Homeland Security
Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection Gao ID: GAO-10-142 October 23, 2009There is ongoing concern about the security of federal buildings and their occupants. The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal buildings under the control and custody of the General Services Administration (GSA). In 2004, GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector that included: allocating resources using risk management, leveraging technology, and information sharing and coordination. As requested, GAO determined whether FPS's security efforts for GSA buildings reflected key practices. To meet this objective, GAO used its key practices as criteria, visited five sites to gain firsthand knowledge, analyzed pertinent DHS and GSA documents, and interviewed DHS, GSA, and tenant agency officials.
FPS's approach to securing GSA buildings reflects some aspects of key protection practices, and FPS has several improvements underway such as a new risk assessment program and a countermeasure acquisition program. While FPS's protection activities exhibit some aspects of the key practices, GAO found limitations in each of the areas. FPS assesses risk and recommends countermeasures to GSA and tenant agencies; however, FPS's ability to influence the allocation of resources using risk management is limited because resource allocation decisions are the responsibility of GSA and tenant agencies, which may be unwilling to fund FPS's countermeasure recommendations. Moreover, FPS uses an outdated risk assessment tool and a subjective, time-consuming process. As a result, GSA and tenant agencies are uncertain whether risks are being mitigated. Concerned with the quality and timeliness of FPS's risk assessment services, GSA and tenant agencies are pursuing some of these activities on their own. Although FPS is developing a new risk management program, full implementation is not planned until the end of fiscal year 2011 and has already experienced delays. With regard to leveraging technology, FPS inspectors have considerable latitude for selecting technologies and countermeasures that tenant agencies fund, but FPS provides inspectors with little training and guidance for making cost-effective choices. Additionally, FPS does not provide tenant agencies with an analysis of alternative technologies, their cost, and associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives and tenant agencies must make resource allocation decisions without key information. Although FPS is developing a program to standardize security equipment and contracting, the program has run behind schedule and lacks an evaluative component for assessing the cost-effectiveness of competing technologies and countermeasures. FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. Lack of coordination through regular contact can lead to communication breakdowns. For example, during a construction project at one location, the surveillance equipment that FPS was responsible for maintaining was removed from the site during 2007. FPS and tenant agency representatives disagree over whether FPS was notified of this action. Furthermore, FPS and GSA disagree over what building risk assessment information can be shared. FPS maintains that the sensitive information contained in the assessments is not needed for GSA to carry out its mission. However, GSA maintains that restricted access to the risk assessments constrains its ability to protect buildings and occupants.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-10-142, Homeland Security: Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection
This is the accessible text file for GAO report number GAO-10-142
entitled 'Homeland Security: Greater Attention to Key Practices Would
Improve the Federal Protective Service's Approach to Facility
Protection' which was released on November 18, 2009.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to the Chairman, Committee on Homeland Security, House of
Representatives:
United States Government Accountability Office:
GAO:
October 2009:
Homeland Security:
Greater Attention to Key Practices Would Improve the Federal Protective
Service's Approach to Facility Protection:
GAO-10-142:
GAO Highlights:
Highlights of GAO-10-142, a report to the Chairman, Committee on
Homeland Security, House of Representatives.
Why GAO Did This Study:
There is ongoing concern about the security of federal buildings and
their occupants. The Federal Protective Service (FPS) within the
Department of Homeland Security (DHS) is responsible for providing law
enforcement and related security services for nearly 9,000 federal
buildings under the control and custody of the General Services
Administration (GSA). In 2004, GAO identified a set of key protection
practices from the collective practices of federal agencies and the
private sector that included: allocating resources using risk
management, leveraging technology, and information sharing and
coordination. As requested, GAO determined whether FPS‘s security
efforts for GSA buildings reflected key practices. To meet this
objective, GAO used its key practices as criteria, visited five sites
to gain firsthand knowledge, analyzed pertinent DHS and GSA documents,
and interviewed DHS, GSA, and tenant agency officials.
What GAO Found:
FPS‘s approach to securing GSA buildings reflects some aspects of key
protection practices, and FPS has several improvements underway such as
a new risk assessment program and a countermeasure acquisition program.
While FPS‘s protection activities exhibit some aspects of the key
practices, GAO found limitations in each of the areas.
FPS assesses risk and recommends countermeasures to GSA and tenant
agencies; however, FPS‘s ability to influence the allocation of
resources using risk management is limited because resource allocation
decisions are the responsibility of GSA and tenant agencies, which may
be unwilling to fund FPS‘s countermeasure recommendations. Moreover,
FPS uses an outdated risk assessment tool and a subjective, time-
consuming process. As a result, GSA and tenant agencies are uncertain
whether risks are being mitigated. Concerned with the quality and
timeliness of FPS‘s risk assessment services, GSA and tenant agencies
are pursuing some of these activities on their own. Although FPS is
developing a new risk management program, full implementation is not
planned until the end of fiscal year 2011 and has already experienced
delays.
With regard to leveraging technology, FPS inspectors have considerable
latitude for selecting technologies and countermeasures that tenant
agencies fund, but FPS provides inspectors with little training and
guidance for making cost-effective choices. Additionally, FPS does not
provide tenant agencies with an analysis of alternative technologies,
their cost, and associated reduction in risk. As a result, there is
limited assurance that the recommendations inspectors make are the best
available alternatives and tenant agencies must make resource
allocation decisions without key information. Although FPS is
developing a program to standardize security equipment and contracting,
the program has run behind schedule and lacks an evaluative component
for assessing the cost-effectiveness of competing technologies and
countermeasures.
FPS has developed information sharing and coordination mechanisms with
GSA and tenant agencies, but there is inconsistency in the type of
information shared and the frequency of coordination. Lack of
coordination through regular contact can lead to communication
breakdowns. For example, during a construction project at one location,
the surveillance equipment that FPS was responsible for maintaining was
removed from the site during 2007. FPS and tenant agency
representatives disagree over whether FPS was notified of this action.
Furthermore, FPS and GSA disagree over what building risk assessment
information can be shared. FPS maintains that the sensitive information
contained in the assessments is not needed for GSA to carry out its
mission. However, GSA maintains that restricted access to the risk
assessments constrains its ability to protect buildings and occupants.
What GAO Recommends:
GAO is making three recommendations to the Secretary of Homeland
Security. These include instructing FPS to report regularly to the
Secretary on its new risk management and countermeasures programs,
develop guidance for cost-effectively leveraging technology, and
determine information sharing parameters with GSA. DHS concurred with
the report‘s recommendations.
View [hyperlink, http://www.gao.gov/products/GAO-10-142] or key
components. For more information, contact Mark L. Goldstein at (202)
512-2834 or goldsteinm@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
FPS's Risk Management Approach Is Inadequate, but Improvements Are in
Development:
FPS Lacks a Systematic Approach for Leveraging Technology, but Is
Developing a Technology Acquisition Program:
FPS's Information Sharing and Coordination Practices Lack Consistency:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: Comments from the General Services Administration:
Appendix IV: GAO Contact and Staff Acknowledgments:
Abbreviations:
BSA: building security assessment:
BSC: building security committee:
DHS: Department of Homeland Security:
DOJ: Department of Justice:
FAS: Federal Acquisition Service:
FPS: Federal Protective Service:
GSA: General Services Administration:
HSPD-7: Homeland Security Presidential Directive 7:
HSPD-12: Homeland Security Presidential Directive 12:
ICE: U.S. Immigration and Customs Enforcement:
ISC: Interagency Security Committee:
LES: Law Enforcement Sensitive:
MOA: memorandum of agreement:
NIPP: National Infrastructure Protection Plan:
NPPD: National Protection and Programs Directorate:
PBS: Public Buildings Service:
RAMPART: Risk Assessment Methodology Property Analysis and Ranking
Tool:
RAMP: Risk Assessment and Management Program:
SBU: Sensitive But Unclassified:
SWA: Security Work Authorization:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
October 23, 2009:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
Dear Mr. Chairman:
Concerns persist about the security of federal buildings, their
occupants, and visitors to these buildings. The Federal Protective
Service (FPS) provides law enforcement and related security services
for the nearly 9,000 buildings that are under the control and custody
of the General Services Administration (GSA). FPS's services include--
but are not limited to--responding to incidents and demonstrations,
conducting risk assessments, participating in meetings with GSA
property managers and tenant agencies, and determining whether GSA
buildings are compliant with security standards established by the
Interagency Security Committee (ISC).[Footnote 1] GSA serves as the
federal government's landlord and designs, builds, and manages
facilities to support the needs of other federal agencies. Until 2003,
FPS was a component of GSA's Public Buildings Service (PBS), but the
Homeland Security Act of 2002 transferred FPS to the Department of
Homeland Security (DHS)[Footnote 2] and DHS placed FPS within U.S.
Immigration and Customs Enforcement (ICE). Under the act, FPS retained
its law enforcement and related security functions for GSA buildings
and grounds, while GSA retained its powers, functions, and authorities
related to the operation, maintenance, and protection of GSA buildings
and grounds.[Footnote 3] To guide the transition, DHS and GSA developed
a Memorandum of Agreement (MOA) to set forth roles, responsibilities,
and operational relationships between FPS and GSA concerning the
protection of GSA buildings. Additionally, in 2006, GSA established a
security division within PBS to oversee its security operations and
policies and liaise with FPS. The President's Budget for Fiscal Year
2010 proposed transferring FPS from ICE to the National Protection and
Programs Directorate (NPPD) within DHS.[Footnote 4]
We have identified a set of key facility protection practices from the
collective practices of federal agencies and the private sector to
provide a framework for guiding agencies' protection efforts and
addressing challenges.[Footnote 5] In this report, we use these key
practices to evaluate how FPS protects GSA buildings. The key practices
essentially form the foundation of a comprehensive approach to building
protection.[Footnote 6] ISC is using our key facility protection
practices to guide its priorities and work activities. We focused on
the following three key practices for this report:[Footnote 7]
* Allocating resources using risk management. Identify threats, assess
vulnerabilities, and determine critical assets to protect and use
information on these and other elements to develop countermeasures and
prioritize the allocation of resources as conditions change.
* Leveraging technology. Select technologies to enhance asset security
through methods like access control, detection, and surveillance
systems. This involves not only using technology, but ensuring that
there are positive returns on investment in the form of reduced
vulnerabilities.
* Information sharing and coordination. Establish means of coordinating
and sharing security and threat information internally, within large
organizations, and externally, with other government entities and the
private sector.
You requested that we determine whether FPS's approach to securing GSA
buildings reflects key facility protection practices. In response, on
July 29, 2009, we issued a sensitive but unclassified report. As that
report contained information that was deemed to be either law
enforcement sensitive or for official use only, this version of the
report is intended to communicate our findings and recommendations as
related to each of the key practices that we reviewed while omitting
sensitive information about building security, including specific
vulnerabilities.
To meet the objective, we used the three key practices cited above as a
framework for assessing facility protection efforts by FPS management
and at the individual buildings. In doing our work, we reviewed
pertinent documents and policies from FPS and GSA, related laws and
directives, ISC's security standards, and prior and ongoing GAO work.
We also interviewed FPS and GSA officials at the national and regional
levels, and the ISC executive director. We selected five sites to
illustrate how FPS protects highly visible GSA buildings, basing our
selection on factors that included geographical diversity, occupancy,
the building's security level,[Footnote 8] and other potential security
considerations, such as new or planned construction. Selected sites
included three multi-tenant level IV buildings,[Footnote 9] one single-
tenant level IV campus,[Footnote 10] and one single-tenant level III
campus.[Footnote 11]
At these sites, we collected documentation and interviewed officials
from FPS, GSA, and tenant agencies. To supplement these site visits, we
interviewed FPS and GSA security officials from the four regions where
we had visited buildings. Because we observed FPS's efforts to protect
GSA buildings at a limited number of sites, our observations of
security issues at specific buildings cannot be generalized to all the
buildings that FPS is responsible for securing. We conducted this
performance audit from January 2008 to September 2009 in accordance
with generally accepted government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives. Appendix I contains a more detailed
discussion of our scope and methodology.
Results in Brief:
FPS's approach to securing GSA buildings reflects some aspects of the
key facility protection practices we examined--allocating resources
using risk management, leveraging technology, and information sharing
and coordination--but we also found significant limitations. FPS
recognizes the importance of making progress in these areas and has
improvements underway that could bring its activities more in line with
the key practices and better equip FPS to address security
vulnerabilities at GSA-controlled federal buildings. For example, FPS
is developing a new risk assessment tool and standardizing technology
acquisition. However, until these measures are fully implemented, FPS
will continue to rely on its current methods, which fall short of a
comprehensive approach to facility protection rooted in key practices.
More specifically:
* FPS assesses risk and recommends countermeasures to GSA and tenant
agencies; however, FPS's ability to influence the allocation of
resources using risk management is limited because resource allocation
decisions are the responsibility of GSA and tenant agencies, which may
be unwilling to fund FPS's countermeasure recommendations. We have
found that under this approach, the security equipment that FPS
recommends and is responsible for acquiring, installing, and
maintaining may not be implemented if tenant agencies are unwilling to
fund it. For example, one location shared a surveillance system with an
adjacent federal location, and while one building security committee
(BSC) agreed to fund a surveillance system upgrade that FPS had
recommended, the BSC of the other location would not, thus adversely
affecting the security of both locations. Compounding this situation,
FPS takes a building-by-building approach to risk management, using an
outdated risk assessment tool to create building security assessments
(BSA), rather than taking a more comprehensive, strategic approach and
assessing risks among all buildings in GSA's inventory and recommending
countermeasure priorities to GSA and tenant agencies. As a result, the
current approach provides less assurance that the most critical risks
at federal buildings across the country are being prioritized and
mitigated. Also, GSA and tenant agencies have concerns about the
quality and timeliness of FPS's risk assessment services and are taking
steps to obtain their own risk assessments. FPS is developing a new
risk management program that is intended to incorporate a new risk
assessment tool and be less subjective and time-consuming. However,
according to FPS's plans, this program will not be fully implemented
until the end of fiscal year 2011, and its development has already been
delayed.
* Leveraging technology is a key practice over which FPS has somewhat
more control. Individual FPS inspectors have considerable latitude in
determining which technologies and other countermeasures to recommend,
but the inspectors receive little training and guidance in how to
assess the relative cost-effectiveness of these technologies or
determine the expected return on investment. Moreover, the document
that FPS uses to convey its countermeasure recommendations to GSA and
tenant agencies--the BSA executive summary--includes cost estimates but
no analysis of alternatives. As a result, GSA and tenant agencies have
limited assurance that the investments in technologies and other
countermeasures that FPS inspectors recommend are cost-effective,
consistent across buildings, and the best available alternatives. At
one location, for example, FPS recommended that in addition to using an
explosives detection dog to screen mail, an enhanced X-ray machine
should be used to detect additional hazardous agents to lower the
threat level. However, FPS did not include a cost analysis of the
countermeasure and risk options in the BSA executive summary, leaving
tenant agency representatives without key information for making a
decision with cost and risk implications. FPS is developing a program
to standardize its security equipment recommendations and contracting,
but until the program is fully implemented, individual inspectors will
continue to make recommendations based on individual judgment and
information from vendors. In addition, FPS had planned to implement the
new program during fiscal year 2009, but extended full implementation
into fiscal year 2010. Moreover, the program does not provide for
assessing the cost-effectiveness of competing technologies and
countermeasures.
* Information sharing and coordination occur in a variety of ways, and
FPS and GSA top management have established communication channels.
However, the types of information shared at the regional and building
levels are inconsistent, and FPS and GSA disagree over what information
should be shared. For example, the MOA between DHS and GSA specifies
that FPS will provide quarterly briefings at the regional level, but
FPS had not been providing them consistently across all regions. FPS
resumed the practice in October 2008, however, GSA security officials
said that these briefings mostly focused on crime statistics and did
not constitute comprehensive threat analyses. Additionally, FPS is only
required to meet formally with GSA property managers and tenant
agencies as part of the BSA process--an event that occurs every 2 to 5
years, depending on a building's security level. Lack of coordination
through regular contact can lead to communication breakdowns. For
example, at one location, FPS, GSA, and tenant agency representatives
did not all meet together regularly during a large-scale construction
project and surveillance equipment that FPS was responsible for was
removed in 2007. During our visit in 2008, FPS officials told us they
had not been notified of the action and had not recovered the
equipment, but tenant agency representatives maintained there had been
coordination with FPS. Furthermore, we found that FPS generally does
not share complete BSAs with GSA because FPS believes GSA does not meet
the standards under which FPS shares sensitive law enforcement
information. GSA security officials maintain that this restriction on
their access to security information constrains GSA's ability to
protect its buildings and their occupants and is seeking a
clarification on access to BSAs as part of the MOA renegotiation with
FPS. However, FPS officials told us that they do not intend to change
this information sharing procedure during negotiations. We also found
that information sharing is constrained when FPS's radios are not
interoperable with other law enforcement agencies' radios and FPS
cannot communicate directly with the other agencies when responding to
incidents. While FPS is taking steps to improve interoperability, it is
too soon to tell whether FPS will achieve its goal in accordance with
established timelines.
Without greater attention to the key practices, FPS will be ill-
equipped to efficiently and effectively fulfill its responsibilities of
assessing risk, recommending countermeasures, and sharing information
and coordinating with GSA and tenant agencies to secure GSA buildings
as the security landscape changes and as new threats emerge.
Accordingly, we are making recommendations designed to move FPS toward
greater application of key practices and complete implementation of
planned improvements. Specifically, the Secretary of Homeland Security
should instruct the Director of FPS, in consultation, where
appropriate, with other parts of DHS, GSA, and tenant agencies to (1)
report regularly to the Secretary on the status of new risk management
and countermeasure program activities; (2) develop a methodology and
guidance for assessing and comparing the cost-effectiveness of
technology alternatives; and (3) work with GSA to determine what
information contained in the BSA is needed for GSA to protect buildings
and occupants. We provided a draft of the sensitive but unclassified
report to DHS and GSA for official review and comment. DHS agreed with
our assessment that greater attention to key practices would improve
FPS's approach to facility protection and agreed with the report's
recommendations. GSA agreed with our findings concerning the challenges
that FPS faces in delivering security services for GSA buildings. DHS's
comments can be found in appendix II and GSA's comments can be found in
appendix III. DHS also provided technical comments that we
incorporated, where appropriate.
Background:
FPS was created in 1971 and located within GSA until, under the
Homeland Security Act of 2002, it was transferred to DHS and placed
within ICE, effective March 1, 2003. Under the act, FPS is authorized
to protect the buildings, grounds, and property that are under the
control and custody of GSA and the persons on the property.[Footnote
12] FPS is authorized to enforce federal laws and regulations aimed at
protecting GSA buildings and persons on the property and to investigate
offenses against these buildings and persons. DHS and GSA developed an
MOA to set forth roles, responsibilities, and operational relationships
between FPS and GSA concerning the security of GSA buildings. In
accordance with the MOA, FPS inspectors[Footnote 13] are responsible
for performing a range of law enforcement and security duties at GSA
buildings, including:
* patrolling the building perimeter,[Footnote 14]
* responding to incidents and demonstrations,
* completing risk assessments for buildings[Footnote 15] and space that
GSA is considering leasing,[Footnote 16]
* recommending countermeasures,
* participating in meetings with GSA property managers and tenant
agency representatives, and:
* overseeing contract guard operations.[Footnote 17]
The level of physical protection services FPS provides at each of the
9,000 GSA buildings varies depending on the building's security level.
To determine a building's security level, FPS uses the Department of
Justice (DOJ) vulnerability assessment guidelines, which categorize
federal buildings into security levels I through V based on factors
such as building size and number of employees.[Footnote 18] The DOJ
standards recommend minimum security measures for each of the five
levels and FPS uses these standards and other information to recommend
countermeasures. The DOJ standards also require FPS to complete BSAs
[Footnote 19] every 2 to 4 years, depending on the security level of
the building.[Footnote 20] For example, a BSA is to be completed every
2 years for a level IV building and every 4 years for a level I
building. As part of each assessment, the inspector is required to
conduct an on-site physical security analysis using FPS's risk
assessment tool, known as Federal Security Risk Manager, and interview
tenant agency security representatives, GSA realty specialists, site
security supervisors, and building managers. After completing their
assessments, inspectors make recommendations to GSA and tenant agencies
for building security countermeasures,[Footnote 21] including security
equipment[Footnote 22] and security fixtures.[Footnote 23] Tenant
agencies decide whether to fund countermeasures recommended for
security equipment and FPS is responsible for acquiring, installing,
and maintaining approved equipment. GSA and tenant agencies determine
whether to fund recommended security fixtures and GSA is responsible
for acquiring, installing, and maintaining approved fixtures.[Footnote
24] In some cases, and in accordance with its policies, FPS has
delegated the protection of buildings to tenant agencies, which may
have their own law enforcement authority or may contract separately for
guard services.
FPS is a fully reimbursable agency--that is, its services are fully
funded by security fees collected from tenant agencies. FPS charges
each tenant agency a basic security fee per square foot of space
occupied in a GSA building. In fiscal year 2009, the basic security fee
is 66 cents per square foot and covers services such as patrolling the
building perimeter, monitoring building perimeter alarms, dispatching
law enforcement officers through its control centers, conducting
criminal investigations, and performing BSAs. FPS also collects an
administrative fee that it charges tenant agencies for building-
specific security services, such as controlling access to building
entrances and exits and checking employees and visitors. In fiscal year
2009, the fee rate for building-specific expenses is 8 percent. In
addition to these security services, FPS provides tenant agencies with
additional services upon request, which are funded through reimbursable
security work authorizations (SWA) for which FPS charges an
administrative fee. For example, tenant agencies fund FPS's security
equipment countermeasure recommendations that they approve through
SWAs. In fiscal year 2009, the SWA fee rate is 8 percent.
Since transferring to DHS, FPS's mission has expanded beyond solely
protecting GSA buildings to include homeland security activities, such
as implementing homeland security directives, and providing law
enforcement, security, and emergency response services during natural
disasters and special events. For example, FPS serves as the sector-
specific agency for the Government Facilities critical infrastructure
sector under Homeland Security Presidential Directive 7 (HSPD-7).
[Footnote 25] Additionally, DHS has authority under the Homeland
Security Act to engage FPS in activities DHS deems necessary to enhance
homeland security. For example, FPS can be called upon to assist the
Federal Emergency Management Agency in responding to natural disasters,
and provide backup to other DHS law enforcement units during special
events, such as political demonstrations. According to FPS, it is
reimbursed for these supportive services.
We have previously identified challenges that raised concerns about
FPS's protection of GSA buildings and tenants. In 2004, we reported on
the challenges FPS faced in transitioning from GSA to DHS, including
issues related to expanding responsibilities and funding.[Footnote 26]
In June 2008, we reported on a range of operational and funding
challenges facing FPS.[Footnote 27] We found that the operational
challenges we identified hampered FPS's ability to accomplish its
mission of protecting GSA buildings and the actions it took may not
have fully resolved the challenges. For example, the number of FPS
staff decreased by about 20 percent between fiscal year 2004 and fiscal
year 2007. We found that FPS managed these decreases in staffing
resources in a way that diminished security and increased the risk of
crime and terrorist attacks at many GSA buildings. We further reported
that the actions FPS took to address its funding challenges had some
adverse implications. For example, during fiscal years 2005 and 2006,
FPS's projected expenses exceeded its collections, and DHS had to
transfer funds to make up the difference. We also found that although
FPS had developed output measures, it lacked outcome measures to assess
the effectiveness of its efforts to protect GSA buildings. Moreover,
FPS lacked a reliable data management system for accurately tracking
performance measures.
As the federal government's landlord, GSA designs, builds, manages, and
safeguards buildings to support the needs of other federal agencies.
Under the Homeland Security Act of 2002--although FPS was transferred
to DHS along with its responsibility to perform law enforcement and
related security functions for GSA buildings--GSA also retained some
property protection responsibilities. The Homeland Security Act of 2002
stated that:
"Nothing in this chapter may be construed to affect the functions or
authorities of the Administrator of General Services with respect to
the operation, maintenance, and protection of buildings and grounds
owned or occupied by the Federal Government and under the jurisdiction,
custody, or control of the Administrator. Except for the law
enforcement and related security functions transferred under section
203(3) of this title, the Administrator shall retain all powers,
functions, and authorities vested in the Administrator under chapter 1,
except section 121(e)(2)(A), and chapters 5 to 11 of Title 40, and
other provisions of law that are necessary for the operation,
maintenance, and protection of such buildings and grounds."[Footnote
28]
In response to a 2005 GAO recommendation[Footnote 29] and to enhance
coordination with FPS, GSA established the Building Security and Policy
Division within the Public Buildings Service (PBS)--where FPS once
resided--in 2006.[Footnote 30] This division has three primary
branches:
* Building Security Policy--develops GSA security policies.
* Building Security Operations--interfaces with FPS and monitors the
services FPS provides to GSA and tenant agencies.
* Physical Security--provides physical security expertise, training,
and guidance to GSA leadership, regional staff, and tenant agencies.
During 2006, the division developed the Regional Security Network,
which consists of several staff per GSA region to further enhance
coordination with FPS at the regional and building levels, and to carry
out GSA security policy in collaboration with FPS and tenant agencies.
In 1995, Executive Order 12977 established the ISC to enhance the
quality and effectiveness of security in, and protection of,
nonmilitary buildings occupied by federal employees in the United
States. ISC has representation from all federal cabinet-level
departments and other agencies and key offices, including GSA and FPS.
[Footnote 31] Furthermore, ISC was established as a permanent body to
address continuing government security issues for federal buildings.
Under the order, ISC became responsible for developing policies and
standards, ensuring compliance and overseeing implementation, and
sharing and maintaining information. Executive Order 13286 transferred
the ISC Chair from GSA to DHS.[Footnote 32] In 2004, we assessed ISC's
progress in fulfilling its responsibilities.[Footnote 33]
We have identified a set of key facility protection practices from the
collective practices of federal agencies and the private sector to
provide a framework for guiding agencies' protection efforts and
addressing challenges.[Footnote 34] We focused on the following three
key practices for this report: (1) allocating resources using risk
management; (2) leveraging technology; and (3) information sharing and
coordination. We have used the key practices to evaluate the efforts of
the Smithsonian Institution to protect its assets,[Footnote 35] of DHS
to protect its facilities,[Footnote 36] and of federal entities to
protect icons and facilities on the National Mall.[Footnote 37]
Moreover, ISC is using our key facility protection practices as key
management practices to guide its priorities and work activities. For
example, ISC established subcommittees for technology best practices
and training, and working groups in the areas of performance measures
and strategic human capital management. ISC also issued performance
measurement guidance in 2009.[Footnote 38]
FPS's Risk Management Approach Is Inadequate, but Improvements Are in
Development:
FPS is limited in its ability to influence the allocation of resources
using risk management because security funding decisions are the
responsibility of GSA and tenant agencies. Moreover, FPS uses an
outdated risk assessment tool, a subjective approach, and a time-
consuming process to conduct BSAs. GSA and tenant agencies have
concerns about the quality and timeliness of FPS's risk assessment
services and in some cases, are assuming these responsibilities.
Although FPS is taking steps to implement a new risk management
program, it is unclear when all program components--such as risk
assessment tools--will be fully implemented as FPS has extended initial
implementation from fiscal year 2009 into fiscal year 2010. FPS's new
risk management program could help GSA and tenant agencies refine their
resource allocation decisions if risk assessments are enhanced and FPS
can help GSA and tenant agencies prioritize risks among all buildings.
Until the risk management program is implemented, FPS will continue to
use its current approach, which may leave some buildings and tenants
vulnerable to terrorist attacks and crime.
FPS's Ability to Influence Resource Allocation Based on Risk is
Limited:
FPS's ability to influence the allocation of resources based on the
results of its risk assessments is constrained because GSA and tenant
agencies must agree to fund recommended countermeasures, and we found
that tenant agencies were sometimes unwilling to fund recommended
security equipment. We have reported that a risk management approach to
building protection generally involves identifying potential threats,
assessing vulnerabilities, and evaluating mitigation alternatives for
their likely effect on risk and their cost.[Footnote 39] Incorporating
information on these elements, a strategy for allocating security-
related resources is developed, implemented, and reevaluated over time
as conditions change. Through the risk assessment process, FPS
inspectors make recommendations for security fixtures and equipment
which they include in BSA executive summaries that FPS is required to
share with GSA and tenant agencies. GSA and tenant agencies determine
whether to fund recommended security fixtures and GSA is responsible
for acquiring, installing, and maintaining approved fixtures. Tenant
agencies determine whether to fund recommended security equipment and
FPS is responsible for acquiring, installing, and maintaining security
equipment. However, tenant agencies may be unwilling to approve FPS's
security equipment countermeasure recommendations, in which case FPS
views them as choosing to accept the risk. According to officials we
spoke with from FPS, GSA, and tenant agencies, tenant agencies may not
approve FPS's security equipment countermeasure recommendations for
several reasons:
* Tenant agencies may not have the security expertise needed to make
risk-based decisions.
* Tenant agencies may find the associated costs prohibitive.
* The timing of the BSA process may be inconsistent with tenant
agencies' budget cycles.
* Consensus may be difficult to build among multiple tenant agencies.
* Tenant agencies may lack a complete understanding of why recommended
countermeasures are necessary because they do not receive BSAs in their
entirety.
For example, in August 2007, FPS recommended a security equipment
countermeasure--the upgrade of a surveillance system shared by two
locations that, according to FPS officials, would cost around $650,000.
While members of one BSC told us they approved spending between
$350,000 and $375,000 to fund their agencies' share of the
countermeasure, they said that the BSC of the other location would not
approve funding; therefore, FPS could not upgrade the system it had
recommended. In November 2008, FPS officials told us that they were
moving ahead with the project by drawing on unexpended revenues from
the two locations' building-specific fees and the funding that was
approved by one of the BSCs. In May 2009, FPS officials told us that
all cameras had been repaired and all monitoring and recording devices
had been replaced, and that the two BSCs had approved additional
upgrades and that FPS was implementing them. As we reported in June
2008, we have found other instances in which recommended security
countermeasures were not implemented at some of the buildings we
visited because BSC members could not agree on which countermeasures to
implement or were unable to obtain funding from their agencies.
[Footnote 40]
FPS's Current Approach to Risk Management Is Outdated, Subjective, and
Time-consuming:
Complicating the issue of FPS's limitations in influencing risk-based
resource allocation decisions, FPS inspectors use an outdated risk
assessment tool, known as Federal Security Risk Manager, to produce
BSAs which are also vulnerable to inspector error and subjectivity and
can take a considerable amount of time to complete. GSA originally
developed the risk assessment tool in the late 1990s when FPS was a
part of GSA and updated it in 2002, and it moved with FPS when it was
transferred to DHS in 2003. FPS has identified problems with the risk
assessment tool and overall approach to developing BSAs, including:
* The risk assessment tool contributes to BSA subjectivity because it
lacks a rigorous risk assessment methodology. For example, the tool
does not incorporate ISC standards or the National Infrastructure
Protection Plan (NIPP) framework,[Footnote 41] therefore, inspectors
must apply ISC standards during their reviews of BSAs produced from the
risk assessment tool and modify these reports in accordance with the
standards.
* Inspectors' compliance with BSA policies and procedures is
inconsistent and inspectors must search for risk information from
different sources and perform duplicative data entry tasks making it
difficult for inspectors to focus fully on the needs of GSA and tenant
agencies. Additionally, inspectors record risk assessment findings on
paper-based forms and then transfer data to the risk assessment tool
and other systems manually, potentially introducing errors during the
transfer.
We concur with FPS's findings and also believe the discretion given to
inspectors in FPS's risk assessment approach provides less assurance
that vulnerabilities are being consistently identified and mitigated.
Without consistent application of risk assessment procedures, FPS
cannot assure GSA and tenant agencies that expenditures to implement
its recommendations are necessary. Furthermore, FPS's reliance on an
outdated risk assessment tool provides less assurance that risks and
mitigation strategies are adequately identified.
We have previously reported on other concerns about FPS's risk
assessment tool.[Footnote 42] For example, the tool does not allow FPS
to compare risks from building to building so that FPS, GSA, and tenant
agencies can prioritize security improvements among the nearly 9,000
buildings within GSA's inventory. The ability to compare risks among
all buildings is important because it could allow FPS, GSA, and tenant
agencies to comprehensively identify and prioritize risks and
countermeasure recommendations at a national level and direct resources
toward alleviating them. We also reported that the risk assessment tool
does not allow FPS to further refine security improvement priorities
based on more precise risk categories--rather than the high, medium, or
low categories FPS inspectors use under the current system.
Furthermore, we reported that the risk assessment tool does not allow
FPS to track the implementation status of security recommendations
based on assessments.[Footnote 43] Without this ability, FPS has
difficulty determining the extent to which identified vulnerabilities
at GSA buildings have been mitigated.
Considering the steps involved, it can also take several months for FPS
to complete a BSA. Some of these steps include:
* conducting an on-site physical security survey,
* interviewing representatives from GSA and tenant agencies (an
inspector may need to visit a site multiple times to meet with all
pertinent officials),
* entering survey and interview results into the risk assessment tool
and other systems such as the Security Tracking System,
* producing a BSA document that undergoes several layers of review and
approval, and:
* briefing representatives of tenant agencies and GSA on the BSA
results and distributing the executive summary to them.
An FPS supervisory officer told us that it took an average of 3 months
to complete a BSA. The officer explained that it may take 2 to 5 weeks
for an inspector to complete a security survey, interviews, and a BSA
document. The officer gave an example that for one of the buildings
within the region, an inspector must interview representatives from 30
tenant agencies. In another example, we found that an FPS inspector had
completed a BSA report for one location in April 2008, but at the time
of our visit in August 2008 the document was still undergoing
supervisory review and tenant agency representatives and GSA had not
yet been briefed on the results or received a copy of the executive
summary.[Footnote 44] Furthermore, inspectors are responsible for
conducting BSAs for multiple buildings. The inspectors we interviewed
were each responsible for conducting BSAs and overseeing security
operations at between 1 and 20 buildings.
GSA and Tenant Agencies Are Assuming More Security Responsibilities:
GSA security officials at the national and regional levels that we met
with were concerned about the quality and timeliness of the risk
assessment services that FPS provides. Officials explained that GSA
created the current risk assessment tool hastily following the 1995
bombing of the Alfred P. Murrah Federal Building and that FPS inherited
a flawed tool when it moved to DHS. GSA security officials expressed
concerns over the quality of FPS's BSAs. For example, GSA regional
security officials told us that an FPS inspector recommended that GSA
remove a structure from a building, because the inspector thought it
blocked the view of the security guards. However, according to these
officials, FPS had not cited this blocked view as a vulnerability or
recommended the structure's removal in previous BSAs, and to their
knowledge, there had been no significant changes in identified threats,
the space, or the building's tenant composition. GSA security officials
also told us that they have had difficulties receiving timely risk
assessments from FPS for space that GSA is considering leasing. These
risk assessments must be completed before GSA can take possession of
the property and lease it to tenant agencies. An inefficient risk
assessment process for new lease projects can add costs for GSA and
create problems for both GSA and tenant agencies that have been
planning for a move. ICE officials told us that there are many
occasions where FPS is not notified by GSA of the need for a new lease
assessment and in some cases, tenants have moved into leased space
without FPS's knowledge. GSA is updating a tool--the Risk Assessment
Methodology Property Analysis and Ranking Tool (RAMPART)[Footnote 45]--
that it began developing in 1998, but has not recently used, to better
ensure the timeliness and comprehensiveness of these risk assessments.
GSA expects to test and implement the system during fiscal year 2009.
GSA security officials told us that they may use RAMPART for other
physical security activities, such as conducting other types of risk
assessments and determining security countermeasures for new
facilities.
The tenant agency officials we spoke with at the five sites did not
raise concerns about FPS's risk assessment process, but all of them
told us that at the national level, their agencies were taking steps to
pursue their own risk assessments for the exterior of their buildings,
even though they pay FPS for this service. GSA security officials said
they have seen an increase in the number of tenant agencies conducting
their own risk assessments. They told us that they are aware of at
least nine tenant agencies that are taking steps to acquire risk
assessments for the exterior of their buildings. Additionally, we have
previously reported that some tenant agencies had told us that they
were using or planned to find contractors to complete additional risk
assessments because of concerns about the quality and timeliness of
FPS's BSAs.[Footnote 46] We also reported that several DHS components
and other tenant agencies were taking steps to acquire their own risk
assessments because FPS's assessments were not always timely or
adequate. Similarly, we also found that many facilities had received
waivers from FPS to enable the agencies to complete their own risk
assessments.[Footnote 47] While tenant agencies have typically taken
responsibility for assessing risk and securing the interior of their
buildings, assessing exterior risks will require additional expertise
and resources. This is an inefficient approach considering that tenant
agencies are paying FPS to assess building security. However, ICE
officials stated that in many cases, the agencies that are pursuing
risk assessments are doing so to include both GSA and non-GSA buildings
that they occupy, and that in other instances, agencies must adhere to
other physical security standards and thus conduct their own
assessments.
FPS Is Developing a New Risk Assessment Tool and Implementing Updated
Security Standards:
FPS recognizes the inadequacies of its risk assessment tool,
methodology, and process and is taking steps to develop a new risk
management program. Specifically, FPS is developing the Risk Assessment
and Management Program (RAMP) to improve the effectiveness of FPS's
risk management approach and the quality of BSAs. According to FPS,
RAMP will provide inspectors with the information needed to make more
informed and defensible recommendations for security countermeasures.
FPS also anticipates that RAMP will allow inspectors to obtain
information from one electronic source, generate reports automatically,
enable FPS to track selected countermeasures throughout their life
cycle, address some concerns about the subjectivity inherent in BSAs,
and reduce the amount of time inspectors and managers spend on
administrative work. Additionally, FPS is designing RAMP so that it
will produce risk assessments that are compliant with ISC standards,
compatible with the risk management framework set forth by the NIPP,
and consistent with the business processes outlined in the MOA with
GSA. FPS expects that the first phase of RAMP will include BSA and
countermeasure management tools, among other functions. According to
FPS, RAMP will support all components of the BSA process, including
gathering and reviewing building information; conducting and recording
interviews; assessing threats, vulnerabilities, and consequences to
develop a detailed risk profile; recommending appropriate
countermeasures; and producing BSA reports.[Footnote 48] According to
FPS, RAMP's countermeasure lifecycle management activities will include
countermeasure design, review, recommendation, approval,
implementation, acceptance, operation, testing, and replacement.
FPS began designing RAMP in early 2007 and expects to implement the
program in three phases, completing its implementation by the end of
fiscal year 2011. However, it is unclear whether FPS will meet the
implementation goals established in the program's proposed timeline. In
June 2008, we reported that FPS was going to implement a pilot version
of RAMP in fiscal year 2009,[Footnote 49] but in May 2009, FPS
officials told us they intend to implement the first phase in the
beginning of fiscal year 2010. FPS officials also told us that RAMP
training for inspectors will begin in October 2009 and conclude in
December 2009. Until RAMP components are fully implemented, FPS will
continue to rely on its current risk assessment tool, methodology, and
process, potentially leaving GSA and tenant agencies dissatisfied. GSA
security officials are aware that RAMP's development and implementation
have run behind schedule and are concerned about when improvements to
FPS's risk assessment processes will be made. Under the 2006 MOA, FPS
and GSA recognized that revisions and enhancements would need to be
made to the risk assessment process, and FPS agreed it would work in
consultation with GSA on any modifications to risk assessment tools.
FPS shared RAMP plans with GSA in 2007 and solicited feedback, yet GSA
security officials told us they think collaboration could have been
stronger and have concerns about RAMP's ability to meet their physical
security needs. For example, as stated earlier, GSA relies on FPS to
provide it with risk assessments for buildings that it wants to lease,
but because FPS does not provide these assessments in a timely manner
GSA is taking steps to implement its own risk assessment tool by the
end of fiscal year 2009. According to FPS, RAMP will include a risk
assessment tool for new lease projects, but it did not include this
component in the first development phase and instead, this tool is
scheduled for rollout at the end of fiscal year 2010. FPS officials
told us that as they move forward with RAMP, they intend to ask GSA and
tenant agencies what risk assessment information they need from BSA
reports.
Also, FPS officials told us they are reassessing building security
levels using ISC's updated facility security level standards[Footnote
50] and a specialized calculator tool. The updated ISC standards take
factors other than a building's size and population into account,
including mission criticality, symbolism, threats to tenant agencies,
and other factors such as proximity to a major transportation hub.
[Footnote 51] FPS is trying to meet ISC's target date of September 30,
2009, for finalizing updated building security levels for nearly 9,000
GSA buildings. According to FPS, inspectors began reassessing building
security levels during June 2008 and as of May 2009, FPS officials told
us that inspectors had determined preliminary security levels for all
buildings, and finalized security levels for 3,100 buildings. FPS
officials told us inspectors have been following ISC guidance in
reassessing the facility security levels which require that the tenant
agencies make the final security level determination. However, GSA
security officials at the national office told us they were receiving
feedback from GSA security officials in the regions that some FPS
inspectors were presenting the updated security levels as mandatory and
final, not as preliminary results to be discussed.
Risk management practices provide the foundation of a comprehensive
protection program. Hence, efforts in the other key practice areas--
leveraging technology and information sharing and coordination--are
diminished if they are not part of a risk management approach which can
be the vehicle for using these tools. It is critical that FPS--which is
responsible for assessing risk for nearly 9,000 GSA buildings and
properties that GSA may lease--replace its outdated, subjective, and
time-consuming risk assessment tool and approach with the new program
it has been developing since fiscal year 2007, especially as the
results of its risk analyses lay the foundation for FPS, GSA, and
tenant agencies' security efforts. DHS is the nation's designated
leader of critical infrastructure protection efforts; therefore, it is
critical that RAMP be developed in an expeditious manner so that DHS
can fulfill this mission with regard to federal facilities that FPS
protects. Furthermore, department level attention in ensuring that FPS
achieves success through regular updates to the Secretary is warranted.
This added oversight would enhance the department's ability to monitor
RAMP development and make FPS accountable for results, given the delays
that RAMP has already experienced.
FPS Lacks a Systematic Approach for Leveraging Technology, but Is
Developing a Technology Acquisition Program:
FPS's approach to leveraging technology does not ensure that the most
cost-effective technologies are being selected to protect GSA
buildings. Individual inspectors make technology decisions with limited
training and guidance, giving GSA and tenant agencies little assurance
that vulnerabilities have been systematically mitigated within and
among all buildings as cost-effectively as possible. Although FPS is
developing a program for technology acquisition, its implementation has
been delayed and it does not include an evaluative component to ensure
cost-effectiveness.
Inspectors Have Considerable Latitude in Determining Which Technologies
to Pursue, but Receive Little Training and Guidance:
As previously discussed, FPS inspectors recommend security fixtures to
GSA and security equipment to tenant agencies through the BSA process.
However, the training, guidance, and standards that FPS provides to
inspectors for selecting technologies are limited. As a result, GSA and
tenant agencies have little assurance that the countermeasures
inspectors recommend are cost-effective and the best available
alternative. We have previously reported that by efficiently using cost-
effective technology to supplement and reinforce other security
measures, agencies can more effectively apply the appropriate
countermeasures to vulnerabilities identified through the risk
management process, and that linking the chosen technology to
countermeasures identified as part of the risk management process
provides assurance that factors such as purpose, cost, and expected
performance have been addressed.[Footnote 52] Furthermore, we have
recognized that having a method that allows for cost-effectively
leveraging technology to supplement and reinforce other measures
represents an advanced application of the key practice.[Footnote 53]
Through the BSA process, FPS recommends security fixtures to GSA, and
GSA has policies and procedures in place to guide its decisions about
the recommended investments and to identify and acquire cost-effective
fixtures through established contracts with vendors.[Footnote 54] FPS
inspectors also recommend technology-related security equipment through
the BSA process and acquire, install, and maintain the security
equipment that tenant agencies approve for purchase. FPS does not have
a comprehensive approach for identifying, acquiring, and assessing the
cost-effectiveness of the security equipment that its inspectors
recommend. Instead, individual FPS inspectors identify equipment for
its purchase, installation, and maintenance. FPS officials told us that
inspectors make technology decisions based on the initial training they
receive, personal knowledge and experience, and contacts with vendors.
FPS inspectors receive some training in identifying and recommending
security technologies as part of their initial FPS physical security
training. Since FPS was transferred to DHS in 2003, its refresher
training program for inspectors has primarily focused on law
enforcement.[Footnote 55] Consequently, inspectors lack recurring
technology training. Supervisory officers and inspectors from two of
the five sites we visited told us that they learn about security
technologies on their own by reviewing industry publications and by
attending trade shows and security conferences but inspectors must have
the time and funding to attend. A supervisory officer from one FPS
region told us the region has sent some inspectors to security
conferences sponsored by ASIS International.[Footnote 56] Additionally,
FPS does not provide inspectors with specialized guidance and standards
for cost-effectively selecting technology. In the absence of specific
guidance, inspectors follow the DOJ minimum countermeasure standards
and other relevant ISC standards[Footnote 57] but these standards do
not assist users in selecting cost-effective technologies.
FPS's devolution of responsibility for selecting technology to
individual inspectors, whose knowledge of existing and emerging
technologies varies because it is built on limited training and
personal experience, results in subjective equipment selection
decisions. Additionally, the acquisition process can be time-consuming
for inspectors--many of whom have other law enforcement and security
duties for multiple buildings--because they must search for equipment
and vendors and facilitate the establishment of installation and
maintenance contracts. FPS's process for acquiring, installing, and
maintaining technologies provides GSA and tenant agencies with little
assurance that they are getting the highest-quality, most cost-
effective technology security solutions and that common vulnerabilities
are being systematically mitigated across all buildings. For example,
an explosives detection dog was used at one location to screen mail
that is distributed elsewhere. In 2006, FPS had recommended, based on
the results of its risk analysis, the use of this dog and an X-ray
machine, although at the time of our visit only the dog was being used.
Moreover, the dog and handler work 12-hour shifts Monday through Friday
when most mail is delivered and shipped, and the dog needs a break
every 7 minutes. The GSA regional security officials we spoke with
questioned whether this approach was more effective and efficient than
using an on-site enhanced X-ray machine that could detect biological
and chemical agents as well as explosives and could be used anytime. In
accordance with its policies, FPS conducted a BSA of the site in 2008
and determined that using an enhanced X-ray machine and an explosives
detection dog would bring the projected threat rating of the site down
from moderate to low. FPS included estimated one-time installation and
recurring costs in the BSA and executive summary, but did not include
the estimated cost and risk of the following mail screening options:
(1) usage of the dog and the additional countermeasure; (2) usage of
the additional countermeasure only; and (3) usage of the dog only.
Consequently, tenant agency representatives would have to investigate
the cost and risk implications of these options on their own to make an
informed resource allocation decision.
FPS Is Developing a Program to Standardize Equipment and Contracting:
FPS is taking steps to implement a more systematic approach to
technology acquisition by developing a National Countermeasures
Program, which could help FPS leverage technology more cost-
effectively. According to FPS, the program will establish standards and
national procurement contracts for security equipment, including X-ray
machines, magnetometers, surveillance systems, and intrusion detection
systems. FPS officials told us that instead of having inspectors search
for vendors to establish equipment acquisition, installation, and
maintenance contracts, inspectors will call an FPS mission support
center with their countermeasure recommendations, and the center will
procure the services through standardized contracts. According to FPS,
the program will also include life-cycle management plans for
countermeasures. FPS officials explained that the National
Countermeasures Program establishes contractual relationships through
GSA Schedule 84 to eliminate the need for individual contracting
actions when requirements for new equipment or services are identified.
[Footnote 58] FPS officials told us they worked closely with GSA's
Federal Acquisition Service (FAS) to develop the program and FAS
officials concurred stating, for example, that the two agencies have
collaborated to ensure that GSA Schedule 84 has a sufficient number of
vendors to support FPS requirements for physical security services. FPS
officials said they established an X-ray machine contract through the
schedule and that future program contracts will also explore the use of
the schedule as a source for national purchase and service contracts.
According to FPS, the National Countermeasures Program should provide
the agency with a framework to better manage its security equipment
inventory; meet its operational requirement to identify, implement, and
maintain security equipment; and respond to stakeholders' needs by
establishing nationwide resources, streamlining procurement procedures,
and strengthening communications with its customers. FPS officials told
us they believe this program will result in increased efficiencies
because inspectors will not have to spend their time facilitating the
establishment of contracts for security equipment because these
contracts will be standardized nationwide. Additionally, FPS officials
told us that they participate in the research and development of new
technologies with DHS's Science and Technology Directorate.[Footnote
59]
Although the National Countermeasures Program includes improvements
that may enhance FPS's ability to leverage technology, it does not
establish tools for assessing the cost-effectiveness of competing
technologies and countermeasures and implementation has been delayed.
Security professionals are faced with a multitude of technology options
offered by private vendors, including advanced intrusion detection
systems, biotechnology options for screening people, and sophisticated
video monitoring. Having tools and guidance to determine which
technologies most cost-effectively address identified vulnerabilities
is a central component of the leveraging technology key practice. FPS
officials told us that the National Countermeasures Program will enable
inspectors to develop countermeasure cost estimates that can be shared
with GSA and tenant agencies. However, incorporating a tool for
evaluating the cost-effectiveness of alternative technologies into
FPS's planned improvements in the security acquisition area would
represent an enhanced application of this key practice. Another concern
is that FPS had planned to implement the program throughout fiscal year
2009, but extended implementation into fiscal year 2010 and thus it is
not clear whether FPS will meet the program's milestones in accordance
with updated timelines. For example, FPS had anticipated that the X-ray
machine and magnetometer contracts would be awarded by December 2008,
and that contracts for surveillance and intrusion detection systems
would be awarded during fiscal year 2009. In May 2009, FPS officials
told us that the X-ray machine contract was awarded on April 30, 2009,
and that they anticipated awarding the magnetometer contract in the
fourth quarter of fiscal year 2009 and an electronic security services
contract for surveillance and intrusion detection systems during the
second quarter of fiscal year 2010. FPS had planned to test the program
in one region before implementing it nationwide, but after further
consideration, FPS management decided to forgo piloting the program in
favor of rolling it out nationally. Until the National Countermeasures
Program is fully implemented, FPS will continue to rely on individual
inspectors to make technology decisions. It would be beneficial for FPS
to establish a process for determining the cost-effectiveness of
technologies considering the cost and risk implications for the tenant
agencies that determine whether they will implement FPS's
countermeasure recommendations.
FPS's Information Sharing and Coordination Practices Lack Consistency:
FPS, GSA, and tenant agencies share information and coordinate in a
variety of ways at the national, regional, and building levels;
however, FPS inspectors do not meet regularly with GSA property
managers and tenant agencies, FPS and GSA disagree over what threat and
risk information should be shared, and FPS faces technical obstacles to
communicating directly with other law enforcement agencies when
responding to incidents.
Information Sharing and Coordination Practices Have Weaknesses:
At the national level, FPS and GSA share information and coordinate in
a variety of ways. We have reported that information sharing and
coordination among organizations is crucial to producing comprehensive
and practical approaches and solutions to address terrorist threats
directed at federal buildings.[Footnote 60] FPS and the Building
Security and Policy Division within GSA's PBS hold two biweekly
teleconferences--one to discuss building security issues and priorities
and the other to discuss the status of GSA contractor security
background checks. FPS officials stated that this regular contact with
GSA has made their relationship more productive and promotes
coordination. GSA security officials also recognize the importance of
these teleconferences, although they would like more involvement from
FPS such as having better follow-through on meeting action items.
Additionally, FPS and GSA are both members of ISC and serve together on
various subcommittees and working groups. The FPS Director and the
Director of the PBS Building Security and Policy Division participate
in an ISC executive steering committee, which sets the committee's
priorities and agendas for ISC's quarterly meetings. These activities
could enhance FPS's and GSA's collaboration in implementing ISC's
security standards and potentially lead to greater efficiencies.
According to FPS and ISC, FPS has consistently participated in ISC
working groups, but the staff assigned to some of the groups changed
from meeting to meeting. GSA security officials also cited limitations
with FPS's staffing of ISC working groups.
FPS and GSA have also established an Executive Advisory Council to
enhance the coordination and communication of security strategies,
policies, guidance, and activities with tenant agencies in GSA
buildings. As the council's primary coordinator, FPS convened the group
for the first time in August 2008, and 17 agencies attended. According
to FPS, it intends to hold semiannual council meetings, and as of May
2009, FPS had not held a second formal meeting. This council could
enhance communication and coordination between FPS and GSA, and provide
a vehicle for FPS, GSA, and tenant agencies to work together to
identify common problems and devise solutions.
Furthermore, FPS and GSA are renegotiating the 2006 MOA between DHS and
GSA to, among other things, improve communication. However, officials
told us that this process has been time-consuming and the two parties
have different views on the outcomes. FPS and GSA began renegotiating
the MOA during fiscal year 2008 and expected to finalize it during
fiscal year 2009. However, in May 2009, FPS officials told us they do
not have an estimated date for finalizing the MOA and GSA officials
told us they do not anticipate reaching an agreement until fiscal year
2010. FPS and GSA recognize that the renegotiation can serve as an
opportunity to discuss service concerns and develop mutual solutions.
While FPS and GSA concur that the MOA should be used as an
accountability tool, FPS thinks the document should offer general
guidelines on the services it provides, but GSA wants a more
prescriptive agreement.
Overall, FPS and GSA regional officials told us that FPS shares some
information with GSA and that collaboration between the two agencies
has improved. However, the agencies' satisfaction with this situation
differs. The FPS regional officials we spoke with said the agencies'
information sharing and coordination procedures work well, while GSA
regional security officials told us that communication should be more
frequent and the quality of the information shared needs to be
improved. Moreover, according to the GSA officials, FPS's sporadic and
restricted sharing of threat information limits GSA's ability to
protect its properties. We have reported that by having a process in
place to obtain and share information on potential threats to federal
buildings, agencies can better understand the risks they face and more
effectively determine what preventive measures should be
implemented.[Footnote 61] Additionally, we have reported that sharing
terrorism-related information that is critical to homeland security
protection is important, and agencies need to develop mechanisms that
support this type of information sharing.[Footnote 62] The 2006 MOA
between DHS and GSA requires FPS to provide GSA with quarterly
briefings at the regional level. However, GSA regional security
officials told us that they were not receiving related threat
information as part of these updates until October 2008, when the FPS
Director--in response to feedback from GSA--instructed regional
personnel to share threat information. The FPS Director advised
Regional Directors to meet quarterly with their respective GSA regional
administrators, regional commissioners, or security representatives to
discuss and share information on regional security issues. The Director
further stated that briefings should include unclassified intelligence
information concerning threats against GSA buildings and updates to the
regional threat assessment, as well as information and analysis on
protecting the regions' most vulnerable facilities. Moreover, in its
strategic plan,[Footnote 63] FPS recognizes the importance of ensuring
that policies and procedures are being established and followed
consistently across the country, and asserts that effective
communication between headquarters and regional personnel at all levels
will aid in this effort. GSA officials also told us that they are
taking steps to replicate headquarters structures in their regions to
ensure consistent applications of policies and to standardize
communication practices.
While FPS's action to share threat information is a positive step, GSA
security officials at the national office told us they received
feedback from security staff in the regions that threat briefings were
not uniform across regions and varied in their usefulness. The majority
of the briefings, the officials said, communicated information about
crime incidents and did not, in their view, provide threat information.
In May 2009, FPS officials told us that regions gave briefings during
the second quarter of fiscal year 2009, but GSA security officials told
us that some regions reported that they had not received these second
quarter briefings. To improve information sharing and coordination at
the regional level, FPS standardized its quarterly threat briefing
format. FPS officials told us that they partnered with GSA to create a
sensitive but unclassified (SBU) facility-specific companion document
to the BSA called the "Facility Security Assessment Threat Summary."
According to FPS, this quarterly threat briefing will contain facility-
specific information on security performance measures, criminal
activity, unclassified intelligence regarding threats, significant
events, special FPS law enforcement operations, and potential threats,
demonstrations, and other events. FPS officials told us that this
quarterly threat briefing format is a positive step in providing a
briefing document that GSA can use in evaluating threat information
that is germane to its property portfolio. FPS officials told us that
they finalized the briefing format and that the Director signed the
General Services Administration Threat Briefing Policy directive in
June 2009. In contrast, in June 2009, GSA security officials told us
that they believe they had little involvement in developing FPS's
threat briefing format explaining that although FPS asked GSA to
comment on its proposed format--which, according to GSA, it did in
March 2009--FPS had not discussed GSA's comments with them or updated
GSA on the content or status of the format. GSA security officials told
us they have representation on an ISC working group that is developing
a standardized design basis threat template to support risk assessment
threat ratings.
According to the 2006 MOA, FPS is to meet with GSA property managers
and tenant agency representatives when it discusses the results of its
BSAs. Depending on the building's security level, the BSA may occur
every 2 to 4 years.[Footnote 64] Apart from these briefings, FPS, GSA,
and tenant agencies choose how frequently they will all meet. An
information sharing best practice that we have reported on is holding
regularly scheduled meetings during which participants can, for
example, share security management practices, discuss emerging
technologies, and create committees to perform specific tasks, such as
policy setting.[Footnote 65] It is critical that FPS, as the provider
of law enforcement and related security services for GSA buildings, and
GSA, as the manager of these properties, have well-established lines of
communication with each other and with tenant agencies to ensure that
all parties are aware of the ever-changing risks in a dynamic threat
environment and that FPS and GSA are taking appropriate actions to
reduce vulnerabilities. Nevertheless, we identified information sharing
gaps at all the sites we visited, and found that in some cases these
deficiencies led to decreased security awareness and increased risk.
* At one location, we observed during our interview with the building
security committee (BSC) that the committee members were confused about
procedures for screening visitors who are passengers in employees' cars
that enter the building via the parking garage. One of the tenants
recounted an incident in which a security guard directed the visitor to
walk through the garage to an appropriate screening station. According
to the GSA property manager, this action created a safety hazard. The
GSA property manager knew the appropriate screening procedure, but told
us there was no written policy on the procedure that members could
access. Additionally, BSC members told us that the committee met as
needed.
* At one location, FPS had received inaccurate square footage data from
GSA and had therefore overcharged the primary tenant agency for a guard
post that protected space shared by all the tenants. According to the
GSA property manager, once GSA was made aware of the problem, the
agency obtained updated information and worked with the tenant agencies
to develop a cost-sharing plan for the guard post, which made the
primary tenant agency's security expenses somewhat more equitable. BSC
members told us that the committee met regularly.
* At one location, members of a BSC told us that they met as needed,
although even when they hold meetings, one of the main tenant agencies
typically does not participate. GSA officials commented that this
tenant adheres to its agency's building security protocols and does not
necessarily follow GSA's tenant policies and procedures which GSA
thinks creates security risks for the entire building.
* At one location, tenant agency representatives and officials from FPS
told us they met regularly, but GSA officials told us they were not
invited to these meetings. GSA officials at this location told us that
they invite FPS to their property management meetings for that
location, but FPS does not attend. GSA officials also said they do not
receive timely incident information for the site from FPS and suggested
that increased communication among the agencies would help them be more
effective managers of their properties and provide tenants with better
customer service.
* At one location, GSA undertook a major renovation project beginning
in April 2007. FPS, GSA, and tenant agency representatives did not all
meet together regularly to make security preparations or manage
security operations during construction. FPS officials told us they had
not been invited to project meetings, although GSA officials told us
that they had invited FPS and that FPS attended some meetings. In May
2008, FPS discovered that specific surveillance equipment had been
removed. As of May 2009, FPS officials told us they did not know who
had removed the equipment and were working with tenant agency
representatives to recover it. However in June 2009, tenant agency
representatives told us that they believed FPS was fully aware that the
equipment had been removed in December 2007.[Footnote 66]
To improve information sharing and coordination at the building level,
FPS and GSA plan to implement ISC's facility security committee
standards at all multi-tenant and single-tenant buildings and campuses
after ISC issues them. FPS and GSA could leverage these standards to
establish consistent communications and designate the roles and
responsibilities of FPS, GSA, and tenant agencies. FPS and GSA have had
representation on the ISC working group that is developing the
standards. ISC intends to issue the standards in the first quarter of
fiscal year 2010, but it is unclear when FPS and GSA will implement
them.
GSA security officials also told us that FPS does not consistently or
comprehensively inform GSA of changes to services or provide GSA with
contingency plans when FPS deploys inspectors and other personnel to
provide law enforcement, security, and emergency response services for
special events in support of broader homeland security goals. For
example, GSA security officials cited some instances in which FPS
reduced its services during the 2009 Presidential Inauguration. They
noted, for example, that FPS inspectors did not attend BSC meetings and
said that FPS did not inform GSA of all service changes. FPS's response
to special events and critical incidents is governed by the FPS Interim
Critical Incident Response Plan issued by the Director in September
2007.[Footnote 67] This plan does not include procedures for notifying
GSA and tenant agencies of expected service changes, restrictions, and
modifications at the national, regional, and building levels. FPS
officials told us that FPS notified tenant agencies in the National
Capital Region of expected service changes, restrictions, and
modifications during the 2009 inauguration. Officials also said that,
when possible, inspectors personally contacted GSA building managers
and tenant agency representatives in the region. However, FPS personnel
were deployed from all regions in accordance with the critical incident
response plan and FPS officials did not tell us that regions other than
the National Capital Region were notified. Because GSA and tenant
agencies rely on FPS to provide critical law enforcement and security
services and tenant agencies pay for these services, we believe it is
important for FPS to notify these entities in advance of service
changes and provide for interim coverage.
FPS and GSA Disagree Over Sharing Information from the BSA:
While FPS and GSA acknowledge that the two organizations are partners
in protecting and securing GSA buildings, FPS and GSA fundamentally
disagree over how much of the information in the BSA should be shared.
Per the MOA, FPS is required to share the BSA executive summary with
GSA and FPS believes that this document contains sufficient information
for GSA to make decisions about purchasing and implementing FPS's
recommended countermeasures. However, GSA officials at all levels cited
limitations with the BSA executive summary saying, for example, that it
does not contain enough contextual information on threats and
vulnerabilities to support FPS's countermeasure recommendations and to
justify the expenses that GSA and tenant agencies would incur by
installing additional countermeasures. Moreover, GSA security officials
told us that FPS does not consistently share BSA executive summaries
across all regions. Instead, GSA wants to receive BSAs in their
entirety so that it can better protect its buildings and the tenants
who occupy them. The BSA executive summary includes:
* a brief description of the building;
* an overview of the risk assessment methodology;
* types of threats that the building is exposed to and their risk
ratings;
* countermeasure recommendations, estimated installation and recurring
costs; and:
* projected threat ratings after countermeasure implementation.
In contrast, a complete BSA includes:
* a detailed description of the physical features of the building and
its tenants;
* a list of interviewees and contact information;
* a profile of occupants and agency missions;
* recent losses, crimes, and security violations;
* previous security surveys, inspections, and related audits,
investigations, and studies;
* descriptions of adequate and inadequate existing countermeasures;
* descriptions of threats and risk ratings;
* descriptions of countermeasure recommendations, and estimated
installation and recurring costs; and:
* projected threat ratings after countermeasure implementation.
When FPS was housed within GSA and PBS, GSA security officials told us
that FPS shared BSAs in their entirety with GSA, but now at the
national level, GSA can request full BSAs from FPS, and FPS makes
determinations on a case-by-case basis by following and interpreting
DHS information sharing policies. However, GSA security officials told
us that the process for requesting BSAs is informal and that FPS has
not been responsive to these requests overall. Furthermore, considering
there are nearly 9,000 buildings in GSA's inventory, this may be an
inefficient approach to obtain key facility protection information. We
have found that information sharing and coordination are important at
the individual building level and that protecting federal buildings
requires building security managers to involve multiple organizations
to effectively coordinate and share information to prevent, detect, and
respond to terrorist attacks.[Footnote 68]
According to GSA, building protection functions are an integral part of
its property preservation, operation, and management responsibilities.
In 2000, when FPS was still a part of GSA, Congress considered removing
FPS from PBS. At that time, GSA opposed such action asserting that it
would divorce security from other federal building functions when
security considerations needed to be integrated into decisions about
the location, design, and operation of federal buildings. GSA was
concerned that separating FPS from PBS would create an organizational
barrier between protection experts and PBS asset managers, planners,
project managers, and building managers who set PBS budgets and
policies for the GSA inventory as a whole and oversaw day-to-day
operations in GSA buildings. However, Congress did not remove FPS from
PBS, and FPS remained within GSA and PBS until it was transferred to
DHS and ICE under the Homeland Security Act of 2002. Prior to the
creation of DHS, we expressed concern about separating security from
other real property portfolio functions, such as site location, design,
and construction for new federal buildings, because decisions on these
factors have implications for what types of security will be necessary
and effective.[Footnote 69] We concluded that if DHS was given the
responsibility for securing GSA facilities, the role of integrating
security with other real property functions would be an important
consideration, especially since GSA would still be the caretaker of
these buildings.
Under the Homeland Security Act of 2002, FPS was transferred to DHS and
retained responsibilities for law enforcement and related security
functions for GSA buildings and grounds. However, except for law
enforcement and related security functions transferred to DHS, under
the act, GSA retained all powers, functions, and authorities in law,
related to the operation, maintenance, and protection of its buildings
and grounds.[Footnote 70] As a result of the act, GSA and DHS both have
protection responsibilities for GSA-controlled buildings and grounds.
DHS and GSA developed an MOA to address roles, responsibilities, and
operational relationships between FPS and GSA concerning the security
of GSA-controlled space. Through this agreement, DHS and GSA determined
that FPS would continue to conduct BSAs for GSA. GSA security officials
told us that GSA staff at the national, regional, and building levels
need the information contained in the BSA to cost-effectively manage
their buildings to ensure that they are secure and that their
customers, or tenant agencies, are adequately protected. Because GSA
personnel do not receive the entire BSA, they must decide on the basis
of incomplete information how to use funds to implement countermeasures
and mitigate vulnerabilities. Furthermore, GSA property managers are
responsible for coordinating and maintaining emergency management
plans, such as evacuation and continuity of operations plans, and when
a safety or security incident arises at a GSA building, GSA assumes a
lead role in the incident command. Without complete risk information,
GSA is challenged to maintain appropriate situational awareness and
preparedness to protect buildings, especially during emergencies.
Although the Director of FPS recognizes that FPS and GSA have common
interests in protecting GSA buildings and the federal employees who
work in them, the Director has determined that GSA does not meet the
standards under which FPS shares BSAs and maintains that BSA executive
summaries provide GSA with sufficient information. FPS designates the
SBU information contained in BSAs as "law enforcement sensitive"
(LES)[Footnote 71] in accordance with DHS and ICE policies. FPS
considers the BSA to be an LES document because it incorporates all
aspects of a location's physical security into one document whose
release outside of the law enforcement arena could adversely impact the
conduct of law enforcement programs. According to FPS, the BSA can
include LES information such as:
* information, details, or criminal intelligence data indicating why a
threat is deemed credible;
* information and details relating to any ongoing criminal
investigations, law enforcement operations, or both; and:
* detailed analysis of why the lack or inadequacy of a countermeasure
creates an exploitable vulnerability.
According to FPS, LES information is safeguarded and determinations to
disseminate LES information are made in accordance with a DHS
information safeguarding management directive[Footnote 72] and an ICE
directive for safeguarding LES information.[Footnote 73] FPS maintains
that GSA does not need to know the LES information that is contained in
the BSA and that if the BSA is released to GSA, the risk of
unscrupulous or criminal use of the information would increase
significantly. According to FPS, the information contained in the BSA
is not critical to GSA's performance of its authorized, assigned
mission. FPS further maintains that GSA retains no legal responsibility
for the physical protection and law enforcement operations within GSA
buildings because the Homeland Security Act of 2002 transferred FPS's
law enforcement and related security functions from GSA to DHS and that
under the act it is responsible for protecting the buildings, grounds,
and property under GSA's control or custody.
We have reported on the importance of sharing terrorism-related
information that is critical to homeland security protection and have
identified a need for agencies to develop mechanisms that support this
information sharing.[Footnote 74] Other federal agencies have found
ways to share sensitive information with other entities. For example,
in response to a GAO recommendation,[Footnote 75] the Transportation
Security Administration established regulations that allow for sharing
sensitive security information with persons covered by the regulations
who have a need to know, including airport and aircraft operators,
foreign vessel owners, and Transportation Security Administration
employees.[Footnote 76] The ICE directive for safeguarding LES
information states that an information sharing and access agreement in
the form of a memorandum of understanding or agreement may formalize
LES information exchanges between DHS and an external entity. Moreover,
according to standard language in FPS's BSAs, a security clearance is
not required for access to LES information; a criminal history check
and a national fingerprint check--performed in accordance with Homeland
Security Presidential Directive 12 (HSPD-12)[Footnote 77] investigative
requirements--is required. According to GSA, it follows these
requirements. Moreover, GSA has an information safeguarding policy in
place to protect SBU building information which can include:
* the location and details of secure functions or space in a building
such as secure routes for prisoners and judges inside courthouses;
* the location and details of secure functions or secure space such as
security and fire alarm systems;
* the location and type of structural framing for the building
including any information regarding structural analysis, such as
counterterrorism methods used to protect the building and occupants;
and:
* risk assessments and information regarding security systems or
strategies of any kind.[Footnote 78]
In the 2006 MOA, FPS and GSA agreed that shared SBU information would
be handled in accordance with each agency's information safeguarding
policies. Furthermore, one of FPS's strategic goals is to foster
relationships to increase the proactive sharing of information and
intelligence. In its strategic plan, FPS states that it will use
efficient information sharing and information protection processes
based on mutually beneficial, trusted relationships to ensure the
implementation of effective, coordinated, and integrated infrastructure
protection programs and activities.[Footnote 79]
When we spoke with FPS and GSA officials in 2008, they thought the MOA
renegotiation could serve as a platform for determining what BSA
information should be shared. However, when we spoke with FPS and GSA
officials in 2009, they did not know when the MOA would be renegotiated
and FPS determined it would not change BSA sharing procedures during
the renegotiation. Therefore, GSA will continue to receive BSA
executive summaries and the individual BSAs that FPS approves for
sharing, but it will not have access to other BSA information that it
could use to make risk-based decisions to protect its buildings, the
federal employees who work in them, and visitors to these buildings.
In a post-September 11 era, it is crucial that federal agencies work
together to share information to advance homeland security and critical
infrastructure protection efforts. Information is a crucial tool in
fighting terrorism, and the timely dissemination of that information to
the appropriate government agency is absolutely critical to maintaining
the security of our nation. The ability to share security-related
information can unify the efforts of federal agencies in preventing or
minimizing terrorist attacks. However, in the absence of comprehensive
information-sharing plans, many aspects of homeland security
information sharing can be ineffective and fragmented. In 2005, we
designated information sharing for homeland security as a
governmentwide high-risk area because of the significant challenges
faced in this area[Footnote 80]--challenges that are still evident
today. It is critical that FPS and GSA--which both have protection
functions for GSA buildings, their occupants, and those who visit them-
-reach consensus on sharing information in a timely manner to support
homeland security and critical infrastructure protection efforts. GSA
raises strong arguments for having this information and FPS could do
more to resolve this situation.
FPS's and Other Law Enforcement Organizations' Communication Systems
Lack Interoperability:
FPS provides the law enforcement response for incidents at GSA
buildings, during which it may need to communicate with other first
responders. Additionally, DHS can call upon FPS to provide law
enforcement and security services at natural disasters or special
events such as political demonstrations, and FPS must then communicate
with other federal, state, and local first responders. For these
situations, having an interoperable communication system is desirable.
However, first responders continue to use various, and at times
incompatible, communications technologies, making it difficult to
communicate with neighboring jurisdictions or other first responders to
carry out the response. We noted during our review that FPS radios lack
interoperability, meaning they are unable to communicate with the
equipment used by other law enforcement agencies--federal, state, and
local. Delayed communications with area first responders during
emergencies could curtail the timeliness and effectiveness of FPS's law
enforcement services.
* FPS officials at one location told us that only new FPS vehicles have
had radio upgrades, some FPS personnel have new hand-held radios, and
other handheld radios have not been changed in 6 years. Changes in
radio technology can inhibit interoperability among first responders
who upgrade equipment as possible.
* FPS officials at one location told us that FPS can use the same radio
frequency as the local police department, but the two organizations'
radio systems are not fully interoperable because the police use a
digital system and FPS does not. Therefore, communication between these
entities can be limited.
* FPS officials at one location told us that federal and local law
enforcement agencies communicate with FPS via telephone or through the
area FPS MegaCenter,[Footnote 81] instead of directly through radios,
because the organizations' radio systems are not interoperable.
Therefore, communication among these entities can be limited.
* FPS officials at one location told us that FPS's handheld radios are
not interoperable with those of area federal and local law enforcement
personnel, because FPS does not use the same radio band spectrum other
federal law enforcement agencies use and instead uses its own ultra-
high-frequency band. As a result, communication among these entities is
limited.
* FPS officials at one location told us that their radios are not
interoperable with those of the local police department. Therefore,
communication between the two entities can be limited. FPS is exploring
whether it can connect to the police department through a local
interagency communications system.
FPS is developing a National Radio Program that includes a component
intended to make FPS's radios interoperable with those of other
federal, state, and local law enforcement organizations. FPS began
planning this initiative in 2008, was working to fill the program
manager position by the end of June 2009, and expects to achieve full
implementation by 2013. According to FPS officials, they have
established a branch under the FPS MegaCenter program specifically
dedicated to enhancing and supporting the National Radio Program.
Consistent with establishing this new branch, FPS officials said they
are working to fill contract positions in each region for radio
technicians to support the technical requirements associated with
mobile radios, portable radios, programming, and the radio network
infrastructure. According to FPS, they are working to contract for a
survey and design team to coordinate with FPS's regional offices, the
National Radio Program, and the MegaCenter program to standardize and
enhance the national radio infrastructure.
According to FPS officials, the enhancements to FPS's communications
will provide solutions for newer technologies and will meet national
communications standards and DHS standards for advanced encryption. FPS
officials said they are beginning an internal evaluation of FPS's
existing communications capabilities, which should allow future
enhancement efforts to be prioritized as part of an overall effort to
enhance national radio coverage. FPS officials said they are working to
procure, program, and issue more than 2,900 new radios that conform to
new equipment standards and will eventually phase out older equipment
used by FPS officers and guards. FPS officials said that all future
radios issued will conform to updated standards to promote uniformity
and enhanced support capabilities. While FPS officials think
interoperability will be improved under this initiative, they cautioned
that their law enforcement counterparts' communication equipment must
meet DHS's advanced encryption standard which can be a challenge for
state and local partners.
Conclusions:
FPS has a number of improvements planned or in development that, if
fully incorporative of the key practices, will provide greater
assurance that FPS is effectively protecting GSA buildings and
maximizing security investment dollars. The key practices we examined
vis-à-vis FPS--allocating resources using risk management, leveraging
technology, and information sharing and coordination--are critical
components to an effective and efficient physical security program.
However, FPS's application of these practices had limitations and as a
result, there is a lack of assurance that federal buildings under the
control and custody of GSA, the employees who work in them, and
visitors to them are being adequately protected. Related to allocating
resources using risk management, FPS's assessment of risks at buildings
is a critical responsibility considering the results lay the foundation
by which GSA and tenants make resource allocation decisions. However,
FPS's current risk assessment process is inadequate and its efforts to
improve it through the development of RAMP have been delayed. Related
to leveraging technology, planned improvements to the way inspectors
acquire security equipment through the National Countermeasures Program
have also experienced delays and knowing the cost implications of
different alternatives is the foundation of this key practice, although
FPS is not directly addressing this critical element. Continued delays
in the implementation of improvements in these critical areas--risk
management and leveraging technology--are of concern and deserving of
greater attention by DHS management. Furthermore, related to
information sharing and coordination, FPS's communications with GSA and
tenants could benefit from more clearly defined parameters for
consistency, frequency, and content, and issues related to
interoperability with other law enforcement agencies surfaced as a
concern that FPS is trying to address. Without a greater focus on the
key practices, FPS will be ill-equipped to sufficiently manage security
at GSA buildings, and assist with broader homeland security efforts as
the security landscape changes and new threats emerge.
Recommendations for Executive Action:
We are making three recommendations to the Secretary of Homeland
Security aimed at moving FPS toward greater use of the key practices we
assessed. Specifically, we recommend that the Secretary instruct the
Director of FPS, in consultation, where appropriate, with other parts
of DHS, GSA, and tenant agencies to take the following three actions:
1. Provide the Secretary with regular updates, on a mutually agreed-to
schedule, on the status of RAMP and the National Countermeasures
Program, including the implementation status of deliverables, clear
timelines for completion of tasks and milestones, and plans for
addressing any implementation obstacles.
2. In conjunction with the National Countermeasures Program, develop a
methodology and guidance for assessing and comparing the cost-
effectiveness of technology alternatives.
3. Reach consensus with GSA on what information contained in the BSA is
needed for GSA to fulfill its responsibilities related to the
protection of federal buildings and occupants, and accordingly,
establish internal controls to ensure that shared information is
adequately safeguarded; guidance for employees to use in deciding what
information to protect with SBU designations; provisions for training
on making designations, controlling, and sharing such information with
GSA and other entities; and a review process to evaluate how well this
information sharing process is working, with results reported to the
Secretary regularly on a mutually agreed-to schedule.
Agency Comments and Our Evaluation:
We provided a draft of the sensitive but unclassified report to DHS and
GSA for review and comment. DHS agreed with our assessment that greater
attention to key practices would improve FPS's approach to facility
protection and agreed with the report's recommendations. Furthermore,
DHS stated that FPS will continue to work with key stakeholders to
address other security issues that were cited in our report, for which
specific recommendations were not made. With respect to the first
recommendation--to provide the Secretary of Homeland Security with
regular updates on the status of RAMP and the National Countermeasures
Program--DHS stated that FPS will submit a consolidated monthly report
to the Secretary.
Although DHS agreed with our second and third recommendations, we are
concerned that the steps it described are not comprehensive enough to
address the intent of the recommendations. For the second
recommendation--to develop a methodology and guidance for assessing and
comparing the cost-effectiveness of technology alternatives--DHS
commented that such efforts will be a part of FPS's development of RAMP
and that future phases of RAMP will include the ability to evaluate
countermeasure alternatives based on cost and the ability to mitigate
identified risks. However, RAMP has experienced delays and it is
unclear when this future component of RAMP will be developed and
implemented. Moreover, as we reported, FPS inspectors have considerable
latitude in determining which technologies and other countermeasures to
recommend, but receive little guidance to help them assess the cost-
effectiveness of these technologies. Until the cost-analysis component
of RAMP is implemented, it will be important for inspectors to have
guidance they can use to make cost-effective countermeasure
recommendations so that GSA and tenant agencies can be assured that
their investments in FPS-recommended technologies and other
countermeasures are cost-effective, consistent across buildings, and
the best available alternatives.
Regarding the third recommendation--to reach consensus with GSA on what
information contained in the BSA is needed for GSA to fulfill its
protection responsibilities and to establish information sharing and
safeguarding procedures--DHS responded that FPS is developing a
facility security assessment template as a part of RAMP to produce
reports that can be shared with GSA and other agencies. However, DHS
did not explicitly commit to reaching consensus with GSA in identifying
building security information that can be shared, or to the steps we
outlined in our recommendation--steps that in our view comprise a
comprehensive plan for sharing and safeguarding sensitive information.
As we reported, FPS and GSA fundamentally disagree over what BSA
information should be shared and FPS has decided not to discuss this
matter with GSA as part of the MOA renegotiation. Furthermore, RAMP
continues to experience delays and it is unclear when it will produce
facility security assessments than can be shared with GSA. Therefore,
it is important that FPS engage GSA in identifying what building
security information can be shared and follow the information sharing
and safeguarding steps we included in our recommendation to ensure that
GSA acquires the information it needs to protect the 9,000 buildings
under its control and custody, the federal employees who work in them,
and those who visit them.
GSA agreed with our findings concerning the challenges that FPS faces
in delivering security services for GSA buildings. GSA indicated that
it will continue to work closely with FPS to ensure the protection of
GSA buildings, their tenants, and visitors to these buildings. GSA
stated that it will work with FPS to address our recommendation that
the two agencies reach a consensus on the sharing and safeguarding of
information contained in BSAs. DHS also provided technical comments,
which we incorporated where appropriate. DHS's comments can be found in
appendix II and GSA's comments can be found in appendix III.
As agreed with your office, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the report date. At that time, we will send copies of this report
to the Secretary of Homeland Security, the Acting Administrator of
General Services, appropriate congressional committees, and other
interested parties. In addition, the report will be available at no
charge on GAO's Web site at [hyperlink, http://www.gao.gov].
If you have any questions about this report, please contact me at (202)
512-2834 or goldsteinm@gao.gov. Contact points for our Offices of
Congressional Relations and Public Affairs may be found on the last
page of this report. GAO staff who made major contributions to this
report are listed in appendix IV.
Sincerely yours,
Signed by:
Mark L. Goldstein:
Director, Physical Infrastructure Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
The objective of this report was to determine whether the Federal
Protective Service's (FPS) approach to security for buildings under the
control and custody of the General Services Administration (GSA)
reflects key facility protection practices. Through previous work, we
identified a set of key practices from the collective practices of
federal agencies and private sector entities that can provide a
framework for guiding agencies' protection efforts and addressing
challenges.[Footnote 82] These key practices form the foundation of a
comprehensive approach to building protection. We used our key facility
protection practices as criteria to evaluate the steps that FPS has
taken. We used the following key practices as criteria: allocating
resources using risk management; leveraging technology; and information
sharing and coordination. For the purposes of this review, we did not
consider three other key practices for varying reasons: performance
measurement and testing, because we reported on the limitations FPS
faces in assessing its performance in 2008; aligning assets to mission,
because GSA, not FPS, controls the asset inventory; and strategic
management of human capital, because we are currently reviewing FPS's
management of human capital.
To examine FPS's application of key practices at the building level, we
selected five sites, basing our selection on factors that included
geographical diversity, high occupancy, the building's designated
security level, other potential security considerations such as new or
planned building construction, and recent and ongoing work. Selected
sites included three multi-tenant level IV buildings,[Footnote 83] one
single-tenant level IV campus, and one single-tenant level III campus.
[Footnote 84]
Collectively, the sites we selected illustrate the range of building
protection practices applied by FPS. At each site, we interviewed FPS,
GSA, and tenant agency officials with primary responsibility for
security implementation, operation, and management. We toured each site
and observed the physical environment, the buildings, and the principal
security elements to gain firsthand knowledge of the building
protection practices. We collected documents, when available, that
contained site-specific information on security risks, threats,
budgets, and staffing for analysis. Because we observed FPS's efforts
to protect GSA buildings at a limited number of sites, our observations
cannot be generalized to all the buildings that FPS is responsible for
securing. To supplement these site visits, we interviewed FPS and GSA
security officials from the four regions where we had visited
buildings--regions 2, 4, 7, and 11. We also interviewed FPS and GSA
security officials at the national level and collected supporting
documentation on security plans, policies, procedures, budgets, and
staffing for analysis. For example, we reviewed the 2006 Memorandum of
Agreement between the Department of Homeland Security (DHS) and GSA
that sets forth the security responsibilities of FPS and GSA at federal
buildings. We also interviewed the executive director of the
Interagency Security Committee (ISC), and we analyzed ISC's Facility
Security Level Determinations for Federal Facilities, Security Design
Criteria for new Federal Office Buildings and Major Modernization
Projects, and Security Standards for Leased Space. We also analyzed the
facility security level standards and minimum security requirements set
forth by the Department of Justice's (DOJ) DOJ Vulnerability Assessment
of Federal Facilities.[Footnote 85] We analyzed FPS planning documents,
including FPS's 2008-2011 Strategic Plan and the Risk Assessment and
Management Program Concept of Operations. We analyzed laws that
described FPS and GSA's protection authorities including the Homeland
Security Act of 2002, and Title 40 of the United States Code. We also
analyzed laws and internal documents that govern FPS's information
safeguarding practices including DHS Management Directive 11042.1,
Safeguarding Sensitive But Unclassified Information and ICE Directive
73003.1, Safeguarding Law Enforcement Sensitive Information.
We conducted this performance audit from January 2008 to September 2009
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objective.
[End of section]
Appendix II: Comments from the Department of Homeland Security:
US. Department of Homeland Security:
Washington, DC 20528:
October 16, 2009:
Mr. Mark L. Goldstein:
Director:
Physical Infrastructure Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Goldstein:
Re: Draft Report GAO-10-142, Homeland Security: Greater Attention to
Key Practices Would Improve the Federal Protective Service's Approach
to Facility Protection (GAO Job Code 543249/543230):
The Department of Homeland Security (Department) appreciates the
opportunity to review and comment on the U.S. Government Accountability
Office's (GAO's) draft report referenced above. The Department,
particularly U.S. Immigration and Customs Enforcement under which the
Federal Protective Service (FPS) currently is located, agrees with the
recommendations.
GAO makes three recommendations to the Secretary aimed at moving FPS
toward greater use of assessed key practices, specifically recommending
that the Director of FPS take the following actions:
Recommendation l: Provide the Secretary with regular updates, on a
mutually agreed-to schedule, on the status of the Risk Assessment and
Management Program (RAMP) and the National Countermeasures Program,
including the implementation status of deliverables, clear timelines
for completion of tasks and milestones, and plans for addressing any
implementation obstacles.
Response: The Director of the FPS will submit a consolidated monthly
report to the Secretary via the ICE Assistant Secretary. FPS will also
continue to coordinate the methodological aspects of RAMP with the
Office of Risk Management and Analysis in the National Protection and
Programs Directorate, Finally, it should be noted that FPS has briefed
RAMP to the National Academy of Sciences panel that is currently
examining the use of risk assessments throughout the Department.
Recommendation 2: In conjunction with the National Countermeasures
Program, develop a methodology and guidance for assessing and comparing
the cost-effectiveness of technology alternatives.
Response: Through the development of RAMP and the National
Countermeasures Program, FPS is incorporating information on the
various countermeasure systems, types, and elements that can be
employed to mitigate risk for Federal facilities. This includes
estimated cost information. Future phases of RAMP will include the
ability to specifically evaluate countermeasure alternatives based on
cost and their ability to mitigate identified risks for federal
facilities. Also, the information included in RAMP for recommended and
implemented countermeasures will provide FPS with a comprehensive
system to assess the estimated and actual costs to install, operate,
maintain, test, and replace the countermeasures it utilizes This will
serve to continually improve and update the financial information used
for cost-benefit analyses.
Recommendation 3: Reach consensus with the General Services
Administration (GSA) on what information contained in the building
security assessments (BSA) is needed for GSA to fulfill its
responsibilities related to the protection of federal buildings and
occupants, and accordingly, establish internal controls to ensure that
shared information is adequately safeguarded; guidance for employees to
use in deciding what information to protect with Sensitive But
Unclassified (SBU) designations; provisions for training on making
designations, controlling, and sharing such information with GSA and
other entities; and a review process to evaluate how well this
information sharing process is working, with results reported to the
Secretary regularly on a mutually agreed-to schedule.
Response: In developing the Facility Security Assessment (previously
referred to as the BSA) template that will be used by RAMP, FPS has
given specific attention to the breadth of information that is required
for GSA and tenant agencies to understand the risks faced by their
facilities and the countermeasures being recommended by FPS. In
addition to more detailed information on these items, FPS also will
provide additional explanations of the processes it uses to assess risk
and identify appropriate countermeasures. FPS has worked with many
agencies to ensure appropriate information sharing and is committed to
providing information to its stakeholders. With the revised version of
the Facility Security Assessment report, FPS should be able to provide
more details to support a comprehensive understanding of the
recommendations it puts forward.
Additionally, ICE officials recognize that the draft GAO report
identifies a number of other serious and substantive issues that impact
FPS's ability to mitigate risk for federal facilities and their
occupants. Chief among these is the distributed nature of the decision-
making and funding process for implementing appropriate physical
security countermeasures at federal facilities. While the report's
recommendations focus on FPS risk assessment and countermeasures
methodologies and information sharing, these other issues deserve
attention and a path toward resolution. FPS will continue to work with
key stakeholders to provide appropriate security solutions, including
resolving those situations where, as noted in the report, FPS-
recommended security solutions were not implemented.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III: Comments from the General Services Administration:
GSA Public Buildings Service:
U.S. General Services Administration:
1800 F Street, NW:
Washington, DC 20405-0002:
[hyperlink, http://www.gsa.gov]
Mark L. Goldstein:
Director, Physical Infrastructure Issues:
Government Accountability Office:
Washington, DC 20548:
Dear Mr. Goldstein:
The General Services Administration (GSA) appreciates this opportunity
to submit agency comments on the Government Accountability Office (GAO)
draft report, "Greater Attention to Key Practices Would improve the
Federal Protective Service's Approach to Facility Protection," GAO-09-
644SU (Draft Report). We agree with the draft report's findings
concerning the challenges the Federal Protective Service (FPS) faces in
the delivery of security services in GSA owned and leased buildings.
We will continue to work closely with the FPS to ensure the protection
of the GSA portfolio, Federal tenants and visitors. In conjunction with
FPS we will address GAO's recommendation that FPS and GSA reach a
consensus on the sharing and safeguarding of information contained
within Building Security Assessments.
If you have any questions or concerns, please contact me at (202) 501-
1100.
Sincerely,
Signed by:
Anthony E. Costa:
Acting Commissioner:
Enclosure:
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact:
Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov:
Staff Acknowledgments:
In addition to the contact named above, David Sausville, Assistant
Director; Denise McCabe, Analyst-in-Charge; Anne Dilger; Elizabeth
Eisenstadt; Brandon Haller; Robin Nye; Susan Michal-Smith; and Adam Yu
made key contributions to this report.
[End of section]
Footnotes:
[1] Following the Oklahoma City bombing, Executive Order 12977 called
for the creation of an interagency security committee to address the
quality and effectiveness of physical security requirements for federal
facilities by developing and evaluating security standards. ISC has
representation from all major federal departments and agencies. In
2003, the Chair of the ISC moved from GSA to DHS.
[2] 6 U.S.C. § 203.
[3] 6 U.S.C. § 232.
[4] According to the DHS budget for fiscal year 2010, FPS is to be
transferred from ICE to NPPD because FPS's responsibilities are outside
the scope of ICE's immigration and customs enforcement mission and are
better aligned to NPPD.
[5] GAO, Homeland Security: Further Actions Needed to Coordinate
Federal Agencies' Facility Protection Efforts and Promote Key
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49]
(Washington, D.C.: Nov. 30, 2004).
[6] We have used these key practices as criteria to evaluate how
entities such as DHS and the Smithsonian Institution secure their
assets. GAO, Federal Real Property: DHS Has Made Progress, but
Additional Actions Are Needed to Address Real Property Management and
Security Challenges, [hyperlink,
http://www.gao.gov/products/GAO-07-658] (Washington, D.C.: June 22,
2007). GAO, Smithsonian Institution: Funding Challenges Affect
Facilities' Conditions and Security, Endangering Collections,
[hyperlink,
http://www.gao.gov/products/GAO-07-1127] (Washington, D.C.: Sept. 28,
2007).
[7] For the purposes of this review, we did not include key practices
related to (1) performance measurement and testing, because we reported
on the limitations FPS faces in assessing its performance in GAO,
Homeland Security: The Federal Protective Service Faces Several
Challenges That Hamper Its Ability to Protect Federal Facilities,
[hyperlink, http://www.gao.gov/products/GAO-08-683] (Washington, D.C.:
June 11, 2008); (2) aligning assets to mission because GSA, not FPS,
controls the asset inventory; and (3) strategic management of human
capital because we are reviewing FPS's management of human capital in a
separate engagement. Appendix I explains our methodology in detail.
[8] At the time of our review, FPS evaluated the security level of
GSA's facilities using Department of Justice (DOJ) standards that
categorized facilities from level I (low risk) to level V (high risk).
[9] At the time of our review, a level IV facility had more than 450
federal employees; more than 150,000 square feet; a high volume of
public contact; and tenant agencies that could include high-risk law
enforcement and intelligence agencies, courts, judicial offices, and
highly sensitive government records.
[10] According to ISC facility security level determinations standards,
a campus consists of two or more federal facilities located contiguous
to one another and typically sharing some aspects of the environment--
such as parking, courtyards, private vehicle access roads or gates, or
entrances to connected facilities.
[11] At the time of our review, a level III facility had between 151
and 450 federal employees, 80,000 to 150,000 square feet, and a
moderate to high volume of public contact.
[12] 6 U.S.C. § 232 and 40 U.S.C. § 1315. In addition to GSA
facilities, the Homeland Security Act of 2002 also provides FPS with
the authority to protect the buildings, grounds, and property of other
agencies whose functions were transferred to DHS.
[13] FPS inspectors are also referred to as Law Enforcement Security
Officers. As of April 2009, FPS had 1,236 employees, of whom 694--or 56
percent--were inspectors.
[14] "Patrol" refers to movement within an area for the purpose of
observation or surveillance to prevent or detect criminal violations,
maintain security, and be available to provide service and assistance
to the public.
[15] According to FPS officials, there is no official policy on the
number of buildings assigned to each inspector. The number of buildings
is entirely dependent on the buildings' geographic dispersion and risk
levels.
[16] In accordance with the 2006 MOA between DHS and GSA, FPS is
supposed to conduct security assessments--or "prelease assessments"--
for proposed buildings that are generally greater than 10,000 square
feet. As part of the assessment process, FPS is supposed to inspect the
building, identify vulnerabilities, and recommend security
countermeasures.
[17] FPS is responsible for overseeing about 15,000 contract guards
that provide security services at GSA buildings. FPS inspectors are
responsible for conducting contract guard inspections to ensure that
guards are in compliance with contract requirements; have up-to-date
certifications for required training, including firearms or cardio
pulmonary resuscitation training; and are completing assigned duties.
[18] U.S. Department of Justice, Vulnerability Assessment of Federal
Facilities, (Washington, D.C., June 28, 1995).
[19] A BSA is a type of security evaluation conducted by FPS to
determine how susceptible a facility is to various forms of threats or
attacks. BSAs include countermeasure recommendations to mitigate
threats and reduce vulnerabilities.
[20] On March 10, 2008, ISC issued new standards for determining the
security level of federal facilities, which supersede the standards
developed in the DOJ's 1995 vulnerability assessment. FPS is currently
reassessing building security levels using the updated standards. These
standards also change the BSA schedule such that level III, IV, and V
buildings will be assessed at least every 3 years, and level I and II
buildings will be assessed at least every 5 years. ISC plans to issue
updated minimum security countermeasure standards during fiscal year
2009, which FPS intends to implement.
[21] FPS makes two types of countermeasure recommendations: (1)
"mandatory" countermeasures are those required to address high risks
and ISC minimum security or other nationally recognized security
standards or protocols and (2) "optional" countermeasures are those
that address moderate or low risks or areas for which minimum ISC
standards or other nationally recognized security standards or
protocols may not exist.
[22] "Security equipment" refers to security items that are easily
removable from the building, such as X-ray machines, magnetometers,
closed-circuit television systems and cameras, and intrusion and duress
alarm systems.
[23] "Security fixtures" are physical security countermeasures that are
part of the building, or are attached to and not easily removable from
the building. Examples include vehicle barriers such as bollards,
gates, pop-up and arm gates; doors, locks, and card readers at building
entrances that serve solely as a locking mechanism; parking lot fencing
and gates; guard booths; and blast-resistant windows.
[24] GSA funds "mandatory" security fixture recommendations and tenant
agencies fund "optional" security fixture recommendations through
reimbursable work authorizations with GSA.
[25] Issued in 2003, HSPD-7 identified 17 critical infrastructure
sectors, which include assets, systems, networks, and functions that
provide vital services to the nation. In March 2008, an 18th sector was
established--Critical Manufacturing. One of the 18 sectors is the
Government Facilities sector which includes a wide variety of
facilities owned or leased by federal, state, local, and tribal
governments, located domestically and oversees. HSPD-7 designated DHS
as the Government Facilities sector-specific agency, and DHS in turn
assigned this responsibility to FPS.
[26] GAO, Homeland Security: Transformation Strategy Needed to Address
Challenges Facing the Federal Protective Service, [hyperlink,
http://www.gao.gov/products/GAO-04-537] (Washington, D.C.: July 14,
2004).
[27] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[28] 6 U.S.C. § 232.
[29] GAO, Homeland Security: Actions Needed to Better Protect National
Icons and Federal Office Buildings from Terrorism, [hyperlink,
http://www.gao.gov/products/GAO-05-790] (Washington, D.C.: June 24,
2005). In 2005, GAO recommended that GSA establish a mechanism that
could serve as a liaison between FPS and tenant agencies, work to
address the challenges GSA faces related to security in its buildings,
and enable GSA to define its overall role in security following the
transfer of FPS to DHS.
[30] PBS, a component within GSA, acquires space on behalf of the
federal government through new construction and leasing, and acts as a
caretaker for federal properties across the country. PBS is funded
primarily through the Federal Buildings Fund, which is supported by
rent from federal customer agencies.
[31] ISC includes representation from the Departments (listed in order
of presidential succession) of State, Treasury, Defense, Justice,
Interior, Agriculture, Commerce, Labor, Health and Human Services,
Housing and Urban Development, Transportation, Energy, Education,
Homeland Security, and Veterans Affairs; GSA; the Environmental
Protection Agency; the Central Intelligence Agency; and the Office of
Management and Budget. Other members of ISC include the Director, U.S.
Marshals Service; the Director, Security Policy Board; and the
Assistant to the President for National Security Affairs. As a member
of ISC, the Department of Defense participates in meetings to ensure
that its physical security policies are consistent with ISC security
standards and policy guidance, according to the Executive Director of
ISC.
[32] Executive Order 13286, dated February 28, 2003, amended numerous
executive orders to reflect the transfer of certain functions and
responsibilities to the Secretary of Homeland Security. Section 23 of
the Executive Order transferred the ISC chair responsibility from GSA
to DHS.
[33] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[34] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[35] [hyperlink, http://www.gao.gov/products/GAO-07-1127].
[36] GAO, National Mall: Steps Identified by Stakeholders Facilitate
Design and Approval of Security Enhancements, [hyperlink,
http://www.gao.gov/products/GAO-05-518] (Washington, D.C.: June 14,
2005).
[37] [hyperlink, http://www.gao.gov/products/GAO-07-658].
[38] ISC, Use of Physical Security Performance Measures, (Washington,
D.C., June 16, 2009).
[39] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[40] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[41] The NIPP was founded through HSPD-7 and sets forth national policy
on how the plan's risk management framework and sector partnership
model are to be implemented by sector-specific agencies. FPS is the
agency responsible for the Government Facilities sector.
[42] [hyperlink, http://www.gao.gov/products/GAO-07-658].
[43] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[44] In June 2009, FPS officials told us that tenant agency
representatives received the BSA executive summary in October 2008 from
FPS and that they would provide the BSA executive summary to the GSA
property manager for the campus.
[45] The original objective of RAMPART was to implement a risk
assessment methodology in software and create a user interface that
allowed GSA employees without risk assessment backgrounds to perform
and interpret a risk assessment for real property and begin to mitigate
risk.
[46] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[47] In accordance with FPS's BSA Policy Document (FPS-07-004), some
federal agencies with law enforcement or security missions have the
personnel and the resources to conduct risk assessments of their own
facilities and may not want FPS to conduct a BSA. In these instances, a
BSA waiver is completed and signed by the agencies and FPS.
[48] Under RAMP, FPS will use the term, "Facility Security Assessment"
instead of BSA.
[49] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[50] ISC, Facility Security Level Determinations for Federal
Facilities, an Interagency Security Committee Standard, (Washington,
D.C., Mar. 10, 2008).
[51] ISC officials told us they expect to issue updated standards for
physical security countermeasures--which support the updated standards
for facility security levels--by the end of fiscal year 2009.
[52] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[53] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[54] GSA acquires security fixtures through its Federal Acquisition
Service, which procures goods and services for the federal government.
[55] According to FPS officials, the design and methodology for its new
"Physical Security Refresher Training Program" has been completed and
training is scheduled to begin in January 2010.
[56] According to its Web site, ASIS International--an organization
that reports having more than 36,000 security industry members--is the
preeminent international organization for professionals responsible for
security, including managers and directors of security.
[57] Other relevant ISC standards include: (1) ISC Security Design
Criteria for new Federal Office Buildings and Major Modernization
Projects and (2) Security Standards for Leased Space.
[58] GSA Schedule 84 provides agencies with access to a range of
established security services and product contracts.
[59] The Science and Technology Directorate is DHS's primary research
and development arm. Its mission is to provide federal, state, and
local officials with the technology and capabilities to protect the
homeland.
[60] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[61] [hyperlink, http://www.gao.gov/products/GAO-05-49].
[62] GAO, High-Risk Series: An Update, [hyperlink,
http://www.gao.gov/products/GAO-05-207] (Washington, D.C.: Jan. 1,
2005).
[63] FPS Strategic Plan: Secure Facilities, Safe Occupants, Fiscal
Years 2008 to 2011.
[64] Once FPS implements ISC's updated facility security level
standards, BSAs will be conducted at least every 3 or 5 years depending
on the security level.
[65] GAO, Information Sharing: Practices That Can Benefit Critical
Infrastructure Protection, [hyperlink,
http://www.gao.gov/products/GAO-02-24] (Washington, D.C.: Oct. 15,
2001).
[66] In June 2009, tenant agency representatives told us that at all
times, they had been aware of the location of the equipment and assured
proper safeguarding of the equipment during the reconstruction process.
[67] In May 2009, FPS officials told us that FPS's Policy Review
Committee and Management-Union Working Group were reviewing the FPS
Interim Critical Incident Response Plan and making recommendations
regarding a proposed Crisis Response Team Policy.
[68] GAO, National Preparedness: Technologies to Secure Federal
Buildings, [hyperlink, http://www.gao.gov/products/GAO-02-687T]
(Washington, D.C.: Apr. 25, 2002).
[69] GAO, Building Security: Security Responsibilities for Federally
Owned and Leased Facilities, [hyperlink,
http://www.gao.gov/products/GAO-03-8] (Washington, D.C.: Oct. 31,
2002).
[70] 6 USC § 203; see also 6 USC § 232.
[71] According ICE policy, LES information is a type of SBU information
that is compiled for law enforcement purposes, the unauthorized
disclosure of which could adversely impact the conduct of law
enforcement programs or the privacy or welfare of involved persons.
[72] DHS Management Directive 11042.1, Safeguarding Sensitive But
Unclassified Information.
[73] ICE Directive 73003.1, Safeguarding Law Enforcement Sensitive
Information.
[74] [hyperlink, http://www.gao.gov/products/GAO-05-207].
[75] GAO, Transportation Security Administration: Clear Policies and
Oversight Needed for Designation of Sensitive Security Information,
[hyperlink, http://www.gao.gov/products/GAO-05-677] (Washington, D.C.:
June 29, 2005).
[76] GAO, Transportation Security Administration's Processes for
Designating and Releasing Sensitive Security Information, [hyperlink,
http://www.gao.gov/products/GAO-08-232R] (Washington, D.C.: Nov. 30,
2007).
[77] HSPD-12 is the policy for a common identification standard for
federal employees and contractors. Its purpose is to enhance security,
increase government efficiency, reduce identity fraud, and protect
personal privacy by establishing a mandatory, government-wide standard
for secure and reliable forms of identification issued by the federal
government to its employees and contractors.
[78] PBS 3490.1A Document Security for Sensitive But Unclassified
Building Information (June 1, 2009). This document canceled PBS 3490.1
Document Security for Sensitive But Unclassified Paper and Electronic
Building Information (Mar. 8, 2002).
[79] FPS Strategic Plan, Secure Facilities, Safe Occupants, Fiscal
Years 2008 to 2011.
[80] [hyperlink, http://www.gao.gov/products/GAO-05-207].
[81] FPS MegaCenters provide three primary security services--alarm
monitoring, radio monitoring, and dispatching of FPS and contract
guards.
[82] GAO, Homeland Security: Further Actions Needed to Coordinate
Federal Agencies' Facility Protection Efforts and Promote Key
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49]
(Washington D.C., Nov. 30, 2004).
[83] At the time of our review, a level IV facility had over 450
federal employees; more than 150,000 square feet; a high volume of
public contact; and tenant agencies that could include high-risk law
enforcement and intelligence agencies, courts, judicial offices, and
highly sensitive government records.
[84] At the time of our review, a level III facility had between 151
and 450 federal employees, more than 80,000 to 150,000 square feet and
a moderate to high volume of public contact.
[85] The U.S. Department of Justice, DOJ Vulnerability Assessment of
Federal Facilities (Washington, D.C.: June 28, 1995).
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548:
