Homeland Security

Greater Attention to Key Practices Would Help Address Security Vulnerabilities at Federal Buildings Gao ID: GAO-10-236T November 18, 2009

The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal facilities under the control and custody of the General Services Administration (GSA). In 2004 GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector, which included allocation of resources using risk management, strategic management of human capital, leveraging of technology, information sharing and coordination, and performance measurement and testing. This testimony is based on past reports and testimonies and discusses (1) limitations FPS faces in protecting GSA buildings and resulting vulnerabilities; and (2) actions FPS is taking. To perform this work, GAO used its key practices as criteria, visited a number of GSA buildings, surveyed tenant agencies, analyzed pertinent laws and DHS and GSA documents, conducted covert testing at 10 judgmentally selected high-security buildings in four cities, and interviewed officials from DHS, GSA, and tenant agencies, and contractors and guards.

FPS's approach to securing GSA buildings reflects some aspects of key protection practices; however, GAO found limitations in each area and identified vulnerabilities. More specifically: (1) FPS faces obstacles in allocating resources using risk management. FPS uses an outdated risk assessment tool and a subjective, time-consuming process to assess risk. In addition, resource allocation decisions are the responsibility of GSA and tenant agencies. This leads to uncertainty about whether risks are being mitigated. Also, FPS continues to struggle with funding challenges that impede its ability to allocate resources effectively. (2) FPS does not have a strategic human capital management plan to guide its current and future workforce planning efforts, making it difficult to discern how effective its transition to an inspector-based workforce will be. Furthermore, because contract guards were not properly trained and did not comply with post orders, GAO investigators concealing components for an improvised explosive device passed undetected by FPS guards at 10 of 10 high-security facilities in four major cities. (3) FPS lacks a systematic approach for leveraging technology, and inspectors do not provide tenant agencies with an analysis of alternative technologies, their cost, and the associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives, and tenant agencies must make resource allocation decisions without key information. (4) FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. (5) FPS lacks a reliable data management system for accurately tracking performance measurement and testing. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate resources, or make informed risk management decisions. FPS is taking actions to better protect GSA buildings, in part as a result of GAO's recommendations. For example, FPS is developing a new risk assessment program and has recently focused on improving oversight of its contract guard program. Additionally, GAO has recommended that FPS implement specific actions to make greater use of key practices and otherwise improve security. However, FPS has not completed many related corrective actions and FPS faces implementation challenges as well. Nonetheless, adhering to key practices and implementing GAO's recommendations in specific areas would enhance FPS's chances for future success, and could position FPS to become a leader and benchmark agency for facility protection in the federal government.

GAO-10-236T, Homeland Security: Greater Attention to Key Practices Would Help Address Security Vulnerabilities at Federal Buildings This is the accessible text file for GAO report number GAO-10-236T entitled 'Homeland Security: Greater Attention to Key Practices Would Help Address Security Vulnerabilities at Federal Buildings' which was released on November 18, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Testimony: Before the House Committee on Homeland Security: United States Government Accountability Office: GAO: For Release on Delivery: Expected at 10:00 a.m. EST: Wednesday, November 18, 2009: Homeland Security: Greater Attention to Key Practices Would Help Address Security Vulnerabilities at Federal Buildings: Statement of Mark L. Goldstein, Director: Physical Infrastructure Issues: GAO-10-236T: GAO Highlights: Highlights of GAO-10-236T, a testimony to the Chairman, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal facilities under the control and custody of the General Services Administration (GSA). In 2004 GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector, which included allocation of resources using risk management, strategic management of human capital, leveraging of technology, information sharing and coordination, and performance measurement and testing. This testimony is based on past reports and testimonies and discusses (1) limitations FPS faces in protecting GSA buildings and resulting vulnerabilities; and (2) actions FPS is taking. To perform this work, GAO used its key practices as criteria, visited a number of GSA buildings, surveyed tenant agencies, analyzed pertinent laws and DHS and GSA documents, conducted covert testing at 10 judgmentally selected high-security buildings in four cities, and interviewed officials from DHS, GSA, and tenant agencies, and contractors and guards. What GAO Found: FPS‘s approach to securing GSA buildings reflects some aspects of key protection practices; however, GAO found limitations in each area and identified vulnerabilities. More specifically: * FPS faces obstacles in allocating resources using risk management. FPS uses an outdated risk assessment tool and a subjective, time- consuming process to assess risk. In addition, resource allocation decisions are the responsibility of GSA and tenant agencies. This leads to uncertainty about whether risks are being mitigated. Also, FPS continues to struggle with funding challenges that impede its ability to allocate resources effectively. * FPS does not have a strategic human capital management plan to guide its current and future workforce planning efforts, making it difficult to discern how effective its transition to an inspector-based workforce will be. Furthermore, because contract guards were not properly trained and did not comply with post orders, GAO investigators concealing components for an improvised explosive device passed undetected by FPS guards at 10 of 10 high-security facilities in four major cities. * FPS lacks a systematic approach for leveraging technology, and inspectors do not provide tenant agencies with an analysis of alternative technologies, their cost, and the associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives, and tenant agencies must make resource allocation decisions without key information. * FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. * FPS lacks a reliable data management system for accurately tracking performance measurement and testing. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate resources, or make informed risk management decisions. FPS is taking actions to better protect GSA buildings, in part as a result of GAO‘s recommendations. For example, FPS is developing a new risk assessment program and has recently focused on improving oversight of its contract guard program. Additionally, GAO has recommended that FPS implement specific actions to make greater use of key practices and otherwise improve security. However, FPS has not completed many related corrective actions and FPS faces implementation challenges as well. Nonetheless, adhering to key practices and implementing GAO‘s recommendations in specific areas would enhance FPS‘s chances for future success, and could position FPS to become a leader and benchmark agency for facility protection in the federal government. What GAO Recommends: GAO makes no new recommendations in this testimony. DHS concurred with GAO‘s past recommendations for FPS, but FPS has not completed many related corrective actions. View [hyperlink, http://www.gao.gov/products/GAO-10-236T] or key components. For more information, contact Mark L. Goldstein at (202) 512-2834 or goldsteinm@gao.gov. [End of section] Mr. Chairman and Members of the Committee: We are pleased to be here to discuss the Federal Protective Service's (FPS) efforts to ensure the protection of the more than 1 million government employees, as well as members of the public, who work in and visit the nearly 9,000 federal facilities that are under the control and custody of the General Services Administration (GSA). There has not been a large-scale attack on a domestic federal facility since the terrorist attacks of September 11, 2001, and the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City. Nevertheless, the shooting death this past year of a guard at the U.S. Holocaust Memorial Museum--though not a federal facility--demonstrates the continued vulnerability of public buildings. Moreover, the challenge of protecting federal real property is one of the major reasons for GAO's designation of federal real property management as a high-risk area. [Footnote 1] FPS--within the Department of Homeland Security (DHS)--is authorized to protect the buildings, grounds, and property that are under the control and custody of GSA, as well as the persons on the property; to enforce federal laws and regulations aimed at protecting GSA buildings and persons on the property; and to investigate offenses against these buildings and persons.[Footnote 2] FPS conducts its mission by providing security services through two types of activities: (1) physical security activities--conducting building risk assessments of facilities and recommending countermeasures aimed at preventing incidents at facilities--and (2) law enforcement activities-- proactively patrolling facilities, responding to incidents, conducting criminal investigations, and exercising arrest authority. To accomplish its mission of protecting federal facilities, FPS currently has a budget[Footnote 3] of around $1 billion, nearly 1,200 full time employees, and about 15,000 contract security guards deployed at federal facilities across the country. We have identified a set of key facility protection practices from the collective practices of federal agencies and the private sector to provide a framework for guiding agencies' protection efforts and addressing challenges.[Footnote 4] The key practices essentially form the foundation of a comprehensive approach to building protection. We have used these key practices to evaluate how FPS protects GSA buildings and will focus on the following five key practices for this testimony:[Footnote 5] * Allocation of resources using risk management. Identify threats, assess vulnerabilities, and determine critical assets to protect, and use information on these and other elements to develop countermeasures and prioritize the allocation of resources as conditions change. * Strategic management of human capital. Manage human capital to maximize government performance and ensure accountability in asset protection through, for example, recruitment of skilled staff, training, and retention. * Leveraging of technology. Select technologies to enhance asset security through methods like access control, detection, and surveillance systems. This involves not only using technology, but also ensuring positive returns on investments in the form of reduced vulnerabilities. * Information sharing and coordination. Establish means of coordinating and sharing security and threat information internally, within large organizations, and externally, with other government entities and the private sector. * Performance measurement and testing. Use metrics, such as implementation timelines, and active testing, such as unannounced on- site assessments, to ensure accountability for achieving program goals and improving security at facilities. This testimony is based on past reports and testimonies[Footnote 6] and discusses (1) limitations FPS faces in protecting GSA buildings and resulting vulnerabilities and (2) actions FPS is taking to address challenges. Work for these past reports and testimonies included using our key practices as a framework for assessing facility protection efforts by FPS management and at individual buildings. We also visited FPS regions and selected GSA buildings to assess FPS activities firsthand. We surveyed a sample of 1,398 federal officials who work in GSA buildings in FPS's 11 regions and are responsible for collaborating with FPS on security issues. Additionally, we reviewed training and certification data for 663 randomly selected guards in 6 of FPS's 11 regions. Because of the sensitivity of some of the information in our prior work, we cannot specifically identify the locations of the incidents discussed. We also conducted covert testing at 10 judgmentally selected high-risk facilities in four cities. For all of our work, we reviewed related laws and directives, interviewed officials and analyzed documents and data from DHS and GSA, and interviewed tenant agency representatives, contractors, and guards. The previous work on which this testimony is based was conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. FPS Faces Challenges in Many Areas, Raising Concerns about Vulnerabilities: Risk Management Approach Is Inadequate and Has Limitations: FPS assesses risk and recommends countermeasures to GSA and tenant agencies; however, FPS's ability to influence the allocation of resources using risk management is limited because resource allocation decisions are the responsibility of GSA and tenant agencies, which may be unwilling to fund the countermeasures FPS recommends. We have found that under the current risk management approach, the security equipment that FPS recommends and is responsible for acquiring, installing, and maintaining may not be implemented if tenant agencies are unwilling to fund it.[Footnote 7] For example, in August 2007 FPS recommended a security equipment countermeasure--the upgrade of a surveillance system shared by two high-security locations that, according to FPS officials, would cost around $650,000. While members of one building security committee (BSC) told us they approved spending between $350,000 and $375,000 to fund their agencies' share of the countermeasure, they said that the BSC of the other location would not approve funding; therefore, FPS could not upgrade the system it had recommended. In November 2008 FPS officials told us that they were moving ahead with the project by drawing on unexpended revenues from the two locations' building-specific fees and the funding that was approved by one of the BSCs. Furthermore, FPS officials, in May 2009, told us that all cameras had been repaired and all monitoring and recording devices had been replaced, and that the two BSCs had approved additional upgrades and that FPS was implementing them. As we reported in June 2008, we have found other instances in which recommended security countermeasures were not implemented at some of the buildings we visited because BSC members could not agree on which countermeasures to implement or were unable to obtain funding from their agencies.[Footnote 8] Compounding this situation, FPS takes a building-by-building approach to risk management, using an outdated risk assessment tool to create building security assessments (BSA), rather than taking a more comprehensive, strategic approach and assessing risks among all buildings in GSA's inventory and recommending countermeasure priorities to GSA and tenant agencies. As a result, the current approach provides less assurance that the most critical risks at federal buildings across the country are being prioritized and mitigated. Also, GSA and tenant agencies have concerns about the quality and timeliness of FPS's risk assessment services and are taking steps to obtain their own risk assessments. For example, GSA officials told us they have had difficulties receiving timely risk assessments from FPS for space GSA is considering leasing. These risk assessments must be completed before GSA can take possession of the property and lease it to tenant agencies. An inefficient risk assessment process for new lease projects can add costs for GSA and create problems for both GSA and tenant agencies that have been planning for a move. Therefore, GSA is updating a risk assessment tool that it began developing in 1998, but has not recently used, to better ensure the timeliness and comprehensiveness of these risk assessments. GSA officials told us that in the future they may use this tool for other physical security activities, such as conducting other types of risk assessments and determining security countermeasures for new facilities. Additionally, although tenant agencies have typically taken responsibility for assessing risk and securing the interior of their buildings, assessing exterior risks will require additional expertise and resources. This is an inefficient approach considering that tenant agencies are paying FPS to assess building security. Finally, FPS continues to struggle with funding challenges that impede its ability to allocate resources to more effectively manage risk. FPS faces challenges in ensuring that its fee-based funding structure accounts for the varying levels of risk and types of services provided at federal facilities. FPS funds its operations through security fees charged to tenant agencies. However, FPS's basic security fee, which funds most of its operations, does not account for the risk faced by specific buildings, the level of service provided, or the cost of providing services, raising questions about equity.[Footnote 9] FPS charges federal agencies the same basic security fee regardless of the perceived threat to a particular building or agency. In fiscal year 2009, FPS charged 66 cents per square foot for basic security. Although FPS categorizes buildings according to security levels based on its assessment of each building's risk and size, this assessment does not affect the security fee FPS charges. For example, level I facilities typically face less risk because they are generally small storefront- type operations with a low level of public contact, such as a Social Security Administration office. However, these facilities are charged the same basic security fee of 66 cents per square foot as a level IV facility that has a high volume of public contact and may contain high- risk law enforcement and intelligence agencies and highly sensitive government records. We also have reported that basing government fees on the cost of providing a service promotes equity, especially when the cost of providing the service differs significantly among different users, as is the case with FPS. In our June 2008 report, we recommended that FPS improve its use of the fee-based system by developing a method to accurately account for the cost of providing security services to tenant agencies and ensuring that its fee structure takes into consideration the varying levels of risk and service provided at GSA facilities.[Footnote 10] We also recommended an evaluation of whether FPS's current use of a fee-based system or an alternative funding mechanism is the most appropriate manner to fund the agency. While DHS agreed with these recommendations, FPS has not fully implemented them. Improvements Needed in Human Capital Planning and Contract Guard Management: FPS does not have a strategic human capital plan to guide its current and future workforce planning efforts, including effective processes for training, retention, and staff development. Instead, FPS has developed a short-term hiring plan that does not include key human capital principles, such as determining an agency's optimum staffing needs. Moreover, FPS has been transitioning to an inspector-based workforce, thus eliminating the police officer position and relying primarily on FPS inspectors for both law enforcement and physical security activities. FPS believes that this change will ensure that its staff has the right mix of technical skills and training needed to accomplish its mission. However, FPS's ability to provide law enforcement services under its inspector-based workforce approach may be diminished because FPS will rely on its inspectors to provide these services and physical security services simultaneously. In the absence of a strategic human capital plan, it is difficult to discern how effective an inspector-based workforce approach will be. The lack of a human capital plan has also contributed to inconsistent approaches in how FPS regions and headquarters are managing human capital activities. For example, FPS officials in some of the regions we visited said they implement their own procedures for managing their workforce, including processes for performance feedback, training, and mentoring. Additionally, FPS does not collect data on its workforce's knowledge, skills, and abilities. These elements are necessary for successful workforce planning activities, such as identifying and filling skill gaps and succession planning. We recently recommended that FPS improve how it collects data on its workforce's knowledge, skills, and abilities to help it better manage and understand current and future workforce needs; and use these data in the development and implementation of a long-term strategic human capital plan that addresses key principles for effective strategic workforce planning. [Footnote 11] DHS concurred with our recommendations. Furthermore, FPS did not meet its fiscal year 2008 mandated deadline of increasing its staffing level to no fewer than 1,200 full-time employees by July 31, 2008, and instead met this staffing level in April 2009.[Footnote 12] FPS's staff has steadily declined since 2004 and critical law enforcement services have been reduced or eliminated. For example, FPS has eliminated its use of proactive patrol to prevent or detect criminal violations at many GSA buildings. According to some FPS officials at regions we visited, not providing proactive patrol has limited its law enforcement personnel to a reactive force.[Footnote 13] Additionally, officials stated that in the past, proactive patrol permitted its police officers and inspectors to identify and apprehend individuals that were surveilling GSA buildings. In contrast, when FPS is not able to patrol federal buildings, there is increased potential for illegal entry and other criminal activity. In one city we visited, a deceased individual had been found in a vacant GSA facility that was not regularly patrolled by FPS. FPS officials stated that the deceased individual had been inside the building for approximately 3 months. FPS does not fully ensure that its contract security guards have the training and certifications required to be deployed to a GSA building. [Footnote 14] We have noted that the effectiveness of a risk management approach depends on the involvement of experienced and professional security personnel.[Footnote 15] Further, that the chances of omitting major steps in the risk management process increase if personnel are not well trained in applying risk management. FPS requires that all prospective guards complete about 128 hours of training including 8 hours of X-ray and magnetometer training. However, in one region, FPS has not provided the X-ray or magnetometer training to its 1,500 guards since 2004. Nonetheless, these guards are assigned to posts at GSA buildings. X-ray training is critical because guards control access points at buildings. Insufficient X-ray and magnetometer training may have contributed to several incidents at GSA buildings in which guards were negligent in carrying out their responsibilities. For example, at a level IV[Footnote 16] federal facility in a major metropolitan area, an infant in a carrier was sent through an X-ray machine due to a guard's negligence.[Footnote 17] Specifically, according to an FPS official in that region, a woman with her infant in a carrier attempted to enter the facility, which has child care services. While retrieving her identification, the woman placed the carrier on the X-ray machine. Because the guard was not paying attention and the machine's safety features had been disabled,[Footnote 18] the infant in the carrier was sent through the X-ray machine. FPS investigated the incident and dismissed the guard; however, the guard subsequently sued FPS for not providing the required X-ray training. The guard won the suit because FPS could not produce any documentation to show that the guard had received the training, according to an FPS official. In addition, FPS officials from that region could not tell us whether the X-ray machine's safety features had been repaired. Additionally, we found that FPS does not have a fully reliable system for monitoring and verifying guard training and certification requirements. We reviewed 663 randomly selected guard records and found that 62 percent of the guards had at least one expired certification, including a declaration that guards have not been convicted of domestic violence, which make them ineligible to carry firearms. We also found that some guards were not provided building-specific training, such as what actions to take during a building evacuation or a building emergency.[Footnote 19] This lack of training may have contributed to several incidents where guards neglected their assigned responsibilities. For example, * at a level IV facility, the guards did not follow evacuation procedures and left two access points unattended, thereby leaving the facility vulnerable; * at a level IV facility, the guard allowed employees to enter the building while an incident involving suspicious packages was being investigated; and, * at a level III facility,[Footnote 20] the guard allowed employees to access the area affected by a suspicious package, which was required to be evacuated. FPS has limited assurance that its guards are complying with post orders.[Footnote 21] It does not have specific national guidance on when and how guard inspections should be performed. FPS's inspections of guard posts at GSA buildings are inconsistent and the quality varied in the six regions we examined. We also found that guard inspections are typically completed by FPS during regular business hours and in locations where FPS has a field office, and seldom on nights or weekends. However, on an occasion when FPS officials conducted a post inspection at night, they found a guard asleep at his post after taking a pain-killer prescription drug. FPS also found other incidents at high- security facilities where guards neglected or inadequately performed their assigned responsibilities. For example, a guard failed to recognize or did not properly X-ray a box containing handguns at the loading dock at a facility. FPS became aware of the situation because the handguns were delivered to FPS. Because guards were not properly trained and did not comply with post orders, our investigators--with the components for an improvised explosive device (IED) concealed on their persons--passed undetected through access points controlled by FPS guards at 10 of 10 level IV facilities in four major cities where GAO conducted covert tests. [Footnote 22] The specific components for this device, items used to conceal the device components, and the methods of concealment that we used during our covert testing are classified, and thus are not discussed in this testimony. Of the 10 level IV facilities our investigators penetrated, 8 were government owned and 2 were leased facilities. The facilities included district offices of a U.S Senator and a U.S. Representative as well as agencies of the Departments of Homeland Security, Transportation, Health and Human Services, Justice, State, and others. The two leased facilities did not have any guards at the access control points at the time of our testing. Using publicly available information, our investigators identified a type of device that a terrorist could use to cause damage to a federal facility and threaten the safety of federal workers and the general public. The device was an IED made up of two parts--a liquid explosive and a low- yield detonator--and included a variety of materials not typically brought into a federal facility by employees or the public. Although the detonator itself could function as an IED, investigators determined that it could also be used to set off a liquid explosive and cause significantly more damage. To ensure safety during this testing, we took precautions so that the IED would not explode. For example, we lowered the concentration level of the material.[Footnote 23] To gain entry into each of the 10 level IV facilities, our investigators showed a photo identification (a state driver's license) and walked through the magnetometers without incident. Our investigators also placed their briefcases with the IED material on the conveyor belt of the X-ray machine, but the guards detected nothing. Furthermore, our investigators did not receive any secondary searches from the guards that might have revealed the IED material that they brought into the facilities. At security checkpoints at 3 of the 10 facilities, our investigators noticed that the guard was not looking at the X-ray screen as some of the IED components passed through the machine. A guard questioned an item in the briefcase at one of the 10 facilities but the materials were subsequently allowed through the X-ray machines. At each facility, once past the guard screening checkpoint, our investigators proceeded to a restroom and assembled the IED. At some of the facilities, the restrooms were locked. Our investigators gained access by asking employees to let them in. With the IED completely assembled in a briefcase, our investigators walked freely around several floors of the facilities and into various executive and legislative branch offices, as described above. Systematic Approach for Cost-Effectively Leveraging Technology Is Lacking: Leveraging technology is a key practice over which FPS has somewhat more control, but FPS does not have a comprehensive approach for identifying, acquiring, and assessing the cost-effectiveness of the security equipment that its inspectors recommend. Individual FPS inspectors have considerable latitude in determining which technologies and other countermeasures to recommend, but the inspectors receive little training and guidance in how to assess the relative cost- effectiveness of these technologies or determine the expected return on investment. FPS officials told us that inspectors make technology decisions based on the initial training they receive, personal knowledge and experience, and contacts with vendors. FPS inspectors receive some training in identifying and recommending security technologies as part of their initial FPS physical security training. Since FPS was transferred to DHS in 2003, its refresher training program for inspectors has primarily focused on law enforcement. Consequently, inspectors lack recurring technology training. Additionally, FPS does not provide inspectors with specialized guidance and standards for cost-effectively selecting technology. In the absence of specific guidance, inspectors follow the Department of Justice minimum countermeasure standards[Footnote 24] and other relevant Interagency Security Committee standards,[Footnote 25] but these standards do not assist users in selecting cost-effective technologies. Moreover, the document that FPS uses to convey its countermeasure recommendations to GSA and tenant agencies--the BSA executive summary-- includes cost estimates but no analysis of alternatives. As a result, GSA and tenant agencies have limited assurance that the investments in technologies and other countermeasures that FPS inspectors recommend are cost-effective, consistent across buildings, and the best available alternatives. For example, at one location we visited, an explosives detection dog was used to screen mail that is distributed elsewhere.[Footnote 26] In 2006, FPS had recommended, based on the results of its risk analysis, the use of this dog and an X-ray machine, although at the time of our visit only the dog was being used. Moreover, the dog and handler work 12-hour shifts Monday through Friday when most mail is delivered and shipped, and the dog needs a break every 7 minutes. The GSA regional security officials[Footnote 27] we spoke with questioned whether this approach was more effective and efficient than using an on-site enhanced X-ray machine that could detect biological and chemical agents as well as explosives and could be used anytime. In accordance with its policies, FPS conducted a BSA of the site in 2008 and determined that using an enhanced X-ray machine and an explosives detection dog would bring the projected threat rating of the site down from moderate to low. FPS included estimated one-time installation and recurring costs in the BSA and executive summary, but did not include the estimated cost and risk of the following mail screening options: (1) usage of the dog and the additional countermeasure; (2) usage of the additional countermeasure only; and (3) usage of the dog only. Consequently, tenant agency representatives would have to investigate the cost and risk implications of these options on their own to make an informed resource allocation decision. Information Sharing and Coordination Practices Lack Consistency: It is critical that FPS--as the provider of law enforcement and related security services for GSA buildings--and GSA--as the manager of these properties--have well-established lines of communication with each other and with tenant agencies to ensure that all parties are aware of the ever-changing risks in a dynamic threat environment and that FPS and GSA are taking appropriate actions to reduce vulnerabilities. While FPS and GSA top management have established communication channels, the types of information shared at the regional and building levels are inconsistent, and overall, FPS and GSA disagree over what information should be shared. For example, the memorandum of agreement between DHS and GSA specifies that FPS will provide quarterly briefings at the regional level, but FPS had not been providing them consistently across all regions. FPS resumed the practice in October 2008, however, GSA security officials said that these briefings mostly focused on crime statistics and did not constitute comprehensive threat analyses. Additionally, FPS is only required to meet formally with GSA property managers and tenant agencies as part of the BSA process--an event that occurs every 2 to 5 years, depending on a building's security level. We identified information sharing gaps at several level III and IV sites that we visited, and found that in some cases these deficiencies led to decreased security awareness and increased risk.[Footnote 28] * At one location, we observed during our interview with the building security committee (BSC) that the committee members were confused about procedures for screening visitors who are passengers in employees' cars that enter the building via the parking garage. One of the tenants recounted an incident in which a security guard directed the visitor to walk through the garage to an appropriate screening station. According to the GSA property manager, this action created a safety hazard. The GSA property manager knew the appropriate screening procedure, but told us there was no written policy on the procedure that members could access. Additionally, BSC members told us that the committee met as needed. * At one location, FPS had received inaccurate square footage data from GSA and had therefore overcharged the primary tenant agency for a guard post that protected space shared by all the tenants. According to the GSA property manager, once GSA was made aware of the problem, the agency obtained updated information and worked with the tenant agencies to develop a cost-sharing plan for the guard post, which made the primary tenant agency's security expenses somewhat more equitable. BSC members told us that the committee met regularly. * At one location, members of a BSC told us that they met as needed, although even when they hold meetings, one of the main tenant agencies typically does not participate. GSA officials commented that this tenant adheres to its agency's building security protocols and does not necessarily follow GSA's tenant policies and procedures, which GSA thinks creates security risks for the entire building. * At one location, tenant agency representatives and officials from FPS told us they met regularly, but GSA officials told us they were not invited to these meetings. GSA officials at this location told us that they invite FPS to their property management meetings for that location, but FPS does not attend. GSA officials also said they do not receive timely incident information for the site from FPS and suggested that increased communication among the agencies would help them be more effective managers of their properties and provide tenants with better customer service. * At one location, GSA undertook a major renovation project beginning in April 2007. FPS, GSA, and tenant agency representatives did not all meet together regularly to make security preparations or manage security operations during construction. FPS officials told us they had not been invited to project meetings, although GSA officials told us that they had invited FPS and that FPS attended some meetings. In May 2008, FPS discovered that specific surveillance equipment had been removed. As of May 2009, FPS officials told us they did not know who had removed the equipment and were working with tenant agency representatives to recover it. However in June 2009 tenant agency representatives told us that they believed FPS was fully aware that the equipment had been removed in December 2007.[Footnote 29] Additionally, we conducted a survey of GSA tenant agencies and found that they had mixed views about some of the services they pay FPS to provide.[Footnote 30] Notably, the survey results indicated that the roles and responsibilities of FPS and tenant agencies are unclear, primarily because on average about one-third of tenant agencies could not comment on how satisfied or dissatisfied they were with FPS's level of communication of its services, partly because they had little to no interaction with FPS officers. Although FPS plans to implement education and outreach initiatives to improve customer service to tenant agencies, it will face challenges because of its lack of complete and accurate contact data. During the course of our review, we found that approximately 53 percent of the e-mail addresses and 27 percent of the telephone numbers for designated points of contacts were missing from FPS's contact database and the database required a substantial amount of revising. Complete and accurate contact information for FPS's customers is critical for information sharing and an essential component of any customer service initiative. Therefore, to improve its services to GSA and tenant agencies, we recommended that FPS collect and maintain an accurate and comprehensive list of all facility-designated points of contact, as well as a system for regularly updating this list; and develop and implement a program for education and outreach to GSA and tenant agencies to ensure they are aware of the current roles, responsibilities, and services provided by FPS.[Footnote 31] DHS concurred with our recommendations. Furthermore, while FPS and GSA acknowledge that the two organizations are partners in protecting and securing GSA buildings, FPS and GSA fundamentally disagree over how much of the information in the BSA should be shared. Per the memorandum of agreement, FPS is required to share the BSA executive summary with GSA and FPS believes that this document contains sufficient information for GSA to make decisions about purchasing and implementing FPS's recommended countermeasures. However, GSA officials at all levels cite limitations with the BSA executive summary saying, for example, that it does not contain enough contextual information on threats and vulnerabilities to support FPS's countermeasure recommendations and justify the expenses that GSA and tenant agencies would incur by installing additional countermeasures. Moreover, GSA security officials told us that FPS does not consistently share BSA executive summaries across all regions. Instead, GSA wants to receive BSAs in their entirety so that it can better protect GSA buildings and the tenants who occupy them. According to GSA, building protection functions are an integral part of its property preservation, operation, and management responsibilities. In a post-September 11th era, it is vital that federal agencies work together to share information to advance homeland security and critical infrastructure protection efforts. Information is a crucial tool in fighting terrorism, and the timely dissemination of that information to the appropriate government agency is absolutely critical to maintaining the security of our nation. The ability to share security-related information can unify the efforts of federal agencies in preventing or minimizing terrorist attacks. However, in the absence of comprehensive information-sharing plans, many aspects of homeland security information sharing can be ineffective and fragmented. In 2005, we designated information sharing for homeland security as a governmentwide high-risk area because of the significant challenges faced in this area[Footnote 32]--challenges that are still evident today. It is critical that FPS and GSA--which both have protection functions for GSA buildings, their occupants, and those who visit them-- reach consensus on sharing information in a timely manner to support homeland security and critical infrastructure protection efforts. We recently recommended that FPS reach consensus with GSA on what information contained in the BSA is needed for GSA to fulfill its responsibilities related to the protection of federal buildings and occupants, and accordingly, establish internal controls to ensure that shared information is adequately safeguarded; guidance for employees to use in deciding what information to protect with sensitive but unclassified designations; provisions for training on making designations, controlling, and sharing such information with GSA and other entities; and a review process to evaluate how well this information sharing process is working, with results reported to the Secretary of Homeland Security.[Footnote 33] While DHS concurred with this recommendation, we are concerned that the steps it described in its response were not comprehensive enough to address the intent of the recommendation. For example, DHS did not explicitly commit to reaching consensus with GSA in identifying building security information that can be shared, or to the steps we outlined in our recommendation--steps that in our view comprise a comprehensive plan for sharing and safeguarding sensitive information. Therefore, it is important that FPS engage GSA in identifying what building security information can be shared and follow the information sharing and safeguarding steps we included in our recommendation to ensure that GSA acquires the information it needs to protect the 9,000 buildings under its control and custody, the federal employees who work in them, and those who visit them. Performance Measurement Is Limited: We have reported that FPS is limited in its ability to assess the effectiveness of its efforts to protect GSA buildings.[Footnote 34] To determine how well it is accomplishing its mission to protect GSA buildings, FPS has identified some output measures that are a part of the Office of Management and Budget's Performance Assessment Rating Tool. These measures include determining whether security countermeasures have been deployed and are fully operational, the amount of time it takes to respond to an incident, and the percentage of BSAs completed on time. Some of these measures are also included in FPS's federal facilities security index, which is used to assess its performance. However, FPS has not developed outcome measures to evaluate the net effect of its efforts to protect GSA buildings. While output measures are helpful, outcome measures are also important because they can provide FPS with broader information on program results, such as the extent to which its decision to move to an inspector-based workforce will enhance security at GSA facilities or help identify the security gaps that remain at GSA facilities and determine what action may be needed to address them. In addition, FPS does not have a reliable data management system that will allow it to accurately track these measures or other important measures such as the number of crimes and other incidents occurring at GSA facilities. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts to protect federal employees and facilities, allocate its limited resources, or make informed risk management decisions. For example, weaknesses in one of FPS's countermeasure tracking systems make it difficult to accurately track the implementation status of recommended countermeasures such as security cameras and X-ray machines. Without this ability, FPS has difficulty determining whether it has mitigated the risk of GSA facilities to crime or a terrorist attack. FPS Is Taking Steps to Better Protect GSA Buildings, but Has Not Fully Implemented Actions and Faces Significant Challenges: While FPS is taking some actions in each of the key practice areas to improve its ability to better protect GSA buildings. Additionally, GAO has recommended that FPS implement specific actions to promote greater usage of key protection practices and otherwise improve security. However, FPS has not completed many related corrective actions and FPS faces implementation challenges as well. FPS Is Developing a New Program to Assess Risk, Manage Human Capital, and Measure Performance: FPS is developing the Risk Assessment and Management Program (RAMP), which could enhance its approach to assessing risk, managing human capital, and measuring performance. With regard to improving the effectiveness of FPS's risk management approach and the quality of BSAs, FPS believes RAMP will provide inspectors with the information needed to make more informed and defensible recommendations for security countermeasures. FPS also anticipates that RAMP will allow inspectors to obtain information from one electronic source, generate reports automatically, enable FPS to track selected countermeasures throughout their life cycle, address some concerns about the subjectivity inherent in BSAs, and reduce the amount of time inspectors and managers spend on administrative work. Additionally, FPS is designing RAMP so that it will produce risk assessments that are compliant with Interagency Security Committee standards, compatible with the risk management framework set forth by the National Infrastructure Protection Plan,[Footnote 35] and consistent with the business processes outlined in the memorandum of agreement with GSA. According to FPS, RAMP will support all components of the BSA process, including gathering and reviewing building information; conducting and recording interviews; assessing threats, vulnerabilities, and consequences to develop a detailed risk profile; recommending appropriate countermeasures; and producing BSA reports. FPS also plans to use RAMP to track and analyze certain workforce data, contract guard program data, and other performance data such as the types and definitions of incidents and incident response times. Although FPS intends for RAMP to improve its approach to risk assessment, human capital management, and performance measurement, it is not clear that FPS has fully addressed some implementation issues. For example, one issue concerns the accuracy and reliability of the information that will be entered into RAMP. According to FPS, the agency plans to transfer data from several of its legacy systems, including the Contract Guard Employment Requirements Tracking System (CERTS), into RAMP. In July 2009, we testified on the accuracy and reliability issues associated with CERTS.[Footnote 36] FPS subsequently conducted an audit of CERTS to determine the status of its guard training and certification. However, the results of the audit showed that FPS was able to verify the status for about 7,600 of its 15,000 guards. According to an FPS official, one of its regions did not meet the deadline for submitting data to headquarters because its data were not accurate or reliable and therefore about 1,500 guards were not included in the audit. FPS was not able to explain why it was not able to verify the status of the remaining 5,900 guards. In 2008, we recommended that FPS develop and implement specific guidelines and standards for measuring its performance and improve how it categorizes, collects, and analyzes data to help it better manage and understand the results of its efforts to protect GSA facilities and DHS concurred with our recommendation.[Footnote 37] RAMP could be the vehicle through which FPS implements these recommendations, but the use of inaccurate and unreliable data will hamper performance measurement efforts. Furthermore, it is unclear whether FPS will meet the implementation goals established in the program's proposed timeline. FPS began designing RAMP in early 2007 and expects to implement the program in three phases, completing its implementation by the end of fiscal year 2011. However, in June 2008, we reported that FPS was going to implement a pilot version of RAMP in fiscal year 2009,[Footnote 38] but in May 2009, FPS officials told us they intend to implement the first phase in the beginning of fiscal year 2010. Until RAMP components are fully implemented, FPS will continue to rely on its current risk assessment tool, methodology, and process, potentially leaving GSA and tenant agencies dissatisfied. Additionally, FPS will continue to rely on its disparate workforce data management systems and CERTS or localized databases that have proven to be inaccurate and unreliable. We recently recommended that FPS provide the Secretary of Homeland Security with regular updates on the status of RAMP including the implementation status of deliverables, clear timelines for completion of tasks and milestones, and plans for addressing any implementation obstacles.[Footnote 39] [insert footnote: GAO-10-142.] DHS concurred with our recommendation and stated that FPS will submit a monthly report to the Secretary. FPS's Actions to Improve Guard Management May Be Difficult to Implement and Maintain: FPS took on a number of immediate actions with respect to contract guard management in response to our covert testing. * In July 2009, the Director of FPS instructed Regional Directors to accelerate the implementation of FPS's requirement that two guard posts at Level IV facilities be inspected weekly. * FPS, in July 2009, also required more X-ray and magnetometer training for inspectors and guards. For example, FPS has recently issued an information bulletin to all inspectors and guards to provide them with information about package screening, including examples of disguised items that may not be detected by magnetometers or X-ray equipment. Moreover, FPS produced a 15-minute training video designed to provide information on bomb component detection. According to FPS, each guard was required to read the information bulletin and watch the DVD within 30 days. Despite the steps FPS has taken, there are a number of factors that will make implementing and sustaining these actions difficult. First, FPS does not have adequate controls to monitor and track whether its 11 regions are completing these new requirements. Thus, FPS cannot say with certainty that it is being done. According to a FPS regional official, implementing the new requirements may present a number of challenges, in part, because new directives appear to be based primarily on what works well from a headquarters or National Capital Region perspective, and not a regional perspective that reflects local conditions and limitations in staffing resources. In addition, another regional official estimated that his region is meeting about 10 percent of the required oversight hours and officials in another region said they are struggling to monitor the delivery of contractor-provided training in the region. Second, FPS has not completed any workforce analysis to determine if its current staff of about 930 law enforcement security officers will be able to effectively complete the additional inspections and provide the X-ray and magnetometer training to 15,000 guards, in addition to their current physical security and law enforcement responsibilities. According to the Director of FPS, while having more resources would help address the weaknesses in the guard program, the additional resources would have to be trained and thus could not be deployed immediately. FPS Is Developing a Program to Standardize Equipment and Contracting: FPS is also taking steps to implement a more systematic approach to technology acquisition by developing a National Countermeasures Program, which could help FPS leverage technology more cost- effectively. According to FPS, the program will establish standards and national procurement contracts for security equipment, including X-ray machines, magnetometers, surveillance systems, and intrusion detection systems. FPS officials told us that instead of having inspectors search for vendors to establish equipment acquisition, installation, and maintenance contracts, inspectors will call an FPS mission support center with their countermeasure recommendations and the center will procure the services through standardized contracts. According to FPS, the program will also include life-cycle management plans for countermeasures. FPS officials said they established an X-ray machine contract and that future program contracts will also explore the use of the schedule as a source for national purchase and service contracts. According to FPS, the National Countermeasures Program should provide the agency with a framework to better manage its security equipment inventory; meet its operational requirement to identify, implement, and maintain security equipment; and respond to stakeholders' needs by establishing nationwide resources, streamlining procurement procedures, and strengthening communications with its customers. FPS officials told us they believe this program will result in increased efficiencies because inspectors will not have to spend their time facilitating the establishment of contracts for security equipment because these contracts will be standardized nationwide. Although the National Countermeasures Program includes improvements that may enhance FPS's ability to leverage technology, it does not establish tools for assessing the cost-effectiveness of competing technologies and countermeasures and implementation has been delayed. Security professionals are faced with a multitude of technology options offered by private vendors, including advanced intrusion detection systems, biotechnology options for screening people, and sophisticated video monitoring. Having tools and guidance to determine which technologies most cost-effectively address identified vulnerabilities is a central component of the leveraging technology key practice. FPS officials told us that the National Countermeasures Program will enable inspectors to develop countermeasure cost estimates that can be shared with GSA and tenant agencies. However, incorporating a tool for evaluating the cost-effectiveness of alternative technologies into FPS's planned improvements in the security acquisition area would represent an enhanced application of this key practice. Therefore, we recently recommended that FPS develop a methodology and guidance for assessing and comparing the cost-effectiveness of technology alternatives, and DHS concurred with our recommendation.[Footnote 40] Another concern is that FPS had planned to implement the program throughout fiscal year 2009, but extended implementation into fiscal year 2010, thus it is not clear whether FPS will meet the program's milestones in accordance with updated timelines. Until the National Countermeasures Program is fully implemented, FPS will continue to rely on individual inspectors to make technology decisions. For example, FPS had anticipated that the X-ray machine and magnetometer contracts would be awarded by December 2008, and that contracts for surveillance and intrusion detection systems would be awarded during fiscal year 2009. In May 2009, FPS officials told us that the X-ray machine contract was awarded on April 30, 2009, and that they anticipated awarding the magnetometer contract in the fourth quarter of fiscal year 2009 and an electronic security services contract for surveillance and intrusion detection systems during the second quarter of fiscal year 2010. We recently recommended that FPS provide the Secretary of Homeland Security with regular updates on the status of the National Countermeasures Program, including the implementation status of deliverables, clear timelines for completion of tasks and milestones, and plans for addressing any implementation obstacles. DHS concurred with this recommendation and stated that FPS will submit a monthly report to the Secretary.[Footnote 41] Key Practices Provide a Framework for Improvement for FPS and Other Agencies: Finally, as we stated at the outset, the protection of federal real property has been and continues to be a major concern. Therefore, we have used our key protection practices as criteria to evaluate the security efforts of other departments, agencies, and entities and have made recommendations to promote greater usage of key practices in ensuring the security of public spaces and of those who work at and visit them. For example, we have examined how DHS[Footnote 42] and the Smithsonian Institution[Footnote 43] secure their assets and identified challenges. Most recently, we evaluated the National Park Service's (Park Service) approach to national icon and park protection.[Footnote 44] We found that although the Park Service has implemented a range of security program improvements in recent years that reflected some aspects of key practices, there were also limitations. Specifically, the Park Service (1) does not manage risk servicewide or ensure the best return on security technology investments; (2) lacks a servicewide approach to sharing information internally and measuring performance; and (3) lacks clearly defined security roles and a security training curriculum. With millions of people visiting the nation's nearly 400 park units annually, ensuring their security and the protection of our national treasures is paramount. More emphasis on the key practices would provide greater assurance that Park Service assets are well protected and that Park Service resources are being used efficiently to improve protection. FPS faces challenges that are similar, in many respects, to those that agencies across the government are facing. Our key practices provide a framework for assessing and improving protection practices, and in fact, the Interagency Security Committee is using our key facility protection practices as key management practices to guide its priorities and work activities. For example, the committee established subcommittees for technology best practices and training, and working groups in the areas of performance measures and strategic human capital management. The committee also issued performance measurement guidance in 2009.[Footnote 45] Without greater attention to key protection practices, FPS will be ill equipped to efficiently and effectively fulfill its responsibilities of assessing risk, strategically managing its workforce and contract guard program, recommending countermeasures, sharing information and coordinating with GSA and tenant agencies to secure GSA buildings, and measuring and testing its performance as the security landscape changes and new threats emerge. Furthermore, implementing our specific recommendations related to areas such as human capital and risk management will be critical steps in the right direction. Overall, following this framework--adhering to key practices and implementing recommendations in specific areas--would enhance FPS's chances for future success and could position FPS to become a leader and benchmark agency for facility protection in the federal government. Mr. Chairman, this concludes our testimony. We are pleased to answer any questions you might have. Contact Information: For further information on this testimony, please contact Mark L. Goldstein at (202) 512-2834 or by e-mail goldsteinm@gao.gov. Individuals making key contributions to this testimony include Tammy Conquest, John Cooney, Elizabeth Eisenstadt, Brandon Haller, Denise McCabe, David Sausville, and Susan Michal-Smith. [End of section] Footnotes: [1] GAO, High Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: Jan. 1, 2009). [2] 40 U.S.C. � 1315. [3] Funding for FPS is provided through revenues and collections of security fees charged to building tenants in FPS-protected property. The revenues and collections are credited to FPS's appropriation and are available until expended for the protection of federally owned and leased buildings and for FPS's operations. [4] GAO, Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] (Washington, D.C.: Nov. 30, 2004). [5] We did not include the key practice of aligning assets to mission because GSA, not FPS, controls the asset inventory. [6] This testimony draws upon five primary sources. We reported on FPS's allocation of resources using risk management, leveraging of technology, and information sharing and coordination in GAO, Homeland Security: Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142] (Washington, D.C.: Oct. 23, 2009). We reported on FPS's strategic management of human capital in GAO, Homeland Security: Federal Protective Service Has Taken Some Initial Steps to Address Its Challenges, but Vulnerabilities Still Exist, [hyperlink, http://www.gao.gov/products/GAO-09-1047T] (Washington, D.C.: Sept. 23, 2009); GAO, Homeland Security: Preliminary Results Show Federal Protective Service's Ability to Protect Federal Facilities Is Hampered By Weaknesses in Its Contract Security Guard Program, [hyperlink, http://www.gao.gov/products/GAO-09-859T] (Washington, D.C.: July 8, 2009); and GAO, Homeland Security: Federal Protective Service Should Improve Human Capital Planning and Better Communicate with Tenants, [hyperlink, http://www.gao.gov/products/GAO-09-749] (Washington, D.C.: July 30, 2009). We reported on FPS's performance management and testing in GAO, Homeland Security: The Federal Protective Service Faces Several Challenges That Hamper Its Ability to Protect Federal Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683] (Washington, D.C.: June 11, 2008). [7] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [8] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [9] Some of the basic security services covered by this fee include law enforcement activities at GSA facilities, preliminary investigations, the capture and detention of suspects, and completion of BSAs. [10] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [11] [hyperlink, http://www.gao.gov/products/GAO-09-749]. [12] This mandate in DHS's fiscal year 2008 appropriation act was effective for fiscal year 2008 only, since mandates in annual appropriation acts are presumed to be applicable for that fiscal year unless specified to the contrary. DHS's appropriation act for fiscal year 2009 also mandated that FPS have no fewer than 1,200 full-time employees. See Pub. L. No. 110-161, Div. E, 121Stat. 1844, 2051-2052 (2007) and Pub. L. No. 110-329, Div D. 1222 Stat. 3574, 3659-3660 (2008). [13] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [14] [hyperlink, http://www.gao.gov/products/GAO-09-859T]. [15] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [16] At the time of our review, a level IV facility had more than 450 federal employees, more than 150,000 square feet, a high volume of public contact, and tenant agencies that could include high-risk law enforcement and intelligence agencies, courts, judicial offices, and highly sensitive government records. [17] X-ray machines are hazardous because of the potential radiation exposure. In contrast, magnetometers do not emit radiation and are used to detect metal. [18] With this safety feature disabled, the X-ray machine's belt was operating continuously although the guard was not present. [19] [hyperlink, http://www.gao.gov/products/GAO-09-859T]. [20] At the time of our review, a level III facility had between 151 and 450 federal employees, 80,000 to 150,000 square feet, and a moderate to high volume of public contact. [21] [hyperlink, http://www.gao.gov/products/GAO-09-859T]. [22] [hyperlink, http://www.gao.gov/products/GAO-09-859T]. [23] Tests that we performed at a national laboratory in February 2006 and July 2007 demonstrated that a terrorist using these devices could cause severe damage to a federal facility and threaten the safety of federal workers and the general public. Our investigators obtained the components for these devices at local stores and over the Internet for less than $150. [24] U.S. Department of Justice, Vulnerability Assessment of Federal Facilities, (Washington, D.C., June 28, 1995). The Department of Justice standards recommend minimum security measures for federal buildings. [25] Following the Oklahoma City bombing, Executive Order 12977 called for the creation of an interagency security committee to address the quality and effectiveness of physical security requirements for federal facilities by developing and evaluating security standards. The Interagency Security Committee has representation from all major federal departments and agencies. [26] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [27] In 2006 GSA established the Building Security and Policy Division within its Public Buildings Service to oversee its security operations and policies and liaise with FPS. Additionally, the division developed the Regional Security Network, which consists of several staff per GSA region to further enhance coordination with FPS at the regional and building levels, and to carry out GSA security policy in collaboration with FPS and tenant agencies. [28] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [29] In June 2009 tenant agency representatives told us that at all times, they had been aware of the location of the equipment and assured proper safeguarding of the equipment during the reconstruction process. [30] [hyperlink, http://www.gao.gov/products/GAO-09-749]. [31] [hyperlink, http://www.gao.gov/products/GAO-09-749]. [32] GAO, High-Risk Series: An Update, [hyperlink, http://www.gao.gov/products/GAO-05-207] (Washington, D.C.: Jan. 1, 2005). [33] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [34] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [35] The National Infrastructure Protection Plan was founded through Homeland Security Presidential Directive 7 and sets forth national policy on how the plan's risk management framework and sector partnership model are to be implemented by sector-specific agencies. FPS is the agency responsible for the Government Facilities sector. [36] [hyperlink, http://www.gao.gov/products/GAO-09-859T]. [37] [hyperlink, http://www.gao.gov/products/GAO-08-863]. [38] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [39] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [40] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [41] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [42] GAO, Federal Real Property: DHS Has Made Progress, but Additional Actions Are Needed to Address Real Property Management and Security Challenges, [hyperlink, http://www.gao.gov/products/GAO-07-658] (Washington, D.C.: June 22, 2007). In this report, we used the key practices to assess DHS's security operations with respect to the government-owned and leased buildings in its real property portfolio, but did not specifically focus on FPS. [43] GAO, Smithsonian Institution: Funding Challenges Affect Facilities' Conditions and Security, Endangering Collections, [hyperlink, http://www.gao.gov/products/GAO-07-1127] (Washington, D.C.: Sept. 28, 2007). [44] GAO, Homeland Security: Actions Needed to Improve Security Practices at National Icons and Parks, [hyperlink, http://www.gao.gov/products/GAO-09-983] (Washington, D.C.: Aug. 28, 2009). [45] Interagency Security Committee, Use of Physical Security Performance Measures, (Washington, D.C., June 16, 2009). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO‘s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO‘s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: