Homeland Security
Actions Needed to Improve Security Practices at National Icons and Parks Gao ID: GAO-09-983 August 28, 2009The September 11 terrorist attacks have heightened concerns about the security of the nation's icons and parks, which millions of people visit every year. The National Park Service (Park Service) within the Department of the Interior (Interior) is responsible for securing nearly 400 park units that include icons and other parks. In 2004, GAO identified a set of key protection practices that include: allocating resources using risk management, leveraging technology, information sharing and coordination, performance measurement and testing, and strategic management of human capital. As requested, GAO determined whether the Park Service's security efforts for national icons and parks reflected key practices. To meet this objective, GAO used its key practices as criteria, reviewed five icons and parks to gain firsthand knowledge, analyzed Interior documents, and interviewed Interior officials.
The Park Service has implemented a range of security improvements since the September 11 terrorist attacks and has worked to integrate security into its primary mission to preserve national icons and parks for the public's enjoyment. For example, it has established a senior-level security manager position and taken steps to strengthen security at the icons, and is developing a risk management program for small parks. These efforts exhibit some aspects of the key protection practices, but GAO found limitations in each of the areas. The Park Service does not allocate resources using risk management servicewide or cost-effectively leverage technology. While the Park Service, with assistance from Interior, has conducted risk assessments and implemented countermeasures to enhance security at the icons, some critical vulnerabilities remain. Moreover, the Park Service has not advanced this risk management approach for icons to the rest of its national parks. Without a servicewide risk management approach, the Park Service lacks assurance that security efforts are focused where they are needed. Furthermore, while icons and parks may use a variety of security technologies and other countermeasures, they do not have guidance for evaluating the cost-effectiveness of these investments, thus limiting assurances of efficiency and cost-effectiveness. Additionally, the Park Service faces limitations with sharing and coordinating information internally and lacks a servicewide approach for routine performance measurement and testing. Although the Park Service collaborates with external organizations, it lacks comparable arrangements for internal security communications and, as a result, parks are not equipped to share information with one another on common security problems and solutions. Furthermore, the Park Service has not established security performance measures and lacks an analysis tool that could be used to evaluate program effectiveness and inform an overall risk management strategy. Thus, icons and parks have little information on the status and performance of security that they can use to manage daily activities or that Park Service management can use to manage security throughout the organization. Finally, strategic human capital management is an area of concern because of the Park Service's lack of clearly defined security roles and a security training curriculum. For example, staff that are assigned security duties are generally not required to meet qualifications or undergo specialized training. Absent a security training curriculum, there is less assurance that staff are well-equipped to effectively identify and mitigate risks at national icons and parks.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-09-983, Homeland Security: Actions Needed to Improve Security Practices at National Icons and Parks
This is the accessible text file for GAO report number GAO-09-983
entitled 'Homeland Security: Actions Needed to Improve Security
Practices at National Icons and Parks' which was released on
September 28, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Homeland Security, House of
Representatives:
United States Government Accountability Office:
GAO:
August 2009:
Homeland Security:
Actions Needed to Improve Security Practices at National Icons and
Parks:
GAO-09-983:
GAO Highlights:
Highlights of GAO-09-983, a report to the Chairman, Committee on
Homeland Security, House of Representatives.
Why GAO Did This Study:
The September 11 terrorist attacks have heightened concerns about the
security of the nation‘s icons and parks, which millions of people
visit every year. The National Park Service (Park Service) within the
Department of the Interior (Interior) is responsible for securing
nearly 400 park units that include icons and other parks. In 2004, GAO
identified a set of key protection practices that include: allocating
resources using risk management, leveraging technology, information
sharing and coordination, performance measurement and testing, and
strategic management of human capital. As requested, GAO determined
whether the Park Service‘s security efforts for national icons and
parks reflected key practices. To meet this objective, GAO used its key
practices as criteria, reviewed five icons and parks to gain firsthand
knowledge, analyzed Interior documents, and interviewed Interior
officials.
What GAO Found:
The Park Service has implemented a range of security improvements since
the September 11 terrorist attacks and has worked to integrate security
into its primary mission to preserve national icons and parks for the
public‘s enjoyment. For example, it has established a senior-level
security manager position and taken steps to strengthen security at the
icons, and is developing a risk management program for small parks.
These efforts exhibit some aspects of the key protection practices, but
GAO found limitations in each of the areas.
The Park Service does not allocate resources using risk management
servicewide or cost-effectively leverage technology. While the Park
Service, with assistance from Interior, has conducted risk assessments
and implemented countermeasures to enhance security at the icons, some
critical vulnerabilities remain. Moreover, the Park Service has not
advanced this risk management approach for icons to the rest of its
national parks. Without a servicewide risk management approach, the
Park Service lacks assurance that security efforts are focused where
they are needed. Furthermore, while icons and parks may use a variety
of security technologies and other countermeasures, they do not have
guidance for evaluating the cost-effectiveness of these investments,
thus limiting assurances of efficiency and cost-effectiveness.
Additionally, the Park Service faces limitations with sharing and
coordinating information internally and lacks a servicewide approach
for routine performance measurement and testing. Although the Park
Service collaborates with external organizations, it lacks comparable
arrangements for internal security communications and, as a result,
parks are not equipped to share information with one another on common
security problems and solutions. Furthermore, the Park Service has not
established security performance measures and lacks an analysis tool
that could be used to evaluate program effectiveness and inform an
overall risk management strategy. Thus, icons and parks have little
information on the status and performance of security that they can use
to manage daily activities or that Park Service management can use to
manage security throughout the organization.
Finally, strategic human capital management is an area of concern
because of the Park Service‘s lack of clearly defined security roles
and a security training curriculum. For example, staff that are
assigned security duties are generally not required to meet
qualifications or undergo specialized training. Absent a security
training curriculum, there is less assurance that staff are well-
equipped to effectively identify and mitigate risks at national icons
and parks.
What GAO Recommends:
GAO is making six recommendations to the Secretary of the Interior.
These include instructing the Park Service to develop a more
comprehensive risk management approach, guidance and standards for
leveraging technology, strategies to improve communications and to
clearly define staff roles, and programs related to performance
measurement, testing, and training. Interior concurred with the report‘
s recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-09-983] or key
components. For more information, contact Mark L. Goldstein at (202)
512-2834 or goldsteinm@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
The Park Service Does Not Manage Risk Servicewide or Ensure the Best
Return on Security Technology Investments:
The Park Service Lacks a Servicewide Approach to Sharing Information
Internally and Measuring Performance:
Human Capital Management Lacks a Security Focus:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of the Interior:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Examples of Technologies and Other Countermeasures that Icons
and Parks Use to Enhance Security:
Table 2: Examples of Information Sharing and Coordination at Park
Service Regions, Icons, and Parks:
Table 3: Examples of Security-related Tests, Exercises, and Drills:
Table 4: Security Positions at Regions, and Examples of Activities:
Table 5: Security Positions at Icons and Parks, and Examples of
Activities:
Table 6: Security Training Examples:
Figures:
Figure 1: Perimeter Fencing at the African Burial Ground:
Figure 2: Performance Measures, Uses, and Results:
Abbreviations:
African Burial Ground: African Burial Ground National Monument:
DHS: Department of Homeland Security:
FAA: Federal Aviation Administration:
FBI: Federal Bureau of Investigation:
FLETC: Federal Law Enforcement Training Center:
FPS: Federal Protective Service:
Gateway Arch: Jefferson National Expansion Memorial:
Gettysburg: Gettysburg National Military Park:
Grand Canyon: Grand Canyon National Park:
GSA: General Services Administration:
HSPD-7: Homeland Security Presidential Directive 7:
IG: Inspector General:
Interior: Department of the Interior:
ISC: Interagency Security Committee:
JTTF: Joint Terrorism Task Force:
OLES: Office of Law Enforcement and Security:
Park Service: National Park Service:
Park Police: U.S. Park Police:
Statue of Liberty: Statue of Liberty National Monument:
Smithsonian: Smithsonian Institution:
TSA: Transportation Security Administration:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
August 28, 2009:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
Dear Mr. Chairman:
The September 11 terrorist attacks have heightened concerns about the
security of the nation's icons and parks, which millions of people
visit every year. Attacks on these assets could have profound
psychological and economic effects. The National Park Service (Park
Service), within the Department of the Interior (Interior), is
responsible for protecting close to 400 park units that include 5 units
Interior has identified as national icons and other types of parks.
[Footnote 1] While the Park Service has taken some steps to enhance
security, especially at icons and parks along the southwest border,
protecting these treasured assets can be a complex and contentious task
for the agency, which must also ensure that the public has access to
them. In 2002, the Secretary of the Interior established the Office of
Law Enforcement and Security (OLES) to oversee Interior's security
efforts and to ensure their consistent application across its bureaus
and offices. OLES and the Park Service identified five national icons
as critical assets as part of the government's homeland security
initiatives. Additionally, the U.S. Park Police (Park Police) provides
law enforcement and security services for icons and parks in
Washington, D.C.; New York City; and San Francisco.
We have reported on the challenges agencies face in protecting national
icons. Such challenges include balancing security with public access,
addressing jurisdictional issues and competing stakeholder interests,
and leveraging limited resources.[Footnote 2] We have also identified a
set of key protection practices--established from the collective
practices of federal agencies and private sector entities--that can
provide a framework for guiding agencies' efforts to protect physical
assets, such as park properties and facilities, and address challenges.
[Footnote 3] The key practices essentially form the foundation of a
comprehensive, strategic approach to park protection. We have used
these key practices as criteria to evaluate how the Department of
Homeland Security (DHS)[Footnote 4] and the Smithsonian Institution
[Footnote 5] (Smithsonian) secure their assets. Furthermore, the
Interagency Security Committee[Footnote 6] (ISC), chaired by DHS, is
using our key protection practices to guide its priorities and work
activities. The following are the key practices we used for this
review:
* Allocation of resources using risk management: Identify threats,
assess vulnerabilities, and determine critical assets to protect; use
information on these and other elements to develop countermeasures; and
prioritize the allocation of resources as conditions change.
* Leveraging of technology: Select technologies to enhance asset
security through methods like access control, detection, and
surveillance systems. This involves not only using technology, but
ensuring that there are positive returns on investment in the form of
reduced vulnerabilities.
* Information sharing and coordination: Establish means of coordinating
and sharing security and threat information internally, within large
organizations, and externally, with other government entities and the
private sector.
* Performance measurement and testing: Use metrics, such as
implementation timelines, and active testing, such as unannounced on-
site assessments, to ensure accountability for achieving program goals
and improving security at facilities.
* Strategic management of human capital: Manage human capital to
maximize government performance and assure accountability in asset
protection through, for example, recruitment of skilled staff,
training, and retention.
You requested that we determine whether the Park Service's approach to
securing national icons and parks reflects key protection practices. In
response, on June 19, 2009, we issued a sensitive but unclassified
report. As that report contained information that was deemed to be
either law enforcement sensitive or for official use only, this version
of the report is intended to communicate our findings as related to
each of the key protection practices that we reviewed and our
recommendations while omitting sensitive information about icon and
park security, including specific vulnerabilities, security breaches,
and steps that Interior, Park Service, and Park Police have taken to
address them.
To meet the reporting objective, we used our key practices as a
framework for assessing the Park Service's protection efforts. We
interviewed Interior officials at the national, regional, and asset
levels, including officials from the Office of the Inspector General
(IG), OLES, Park Service, and Park Police. We reviewed five icons and
parks to learn firsthand how the Park Service protects highly visible
assets. We selected these assets because they have high public
visitation, present other potential security considerations such as
recent or planned facility construction, and are geographically
diverse. We selected:
* Two icons: the Statue of Liberty National Monument (Statue of
Liberty) in New York City, and the Jefferson National Expansion
Memorial (Gateway Arch) in St. Louis.
* Three parks: the African Burial Ground National Monument (African
Burial Ground) in New York, Gettysburg National Military Park
(Gettysburg) in Pennsylvania, and Grand Canyon National Park (Grand
Canyon) in Arizona.[Footnote 7]
In doing our work, we also reviewed pertinent documents and policies,
related directives, and prior and ongoing GAO studies. We conducted
this performance audit from January 2008 through June 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective. Appendix I contains a more
detailed discussion of our scope and methodology.
Results in Brief:
The Park Service has implemented a range of security program
improvements since the September 11 terrorist attacks. As an important
steward of America's highly valued national icons and parks, the Park
Service has worked to integrate security into its primary mission to
preserve the natural and cultural resources and values of the national
park system for the enjoyment, education, and inspiration of those who
visit them. For example, it has established a senior-level security
manager position and taken steps to strengthen security at the icons,
and it is developing a risk management program for small parks. These
efforts exhibit some aspects of key protection practices, but also have
limitations. More specifically:
* The Park Service does not have a systematic approach for allocating
resources using risk management throughout its vast and diverse
inventory of national icons and parks to address security issues. The
Park Service, with assistance from Interior's OLES, has assessed risks
and implemented security improvements at the five icons and some border
parks, although we noted some cases in which recommended security
measures were not implemented at icons and vulnerabilities remain. At
other parks, however, risk assessments are done on an ad-hoc basis and
the Park Service has not conducted a servicewide assessment of
vulnerabilities. Instead, officials at individual parks use their
discretion to request risk assessments from the Park Service or obtain
them from other sources. For example, officials at the Grand Canyon--
with more than 4 million visitors annually--independently obtained a
risk assessment from an outside counterterrorism organization, but the
chief ranger was concerned that it was not thorough and that
vulnerabilities remain. Without a servicewide risk management approach,
the Park Service lacks assurance that security efforts are adequate and
focused where they are needed. Furthermore, without risk assessment
tools and other security guidance, some Park Service officials at
regional offices are developing their own approaches to risk management
without leveraging best practices and lessons learned throughout the
Park Service.
* The Park Service does not have guidance or standards that officials
at individual icons and parks can use to leverage technology by
evaluating the cost-effectiveness of security countermeasures. As a
result, there is limited assurance that technology investments produce
the greatest security benefits. Without guidance and standards,
officials at icons and parks may rely on other methods such as trial
and error to identify systems and equipment that best suit their needs.
For example, officials at the Statue of Liberty were planning to lease
magnetometers and X-ray machines to screen visitors, while officials at
the Gateway Arch intend to continue purchasing the same equipment.
Officials at both icons were making these decisions based on preference
without assessing which approach was more cost-effective. These
alternative methods may lead to inefficient resource allocation since
icon and park officials have competing resource demands and regular
developments in technology necessitate upgrades. Officials from the two
icons and one of the regions said that guidance for investing in
technology would be helpful.
* The Park Service has information sharing and coordination
arrangements with external organizations at the national, regional,
icon, and park levels. However, the Park Service lacks comparable
arrangements for internal security communications, and as a result,
officials at icons and parks are not equipped to share information with
one another on common security problems and solutions. For example,
there is no servicewide Web portal for sharing security information
internally, an approach other organizations have established. Thus,
while officials at the Gateway Arch said they have collaborated with
other federal agencies--such as the Transportation Security
Administration (TSA) to form a federal screeners group to share best
practices and learn about new technologies--the Park Service is limited
in its ability to leverage these lessons learned throughout the
organization--an activity that a shared Web portal could enable. In the
absence of a servicewide security Web portal, some regional offices are
developing their own Web sites, but functionality, content, and usage
vary from region to region.
* The Park Service does not have a servicewide approach for routine
performance measurement and testing of its security efforts. The Park
Service has not established security performance measures and lacks an
analysis tool that it could use to track performance measures such as
the number of risk assessments conducted, change in the total number of
security-related incidents, identified security staff, and security
training courses provided and attended. Without an overarching
performance measurement and testing framework, officials at each
region, icon, and park take their own approach to identifying security
performance measures and tests. However, this ad hoc approach provides
little assurance that performance measures and tests are effective and
adequate, and that lessons learned can be identified and leveraged
throughout the Park Service. Moreover, officials at regions, icons, and
parks use their own tracking tools to record and report security
incidents limiting the extent to which such information can be
consolidated, analyzed, and leveraged to enhance security throughout
the park system. Because of the limited activity in this area, icon and
park personnel have little information on the status and performance of
security methods that they can use to manage day-to-day activities or
that Park Service management can use to manage security efforts
throughout the organization.
* Strategic human capital management is an area of concern because of
the Park Service's lack of clearly defined security roles and a
security training curriculum. Although the Park Service requires
regions to assign security responsibilities to law enforcement staff,
and icon and park superintendents designate physical security
coordinators, these staff do not have to meet any qualifications,
demonstrate expertise, or undergo any specialized training, and
oversight of their activities is limited. For example, at the time of
our review, neither the Park Service nor the Park Police employed a
full-time security manager at the Statue of Liberty, despite such
recommendations from the Interior IG and OLES. Moreover, park officials
have not designated a physical security coordinator, and instead, have
distributed those duties among several Park Police managers. While
officials from regions, icons, and parks told us that they coordinate
and participate in a variety of security training sessions, there is no
overarching Park Service-specific training program or curriculum.
Instead, security training is decentralized and thus there is little
assurance that Park Service employees have the knowledge, skills, and
awareness needed to contribute to overall park security.
In order to better oversee and more efficiently manage the protection
of the vast and diverse inventory of national icons and parks, we are
recommending that the Secretary of the Interior take six actions.
Specifically, the Secretary should instruct the Director of the
National Park Service, in consultation with OLES, to develop and
implement: (1) a more comprehensive, routine risk management approach
for security; (2) guidance and standards for leveraging security
technology; (3) an internal communications strategy for security to
address communications gaps, including a timeline for the development
of a servicewide Web portal for security; (4) a servicewide performance
management and testing program that includes specific measures and an
evaluation component; (5) a strategy for more clearly defining security
roles and responsibilities within the Park Service; and (6) a
servicewide security training program and related curriculum. We
provided a draft of this report to Interior for official review and
comment. Interior agreed with our assessment that actions are needed to
improve security practices at national icons and parks, and agreed with
the report's recommendations. Interior also provided additional
information--including general comments from the Park Police--which is
discussed near the end of this letter. Interior's official comments are
contained in appendix II. Additionally, the Park Police provided
technical comments that we incorporated, where appropriate.
Background:
Interior is responsible for the safety and security of more than 67,000
employees, 280,000 volunteers, 1 million daily visitors, and 500
million acres of public lands that include national icons and parks.
After September 11, the Secretary of the Interior took steps to address
serious organizational and management problems in the law enforcement
and security components of the department. Of particular concern,
according to the Interior IG, was the lack of coordination among these
components and the absence of a meaningful single point of contact that
the Secretary and senior managers could depend upon for reliable
information and advice.[Footnote 8] The Secretary approved a Deputy
Assistant Secretary for Law Enforcement and Security in July 2002, and
established OLES to oversee the department's law enforcement and
security efforts and ensure their consistent application across
Interior's bureaus and offices. Specific to icon protection, in 2003,
Homeland Security Presidential Directive 7 (HSPD-7) designated Interior
as the sector-specific agency for the National Monuments and Icons
critical infrastructure sector, and Interior selected OLES to carry out
sector responsibilities.[Footnote 9] To fulfill its duties, OLES
officials developed a national monuments and icons sector-specific plan
in which they defined national icons as: (1) monuments, physical
structures, or objects; (2) recognized both nationally and
internationally as representing the nation's heritage, traditions, and/
or values or are recognized for their national, cultural, religious,
historical, or political significance; and (3) serve the primary
purpose of memorializing or representing significant aspects of our
nation's heritage, traditions, or values and serve as points of
interest for visitors and educational activities.[Footnote 10] In
accordance with its assigned duties, OLES officials also developed a
uniform risk assessment and ranking methodology to quantify risk,
identify needed security enhancements, and measure risk-reduction
benefits at icons. OLES officials used this methodology to assess risks
at the icons during 2004 and 2006. OLES has also issued sector annual
reports and established a sector government coordinating council.
The Park Service's mission is the unimpaired preservation of the
natural and cultural resources and values of the national park system.
The Park Service is responsible for managing the national icons and the
national park system. In 2008, the Park Service welcomed almost 275
million visitors to its nearly 400 national park units throughout the
United States, American Samoa, Guam, Puerto Rico, and the Virgin
Islands. Within the Visitor and Resource Protection division of the
Park Service, the Law Enforcement, Security, and Emergency Services
branch provides policy formulation, oversight, support services,
guidance, and leadership to assist park managers and law enforcement
staff in accomplishing the Park Service's visitor protection goals and
objectives. This branch is led by a chief and has one position
dedicated to security and intelligence management. Park superintendents
and rangers manage and provide security and law enforcement services at
icons and parks throughout the United States in conjunction with their
other duties. These other duties include the management of public use,
dissemination of scientific and historical information, and protection
and management of natural and cultural resources. The Park Police,
which is a Park Service component, provides law enforcement and
security services for national icons and parks in Washington, D.C.; New
York City; and San Francisco. The Park Police has also staffed law
enforcement specialists in four of seven Park Service regions including
the National Capital, Northeast, Intermountain, and Pacific West
regions.[Footnote 11]
We have identified a set of six key protection practices from the
collective practices of federal agencies to provide a framework for
guiding agencies' protection efforts and addressing challenges.
[Footnote 12] The following are the key practices we used for this
review:
* Allocation of resources using risk management: Identify threats,
assess vulnerabilities, and determine critical assets to protect; use
information on these and other elements to develop countermeasures; and
prioritize the allocation of resources as conditions change.
* Leveraging of technology: Select technologies to enhance asset
security through methods like access control, detection, and
surveillance systems. This involves not only using technology, but
ensuring that there are positive returns on investment in the form of
reduced vulnerabilities.
* Information sharing and coordination: Establish means of coordinating
and sharing security and threat information internally, within large
organizations, and externally, with other government entities and the
private sector.
* Performance measurement and testing: Use metrics, such as
implementation timelines, and active testing, such as unannounced on-
site assessments, to ensure accountability for achieving program goals
and improving security at facilities.
* Strategic management of human capital: Manage human capital to
maximize government performance and assure accountability in asset
protection through, for example, recruitment of skilled staff,
training, and retention.
We have used the key practices to evaluate the efforts of the
Smithsonian to protect its assets,[Footnote 13] DHS to protect its
facilities,[Footnote 14] and federal agencies to protect icons and
facilities on the National Mall.[Footnote 15] For example, in 2007, we
found that while the Smithsonian follows key practices to protect its
assets, it faces challenges related to ensuring that museum and
facility directors are aware of information on security and funding
constraints. Similarly, in 2005, we found that federal
agencies[Footnote 16] on the National Mall--the Park Service,
Smithsonian, National Gallery of Art, Department of Agriculture, and
U.S. Botanic Garden--were using five of the six key practices to
implement security enhancements. Also, in 2007, we reported that DHS
had taken actions intended to improve the security of its facilities,
but its efforts fell short in certain key areas, such as DHS components
not fully implementing risk management.
Moreover, the ISC--a body that addresses the quality and effectiveness
of security requirements for federal facilities through developing and
evaluating security standards for federal facilities--is using our key
protection practices as key management practices to guide its
priorities and work activities. For example, ISC established
subcommittees for technology best practices and training, and working
groups in the areas of performance measures and strategic human capital
management. ISC also issued performance measurement guidance in 2009.
[Footnote 17]
The Park Service Does Not Manage Risk Servicewide or Ensure the Best
Return on Security Technology Investments:
While the Park Service, with the assistance of OLES, has assessed risks
at the icons and southwest border parks, it has not adopted a
servicewide approach to risk management, including policies, guidance,
and tools to support risk assessments at the remaining parks.
Furthermore, although icon and park officials have acquired a variety
of technologies to enhance security, they do not have guidance to
evaluate the cost-effectiveness of proposed or actual countermeasures.
The Park Service Has Focused Risk Management Efforts on Icons and
Border Parks but Vulnerabilities Remain:
We have reported that most risk management approaches generally involve
identifying the assets that are most critical to protect in terms of
mission and significance, identifying potential threats, assessing
vulnerabilities, and evaluating mitigation alternatives for their
likely effect on risk and their cost.[Footnote 18] The Park Service and
OLES generally employed such an approach in identifying five icons as
critical assets to protect, assessing risks, and implementing
countermeasures. Specifically, OLES conducted its first round of icon
risk assessments during 2004, through which it identified
vulnerabilities that the icons shared. Officials at the icons worked on
implementing the assessments' recommendations; therefore OLES's 2006
icon risk assessments and 2007 compliance reviews noted significant
security improvements, including new surveillance and monitoring
equipment, some barriers installed to protect against vehicle
explosions, and enhanced visitor screening stations and procedures.
In addition to prioritizing icon security, during 2008 the Secretary of
the Interior directed the Park Service to focus on border park security
through its "Safe Borderlands" initiative, and as a result, the Park
Service has also taken steps to balance security and public access at
southwest border parks. About 41 percent of the land along the U.S.
southwest border is under the control and custody of Interior's land
management bureaus, including five parks that are under the Park
Service. These border parks face security challenges related to drug
smuggling and other unlawful activities in the area, which have also
caused significant environmental damage. The Safe Borderlands
initiative aims to strengthen Interior's--including the Park Service's-
-law enforcement capabilities, improve its radio communications, and
lessen the environmental impact of illegal activities. The Park Service
and other Interior bureaus have assessed risks and increased staffing
along the southwest border, and have installed security features, such
as vehicle barricades and sensors at certain border locations, in an
effort to prevent illegal aliens and drug smugglers from entering.
According to Park Service officials from the Intermountain Region, all
border parks in their region have ground sensors to detect illegal
traffic and some have alarm systems.
Despite the significant improvements made in icon security, we noted
some cases in which recommended security countermeasures were not
implemented and vulnerabilities remain.[Footnote 19] Park officials at
the Statue of Liberty told us that the icon security plan had not been
updated since its creation in 2002; however, later in our review, Park
Police officials told us they updated this plan during 2008.[Footnote
20] Park officials at the Gateway Arch have also made notable security
improvements, such as moving the dispatch center away from the arch.
However, vulnerabilities still exist at the park, and security breaches
have occurred. Officials from both icons told us that, while they
identify and prioritize security needs, security projects compete with
other operational needs, and these officials must prioritize and
balance competing interests as best they can.
The Park Service Lacks a Systematic Approach for Allocating Resources
Using Risk Management:
Park Service officials at the national, regional, icon, and park levels
told us that security awareness has increased throughout the
organization, largely because of Interior's initiative to assess
security risks at the icons, and the resources the Park Service has
allocated to address these concerns; yet the Park Service has not
formally applied risk management principles for the rest of its
national parks inventory. We have reported that allocating resources
using risk management is a systematic and analytical process to
consider the likelihood that a threat will endanger an asset--
structure, individual, or function--and identify, evaluate, select, and
implement actions that reduce the risk or mitigate the consequences of
an event.[Footnote 21] However, the Park Service does not require that
other parks undergo risk assessments and therefore there has been no
comprehensive servicewide assessment, prioritization, and mitigation of
vulnerabilities. Instead, Park Service officials use their discretion
to request risk assessments from the Park Service or another entity,
and as a result, risk assessments can vary in their scope and
methodology from park to park. Even if Park Service officials obtain
risk assessments, they may not use them to guide park operations, or
they may find it challenging to interpret and implement recommended
actions because they are unfamiliar with the risk assessment process.
Of the three parks we reviewed, only the African Burial Ground had
received a comprehensive risk assessment because it is in a high-
security federal facility that is under the control and custody of the
General Services Administration (GSA) and is protected by the Federal
Protective Service (FPS).[Footnote 22] The risk assessments of the
other two parks were limited in scope.
* The African Burial Ground is adjacent to a high security multitenant
federal building in New York City and the visitor center is inside the
building. Therefore, the Park Service authorized FPS to provide law
enforcement and security services--such as conducting security
assessments and recommending countermeasures through a memorandum of
understanding. Furthermore, because the Park Service is a tenant in a
GSA building, it receives certain protection services from GSA. For
example, FPS, GSA, and the Park Service collaborated to identify
perimeter fencing for GSA to install around the monument that
maintained park aesthetics and provided protection based on FPS and GSA
security standards (see figure 1). Also, according to the Northeast
regional chief ranger, the former regional physical security specialist
completed a risk assessment of the park in 2006. In accordance with the
memorandum, FPS will continue to address security vulnerabilities at
the African Burial Ground, such as visitor screening, in collaboration
with the park.
Figure 1: Perimeter Fencing at the African Burial Ground:
[Refer to PDF for image: photograph]
Source: GAO.
[End of figure]
* In 2008, the Gettysburg Foundation--a private, nonprofit educational
organization working with the Park Service at Gettysburg--hired a
security consulting firm to complete a risk assessment specifically for
the new visitor center and museum that it constructed on its land
within the park. The assessment included recommendations for protecting
artifacts, infrastructure, visitors, and staff, and the Gettysburg
Foundation implemented some of the countermeasures. For example, the
Gettysburg Foundation purchased surveillance cameras, and Park Service
rangers monitor them. The Park Service is responsible for protecting
visitors and providing a safe environment for visitors and staff.
Moreover, the risk assessment was only for the visitor center and
museum, not the park as a whole. According to the chief ranger, the
park faces security challenges from the numerous roads leading into it
and its open borders.
* In 2006, Park Service officials at the Grand Canyon--with more than 4
million visitors annually--requested a risk assessment through their
participation in the Arizona Joint Terrorism Task Force (JTTF).
[Footnote 23] The Arizona Counter Terrorism Information Center
fulfilled the request and identified points of vulnerability and
potential security improvements at the park. The center's assessment
cited concerns with the location of the dispatch center and wiring
system, and Park Service officials are taking steps to mitigate these
risks, such as moving the dispatch center to a more secure location and
upgrading the wiring. Additionally, Park Service officials enhanced
security for the fee collection booths by having surveillance cameras
installed. However, even though the assessment contained actionable
items, the chief ranger told us it lacked details that would have made
it more helpful. The chief ranger considered assigning a Park Service
staff person to the center to learn more about the risk assessment
methodology, but the time commitment was prohibitive.
In addition to lacking a systematic approach for assessing risk
throughout its inventory, the Park Service lacks guidance and tools
that officials at icons and parks can use to develop risk management
strategies. The Park Service's 40-chapter law enforcement manual, which
was updated in 2008, focuses primarily on law enforcement policies and
responsibilities. One chapter on physical security[Footnote 24] broadly
outlines the duties of the physical security coordinator and delineates
closed-circuit television policy, but does not include other guidance
such as risk assessment procedures and how to use technology to enhance
security. Park Service officials we spoke with had mixed views on the
manual. Officials from three of the four regions we spoke with said the
manual lacks comprehensive physical security information and guidance,
while officials from the fourth region considered the manual to be
useful. While officials at the Gateway Arch and Gettysburg told us that
they used the manual and found it useful for physical security,
officials at the Statue of Liberty and the Grand Canyon said they did
not use the manual to guide park security operations. The
superintendent at the African Burial Ground told us that other Park
Service staff advising the park refer to the manual. Park Police
officials told us that they do not use the Park Service's law
enforcement manual. Instead, they rely on the Park Police law
enforcement manual for security guidance at locations where the Park
Police are responsible for physical security, such as the Statue of
Liberty.
The Park Service also relies on Interior's physical security manual
which sets forth the policies designed to safeguard Interior personnel
and facilities, including buildings, grounds, and other property. OLES
developed the manual using the Department of Justice's facility
security level standards and minimum security countermeasure standards.
[Footnote 25] OLES officials told us that they adopted ISC's updated
facility security level standards,[Footnote 26] and notified bureau
security managers of changes. The Park Service's Acting Chief of the
Law Enforcement, Security, and Emergency Services division and the
Security and Intelligence Program Manager told us that they are
developing a process for updating icons' and parks' individual facility
security levels based on the revised standards. However, the department-
level physical security manual is focused on general facility
protection and officials from the regions, icons, and parks told us it
would be more useful if it were tailored to park-specific security
issues. For example, officials from two of the regions we spoke with
found the manual unhelpful, though officials from the other two regions
considered the manual the main driver for security policy. Park Service
officials at the icons and parks we spoke with had mixed reviews as
well. For example, officials at the Gateway Arch and Gettysburg told us
that they used the manual and found it useful--much as they did the
Park Service's law enforcement manual--while officials at the Statue of
Liberty and the Grand Canyon said they did not use the manual to guide
park security operations.
While officials at icons and parks are required to develop and
implement physical security plans and conduct physical security
surveys, there is no standardized approach, tools, or guidance for
carrying out these responsibilities. In the absence of a standardized
approach, some Park Service officials from the regions are developing
their own risk assessment tools and guidance for parks to use. Although
officials from the regions are taking actions that could help parks
allocate resources using risk management in accordance with the key
practice, these initiatives are being developed independently without a
servicewide strategy.
* The Intermountain regional office has provided parks with a physical
security plan template and workbook with guidance on how to assess risk
and identify appropriate countermeasures.
* The Midwest regional office is updating a small parks assessment
program that it originally created during 2002 by developing a physical
security assessment checklist for Park Service rangers to identify
deficiencies at parks.
* The Northeast regional office plans to create a team made up of
rangers and cultural staff that they can send to parks to work with
staff to assess security and develop strategies to mitigate
vulnerabilities.
At the national level, the Park Service recognizes that parks should
have tools available to help them assess risks and that physical
security plans and assessments should be standardized. Therefore, the
Park Service is developing a physical security handbook to standardize
physical assessment processes servicewide. Park Service officials are
using a U.S. Geological Survey physical security handbook and
Interior's physical security manual to develop the Park Service's
physical security handbook. The Park Service is also developing a small
park assessment program based on the Midwest Region's program, which it
intends to test in one region before implementing it servicewide.
However, the Park Service has not considered the other regions'
approaches and is therefore missing an opportunity to leverage best
practices and lessons learned, and create buy-in for a new security
program. For example, the Acting Chief of the Law Enforcement,
Security, and Emergency Services division and the Security and
Intelligence Program Manager were unfamiliar with the Intermountain
Region's physical security template and workbook, explaining that
officials at each regional office take their own approach to physical
security.
Lacking a systematic approach for assessing risk throughout the Park
Service's inventory of icons and parks has negative effects. First and
foremost, the Park Service lacks assurance that decisions about
security are based on an assessment of potential threats and
countermeasures. Although highly visible icons are the most plausible
terrorist targets, it is not unreasonable to presume that parks with
high visitor volumes or other national parks, monuments, memorials, and
facilities that have symbolic value may also be targets. Second, risk
management practices provide the foundation for a comprehensive
protection program. Hence, efforts in the other key practice areas--
leveraging technology, information sharing and coordination,
performance measurement and testing, and human capital management--are
diminished if they are not part of a risk management approach which can
be the vehicle for using these practices. Lastly, as previously
discussed, individual efforts by officials at regions, icons, and parks
to develop risk management tools and security approaches in the absence
of overarching guidance are not conducive to sharing lessons learned
and leveraging efficiencies.
The Park Service Does Not Have Guidance or Standards That Would Assist
Icons and Parks in Leveraging Technology:
Officials at icons and parks use a variety of technologies and other
countermeasures--such as video and surveillance monitoring equipment,
visitor screening equipment, vehicle barriers, and door locks--to
enhance security operations (see table 1). We have reported that by
efficiently using technology to supplement and reinforce other security
measures, agencies can more effectively address vulnerabilities
identified through the risk management process with appropriate
countermeasures.[Footnote 27]
Table 1: Examples of Technologies and Other Countermeasures that Icons
and Parks Use to Enhance Security:
Icon or park: African Burial Ground;
Technologies and other countermeasures: The park worked with FPS and
GSA to identify and install perimeter fencing that would balance
security with the aesthetics of the monument.
Icon or park: Gateway Arch;
Technologies and other countermeasures: The park installed bollards for
perimeter protection, some of which can be controlled at the entry
points by entering a code into a keypad, or remotely by the dispatch
center. The park is modernizing its dispatch center which will
incorporate radio-over-Internet-protocol technology and software-driven
security equipment, ensuring continued operations should the dispatch
center be damaged during an emergency.
Icon or park: Gettysburg;
Technologies and other countermeasures: The Gettysburg Foundation
implemented keyless lock technology for the park's new visitor center,
and the Park Service programs electronic key cards for each employee,
thus limiting access to an employee's area of responsibility. The
Gettysburg Foundation implemented video surveillance equipment, such as
closed-circuit television and motion detectors, and the Park Service
operates it.
Icon or park: Grand Canyon;
Technologies and other countermeasures: The park purchased and
installed video and surveillance equipment, such as digital video
recording technology and closed-circuit television, to secure fee
collection booths at park entrances.
Icon or park: Statue of Liberty;
Technologies and other countermeasures: The park installed temporary
visitor screening stations at Battery Park in New York City and Liberty
State Park in New Jersey. Visitors and their belongings must go through
magnetometer and X-ray screening before boarding the ferries to Liberty
Island. The park also installed a secondary screening station at
Liberty Island for visitors who want to go to the observation deck
level of the statue. In addition to magnetometers and X-ray machines,
this station has radiation and explosives detection devices.
Sources: GAO site visits and analysis of Park Service data.
[End of table]
Additionally, officials at icons we reviewed are partnering with other
agencies to test and obtain security technologies. By pooling resources
and sharing equipment, officials at icons are leveraging expertise and
cost-effectively enhancing their security. As we have reported,
technology implementation costs can be high, and the type of technology
used should be carefully analyzed to ensure its effectiveness and
efficiency.[Footnote 28] For example, at the Statue of Liberty, the
U.S. Air Force used the park as a testing ground for emerging
technologies, and the arrangement allowed the Park Service to keep the
equipment. For example, according to Park Service officials, the U.S.
Air Force has tested wireless cameras, weather stations, and chemical,
radiological, biological, nuclear, and explosives detection systems on
Liberty Island. Park Service and Park Police officials told us that the
weather stations are particularly useful to them since the Federal
Aviation Administration (FAA) requires weather data for fining aircraft
that violate airspace rules near the Statue of Liberty. According to
the Park Police, this partnership has been extended into 2010.
Despite icon and park officials' use of various technologies and other
countermeasures to enhance security, the Park Service has not developed
guidance on how to evaluate the cost-effectiveness of proposed or
actual security investments. We have recognized that having an approach
that allows for cost-effectively leveraging technology to supplement
and reinforce other measures would represent an advanced security
approach in this area.[Footnote 29] Without such guidance, icon and
park officials rely on other methods to identify systems and equipment
that best suit their needs. This, however, is an inefficient way to
enhance security, particularly in light of icon and park officials'
competing resource demands and regular developments in technology that
necessitate upgrades. For example, officials from two Park Service
regions told us that parks contact them for assistance in identifying
security equipment. Officials at the icons we reviewed cited instances
of using a trial and error approach to identify cost-effective and
suitable technologies. For example, officials at both the Statue of
Liberty and the Gateway Arch use magnetometers and X-ray machines to
screen visitors and their belongings. After several years of purchasing
security equipment, Park Police officials at the Statue of Liberty have
realized that they can acquire new and more effective space-saving
visitor screening equipment faster through leasing agreements. Park
Police officials told us that they intend to lease equipment in the
future to stay current with emerging technologies and ensure equipment
is maintained. Moreover, in its 2007 compliance review, OLES
recommended that park officials lease equipment because such an
approach would allow for quicker and less costly upgrades as new
technology is developed. In contrast, Park Service officials at the
Gateway Arch plan to continue purchasing this equipment. Officials at
both icons have made these decisions based on preference without formal
cost-benefit analysis. Officials from the Midwest Regional Office,
Statue of Liberty, and Gateway Arch suggested that the Park Service
could better assist icon and park officials in making informed
decisions about security technologies and other countermeasures.
The Park Service Lacks a Servicewide Approach to Sharing Information
Internally and Measuring Performance:
The Park Service has information sharing and coordination arrangements
with external organizations at the national, regional, icon, and park
levels, but lacks comparable arrangements for internal security
communications that would allow icon and park officials to share
information with one another on common security problems and solutions.
In addition, officials at the regions, icons, and parks have discretion
to implement security performance measures and testing, but the Park
Service lacks a servicewide approach for measuring and testing the
results of its security efforts. As a result, little consolidated
performance information is available for icon and park officials to use
in managing their day-to-day activities or for Park Service management
to use in managing security efforts throughout the organization.
The Park Service Shares Information and Coordinates with External
Organizations, but Internal Coordination Is Limited:
At the national, regional, icon, and park levels, the Park Service has
made progress in sharing information and coordinating with other law
enforcement, security, and emergency management entities. We have
reported that information sharing and coordination among organizations
is crucial to producing comprehensive and practical approaches and
solutions to addressing terrorist threats directed at federal assets.
[Footnote 30] By having a process in place to obtain and share
information on potential threats to federal assets, agencies can better
understand the risks they face and more effectively determine what
preventive measures should be implemented.[Footnote 31] At the national
level, the Park Service's Security and Intelligence Program Manager
analyzes intelligence from various sources including the Federal Bureau
of Investigation (FBI), DHS, and Interior, and disseminates this
information to officials at regions, icons, and parks. This manager
also attends department-level quarterly meetings of Interior's Security
Advisory Council.[Footnote 32] According to OLES officials, meeting
attendees are encouraged to disseminate information discussed at the
meetings to pertinent staff within their respective bureaus and
offices.
By collaborating with area law enforcement, security, and emergency
management entities, officials at regions, icons, and parks receive
threat information and leverage security expertise (see table 2). For
example, officials at the Gateway Arch said they are collaborating with
area federal agencies such as TSA, the Federal Air Marshal Service, and
FBI to form a federal screeners working group to share best practices
and learn about new technologies.
Table 2: Examples of Information Sharing and Coordination at Park
Service Regions, Icons, and Parks:
Region: Intermountain;
Collaborates with DHS on border park protection and has a memorandum of
understanding for the two entities to establish radio-sharing
responsibilities;
Coordinates with the Bureau of Reclamation to secure dams;
Receives intelligence information from the area JTTF.
Region: Midwest;
Participates on the Nebraska Anti-Terrorism Advisory Council;
Attends regular meeting of area chiefs of police, sheriffs, and other
law enforcement officials;
Coordinates with law enforcement officials in the vicinity of Mount
Rushmore National Memorial.
Region: Northeast;
Collaborated with the Smithsonian Institution on a risk assessment of a
Smithsonian asset;
Collaborated with FBI, the J. Paul Getty Trust, and the Smithsonian
Institution to develop a 3-day museum security awareness conference.
Pacific West;
Receives intelligence information from area JTTFs.
Icon or park: African Burial Ground;
Coordinates with the New York Police Department for park events;
Maintains a memorandum of understanding with DHS, which outlines FPS's
security responsibilities for the park.
Icon or park: Gateway Arch;
Forming a federal screeners working group with area agencies such as
TSA, the Federal Air Marshal Service, and FBI to share best practices
and learn about new technologies;
Provides a backup terminal for the Department of Justice
Interoperability Project which is intended to unify various radio
communications to enhance agencies' emergency response;
Member of the Illinois State Terrorism Intelligence Center.
Icon or park: Gettysburg;
Pays for a seat on the local dispatch center, which provides 24-hour
access and linkage to the state emergency center.
Icon or park: Grand Canyon;
Coordinates with FBI to dispense annual training for the park, and in
turn the park provides space for FBI to conduct training for FBI and
other agencies;
Coordinates with the U.S. Marshals Service for warrant services and
prisoner transport.
Icon or park: Statue of Liberty;
Connected to FAA's Domestic Events Network, allowing dispatch center
staff to track nearby aircraft;
Coordinates with FBI and the U.S. Coast Guard for maritime security;
Has a Park Police detective assigned to the New York City JTTF.
Source: GAO analysis of Park Service data.
[End of table]
While collaboration with partner agencies has expanded, the Park
Service has not fully leveraged information sharing and coordination
mechanisms that could strengthen the ability of officials at regions,
icons, and parks to share threat information and identify common
security problems and solutions. We have reported that sharing
information on threats and incidents that others have experienced can
help an organization identify trends better, understand the risks it
faces, and determine what countermeasures it should implement.[Footnote
33] Specifically, an information sharing practice that we have found to
be an important success factor in protecting critical infrastructure is
holding regularly scheduled meetings during which participants can
share security management practices, discuss emerging technologies, and
create committees to perform specific tasks such as policy setting.
[Footnote 34] However, the Park Service's use of regularly scheduled
security meetings is limited, and security discussions typically occur
on an as-needed basis. The Park Service's Law Enforcement, Security,
and Emergency Services branch holds a monthly conference call with
regional chief rangers, which covers a variety of topics and is not
solely focused on security. Regional officials we spoke with said they
meet with icon and park officials to discuss security issues on an as-
needed basis. Icon and park officials can contact Park Service regional
law enforcement or even the Park Service's Intelligence and Security
Program Manager for security assistance as needed.
Icon and park officials could access needed information anytime through
a Park Service security Web portal, but this tool does not exist
servicewide and is instead under development. We have reported that
secure Web portals are another important success factor in protecting
critical infrastructure and can ensure effective and timely
communication among an organization's members.[Footnote 35] Web portals
can be used to (1) disseminate all types of information, including
alerts, advisories, reports, and other analysis; (2) provide methods
for members to ask each other about particular incidents,
vulnerabilities, or potential solutions; and (3) share sensitive
information.[Footnote 36] For example, GSA's security division is
developing a Web portal to track incidents, share threat information,
post security policies and other related documents, and enable virtual
security discussions. The Park Service recognizes a need to improve its
use of technology to disseminate security information through
mechanisms such as a Web site and Web conferencing, thereby enhancing
its application of the information sharing and coordination key
practice. However, the Park Service's security Web portal is still
under development without a timetable for completion. According to OLES
officials, Interior's Office of Emergency Management maintains a secure
Web site known as SAFETALK, where sensitive information and policies
can be exchanged and stored. However, only authorized individuals are
allowed to access the portal, and over the course of our review, no
Park Service or Park Police officials we spoke to at the national,
regional, icon, or park levels cited this Web site as a primary
security information source. Without its own Web portal, the Park
Service is limited in its ability to disseminate key icon and park-
specific security information and guidance to icons and parks
efficiently and raise security awareness overall.
In the absence of a servicewide secure Web portal, some Park Service
regional offices have developed law enforcement and security Web sites,
but the functionality, content, and usage of these sites vary from
region to region. For example, while officials from the Intermountain
regional office said that they regularly update their Web site with
security resources, officials from the Midwest and Pacific West regions
said their law enforcement and security Web sites were used
infrequently and not to their fullest extent. The Midwest regional
chief ranger told us that officials from the region's icons and parks
make limited use of the regional Web site, instead preferring to
contact someone in the regional office for assistance or to obtain
policy documents. Officials from the Midwest and Pacific West regions
acknowledged that more could be done to enhance the content of their
Web sites and promote greater usage. For example, the Pacific West
regional chief ranger cited the inability of parks to communicate with
one another as a limitation on the usefulness of the regional Web site
as a tool for protecting visitors and resources. The Web site offers
one-way communication from the region to the field, but the region is
trying to increase the site's functionality and usage by adding
discussion threads and message boards, and displaying successful park
security strategies and plans. Also, the Northeast regional chief
ranger told us the office is considering creating a Web site to post
security-related lessons learned and security assessment templates.
The Park Service Lacks a Servicewide Approach for Routine Performance
Measurement and Testing:
The Park Service--at the national level--has no standardized
performance measures, evaluation mechanisms, or a testing program for
security servicewide. We have reported that successful performance
measures should (1) be linked to an agency's mission and goals; (2) be
clearly stated; (3) have quantifiable targets or other measurable
values; (4) be reasonably free of significant bias or manipulation that
would distort the accurate assessment of performance; (5) provide a
reliable way to assess progress; (6) sufficiently cover a program's
core activities; (7) have limited overlap with other measures; (8) have
balance, or not emphasize one or two priorities at the expense of
others; and (9) address governmentwide priorities.[Footnote 37] Linking
goals to a security program can be used to hold agencies and program
offices accountable for achieving those goals. Furthermore, we reported
that such alignment increases the usefulness of performance information
to decision makers.[Footnote 38]
Although the Park Service requires icon and park officials to report
security incidents, it has no centralized reporting and analysis
mechanism, thus these Park Service units have created their own
incident-tracking tools. The Park Service began developing an incident
reporting and analysis tool in 2003, but Interior decided to transfer
the project to OLES and leverage it for the whole department.
Interior's intent is that all bureaus--including the Park Service--will
use the Incident Management Analysis and Reporting System for a variety
of security performance measurement and management activities, such as
reporting incidents, identifying training and resource needs,
justifying resource requests and expenditures, measuring program
performance, and tracking training. These functions coincide with some
of the uses and results of performance measurement that we have
recognized, such as assessing the change in the total number of
security incidents to evaluate program effectiveness and inform the
overall risk management approach, as shown in figure 2.[Footnote 39]
However, Interior expects that this tool will not be available until
2011 or 2012, therefore, until the new system is implemented, the Park
Service will continue to be limited in its ability to identify common
threats and incidents--information which it could use to evaluate risk
management strategies and countermeasures, identify problems, and
develop solutions.
Figure 2: Performance Measures, Uses, and Results:
[Refer to PDF for image: illustration]
Performance measure examples:
* Risk assessments conducted;
* Compliance with security policies;
* Change in total number of security incidents;
* Change in risk rating resulting from countermeasures deployed.
Selected uses:
* Ensure adequate protection;
* Inform risk management;
* Allocate security resources;
* Hold employees accountable for security goals and objectives;
* Evaluate program effectiveness.
Potential results:
* Improvement in physical security;
* Physical security investments that justify costs;
* Reduction in facilities‘ vulnerability to acts of terrorism and other
forms of violence;
* Prioritization of funding within and across agencies.
Source: GAO.
[End of figure]
Regional officials may perform two to three park law enforcement
operational evaluations annually by selecting parks for evaluation or
responding to a park's request for an evaluation. These assessments
have a small security component, but are not security evaluations. For
example, the Midwest regional chief ranger examines the security of
park fee collections and the types of locks on windows and doors of
park facilities, according to this official. Officials from some of the
icons and parks we reviewed recognized a need for standardized
performance measures and testing. For example, Park Police officials at
the Statue of Liberty told us they would like a standardized testing
and evaluation program for security technologies, instead of solely
relying on informal testing efforts such as the Park Police's
collaboration with TSA to test visitor screening equipment. Similarly,
Park Service officials from the Gateway Arch expressed an interest in
coordinated reviews of the park's security that would incorporate
markers for achievement. Because performance is measured and tested
occasionally and inconsistently, officials from icons and parks have
limited opportunities for sharing lessons learned or using performance
data to manage security from a broader perspective.
We have reported that performance measurement can help achieve broad
program goals and improve security at the individual asset level.
[Footnote 40] Without effective performance measurement data, decision
makers may have insufficient information to evaluate whether their
investments have improved security or reduced vulnerabilities to
threats such as terrorism or crime. We have also reported that active
testing, using methods such as on-site security assessments, can
provide data on the effectiveness of efforts to reduce vulnerabilities.
[Footnote 41] Because the Park Service's performance management and
testing capability is limited, the agency has little information on the
status and performance of security activities at the icons and parks it
can use to manage day-to-day activities or that Park Service management
can use to strategize security efforts throughout the organization.
Absent a formal performance measurement system and testing program,
officials at icons and parks individually identify security program
components to test, such as focusing on equipment and procedural
knowledge. We have reported that testing methods include conducting
inspections to ensure that adequate levels of protection are employed,
testing the effectiveness of security measures such as structural
enhancements and physical barriers, and assessing preparedness through
training exercises and drills.[Footnote 42] We found some examples of
tests, exercises, and drills that park officials use to assess security
performance at icons and parks (see table 3). For example, officials at
the Grand Canyon said that they analyze law enforcement and security
incidents to shape patrol strategies, and officials at the Statue of
Liberty told us they hold emergency exercises with the New York Police
Department and FBI.
Table 3: Examples of Security-related Tests, Exercises, and Drills:
Icon or park: African Burial Ground;
Tests, exercises, and drills: FPS tests employee and visitor screening
equipment. The park participates in biannual fire drills and annual
shelter-in-place drills that GSA conducts for the facility.
Icon or park: Gateway Arch;
Tests, exercises, and drills: The park tests guards' operation of X-ray
equipment for visitor screening daily. The park tests the arch's
emergency power and fire alarm system annually. The park participated
in continuity of operations and pandemic flu tabletop exercises and
evaluations.
Icon or park: Gettysburg;
Tests, exercises, and drills: The chief ranger checked the
effectiveness of the park's evacuation training by informally testing
park staff on evacuation procedure recall.
Icon or park: Grand Canyon;
Tests, exercises, and drills: The park tests its evacuation plan
biannually--one tabletop exercise and one drill of a component of the
evacuation plan.
Icon or park: Statue of Liberty;
Tests, exercises, and drills: The guard service contractor has an
internal audit program with four assigned program evaluators for the
park to test security guards' performance. The park conducts several
emergency exercises with the New York Police Department and FBI. The
park participates in tabletop exercises with the New York and New
Jersey Port Authority and the U.S. Coast Guard.
Source: GAO analysis of Park Service data.
[End of table]
Human Capital Management Lacks a Security Focus:
The Park Service assigns security duties to selected regional staff and
requires that icon and park superintendents designate physical security
coordinators, but it does not require these staff to have physical
security experience or expertise, and it does not provide them with
specialized security training. As a result, there is little assurance
that staff are equipped to effectively identify and mitigate risks at
icons and parks.
Security Roles Are Not Well Defined and Training Is Limited:
The Park Service has security staff at the national, regional, icon,
and park levels that have a variety of security and other duties. We
have reported that the strategic management of human capital is a key
practice that can maximize the government's performance and ensure the
accountability of its security-related efforts.[Footnote 43] At the
national level, the Park Service has established a Security and
Intelligence Program Manager position within its Law Enforcement,
Security, and Emergency Services division. This position was created in
2003, in response to a 2002 Interior IG recommendation that Interior
bureaus install full-time security managers.[Footnote 44] We have also
recognized the importance of having a chief security officer position
and the security industry maintains that such a position is essential
in organizations with large numbers of mission-critical assets.
[Footnote 45] Moreover, a security trade organization--ASIS
International[Footnote 46]--has developed chief security officer
guidance for organizations to use in developing a security leadership
position that would establish a comprehensive, integrated security risk
strategy.[Footnote 47]
The Acting Chief of the Law Enforcement, Security, and Emergency
Services division and the Security and Intelligence Program Manager
told us that the Park Service has structured the manager position to
disseminate and coordinate information among Park Service units,
instead of establishing a managerial position that oversees and directs
security activities at regions, icons, and parks. The Security and
Intelligence Program Manager performs a variety of duties, such as
liaising with DHS to improve security within the southwest border
parks, coordinating with OLES to develop semiannual security workshops,
conducting risk assessments when parks request them, and gathering,
analyzing, and disseminating intelligence information. This official
also oversees some of the national initiatives we have previously
described, such as the small parks assessment program and the security
Web portal. According to the Security and Intelligence Program Manager,
as the Park Service has become more aware of this resource, the
manager's activities have increased, especially in the area of physical
security.
At the regional level, security responsibilities are assigned to law
enforcement staff that also have other duties in the areas of law
enforcement and emergency management. Of the four regional offices we
reviewed, only the Northeast Regional Office, had a full-time position
dedicated to security. From 2002 to 2007, the regional office employed
a physical security and intelligence specialist who performed a variety
of activities such as conducting risk assessments, establishing
technology-sharing relationships with other federal agencies, and
analyzing and disseminating intelligence throughout the agency. This
position was vacated in 2007, but the regional chief ranger is trying
to staff this position again and is revising the position description
to focus on physical security. Park Police law enforcement specialists
are staffed to the National Capital, Northeast, Intermountain, and
Pacific West regional offices and can provide security assistance.
Regional Park Service and Park Police staff who have security
responsibilities are available to help icons and parks that request
their services. These staff may conduct risk assessments or help
identify security technologies or other countermeasures, as shown in
table 4.
Table 4: Security Positions at Regions, and Examples of Activities:
Region: Intermountain;
Activities: The regional chief ranger and two Park Police captains have
security duties. The Park Police captain advises parks on security
equipment costs and quality. The region has promoted the practice of
parks upgrading and implementing alarms and cameras which they report
has reduced vandalism.
Region: Midwest;
Activities: The regional chief ranger and assistant chief ranger have
security duties, and the office uses the physical security specialist
from the Gateway Arch to conduct risk assessments at parks throughout
the region. The assistant chief ranger manages fee collections security
programs, supports security programs in parks that do not have rangers
on staff, and advises park superintendents on security matters.
Region: Northeast;
Activities: The regional chief ranger and assistant chief ranger have
security duties. The region employed a physical security specialist
from 2002 until 2007, and is trying to fill the vacancy. This
specialist established contacts and coordinated with external agencies
to acquire security intelligence and training; conducted park risk
assessments; and provided training in explosive devices and checkpoint
security for rangers at icons and urban parks. A Park Police captain
currently assigned to the region has a background in icon protection
and has been involved with protection efforts at the Statue of Liberty.
Region: Pacific West;
Activities: The region relies on the Park Police at the San Francisco
Field Office for security expertise. A Park Police sergeant assists
with security assessments throughout the region and at times may visit
a park to conduct a comprehensive review of the facilities.
Source: GAO analysis of Park Service data.
[End of table]
The Park Service requires icon and park superintendents to designate
physical security coordinators and expects them to develop and
implement park physical security plans and conduct physical security
surveys of all structures. Park Service officials told us that,
typically, physical security coordinators are park rangers or
maintenance managers, who have other duties and responsibilities in
addition to security. Moreover, because of the small size of some
parks, one person may serve as the physical security coordinator for
several parks. For example, the Intermountain Regional Chief Ranger
told us that the region has 41 physical security coordinators
positioned at about 56 of its 78 parks. We found that physical security
coordinators perform a variety of duties, such as overseeing dispatch
center operations and reviewing video surveillance images, as shown in
table 5. Additionally, Park Service law enforcement rangers and Park
Police staff at icons and parks have some security responsibilities in
addition to law enforcement duties.
Table 5: Security Positions at Icons and Parks, and Examples of
Activities:
Icon or park: African Burial Ground;
Activities: The Northeast Regional Park Police captain will fulfill the
role of the physical security coordinator until fiscal year 2010, when
the park is fully staffed. The former Northeast region physical
security specialist participated in visitor center design discussions
and coordinated FPS involvement, review, and approval of security
systems.
Icon or park: Gateway Arch;
Activities: The physical security specialist is the designated physical
security coordinator and has responsibility for the operations,
planning, and supervision of the dispatch center and operation of
physical security checkpoints. The assistant chief ranger maintains
oversight of the physical security and anti-terrorism branch of the
ranger activities division.
Icon or park: Grand Canyon;
Activities: A law enforcement ranger is the physical security
coordinator. The physical security coordinator supervises the fee
collections law enforcement group.
Icon or park: Statue of Liberty;
Activities: A Park Police lieutenant is the physical security
coordinator. The former Northeast region physical security specialist
and Park Police officials have overseen technology enhancements and
maintained equipment.
Source: GAO analysis of Park Service data.
[End of table]
Despite the range of security duties assigned to regional staff,
physical security coordinators, law enforcement rangers, and Park
Police staff, the Park Service does not provide them with specialized
training. Moreover, senior Park Service officials told us that they do
not have an inventory of all the physical security coordinators
servicewide, and they do not track their duties. We have noted that the
effectiveness of a risk management approach depends on the involvement
of experienced and professional security personnel and that the chances
of omitting major steps in the risk management process increase if
personnel are not well trained in applying risk management.[Footnote
48] Without training for security staff, or evaluations of their
security activities, there is little assurance that risks are
identified and mitigated and that staff are held accountable for
results.
Though the Park Service lacks a physical security training program, it
has partnered with OLES to organize security workshops at icons and
other critical assets such as the Hoover Dam (see table 6). Park
Service and Park Police staff are invited to attend, but attendance is
contingent upon time and resource availability. For example, staff from
the icons we reviewed and the regions we interviewed had attended some
of these workshops, but no staff from the African Burial Ground,
Gettysburg, or the Grand Canyon had attended. Officials at regions,
icons, and parks may also develop security training internally or in
collaboration with external agencies. We have reported that (1)
training exercises are useful in assessing preparedness,(2) effective
security entails having well-trained staff that follow and enforce
policies and procedures, and (3) good training and practice are
essential to successfully implementing policies by ensuring that
personnel exercise good judgment in following security procedures.
[Footnote 49]
Table 6: Security Training Examples:
Office: National;
Types of training: The Park Service national office organizes security
workshops in collaboration with OLES and other Interior bureaus. The
workshops have been held at the Statue of Liberty in 2005, Hoover Dam
in 2006, the Gateway Arch in 2007, and the Kennedy Space Center in
2009. In September 2009, the Park Police will host a critical
infrastructure and key resource protection training program for the
Park Police and some Park Service and Interior staff.
Office: Region: Intermountain;
Types of training: In 2005, the region hosted a chief ranger conference
that focused on physical security. Participants received training in
developing physical security plans, guidance for conducting security
surveys, and a checklist to assess risks and countermeasures.
Office: Region: Midwest;
Types of training: Every 18 months, the region hosts a chief ranger
conference in the Black Hills area of South Dakota. At the 2008
conference, an FBI official presented a session on icon and critical
infrastructure and key resource protection.
Office: Region: Northeast;
Types of training: In 2008, the region hosted a museum and security
conference, which focused on protecting cultural property, resources,
and collections.
Office: Region: Pacific West;
Types of training: The region created an Operational Leadership
Program, which targets safety and accident prevention. The program has
started to gain national recognition and is the primary focus of the
Park Service National Leadership Council. The region is training 100
facilitators for the program.
Office: Icon or park: African Burial Ground;
Types of training: The northeast region and FPS provide physical
security training.
Office: Icon or park: Gateway Arch;
Types of training: The physical security specialist has undertaken a
number of training activities including creating and dispensing a
security awareness presentation to orient new staff, inviting a U.S.
Postal Service inspector to dispense mail screening training for
employees directly involved in handling mail, and regularly sending
security awareness tips via e-mail to park staff.
Office: Icon or park: Gettysburg;
Types of training: The park's museum services supervisor served as a
keynote speaker at the Northeast region's museum and security awareness
training in September 2008. The supervisor addressed how park and
museum staff can work together to ensure security of collections.
Office: Icon or park: Grand Canyon;
Types of training: FBI provides a training course annually for the
park. Past FBI training has covered topics such as evidence recovery,
behavioral profiling, and violent crimes.
Office: Icon or park: Statue of Liberty;
Types of training: Security awareness training is provided to Park
Police personnel through roll call and in-service training. Depending
on available space, the Park Police may open up training to some Park
Service employees and partners such as concessions providers.
Source: GAO analysis of Park Service data.
[End of table]
Additionally, Park Service rangers can try to enroll in two physical
security courses that are offered at the Federal Law Enforcement
Training Center (FLETC)[Footnote 50]--the physical security training
program and the critical infrastructure protection training program.
However, according to Park Service officials, space in the courses is
limited--the Park Service receives one or two slots per class--the
courses are offered on a limited basis, training and travel are subject
to resource constraints, and the training is not specific to icons and
parks. For example, the physical security specialist at the Gateway
Arch tried to enroll in the physical security course for more than 18
months before gaining admission and completing the course in 2008.
According to Park Service officials, this specialist may also be able
to attend the critical infrastructure training. No park staff from the
Statue of Liberty have completed the physical security course since
2001.[Footnote 51] Moreover, Park Service officials told us that no
staff from the African Burial Ground, Gettysburg, or Grand Canyon have
completed either of the two FLETC training courses. The Grand Canyon
chief ranger tried to enroll the physical security coordinator in the
physical security training course, but the application for enrollment
was not accepted; as a result, the park lacks staff with experience and
formal training in physical security.
While various security training opportunities arise throughout the Park
Service, training is inconsistent and lacks cohesion, and there is
little assurance that Park Service employees have the knowledge,
skills, and awareness needed to contribute to overall park security.
With limited security expertise, the Park Service will face challenges
in implementing the other key practices. The lack of physical security
expertise affects icon and park officials' ability to develop
strategies for identifying their security vulnerabilities and
determining how to mitigate them effectively and efficiently with
limited resources. Such strategies would ensure that the Park Service
has the expertise and resources at the national and regional levels to
oversee the implementation of security advancements and practices.
Moreover, physical security expertise allows icon and park officials to
determine what countermeasures fit their specific needs and how well
these countermeasures enhance their security performance. Finally,
because all icon and park staff have a role in security, increasing
overall security awareness enhances the security of the park.
Human Capital Challenges Are a Particular Concern at Icons:
We noted earlier that officials at icons have made improvements in
security since 2001; however, the Interior IG and OLES have concerns
about icon security that are related to human capital issues, including
security expertise and the management of security operations. We have
reported that it is widely recognized that there is a need for
competent professionals who can effectively manage complex security
programs that are designed to reduce threats to people and assets.
[Footnote 52] Clearly defining roles and responsibilities and ensuring
that security personnel are adequately trained are central aspects of
this key practice. In its 2008 assessment of the Park Police, the IG
recommended that the Park Service hire a qualified senior-level
certified security professional to oversee Park Service security
operations at all icons, including those that are managed by the Park
Police, but the Park Service does not believe such action is necessary.
[Footnote 53] Senior Park Service officials told us that the agency
works closely with the Park Police, especially in areas with shared
responsibility. However, the Park Service relies on its Security and
Intelligence Program Manager to oversee icon security for icons that do
not have a Park Police presence--the Gateway Arch, Independence
National Historic Park, and Mount Rushmore National Memorial. The Park
Service relies on the Park Police for security program management at
the national mall icons and the Statue of Liberty. As a result, the
Park Service has no comprehensive program with centralized senior-level
oversight of icon security. This is an inefficient approach, since the
five icons--while distinct--have a need to manage similar issues
including guard services, surveillance and screening equipment, vehicle
and pedestrian barriers, access to intelligence information, staff
trained in security awareness, and security performance measurement and
testing procedures.
Moreover, until recently, the Park Service Security and Intelligence
Program Manager lacked specialized physical security expertise. Trained
as a law enforcement special agent, this official was not certified in
physical security until 2008. According to OLES officials, the Park
Service security manager meets the minimum security training
requirements for senior-level security managers that OLES established
in 2009.[Footnote 54] The Interior IG also recognized that this manager
has been through extensive physical security training.[Footnote 55]
Although the Park Police created an Homeland Security Division in
October 2008 and established a security manager position in accordance
with the IG's 2002 recommendation,[Footnote 56] the IG reported in 2009
that the appointee to this position--a Deputy Chief--had no background
in physical security and had only been through a basic 2 week critical
infrastructure protection course at FLETC.[Footnote 57] According to
the Park Police, the Deputy Chief is qualified for the position having
(1) attended a 2 week DHS program on critical infrastructure and key
resource protection in August 2008, (2) worked on icon protection
issues for 4 years, (3) designed security upgrades at the Washington
Monument, and, (4) over the course of 25 years, worked on security
system alarm issues in Washington, D.C. and San Francisco. Furthermore,
the Park Police told us that the Deputy Chief received a certification
after completing DHS's Critical Infrastructure and Key Resources
Protection course. OLES officials also told us that the Deputy Chief
has met the department's minimum training requirements.
The Interior IG and OLES officials are also concerned about the Park
Service's management of security operations at individual icons. In its
2003 icon protection report, the IG suggested that icons with the most
significant threat potential should have trained and certified security
managers on-site,[Footnote 58] and in 2008, recommended that the Park
Service install trained and certified security professionals at each
icon park to work under the direction of the security manager the IG
had recommended for all of the icons.[Footnote 59] In its 2006 icon
risk assessment and 2007 icon compliance reviews, OLES recommended that
Independence National Historic Park and the Statue of Liberty hire
security managers. While officials at these two icons have identified
hiring security managers as a priority, they had yet to fill the
positions at the time of our review. While park officials at the Statue
of Liberty have identified hiring a security manager as a top priority,
they have not determined whether the Park Service or the Park Police
will fund the position.[Footnote 60] In 2007, the Park Police hired a
security manager for the National Capital Region. The Deputy Chief of
the Icon Protection Division told us that the Park Police intends to
hire a technical assistant for this manager who can, for example,
repair security equipment.
Of the five icons, only the Gateway Arch has a full-time physical
security specialist--a need the park identified on its own and filled
with a qualified professional. Park officials at the Gateway Arch
created and staffed this position during 2006 and had to give up one
law enforcement position to do so. The park's assistant chief rangers,
who are law enforcement officers, told us they believe the tradeoff was
justified and the specialist's efforts may increase awareness among
staff. The physical security specialist has undertaken a number of
initiatives, such as conducting a risk assessment of the facility where
park officials wanted to locate its dispatch center, testing security
alarms in the visitor center, sending park employees security awareness
e-mails, and forming partnerships with area federal departments and
agencies such as DHS, the Department of Justice, and the U.S. Postal
Service to enhance surveillance capabilities, acquire interoperable
communications technology, and assess mail handling. Moreover, the
Midwest Region has leveraged the specialist's expertise to help the
region develop a risk assessment tool for its small parks security
program. OLES officials told us that of the five icons, the Gateway
Arch had the highest security policy compliance rating in 2007, and
although they did not attribute this rating to the physical security
specialist's work, it is worthwhile to note that the Gateway Arch is
the only icon that has a full-time position dedicated solely to
physical security.
Conclusions:
In addition to its primary mission to preserve the natural and cultural
resources and values of the national park system for the enjoyment,
education, and inspiration of those who visit them, the Park Service
has a critical role related to security at national icons and parks and
has taken important steps to improve the security of nearly 400
national icons and parks. However, concerns persist that terrorists may
attack the United States by targeting national icons such as the Statue
of Liberty and the Gateway Arch, and by harming those who visit places
emblematic of our nation's natural beauty and heritage, such as the
Grand Canyon and Gettysburg. More emphasis on the key practices would
provide greater assurance that Park Service assets are well protected
and that Park Service resources are being used efficiently to improve
protection. Critical to advancing the Park Service's security efforts,
a more comprehensive risk management approach and related guidance--
which are currently lacking--would provide management with up-to-date
information on threats and trends in security gaps and would allow
management to target resources to address the greatest threats and
vulnerabilities. Standards and guidance for technology investment, if
developed, would provide better assurance that the Park Service's
return on investment is maximized. In addition, a strategy for
improving internal communication by, for example, expeditiously
developing a security Web portal, could lead to more efficient
information sharing and coordination. Implementing a more systematic
performance measurement and testing program would inform risk
management efforts and allow management to better gauge security
performance. Finally, paying greater attention to the human capital
component of security--by clearly defining security roles and
responsibilities using risk management and establishing a security
training program--would give Park Service staff the tools and awareness
needed to protect the Park Service's assets and the people who visit
them.
Recommendations for Executive Action:
In order to better oversee and more efficiently manage the protection
of the vast and diverse inventory of national icons and parks, in the
restricted version of this report, we recommended that the Secretary of
the Interior take six actions. Specifically, the Secretary should
instruct the Director of the National Park Service, in consultation
with OLES, to develop and implement:
1. a more comprehensive, routine risk management approach for security
that encompasses the Park Service's vast inventory of icons and parks,
including developing guidance, standards, and procedures for conducting
risk assessments at the icon and park level and for using the results
to inform resource allocation decisions at the national, regional,
icon, and park levels;
2. guidance and standards for leveraging security technology, including
how to assess the costs and benefits of countermeasure alternatives
while taking into account risk management results;
3. an internal communications strategy for security to address
coordination gaps, including a timeline for the development of a
servicewide Web portal for security;
4. a servicewide performance management and testing program that
includes specific measures and an evaluation component, which can be
used to inform broader risk management decision-making and to assess
security performance;
5. a strategy for more clearly defining security roles and
responsibilities within the Park Service, which should, among other
things, ensure that the Park Service is well equipped at the national
and regional levels to oversee security improvements; and:
6. a servicewide security training program and related curriculum to
provide staff with the knowledge, skills, and awareness needed to
improve Park Service security practices.
Agency Comments and Our Evaluation:
We provided a draft of the restricted version of this report to
Interior for official review and comment. Interior agreed with our
assessment that actions are needed to improve security practices at
national icons and parks and agreed with the report's recommendations.
Regarding the first recommendation to develop a more comprehensive,
routine risk management approach for security, Interior cited the
recent creation of a Homeland Security Division within the Park Police,
stated that parks and regions have been working to develop a more
comprehensive approach to security, and agreed to bring all of these
efforts together in a more comprehensive, servicewide program. For the
second recommendation to develop guidance and standards to leverage
security technology, Interior cited some examples of the partnerships
it has with other federal agencies and acknowledged that guidance and
standards for leveraging technology, coupled with an effective
communications strategy, would add to the effectiveness and efficiency
of its security program for icons and parks. With respect to the third
recommendation, Interior stated that a more formal internal
communications strategy would enhance the effectiveness of its security
program for icons and parks and noted that such a strategy should
acknowledge the critical importance of the communication networks icons
and parks establish at the asset level. For the fourth recommendation
to develop and implement a servicewide performance management and
testing program, Interior stated that while its current approach has
been effective in some situations, applying a servicewide approach
would benefit all icons and parks in the system. Regarding the fifth
recommendation to develop and implement a strategy for more clearly
defining security roles and responsibilities within the Park Service,
Interior stated that it would continue to look for ways to leverage the
expertise and experience of physical security staff and to clearly
define their roles and responsibilities.
Finally, for the sixth recommendation to develop and implement a
servicewide security training program and related curriculum, Interior
stated that a servicewide security training program and increased
access to contemporary training on appropriate security subjects would
be helpful and noted that it currently sends staff with security
responsibilities to a variety of training programs within and outside
of Interior, including the physical security training program offered
through FLETC. While these other security courses may be helpful, as we
reported, not all Park Service personnel that have security
responsibilities are able to attend these training classes due to the
space limitations of the entities offering these courses and resource
constraints on the part of individual icons and parks. Furthermore, as
we reported, the Park Service does not have a special training
curriculum for its designated physical security coordinators.
Therefore, it is important that the Park Service develop its own park-
specific training program so that staff that have security
responsibilities delegated to them can effectively carry out those
duties and better ensure that icons and parks, and the people who visit
and work at them, are well-protected. Interior's official comments are
contained in appendix II.
Interior also provided general and technical comments from the Park
Police and we incorporated the technical comments where appropriate. In
its general comments, the Park Police noted some of the security
improvements it has made since September 11 for the icons under its
purview in New York City and Washington, D.C. Specifically, the Park
Police cited enhancements made to physical barriers, surveillance
systems, visitor screening, and contract guard services. The Park
Police also stated that in October 2008, it underwent its largest
internal reorganization in 40 years and created a Homeland Security
Division and added more officers and patrols to enhance icon protection
efforts. Finally, with respect to information sharing and coordination,
the Park Police stated that it has assigned three intelligence officers
to enhance icon protection in Washington, D.C. and detectives to the
JTTFs in New York City; Washington, D.C.; and San Francisco. Moreover,
the Park Police has assigned a major to the Park Service's national
office to liaise with the Park Service to protect all icons.
As agreed with your office, unless you publicly announce the contents
of this report, we plan no further distribution until 30 days from the
report date. At that time, we will send copies of this report to the
Secretary of the Interior and appropriate congressional committees. In
addition, the report will be available at no charge on GAO's Web site
at [hyperlink, http://www.gao.gov].
If you have any questions about this report, please contact me at (202)
512-2834 or goldsteinm@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix III.
Sincerely yours,
Signed by:
Mark L. Goldstein:
Director, Physical Infrastructure Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
Our objective was to determine whether the National Park Service's
(Park Service) approach to security for national icons and parks
reflects key protection practices. Through previous work, we identified
a set of key protection practices from the collective practices of
federal agencies and private sector entities that can provide a
framework for guiding agencies' protection efforts and addressing
challenges.[Footnote 61] The key practices essentially form the
foundation of a comprehensive approach to asset protection and can be
used to assess the management of security programs. We used our key
protection practices as criteria to evaluate the Park Service's
approach to security. Of the six key practices, we used the following
as criteria:
* Allocating resources using risk management.
* Leveraging technology.
* Information sharing and coordination.
* Performance measurement and testing.
* Strategic management of human capital.
We did not consider the sixth key practice, aligning assets to mission,
which focuses on realigning the federal real property inventory to
better reflect agencies' missions.
To examine the Park Service's application of key practices at the park
level, we selected five icons and parks basing our selection on factors
that included geographical diversity, high public visitation, and other
potential security considerations such as recent or planned facility
construction. To minimize duplication of effort, we considered our own
and the Department of the Interior's (Interior) Office of the Inspector
General's (IG) recent and ongoing work. For example, we did not select
the national mall icons--the Washington Monument National Memorial, the
Thomas Jefferson National Memorial, and the Lincoln National Memorial--
because the IG examined their security in 2008.[Footnote 62] We
selected:
* Two icons--the Statue of Liberty National Monument (Statue of
Liberty) in New York City and the Jefferson National Expansion Memorial
in St. Louis.
* Three parks--the African Burial Ground National Monument in New York
City, Gettysburg National Military Park in Pennsylvania, and Grand
Canyon (Grand Canyon) National Park in Arizona.
Collectively, the sites we selected illustrate a range of park
protection practices applied by the Park Service. At each site, we
interviewed Park Service officials with primary responsibility for
security implementation, operation, and management. We also interviewed
U.S. Park Police (Park Police) officials from the Statue of Liberty. We
toured each site and observed the physical environment and the
principal security elements to gain firsthand knowledge of the
protection practices used at all the sites except the Grand Canyon
where we used videoconferencing to interview Park Service officials. We
reviewed and analyzed documents, when available, that contained site-
specific information on security plans, policies, procedures, budgets,
and staffing. Because we observed the Park Service's efforts to protect
icons and parks at a limited number of sites, our observations of
security issues at individual sites cannot be generalized to all the
icons and parks that the Park Service is responsible for securing. To
supplement these site visits, we interviewed Park Service regional
chief rangers and other security officials from the three regions where
we had selected icons and parks--the Northeast, Midwest, and
Intermountain regions. We also interviewed the regional chief ranger
from the Pacific West region because the Park Service once identified
the Golden Gate Bridge as an icon and we wanted that region's
perspective on icon and park protection. At the national level, we
interviewed officials from the IG, Office of Law Enforcement and
Security, Park Service, and Park Police. Furthermore, we collected
supporting documentation including law enforcement and security
manuals; IG reports on law enforcement, security, and icon protection;
icon risk assessments and compliance reviews; and security plans,
policies, procedures, budgets, and staffing information when available.
We conducted this performance audit from January 2008 to June 2009 in
accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective.
[End of section]
Appendix II: Comments from the Department of the Interior:
United States Department of the Interior
Office Of The Secretary:
Washington, D.C. 20240:
June 12, 2009:
Mr. Mark L. Goldstein:
Director, Physical Infrastructure Issues:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, D.C. 20548:
Dear Mr. Goldstein:
Thank you for providing the Department of the Interior (DO[) the
opportunity to review and comment on the U.S. Government Accountability
Office Draft report entitled, "Homeland Security Actions Needed to
Improve Security Practices at National Icons and Parks," (GAO-09-605).
The National Park Service (NPS) and the Department of the Interior have
reviewed the draft report and appreciate the diligent work of the team
in helping us further improve the security program for icons and parks
in the National Park System. We will continue to examine policy and
procedures and make adjustments as necessary to protect critical
infrastructure under our jurisdiction.
We believe the GAO has produced an informative summation of the complex
issues associated with risk management. Following are our comments on
the six actions recommended in the draft report.
1) A more comprehensive, routine risk management approach for security:
We concur that a more comprehensive approach to security would be
beneficial to the Park Service. In our efforts to this end to date, the
USPP has recently reorganized and created a Homeland Security Division.
The many parks throughout the system and several regional offices not
under the specific direction of the USPP have been and are continuing
to develop a more comprehensive approach to security. We will continue
to work toward bringing all of these efforts together in a more
comprehensive, service-wide, program.
2) Guidance and standards for leveraging security technology:
We concur that increased guidance and standards for leveraging
technology would be valuable to our program.
We currently enjoy technology assistance, information and advice from
many partners, including FLETC, OLES, DHS, TSA-TSL Labs and many more.
We have just recently learned that the USPP program with the USAF has
been funded for another year. Guidance and standards for leveraging
technology, coupled with an effective communications strategy (see (3)
below) will help our security program become more effective and
efficient.
3) An internal communications strategy for security to address
communications gaps, including a time line for the development of a
Park Service-wide Web portal for security:
We concur that a more formal internal communications strategy for
security concerns would be useful in helping to make our security
program more effective. Currently, our senior-level Security and
Intelligence program managers have regular contact with Icon Parks, non-
Icon parks and regional office staff. Parks themselves, throughout the
country, enjoy both internal and external contacts, with their
respective regional office staff, Washington Office staff as well as
many local, regional and state law enforcement and security contacts.
These latter contacts, which are less apparent to central office staff,
are key to success in many of our rural and isolated park settings.
Overlaying a more formal communications strategy over the top of these
many aforementioned contacts could assist in addressing communications
gaps that may exist in the organization. It would be important for us,
in crafting said strategy, to not imply that the ground-level contacts
made by parks, throughout the system, are not critical to the success
of park-level security programs.
4) A Park Service-wide performance management and testing program that
includes specific measures and an evaluation component:
We concur that exploring the option of an appropriate and effective
performance management and testing program for security would be
beneficial. Although imperfect, the "ad-hoc" approach, as described in
the report, has been effective in pockets throughout the system.
Reviews and assessment of Icon Park and non-Icon Park security programs
take place periodically. A Park Service-wide approach, however, would
likely yield more positive and all inclusive results, thereby
benefiting all parks in the system.
5) A strategy for more clearly defining security roles and
responsibilities within the Park Service:
We concur that a strategy for defining security roles and
responsibilities within the Park Service would be advantageous for a
bureau-wide security program. Our two senior-level Security and
Intelligence program managers for the NPS and the USPP are recognized
and in-place today. These two positions are joined by several other key
officials designated, including Captains and Lieutenants at the four
Icon parks managed by the USPP. Additionally, parks and regions have
their own designated Physical Security Coordinators in place today. We
will continue to look for ways to leverage the expertise and experience
of current physical security staff and to clearly define their roles
and responsibilities.
6) A Park Service-wide security training program and related
curriculum:
We concur that Park Service-wide security training and increased access
to contemporary training on appropriate security subjects will continue
to be helpful to our program. However, we would like to note that we
currently send staff with security responsibilities to a variety of
excellent training programs including local, regional, state and
federally sponsored options. DHS has excellent training that we have,
and continue to take advantage of. We regularly use the Basic Physical
Security Training Program at the Federal Law Enforcement Training
Center as base-line training. This course is recognized nationally as
an excellent introduction to the world of Physical Security. Further,
we work closely with the DOI. OLES for further formal and contemporary
security training programs that include exposure to real-world
security.
In September of 2009, the USPP will be hosting the new FLETC. 80-hour
Critical Infrastructure and Key Resources Protection training to
Washington DC whereupon all key officials from the USPP, NPS. 01-ES and
others will have the opportunity to attend.
Thank you for the opportunity to comment on this informative report. We
have and will continue to place a high priority on Security throughout
the National Park System. We will also continue to interweave security
concerns in all aspects of risk management of our parks and Icons.
We request that the vulnerabilities in park security programs stated in
this report not be released to the public as we feel it could endanger
visitors, employees, residents and facilities.
Enclosed are specific itemized comments from the USPP, some of which
have been previously addressed. We hope these comments will assist you
in preparing the final report.
If you have any questions, or need additional information, contact
Acting Deputy Chief Kevin Hay, at 202-619-7085, or Chief, Division of
Law Enforcement, Security, and Emergency Services, Lane Baker, at 202-
513-7084.
Sincerely,
Signed by:
Pamela K. Haze:
Deputy Assistant Secretary for Budget and Business Management:
Enclosure:
Hand written additional note:
"Thank you for your help."
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, David Sausville, Assistant
Director; Denise McCabe, Analyst-in-Charge; Anne Dilger; Elizabeth
Eisenstadt; Brandon Haller; Robin Nye; Joshua Ormond; Susan Michal-
Smith; and Adam Yu made key contributions to this report.
[End of section]
Footnotes:
[1] The national park system is made up of close to 400 park units
which include 5 national icons and 14 other types of parks such as
monuments, national battlefields, and national parks. The park units
that Interior considers to be national icons are: (1) the Statue of
Liberty National Monument in New York City; (2) Independence National
Historical Park in Philadelphia; (3) the Jefferson National Expansion
Memorial in St. Louis; (4) Mount Rushmore National Memorial in South
Dakota; and (5) the national mall icons--the Washington Monument
National Memorial, the Thomas Jefferson National Memorial, and the
Lincoln National Memorial in Washington, D.C.
[2] GAO, Homeland Security: Actions Needed to Better Protect National
Icons and Federal Office Buildings from Terrorism, [hyperlink,
http://www.gao.gov/products/GAO-05-790] (Washington, D.C.: June 24,
2005).
[3] GAO, Homeland Security: Further Actions Needed to Coordinate
Federal Agencies' Facility Protection Efforts and Promote Key
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49]
(Washington, D.C.: Nov. 30, 2004). We excluded one key practice--
aligning assets to mission--from this review. This key practice
underscores the need to realign the federal real property inventory so
that it can better reflect agencies' missions.
[4] GAO, Federal Real Property: DHS Has Made Progress, but Additional
Actions Are Needed to Address Real Property Management and Security
Challenges, [hyperlink, http://www.gao.gov/products/GAO-07-658]
(Washington, D.C.: June 22, 2007).
[5] GAO, Smithsonian Institution: Funding Challenges Affect Facilities'
Conditions and Security, Endangering Collections, [hyperlink,
http://www.gao.gov/products/GAO-07-1127] (Washington, D.C.: Sept. 28,
2007).
[6] ISC was established by Executive Order 12977 in 1995 after the
bombing of the Alfred P. Murrah Federal Building in Oklahoma City.
[7] With the exception of the Grand Canyon--where we used
videoconferencing to interview Park Service officials--we visited each
of these sites.
[8] U.S. Department of the Interior, Office of Inspector General,
Disquieting State of Disorder: An Assessment of Department of the
Interior Law Enforcement, Report 2002-I-0014 (Washington, D.C., January
2002).
[9] HSPD-7 identified 17 critical infrastructure sectors and designated
federal entities, called sector-specific agencies, to be responsible
for coordinating asset protection within their sector throughout all
levels of government and the private sector. In June 2008, an 18th
sector was added--Critical Manufacturing.
[10] Department of Homeland Security and Department of the Interior,
National Monuments and Icons Sector-Specific Plan (Washington, D.C.,
May 2007).
[11] The other three Park Service regions include the Southeast,
Midwest, and Alaska regions.
[12] [hyperlink, http://www.gao.gov/products/GAO-05-49]. We excluded
one key practice--aligning assets to mission--from this review. This
key practice underscores the need to realign the federal real property
inventory so that it can better reflect agencies' missions.
[13] [hyperlink, http://www.gao.gov/products/GAO-07-1127].
[14] [hyperlink, http://www.gao.gov/products/GAO-07-658].
[15] GAO, National Mall: Steps Identified by Stakeholders Facilitate
Design and Approval of Security Enhancements, [hyperlink,
http://www.gao.gov/products/GAO-05-518] (Washington, D.C.: June 14,
2005).
[16] For the purposes of this report, we are referring to all of these
entities as federal agencies.
[17] ISC, Use of Physical Security Performance Measures, (Washington,
D.C., June 16, 2009).
[18] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[19] This review did not include an assessment of security
vulnerabilities at border parks.
[20] According to the Park Police, it also updated icon protection
plans for the national mall icons during 2008.
[21] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[22] FPS provides law enforcement and related security services to
about 9,000 facilities under the control and custody of GSA.
[23] JTTFs are chaired by the Federal Bureau of Investigation (FBI) and
are composed of various federal, state, and local agencies. JTTFs aim
to prevent, pre-empt, deter, and investigate terrorism and related
activities affecting the United States and to apprehend terrorists.
[24] Physical security is defined as physical or protective measures
designed to safeguard personnel, facilities, national borders, and
critical infrastructure and to prevent unauthorized access to material
and documents, and to safeguard them against terrorism, espionage,
sabotage, damage, weapons of mass destruction, and theft.
[25] One day after the 1995 bombing of the Alfred P. Murrah Federal
Building in Oklahoma City, the President directed the Department of
Justice to assess the vulnerability of federal office buildings. In
June 1995, DOJ issued a report entitled Vulnerability Assessment of
Federal Facilities and the President directed that security at each
federal facility be upgraded to the minimum security standards
recommended by the study.
[26] The Interagency Security Committee, Facility Security Level
Determinations for Federal Facilities (Washington, D.C., Mar. 10,
2008).
[27] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[28] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[29] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[30] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[31] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[32] According to OLES officials, the Security Advisory Council meets
quarterly to discuss emerging protection technology and security best
practices, as well as recent security trends and policies. The council
also reviews proposed changes to department security policy for
sufficiency and impact.
[33] GAO, Information Sharing: Practices That Can Benefit Critical
Infrastructure Protection, [hyperlink,
http://www.gao.gov/products/GAO-02-24] (Washington, D.C.: Oct. 15,
2001).
[34] [hyperlink, http://www.gao.gov/products/GAO-02-24].
[35] [hyperlink, http://www.gao.gov/products/GAO-02-24].
[36] [hyperlink, http://www.gao.gov/products/GAO-02-24].
[37] GAO, Tax Administration: IRS Needs to Further Refine Its Tax
Filing Season Performance Measures, [hyperlink,
http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22,
2002).
[38] GAO, Managing for Results: Enhancing Agency Use of Performance
Information for Management Decision Making, [hyperlink,
http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 9,
2005).
[39] GAO, Homeland Security: Guidance and Standards Are Needed for
Measuring the Effectiveness of Agencies' Facility Protection Efforts,
[hyperlink, http://www.gao.gov/products/GAO-06-612] (Washington, D.C.:
May 31, 2006).
[40] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[41] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[42] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[43] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[44] Interior IG Report 2002-I-0014.
[45] [hyperlink, http://www.gao.gov/products/GAO-05-790].
[46] According to its Web site, ASIS International--an organization
that reports to have more than 37,000 security industry members--is the
pre-eminent international organization for professionals responsible
for security, including managers and directors of security.
[47] ASIS International, Chief Security Officer Guideline 2008.
[48] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[49] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[50] FLETC serves as an interagency law enforcement training
organization for more than 80 federal agencies and provides basic and
advanced law enforcement training. The Park Service has assigned a
superintendent to the FLETC campus in Glynco, Georgia to develop and
manage basic and advanced training for Park Service law enforcement and
line management, and to develop policy and guidelines for servicewide
training and certification.
[51] In its technical comments on a draft of this report, the Park
Police stated that a USPP captain and a lieutenant from the Statue of
Liberty attended a similar physical security course provided by the New
York Police Department and that other officials in the New York Field
Office have attended the police department's risk assessment course.
Moreover, Park Police stated that dozens of its officers have taken the
physical security course offered at FLETC.
[52] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[53] U.S. Department of the Interior, Office of the Inspector General,
Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007
(Washington, D.C., February 2008).
[54] In March 2009, OLES issued a memorandum outlining minimum training
requirements for bureau and office-level security managers and
officers.
[55] U.S. Department of the Interior, Office of the Inspector General,
3rd Progress Report on the Implementation of the Secretary's Directives
for Law Enforcement Reform, PI-AT-MOA-0001-2008 (Washington, D.C.,
February 2009).
[56] Interior IG Report 2002-I-0014.
[57] Interior IG Report PI-AT-MOA-0001-2008.
[58] U.S. Department of the Interior, Office of the Inspector General,
Review of National Icon Park Security, Report 2003-I-0063 (Washington,
D.C., August 2003).
[59] Interior IG Report PI-EV-NPS-0001-2007.
[60] In its technical comments on a draft of this report, the Park
Police stated that a lieutenant has been serving as the security
manager at the Statue of Liberty.
[61] GAO, Homeland Security: Further Actions Needed to Coordinate
Federal Agencies' Facility Protection Efforts and Promote Key
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49]
(Washington, D.C.: Nov. 30, 2004).
[62] U.S. Department of the Interior, Office of the Inspector General,
Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007
(Washington, D.C., February 2008).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
