[Senate Report 115-380]
[From the U.S. Government Publishing Office]
Calendar No. 665
115th Congress } { Report
SENATE
2d Session } { 115-380
_______________________________________________________________________
DEPARTMENT OF HOMELAND SECURITY DATA FRAMEWORK ACT OF 2018
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 2397
TO DIRECT THE SECRETARY OF HOMELAND SECURITY TO
ESTABLISH A DATA FRAMEWORK TO PROVIDE ACCESS FOR
APPROPRIATE PERSONNEL TO LAW ENFORCEMENT AND OTHER
INFORMATION OF THE DEPARTMENT, AND FOR OTHER PURPOSES
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
November 26, 2018.--Ordered to be printed
_________
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota KAMALA D. HARRIS, California
STEVE DAINES, Montana DOUG JONES, Alabama
Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Michelle D. Woods, Senior Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Subhasri Ramanathan, Minority Counsel
Laura W. Kilbride, Chief Clerk
Calendar No. 665
115th Congress } { Report
SENATE
2d Session } { 115-380
======================================================================
DEPARTMENT OF HOMELAND SECURITY DATA FRAMEWORK ACT OF 2018
_______
November 26, 2018.--Ordered to be printed
_______
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 2397]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 2397) to direct the
Secretary of Homeland Security to establish a data framework to
provide access for appropriate personnel to law enforcement and
other information of the Department, and for other purposes,
having considered the same, reports favorably thereon with an
amendment (in the nature of a substitute) and recommends that
the bill, as amended, do pass.
CONTENTS
Page
I. Purpose and Summary..............................................1
II. Background and the Need for Legislation..........................2
III. Legislative History..............................................5
IV. Section-by-Section Analysis......................................5
V. Evaluation of Regulatory Impact..................................6
VI. Congressional Budget Office Cost Estimate........................6
VII. Changes in Existing Law Made by the Bill, as Reported............7
I. PURPOSE AND SUMMARY
The purpose of S. 2397, the Department of Homeland Security
Data Framework Act of 2018, is to direct the Secretary of
Homeland Security to establish, within two years of enactment,
a data framework to integrate existing Department of Homeland
Security (DHS or the Department) data and systems to provide
real-time access to travel and immigration data for appropriate
personnel. It specifies types of data that must be included and
requires the data framework to be accessible to Department
employees with appropriate clearance, duties, and training. It
allows the Secretary of Homeland Security to exclude data from
the framework in cases where investigations or sources could be
compromised. It requires auditing and security mechanisms for
safeguarding the data framework.
II. BACKGROUND AND THE NEED FOR LEGISLATION
S. 2397 authorizes an existing program and requires a
deadline for completion. The DHS data framework program has
existed since November 2013, when a pilot phase began.\1\ It
has been operating since August 2014, when the Department began
limited and controlled trials.\2\ Integrating the different
Department of Homeland Security (DHS) datasets is critical to
efficient and effective operations. By requiring DHS to
complete the development of the data framework within two years
of the enactment of this Act, the Department will streamline
information sharing while ensuring compliance and safeguarding
of data. For instance, rather than querying 17 systems owned by
six different DHS components, an agent interested in real-time
information about a person who may represent a threat to border
security will be able to query the framework system as a single
point of reference.
---------------------------------------------------------------------------
\1\Dep't of Homeland Sec., Privacy Impact Assessment Update for the
DHS Data Framework at 2 (Feb. 27, 2015), available at https://
www.dhs.gov/sites/default/files/publications/privacy-pia-046b-dhs-data-
framework-20150227.pdf.
\2\Id.
---------------------------------------------------------------------------
The Department owns around 900 production databases
containing organized collections of information and data
supporting DHS missions.\3\ The Department's immigration and
traveler screening programs are consist of over 320 systems,
from which the Intelligence Community (IC) identified
approximately 40 that are high-value.\4\
---------------------------------------------------------------------------
\3\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
\4\Id.
---------------------------------------------------------------------------
The magnitude of a department-wide data integration system
requires a phased and prioritized approach. Of the 40 high-
value datasets, the Homeland Security Intelligence Council
(HSIC) considers 20 systems owned by six components to be the
most important, including: six datasets owned by United States
Customs and Border Protection (CBP); five owned by the United
States Citizenship and Immigration Services (USCIS); four owned
by the Transportation Security Administration (TSA); three
owned by the Immigration and Customs Enforcement (ICE); one
owned by the United States Coast Guard (USCG); and one owned by
the National Protection and Programs Directorate (NPPD).\5\
---------------------------------------------------------------------------
\5\Id. The CBP datasets HSIC considers most important are: the
Advance Passenger Information System (APIS); the Automated Commercial
Environment (ACE); Border Crossing Information (BCI); the Electronic
System for Travel Authorization (ESTA); the Form I-94; and the
Passenger Name Record (PNR) The USCIS datasets HSIC considers most
important are: the Central Index System (CIS); the CLAIMS 3; the CLAIMS
4; the Refugee, Asylum, and Parole System (RAPS); and the Section 1367
Data Extracted from the Central Index System. The TSA datasets HSIC
considers most important are: Aviation Worker Data; General Aviation
Data; the Alien Flight Student Program (AFSP); and the Secure Flight
Confirmed Matches Data. The ICE datasets HSIC considers most important
are: the Enforcement Integrated Database (EID); the TECS Secondary
Inspection; and the Student Exchange Visitor Information System
(SEVIS). The USCG dataset HSIC considers most important is the Ship
Arrival Notification System (SANS). The NPPD dataset is the Automated
Biometric Identification System (IDENT) Asylum Data.
---------------------------------------------------------------------------
The data framework can grow to include more datasets as it
expands the scope of its mission support. An initial
operational capability phase began in April 2015 and DHS
planned to add data, users, and capabilities in controlled
trials.\6\ A 2015 DHS Privacy Impact Assessment Update
projected that three to five datasets would be ingested into
the framework each year, working up to a total of 20 to 24
added over several years.\7\ It specified that use of the
framework ``will remain limited to counterterrorism, border
security, and immigration.''\8\ The update expanded users of
the framework to include the intelligence offices of the
following components: CBP; ICE; USCIS; USCG; TSA; the United
States Secret Service; and the Federal Emergency Management
Agency.\9\ An additional 17 DHS datasets were approved for
inclusion in this initial operational capability phase as of
October 11, 2016.\10\ This did not include all 20 datasets
identified by HSIC as the most important high-value DHS
datasets.
---------------------------------------------------------------------------
\6\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report
to Congress at 55 (2017), available at https://www.dhs.gov/sites/
default/files/publications/2016%20Data%20Mining%20 Report%20FINAL.pdf.
\7\Dep't of Homeland Sec., Privacy Impact Assessment Update for the
DHS Data Framework, supra note 1, at 2.
\8\Id. at 6.
\9\Id. at 7. The 17 systems were: ESTA; AFSP; SEVIS; APIS; Form I-
94; PNR; Section 1367; RAPS; SANS; BCI; IDENT; Aviation Worker Data;
Airspace Waivers and Flight Authorizations for Certain Aviation
Operations (including DCA) Data; Maryland-Three (MD-3) Airports Data;
Private Charter and Twelve Five Program Data; Secure Flight Confirmed
Matches Data; and Bill of Lading.
\10\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report
to Congress, supra note 6, at 59-60.
---------------------------------------------------------------------------
Different rules govern how each dataset can be handled,
stored, and shared. As the framework ingests datasets, the
Department individually curates each dataset to ensure quality
and automate policy compliance as well as appropriate privacy
and civil rights and civil liberties protections.\11\
---------------------------------------------------------------------------
\11\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
---------------------------------------------------------------------------
The Department has faced a number of challenges with the
implementation of the data framework. A 2017 DHS Office of
Inspector General report recorded that nine data systems had
been ingested into the framework and projected that 20 datasets
would be included in the framework by the end of the 2017
fiscal year.\12\ However, a ``massive data quality and data
retention effort'' and ``an overhaul of the unclassified
portion of the system enabling high-speed data sharing,'' both
undertaken in 2017, led DHS to purge all datasets from the
framework and start over.\13\
---------------------------------------------------------------------------
\12\Office of Inspector Gen., Dep't of Homeland Sec., Improvements
Needed to Promote DHS Progress toward Accomplishing Enterprise-wide
Data Goals at 7 (2017), available at https://www.oig.dhs.gov/sites/
default/files/assets/2017/OIG-17-101-Aug17.pdf.
\13\Email from DHS Data Framework Technical Manager to Sen. Johnson
staff (June 12, 2018).
---------------------------------------------------------------------------
In the fall of 2017, IC partners with access to the
framework requested improvements to the refresh rate of the
data in the system.\14\ ``The technical infrastructure needed
to be upgraded as it was built using technology from the
original pilot and could not reliably support operational use,
nor could it meet the throughput demands of the
customers.''\15\ All data was purged from the data framework
while the Department made technical improvements and addressed
compliance and security concerns.\16\ The framework has since
been upgraded to address those issues.\17\
---------------------------------------------------------------------------
\14\Id.
\15\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
\16\Id.; Email from DHS Data Framework Director to S. Comm. on
Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\17\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 18, 2018).
---------------------------------------------------------------------------
When upgrades were complete, the Department prioritized re-
ingesting CBP datasets that ``would close a national security
gap for the National Targeting Center.''\18\ According to the
DHS Data Framework Director, as of June 2018, ``the data
framework pulls over 1.3 billion records from four CBP systems
to support internal and external mission partners.''\19\
---------------------------------------------------------------------------
\18\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
\19\Id.
---------------------------------------------------------------------------
The datasets appropriately curated and currently
operational in the data framework include: the Advance
Passenger Information System (APIS); the Electronic System for
Travel Authorization (ESTA); Form I-94; and the Passenger Name
Record (PNR).\20\ The APIS includes flight manifest data on
passengers and crew and provides about 300 million records to
the framework.\21\ The ESTA allows Visa Waiver Program
travelers authorization to enter the United States and provides
about 40 million records to the framework.\22\ The Form I-94,
which records all arrival and departure data of non-immigrant
visitors to the United States, provides about 750 million
records to the framework.\23\ The PNR data includes more travel
information about passengers flying to, from, or through the
United States and provides about 250 million records to the
framework.\24\
---------------------------------------------------------------------------
\20\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 18, 2018).
\21\DHS/CBP/PIA-001(g)--Advance Passenger Information System
(APIS), Dep't of Homeland Sec., https://www.dhs.gov/publication/
advanced-passenger-information-system-apis-update-national-
counterterrorism-center-nctc; see also Email from DHS Data Framework
Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18,
2018).
\22\DHS-CBP-PIA-007 Electronic System for Travel Authorization,
Dep't of Homeland Sec., https://www.dhs.gov/publication/electronic-
system-travel-authorization; see also Email from DHS Data Framework
Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18,
2018).
\23\DHS/CBP/PIA-016 I-94 Website Application, Dep't of Homeland
Sec., https://www.dhs.gov/publication/us-customs-and-border-protection-
form-i-94-automation; see also Email from DHS Data Framework Director
to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\24\Dep't of Homeland Sec., Agreement between the United States of
America and the European Union on the Use and Transfer of Passenger
Name Record to the United States Department of Homeland Security,
available at http://www.dhs.gov/sites/default/files/publications/
privacy/Reports/dhsprivacy_PNR%20Agreement_12_14_2011.pdf; Privacy
Impact Assessments, Dep't of Homeland Sec., http://www.dhs.gov/privacy-
impact-assessments; Privacy Act of 1974: U.S. Customs and Border
Protection, 77 Fed. Reg. 30,297, available at https://www.gpo.gov/
fdsys/pkg/FR-2012-05-22/html/2012-12396.htm; see also Email from DHS
Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs
Staff (June 18, 2018).
---------------------------------------------------------------------------
The Department is in the process of ingesting the TSA
Secure Flight Match dataset into the framework.\25\ The Secure
Flight Program matches the Terrorist Screening Database
watchlist against the information of passengers flying to,
from, or through the United States.\26\
---------------------------------------------------------------------------
\25\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
\26\TSA Secure Flight Program: Hearing Before the Subcomm. on
Transp. Sec. of the H. Comm. on Homeland Sec., 113th Cong., (Sept. 18,
2014), (statement of Steve Sadler, Assistant Admin., TSA), available at
https://www.tsa.gov/news/testimony/2014/09/18/tsa-secure-flight-
program.
---------------------------------------------------------------------------
Current users of the framework include the DHS Office of
Intelligence and Analysis, CBP, the TSA, and classified IC
partners.\27\ There are plans to add DHS Counterintelligence
and Countering Insider Threat users.\28\
---------------------------------------------------------------------------
\27\Email from DHS Data Framework Director to S. Comm. on Homeland
Sec. & Gov't Affairs Staff (June 19, 2018).
\28\Id.
---------------------------------------------------------------------------
The Department is able to better integrate analysis now
that the data framework transfers unclassified information at
high-speed to classified networks. A DHS June 2018 update on
the progress of the Data Framework Program asserts that the
framework ``since February 2018 has provided data from an
unclassified CBP system, up to a classified network, and out to
an IC partner an average of every hour.''\29\ The same update
says that this capability ``has led to multiple findings and at
least one `operational action''' in support of the DHS
partnership with the IC to combat the Syrian foreign fighter
threat.\30\
---------------------------------------------------------------------------
\29\Email from DHS Data Framework Technical Manager to Sen. Johnson
Staff (June 12, 2018).
\30\Id.
---------------------------------------------------------------------------
This is an important program that creates efficiency in
support of several core missions of the Department.
Specifically, this Act establishes requirements for the use of
the data framework by DHS employees, excludes the inclusion of
information that may compromise criminal investigations, and
include privacy and civil rights protections. In addition,
implementation of the data framework is required to be
completed within two years of the enactment of this Act. The
Act also requires DHS to provide regular updates on the status
of the implementation of the framework. By requiring DHS to
ensure the data framework is able to include DHS information
that supports critical mission operations, this legislation
will allow DHS and its partners to better share information in
a timely and efficient manner.
III. LEGISLATIVE HISTORY
Senator Margaret Wood Hassan (D-NH) introduced S. 2397 on
February 7, 2018. The bill was referred to the Committee on
Homeland Security and Governmental Affairs.
The Committee considered S. 2397 at a business meeting on
June 13, 2018. Senator Hassan offered a substitute amendment
that added a requirement that DHS should describe how the data
framework was used to disrupt terrorist activities in any
annual homeland security threat assessment. The Committee
adopted the amendment and ordered the bill, as amended,
reported favorably, both by voice vote. Senators present for
both the vote on the amendment and the vote on the underlying
bill were: Johnson, Portman, Lankford, Enzi, McCaskill, Carper,
Peters, Hassan, Harris, and Jones.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section provides the bill's short title, the
``Department of Homeland Security Data Framework Act of 2018.''
Section 2. Department of Homeland Security data framework
This section requires the Secretary to develop a framework
to integrate DHS datasets and systems to streamline authorized
access and appropriate safeguards.
Subsection (a) establishes the requirements for inclusion
of DHS datasets including homeland security information,
terrorism information, weapons of mass destruction information,
and national intelligence information. It also requires the
inclusion of data relevant to priority mission needs of the
Department.
Subsection (b) governs use of the framework by Department
employees. It establishes that DHS employees with access to the
data framework have appropriate clearances, have duties that
require such access, and are trained to safeguard the data in
the framework. It requires the Secretary to provide DHS
employees with access to the framework with guidance that
emphasizes that access to the framework entails a duty to share
with other offices and components of the Department. It also
requires the Secretary to promulgate data standards that
require components to share what information they are able in
machine-readable format.
Subsection (c) allows the Secretary to exclude data from
the framework in cases where inclusion may compromise
investigations or sources, be inconsistent with the law, or be
duplicative.
Subsection (d) requires auditing and security mechanisms
for safeguarding the data framework including from insider
threats, other security risks, or exploitation that disregards
appropriate privacy or civil rights and civil liberties
protections.
Subsection (e) requires a deadline for implementation of
the data framework at two years from enactment. At the
deadline, the framework is required to be able to include DHS
data required to support the Department's critical mission
operations.
Subsection (f) requires the Secretary to regularly update
Congress on the status of the data framework and notify
Congress when the framework is fully operational.
Subsection (g) defines ``appropriate congressional
committee,'' ``homeland,'' ``homeland security information,''
``national intelligence,'' and ``terrorism information.''
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
June 28, 2018.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 2397, the Department
of Homeland Security Data Framework Act of 2018.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is Mark
Grabowicz.
Sincerely,
Keith Hall,
Director.
Enclosure.
S. 2397--Department of Homeland Security Data Framework Act of 2018
S. 2397 would require the Department of Homeland Security
(DHS) to integrate its datasets and information systems to
facilitate access to these systems by authorized personnel. DHS
is currently carrying out activities similar to those that
would be required by the bill; thus, CBO estimates that
implementing S. 2397 would have no significant effect on DHS
spending.
Enacting S. 2397 would not affect direct spending or
revenues; therefore, pay-as-you-go procedures do not apply.
CBO estimates that enacting S. 2397 would not increase net
direct spending or on-budget deficits in any of the four
consecutive 10-year periods beginning in 2029.
S. 2397 contains no intergovernmental or private-sector
mandates as defined in the Unfunded Mandates Reform Act.
The CBO staff contact for this estimate is Mark Grabowicz.
The estimate was reviewed by Theresa Gullo, Assistant Director
for Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because this legislation would not repeal or amend any
provision of current law, it would make no changes in existing
law within the meaning of clauses (a) and (b) of paragraph 12
of rule XXVI of the Standing Rules of the Senate.