[Senate Report 115-380]
[From the U.S. Government Publishing Office]

Calendar No. 665

115th Congress }          { Report
                  SENATE
2d Session     }          { 115-380
_______________________________________________________________________

DEPARTMENT OF HOMELAND SECURITY DATA FRAMEWORK ACT OF 2018
__________

R E P O R T

of the

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE

to accompany

S. 2397

TO DIRECT THE SECRETARY OF HOMELAND SECURITY TO ESTABLISH A DATA FRAMEWORK TO PROVIDE ACCESS FOR APPROPRIATE PERSONNEL TO LAW ENFORCEMENT AND OTHER INFORMATION OF THE DEPARTMENT, AND FOR OTHER PURPOSES

November 26, 2018.--Ordered to be printed
_________

U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2018

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman
JOHN McCAIN, Arizona
CLAIRE McCASKILL, Missouri
ROB PORTMAN, Ohio
THOMAS R. CARPER, Delaware
RAND PAUL, Kentucky
HEIDI HEITKAMP, North Dakota
JAMES LANKFORD, Oklahoma
GARY C. PETERS, Michigan
MICHAEL B. ENZI, Wyoming
MAGGIE HASSAN, New Hampshire
JOHN HOEVEN, North Dakota
KAMALA D. HARRIS, California
STEVE DAINES, Montana
DOUG JONES, Alabama

Christopher R. Hixon, Staff Director
Gabrielle D'Adamo Singer, Chief Counsel
Michelle D. Woods, Senior Professional Staff Member
Margaret E. Daum, Minority Staff Director
Charles A. Moskowitz, Minority Senior Legislative Counsel
Subhasri Ramanathan, Minority Counsel
Laura W. Kilbride, Chief Clerk

======================================================================

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

R E P O R T

[To accompany S. 2397]

[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 2397) to direct the Secretary of Homeland Security to establish a data framework to provide access for appropriate personnel to law enforcement and other information of the Department, and for other purposes, having considered the same, reports favorably thereon with an amendment (in the nature of a substitute) and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and the Need for Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. PURPOSE AND SUMMARY

The purpose of S. 2397, the Department of Homeland Security Data Framework Act of 2018, is to direct the Secretary of Homeland Security to establish, within two years of enactment, a data framework to integrate existing Department of Homeland Security (DHS or the Department) data and systems to provide real-time access to travel and immigration data for appropriate personnel. It specifies types of data that must be included and requires the data framework to be accessible to Department employees with appropriate clearance, duties, and training. It allows the Secretary of Homeland Security to exclude data from the framework in cases where investigations or sources could be compromised. It requires auditing and security mechanisms for safeguarding the data framework.

II. BACKGROUND AND THE NEED FOR LEGISLATION

S. 2397 authorizes an existing program and requires a deadline for completion.
The DHS data framework program has existed since November 2013, when a pilot phase began.\1\ It has been operating since August 2014, when the Department began limited and controlled trials.\2\ Integrating the different Department of Homeland Security (DHS) datasets is critical to efficient and effective operations. By requiring DHS to complete the development of the data framework within two years of the enactment of this Act, the Department will streamline information sharing while ensuring compliance and safeguarding of data. For instance, rather than querying 17 systems owned by six different DHS components, an agent interested in real-time information about a person who may represent a threat to border security will be able to query the framework system as a single point of reference.

---------------------------------------------------------------------------
\1\Dep't of Homeland Sec., Privacy Impact Assessment Update for the DHS Data Framework at 2 (Feb. 27, 2015), available at https://www.dhs.gov/sites/default/files/publications/privacy-pia-046b-dhs-data-framework-20150227.pdf.
\2\Id.
---------------------------------------------------------------------------

The Department owns around 900 production databases containing organized collections of information and data supporting DHS missions.\3\ The Department's immigration and traveler screening programs consist of over 320 systems, from which the Intelligence Community (IC) identified approximately 40 that are high-value.\4\

---------------------------------------------------------------------------
\3\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
\4\Id.
---------------------------------------------------------------------------

The magnitude of a department-wide data integration system requires a phased and prioritized approach.
Of the 40 high-value datasets, the Homeland Security Intelligence Council (HSIC) considers 20 systems owned by six components to be the most important, including: six datasets owned by United States Customs and Border Protection (CBP); five owned by the United States Citizenship and Immigration Services (USCIS); four owned by the Transportation Security Administration (TSA); three owned by the Immigration and Customs Enforcement (ICE); one owned by the United States Coast Guard (USCG); and one owned by the National Protection and Programs Directorate (NPPD).\5\

---------------------------------------------------------------------------
\5\Id. The CBP datasets HSIC considers most important are: the Advance Passenger Information System (APIS); the Automated Commercial Environment (ACE); Border Crossing Information (BCI); the Electronic System for Travel Authorization (ESTA); the Form I-94; and the Passenger Name Record (PNR). The USCIS datasets HSIC considers most important are: the Central Index System (CIS); the CLAIMS 3; the CLAIMS 4; the Refugee, Asylum, and Parole System (RAPS); and the Section 1367 Data Extracted from the Central Index System. The TSA datasets HSIC considers most important are: Aviation Worker Data; General Aviation Data; the Alien Flight Student Program (AFSP); and the Secure Flight Confirmed Matches Data. The ICE datasets HSIC considers most important are: the Enforcement Integrated Database (EID); the TECS Secondary Inspection; and the Student Exchange Visitor Information System (SEVIS). The USCG dataset HSIC considers most important is the Ship Arrival Notification System (SANS). The NPPD dataset is the Automated Biometric Identification System (IDENT) Asylum Data.
---------------------------------------------------------------------------

The data framework can grow to include more datasets as it expands the scope of its mission support.
An initial operational capability phase began in April 2015 and DHS planned to add data, users, and capabilities in controlled trials.\6\ A 2015 DHS Privacy Impact Assessment Update projected that three to five datasets would be ingested into the framework each year, working up to a total of 20 to 24 added over several years.\7\ It specified that use of the framework ``will remain limited to counterterrorism, border security, and immigration.''\8\ The update expanded users of the framework to include the intelligence offices of the following components: CBP; ICE; USCIS; USCG; TSA; the United States Secret Service; and the Federal Emergency Management Agency.\9\ An additional 17 DHS datasets were approved for inclusion in this initial operational capability phase as of October 11, 2016.\10\ This did not include all 20 datasets identified by HSIC as the most important high-value DHS datasets.

---------------------------------------------------------------------------
\6\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report to Congress at 55 (2017), available at https://www.dhs.gov/sites/default/files/publications/2016%20Data%20Mining%20Report%20FINAL.pdf.
\7\Dep't of Homeland Sec., Privacy Impact Assessment Update for the DHS Data Framework, supra note 1, at 2.
\8\Id. at 6.
\9\Id. at 7. The 17 systems were: ESTA; AFSP; SEVIS; APIS; Form I-94; PNR; Section 1367; RAPS; SANS; BCI; IDENT; Aviation Worker Data; Airspace Waivers and Flight Authorizations for Certain Aviation Operations (including DCA) Data; Maryland-Three (MD-3) Airports Data; Private Charter and Twelve Five Program Data; Secure Flight Confirmed Matches Data; and Bill of Lading.
\10\Privacy Office, Dep't of Homeland Sec., 2016 Data Mining Report to Congress, supra note 6, at 59-60.
---------------------------------------------------------------------------

Different rules govern how each dataset can be handled, stored, and shared.
As the framework ingests datasets, the Department individually curates each dataset to ensure quality and automate policy compliance as well as appropriate privacy and civil rights and civil liberties protections.\11\

---------------------------------------------------------------------------
\11\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
---------------------------------------------------------------------------

The Department has faced a number of challenges with the implementation of the data framework. A 2017 DHS Office of Inspector General report recorded that nine data systems had been ingested into the framework and projected that 20 datasets would be included in the framework by the end of the 2017 fiscal year.\12\ However, a ``massive data quality and data retention effort'' and ``an overhaul of the unclassified portion of the system enabling high-speed data sharing,'' both undertaken in 2017, led DHS to purge all datasets from the framework and start over.\13\

---------------------------------------------------------------------------
\12\Office of Inspector Gen., Dep't of Homeland Sec., Improvements Needed to Promote DHS Progress toward Accomplishing Enterprise-wide Data Goals at 7 (2017), available at https://www.oig.dhs.gov/sites/default/files/assets/2017/OIG-17-101-Aug17.pdf.
\13\Email from DHS Data Framework Technical Manager to Sen. Johnson staff (June 12, 2018).
---------------------------------------------------------------------------

In the fall of 2017, IC partners with access to the framework requested improvements to the refresh rate of the data in the system.\14\ ``The technical infrastructure needed to be upgraded as it was built using technology from the original pilot and could not reliably support operational use, nor could it meet the throughput demands of the customers.''\15\ All data was purged from the data framework while the Department made technical improvements and addressed compliance and security concerns.\16\ The framework has since been upgraded to address those issues.\17\

---------------------------------------------------------------------------
\14\Id.
\15\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
\16\Id.; Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\17\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
---------------------------------------------------------------------------

When upgrades were complete, the Department prioritized re-ingesting CBP datasets that ``would close a national security gap for the National Targeting Center.''\18\ According to the DHS Data Framework Director, as of June 2018, ``the data framework pulls over 1.3 billion records from four CBP systems to support internal and external mission partners.''\19\

---------------------------------------------------------------------------
\18\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
\19\Id.
---------------------------------------------------------------------------

The datasets appropriately curated and currently operational in the data framework include: the Advance Passenger Information System (APIS); the Electronic System for Travel Authorization (ESTA); Form I-94; and the Passenger Name Record (PNR).\20\ The APIS includes flight manifest data on passengers and crew and provides about 300 million records to the framework.\21\ The ESTA allows Visa Waiver Program travelers authorization to enter the United States and provides about 40 million records to the framework.\22\ The Form I-94, which records all arrival and departure data of non-immigrant visitors to the United States, provides about 750 million records to the framework.\23\ The PNR data includes more travel information about passengers flying to, from, or through the United States and provides about 250 million records to the framework.\24\

---------------------------------------------------------------------------
\20\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\21\DHS/CBP/PIA-001(g)--Advance Passenger Information System (APIS), Dep't of Homeland Sec., https://www.dhs.gov/publication/advanced-passenger-information-system-apis-update-national-counterterrorism-center-nctc; see also Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\22\DHS-CBP-PIA-007 Electronic System for Travel Authorization, Dep't of Homeland Sec., https://www.dhs.gov/publication/electronic-system-travel-authorization; see also Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\23\DHS/CBP/PIA-016 I-94 Website Application, Dep't of Homeland Sec., https://www.dhs.gov/publication/us-customs-and-border-protection-form-i-94-automation; see also Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
\24\Dep't of Homeland Sec., Agreement between the United States of America and the European Union on the Use and Transfer of Passenger Name Record to the United States Department of Homeland Security, available at http://www.dhs.gov/sites/default/files/publications/privacy/Reports/dhsprivacy_PNR%20Agreement_12_14_2011.pdf; Privacy Impact Assessments, Dep't of Homeland Sec., http://www.dhs.gov/privacy-impact-assessments; Privacy Act of 1974: U.S. Customs and Border Protection, 77 Fed. Reg. 30,297, available at https://www.gpo.gov/fdsys/pkg/FR-2012-05-22/html/2012-12396.htm; see also Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 18, 2018).
---------------------------------------------------------------------------

The Department is in the process of ingesting the TSA Secure Flight Match dataset into the framework.\25\ The Secure Flight Program matches the Terrorist Screening Database watchlist against the information of passengers flying to, from, or through the United States.\26\

---------------------------------------------------------------------------
\25\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
\26\TSA Secure Flight Program: Hearing Before the Subcomm. on Transp. Sec. of the H. Comm. on Homeland Sec., 113th Cong., (Sept. 18, 2014), (statement of Steve Sadler, Assistant Admin., TSA), available at https://www.tsa.gov/news/testimony/2014/09/18/tsa-secure-flight-program.
---------------------------------------------------------------------------

Current users of the framework include the DHS Office of Intelligence and Analysis, CBP, the TSA, and classified IC partners.\27\ There are plans to add DHS Counterintelligence and Countering Insider Threat users.\28\

---------------------------------------------------------------------------
\27\Email from DHS Data Framework Director to S. Comm. on Homeland Sec. & Gov't Affairs Staff (June 19, 2018).
\28\Id.
---------------------------------------------------------------------------

The Department is able to better integrate analysis now that the data framework transfers unclassified information at high speed to classified networks. A DHS June 2018 update on the progress of the Data Framework Program asserts that the framework ``since February 2018 has provided data from an unclassified CBP system, up to a classified network, and out to an IC partner an average of every hour.''\29\ The same update says that this capability ``has led to multiple findings and at least one `operational action''' in support of the DHS partnership with the IC to combat the Syrian foreign fighter threat.\30\

---------------------------------------------------------------------------
\29\Email from DHS Data Framework Technical Manager to Sen. Johnson Staff (June 12, 2018).
\30\Id.
---------------------------------------------------------------------------

This is an important program that creates efficiency in support of several core missions of the Department. Specifically, this Act establishes requirements for the use of the data framework by DHS employees, allows the exclusion of information that may compromise criminal investigations, and includes privacy and civil rights protections. In addition, implementation of the data framework is required to be completed within two years of the enactment of this Act. The Act also requires DHS to provide regular updates on the status of the implementation of the framework. By requiring DHS to ensure the data framework is able to include DHS information that supports critical mission operations, this legislation will allow DHS and its partners to better share information in a timely and efficient manner.

III. LEGISLATIVE HISTORY

Senator Margaret Wood Hassan (D-NH) introduced S. 2397 on February 7, 2018. The bill was referred to the Committee on Homeland Security and Governmental Affairs.

The Committee considered S. 2397 at a business meeting on June 13, 2018. Senator Hassan offered a substitute amendment that added a requirement that DHS should describe how the data framework was used to disrupt terrorist activities in any annual homeland security threat assessment. The Committee adopted the amendment and ordered the bill, as amended, reported favorably, both by voice vote. Senators present for both the vote on the amendment and the vote on the underlying bill were: Johnson, Portman, Lankford, Enzi, McCaskill, Carper, Peters, Hassan, Harris, and Jones.

IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

This section provides the bill's short title, the ``Department of Homeland Security Data Framework Act of 2018.''

Section 2. Department of Homeland Security data framework

This section requires the Secretary to develop a framework to integrate DHS datasets and systems to streamline authorized access and appropriate safeguards.

Subsection (a) establishes the requirements for inclusion of DHS datasets including homeland security information, terrorism information, weapons of mass destruction information, and national intelligence information. It also requires the inclusion of data relevant to priority mission needs of the Department.

Subsection (b) governs use of the framework by Department employees. It establishes that DHS employees with access to the data framework have appropriate clearances, have duties that require such access, and are trained to safeguard the data in the framework. It requires the Secretary to provide DHS employees with access to the framework with guidance that emphasizes that access to the framework entails a duty to share with other offices and components of the Department. It also requires the Secretary to promulgate data standards that require components to share what information they are able in machine-readable format.

Subsection (c) allows the Secretary to exclude data from the framework in cases where inclusion may compromise investigations or sources, be inconsistent with the law, or be duplicative.

Subsection (d) requires auditing and security mechanisms for safeguarding the data framework including from insider threats, other security risks, or exploitation that disregards appropriate privacy or civil rights and civil liberties protections.

Subsection (e) requires a deadline for implementation of the data framework at two years from enactment. At the deadline, the framework is required to be able to include DHS data required to support the Department's critical mission operations.

Subsection (f) requires the Secretary to regularly update Congress on the status of the data framework and notify Congress when the framework is fully operational.

Subsection (g) defines ``appropriate congressional committee,'' ``homeland,'' ``homeland security information,'' ``national intelligence,'' and ``terrorism information.''

V. EVALUATION OF REGULATORY IMPACT

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.

VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

June 28, 2018.

Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 2397, the Department of Homeland Security Data Framework Act of 2018.

If you wish further details on this estimate, we will be pleased to provide them.
The CBO staff contact is Mark Grabowicz.

Sincerely,
Keith Hall,
Director.

Enclosure.

S. 2397--Department of Homeland Security Data Framework Act of 2018

S. 2397 would require the Department of Homeland Security (DHS) to integrate its datasets and information systems to facilitate access to these systems by authorized personnel. DHS is currently carrying out activities similar to those that would be required by the bill; thus, CBO estimates that implementing S. 2397 would have no significant effect on DHS spending.

Enacting S. 2397 would not affect direct spending or revenues; therefore, pay-as-you-go procedures do not apply.

CBO estimates that enacting S. 2397 would not increase net direct spending or on-budget deficits in any of the four consecutive 10-year periods beginning in 2029.

S. 2397 contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act.

The CBO staff contact for this estimate is Mark Grabowicz. The estimate was reviewed by Theresa Gullo, Assistant Director for Budget Analysis.

VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

Because this legislation would not repeal or amend any provision of current law, it would make no changes in existing law within the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI of the Standing Rules of the Senate.