog posting I list ten questions a fusion center director should ask of their own intelligence operations. I’d like to offer up these questions as a beginning framework for any information sharing or intelligence operation. They also serve as a good framework for evaluating the extent to which information sharing and intelligence operations are in fact seriously working to do the right thing.

In closing, I hope you can see how these seven points help to frame how you might structure a results oriented evaluation of information sharing across our federal agencies and with our state and regional fusion center, and private sector partners. Taken together you will be able to report the extent to which agencies have:

• Documented their information sharing requirements – what needs to be shared;
• Someone who can be directly held accountable for effective and proper information sharing;
• Linked their need for information to specific operational goals and strategies;
• Implemented mechanisms that makes it easy for other agencies to access their information;
• Ensured that they are sharing the right information (most meaningful) information;
• Taken advantage of NIEM as a way to save money and expedite information sharing; and
• Taken measures to proactively diffuse public (and media) perceptions of information misuse.

I wish you well in your new role as Senior Director for Information Sharing Policy.

Regards,

Chuck Georgo
chuck@nowheretohide.org

Whether you like the idea of a fusion center or not, they are here to stay. At last count, there were about 70 of them, and DHS recently spoke of helping to get even more going.  At their core, I believe a fusion center is responsible for doing three basic things: 

1. Accepting and vetting reports of unusual behavior (criminal or terrorism related);
2. Providing intelligence support to major case and tactical law enforcement operations; and
3. Proactively supporting federal, state, and local homeland security and community safety objectives. 

To do this well, the majority of fusion centers in operation today are required to rely on an assortment of manual processes, a patchwork of incompatible software applications, and dozens of disparate information sources. Walk into the typical fusion center today and you’ll probably find that an analyst answering the phone has to enter the request for their services into one application for management purposes, enter the same information into a second application for sharing purposes, then has to manually bring up and login to anywhere from 5-15 different data sources to search for information related to the service request, then has to open up at least one or more applications to write up  and package up the requested response, and then, more than likely, has to either manually fax it to whomever asked for the information or call them back on the telephone to give them the answer–a pretty painful and tedious way to work.

Today though, Microsoft announced release of a project that I have been helping them to develop for quite some time–the Fusion Core Solution.  Microsoft hopes, through use of Office, SharePoint and ESRI’s ArcGIS to help ease the pain described above.  The FCS uses SharePoint as a horizontal integration and workflow management platform to help an analyst go from taking in a fusion center service request, to searching for information, to analyzing that information, to producing the intelligence product without having to leave the SharePoint environment at all.

At a non-technical level, the FCS will enable fusion centers to do a couple of pretty cool things:

1. Provides a common look and feel across multiple analytic tools and business processes.
2. Greatly reduces the number of user names and passwords analyst must remember.
3. Organizes requests for fusion center services, and tracks progress of fusion center work.
4. Helps to better document and comply with 28 CFR Part 23, CUI and PCII requirements.
5. Provides multiple analyst-to-analyst and fusion center-to-fusion center collaboration tools
6. Helps to keep track of fusion center and extended staff capabilities and availability.

From a technical perspective, FCS fully supports NIEM conformant information exchanges and establishes a framework for supporting the service-oriented principles of the Justice Reference Architecture (JRA) as it applies to information and data sharing.

In a nutshell, “Fusion Core Solution is for a Fusion Center what Microsoft Windows is to a personal computer“–you can think of FCS as the “operating system” for a Fusion Center.

For more info, check out the Fusion Core Solution website, or email me.

r/Chuck

Added 8/4/2009: Click HERE to see Joe Rozek, Microsoft’s Executive Director of Homeland Security, and Former Senior Director for Domestic Counterterrorism at The White House Office of Homeland Security talk about Fusion Core Solution

It’s no secret, the National Information Exchange Model (NIEM) is a huge success.  Not only has it been embraced horizontally and vertically for law enforcement information sharing at all levels of government, but it is now spreading internationally.  A check of the it.ojp.gov website lists more than 150 justice-related Information Exchange Package Documentation (IEPD) based on NIEM–it’s been adopted by N-DEX, ISE-SAR, NCIC, IJIS PMIX, NCSC, OLLEISN, and many other CAD and RMS projects. 

For at least the last four years, Search.org has been maintaining the Justice Information Exchange Model (JIEM) developed by Search.org.  JIEM documents more than 15,000 justice information exchanges across  9 justice processes, 75 justice events, that affect 27 different justice agencies. 

So if JIEM establishes the required information exchanges required in the conduct of justice system business activities, and NIEM defines the syntactic and semantic model for the data elements within those justice information exchanges…then…

Wouldn’t it make sense for JIEM exchanges to call-out specific NIEM IEPDs?

And vice-versa, wouldn’t it make sense for NIEM IEPDs to identify the specific JIEM exchanges they correspond to?

Here’s a diagram that illustrates this…

Let me know what you think..

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org