Homeland Security
Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities
Gao ID: GAO-10-901 August 5, 2010
To accomplish its mission of protecting about 9,000 federal facilities, the Federal Protective Service (FPS) currently has a budget of about $1 billion, about 1,225 full-time employees, and about 15,000 contract security guards. However, protecting federal facilities and their occupants from a potential terrorist attack or other acts of violence remains a daunting challenge for the Department of Homeland Security's (DHS) Federal Protective Service. GAO has issued numerous reports on FPS's efforts to protect the General Services Administration's (GSA) facilities. This report (1) recaps the major challenges we reported that FPS faces in protecting federal facilities and discusses FPS's efforts to address them and (2) identifies an additional challenge that FPS faces related to the facility security committees (FSC), which are responsible for addressing security issues at federal facilities. This report is based primarily on our previous work and recent FPS interviews.
Since 2007, we have reported that FPS faces significant challenges with protecting federal facilities, and in response FPS has recently started to take steps to address some of them. In 2008, we reported that FPS does not use a risk management approach that links threats and vulnerabilities to resource requirements. Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS's security goals, there is limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner. FPS recently began implementing a new system referred to as the Risk Assessment Management Program (RAMP). This system is designed to be a central database for capturing and managing facility security information, including the risks posed to federal facilities and the countermeasures that are in place to mitigate risk. FPS expects that RAMP will enhance its approach to assessing risk, managing human capital, and measuring performance. Our July 2009 report on FPS's contract guard program also identified a number of challenges that the agency faces in managing its contract guard program, including ensuring that the 15,000 guards that are responsible for helping to protect federal facilities have the required training and certification to be deployed at a federal facility. In response to our report, FPS took a number of immediate actions with respect to contract guard management. For example, FPS has increased the number of guard inspections it conducts at federal facilities in some metropolitan areas and revised its guard training. We have not reviewed whether these actions are sufficient to fulfill our recommendations. Another area of continuing concern is that FPS continues to operate without a human capital plan and does not have an accurate estimate of its current and future workforce needs. In our July 2009 report, we recommended that FPS develop a human capital plan to guide its current and future workforce planning efforts. While FPS agreed with this recommendation, it has not yet fully developed or implemented a human capital plan. As we reported in 2009, FPS's ability to protect GSA facilities is further complicated by the FSC structure. Each FSC includes FPS, GSA, and a tenant agency representative and is responsible for addressing security issues at its respective facility and approving the funding and implementation of security countermeasures recommended by FPS. However, there are several weaknesses with the FSC. First, FSCs have operated since 1995 without procedures that outline how they should operate or make decisions, or that establish accountability. Second, the tenant agency representatives to the FSC generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. Third, many of the FSC tenant agency representatives also do not have the authority to commit their respective organizations to fund security countermeasures. No actions have been taken on these issues since our 2009 report, and thus these weaknesses continue to result in ad hoc security and increased risk at some federal facilities. GAO recommends that the Secretary of DHS direct the Director of FPS to work in consultation with other representatives of the FSC to develop and implement procedures that, among other things, outline the committees' organization structure, operations, and accountability. DHS concurred with GAO's recommendation.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Mark L. Goldstein
Team:
Government Accountability Office: Physical Infrastructure
Phone:
No phone on record
GAO-10-901, Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities
This is the accessible text file for GAO report number GAO-10-901
entitled 'Homeland Security: Addressing Weaknesses with Facility
Security Committees Would Enhance Protection of Federal Facilities'
which was released on August 5, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
August 2010:
Homeland Security:
Addressing Weaknesses with Facility Security Committees Would Enhance
Protection of Federal Facilities:
GAO-10-901:
GAO Highlights:
Highlights of GAO-10-901, a report to congressional requesters.
Why GAO Did This Study:
To accomplish its mission of protecting about 9,000 federal
facilities, the Federal Protective Service (FPS) currently has a
budget of about $1 billion, about 1,225 full-time employees, and about
15,000 contract security guards. However, protecting federal
facilities and their occupants from a potential terrorist attack or
other acts of violence remains a daunting challenge for the Department
of Homeland Security‘s (DHS) Federal Protective Service.
GAO has issued numerous reports on FPS‘s efforts to protect the
General Services Administration‘s (GSA) facilities. This report (1)
recaps the major challenges we reported that FPS faces in protecting
federal facilities and discusses FPS‘s efforts to address them and (2)
identifies an additional challenge that FPS faces related to the
facility security committees (FSC), which are responsible for
addressing security issues at federal facilities. This report is based
primarily on our previous work and recent FPS interviews.
What GAO Found:
Since 2007, we have reported that FPS faces significant challenges
with protecting federal facilities, and in response FPS has recently
started to take steps to address some of them. In 2008, we reported
that FPS does not use a risk management approach that links threats
and vulnerabilities to resource requirements. Without a risk
management approach that identifies threats and vulnerabilities and
the resources required to achieve FPS‘s security goals, there is
limited assurance that programs will be prioritized and resources will
be allocated to address existing and potential security threats in an
efficient and effective manner. FPS recently began implementing a new
system referred to as the Risk Assessment Management Program (RAMP).
This system is designed to be a central database for capturing and
managing facility security information, including the risks posed to
federal facilities and the countermeasures that are in place to
mitigate risk. FPS expects that RAMP will enhance its approach to
assessing risk, managing human capital, and measuring performance. Our
July 2009 report on FPS‘s contract guard program also identified a
number of challenges that the agency faces in managing its contract
guard program, including ensuring that the 15,000 guards that are
responsible for helping to protect federal facilities have the
required training and certification to be deployed at a federal
facility. In response to our report, FPS took a number of immediate
actions with respect to contract guard management. For example, FPS
has increased the number of guard inspections it conducts at federal
facilities in some metropolitan areas and revised its guard training.
We have not reviewed whether these actions are sufficient to fulfill
our recommendations. Another area of continuing concern is that FPS
continues to operate without a human capital plan and does not have an
accurate estimate of its current and future workforce needs. In our
July 2009 report, we recommended that FPS develop a human capital plan
to guide its current and future workforce planning efforts. While FPS
agreed with this recommendation, it has not yet fully developed or
implemented a human capital plan.
As we reported in 2009, FPS‘s ability to protect GSA facilities is
further complicated by the FSC structure. Each FSC includes FPS, GSA,
and a tenant agency representative and is responsible for addressing
security issues at its respective facility and approving the funding
and implementation of security countermeasures recommended by FPS.
However, there are several weaknesses with the FSC. First, FSCs have
operated since 1995 without procedures that outline how they should
operate or make decisions, or that establish accountability. Second,
the tenant agency representatives to the FSC generally do not have any
security knowledge or experience but are expected to make security
decisions for their respective agencies. Third, many of the FSC tenant
agency representatives also do not have the authority to commit their
respective organizations to fund security countermeasures. No actions
have been taken on these issues since our 2009 report, and thus these
weaknesses continue to result in ad hoc security and increased risk at
some federal facilities.
What GAO Recommends:
GAO recommends that the Secretary of DHS direct the Director of FPS to
work in consultation with other representatives of the FSC to develop
and implement procedures that, among other things, outline the
committees‘ organization structure, operations, and accountability.
DHS concurred with GAO‘s recommendation.
View [hyperlink, http://www.gao.gov/products/GAO-10-901] or key
components. For more information, contact Mark Goldstein at (202) 512-
2834 or goldsteinm@gao.gov.
[End of section]
Contents:
Letter:
FPS Faces Challenges in Protecting Federal Facilities and Is Taking
Some Actions to Address Them:
Facility Security Committee Structure Hampers Protection of Federal
Facilities:
Conclusions:
Recommendation for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Status of GAO Recommendations to the Federal Protective
Service:
Appendix II: Comments from the Department of Homeland Security:
Appendix III: GAO Contacts and Staff Acknowledgments:
Abbreviations:
DHS: Department of Homeland Security:
FPS: Federal Protective Service:
FSA: facility security assessment:
FSC: facility security committee:
GSA: General Service Administration:
ICE: Immigration and Customs Enforcement:
ISC: Interagency Security Committee:
NIPP: National Infrastructure Protection Plan:
NPPD: National Protection and Programs Directorate:
RAMP: Risk Assessment Management Program:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
August 5, 2010:
Congressional Requesters:
Protecting federal facilities and their occupants from a potential
terrorist attack or other acts of violence remains a daunting
challenge for the Department of Homeland Security's (DHS) Federal
Protective Service (FPS). Since 2008, our work has shown that FPS has
experienced significant operational, management, and funding
challenges that have hampered its ability to protect the 9,000 federal
facilities under the control and custody of the General Services
Administration (GSA). We have made numerous recommendations to help
FPS address these challenges, and while DHS agreed with our
recommendations, the majority of them have not yet been fully
implemented. See appendix I for a complete list of our recommendations
and their current status.
To assist Congress in its oversight of FPS, this report (1) recaps the
major challenges we reported that FPS faces in protecting federal
facilities and discusses actions FPS is taking to address them and (2)
identifies an additional challenge FPS faces related to the facility
security committees (FSC). Each FSC consists of representatives from
each of the tenant agencies in the federal facility and is responsible
for addressing security issues at their respective facility and
approving the implementation of security countermeasures recommended
by FPS. This report is based primarily on our previous work and recent
interviews with FPS officials to obtain the current status of planned
initiatives.[Footnote 1] We conducted our work from January 2010
through July 2010 in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform
the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit
objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit
objectives.
FPS Faces Challenges in Protecting Federal Facilities and Is Taking
Some Actions to Address Them:
FPS Has Begun to Develop a Risk Management Approach to Protecting
Federal Facilities:
In 2008, we reported that FPS does not use a comprehensive risk
management approach that links threats and vulnerabilities to resource
requirements.[Footnote 2] Without a risk management approach that
identifies threats and vulnerabilities and the resources required to
achieve FPS's security goals, there is only limited assurance that
programs will be prioritized and resources will be allocated to
address existing and potential security threats in an efficient and
effective manner. FPS uses a facility-by-facility approach to risk
management. Under this approach, FPS assumes that all facilities with
the same security level have the same risk regardless of their
location. For example, a level IV facility in a metropolitan area is
generally treated the same as one in a rural area.[Footnote 3] We also
reported in 2008 that FPS's approach does not include a process for
examining comprehensive risk across the entire portfolio of GSA's
facilities. Both our and DHS's risk management frameworks include
processes for assessing comprehensive risk across assets in order to
prioritize countermeasures based on the overall needs of the system.
FPS's building-by-building approach, however, prevents it from
comprehensively identifying and prioritizing vulnerabilities and
making countermeasure recommendations at a strategic level.[Footnote 4]
Over the years we have advocated the use of a risk management approach
that links threats and vulnerabilities to resource requirements and
allocation. A risk management approach entails a continuous process of
managing risk through a series of actions, including setting strategic
goals and objectives, assessing risk, allocating resources based on
risk, evaluating alternatives, selecting initiatives to undertake, and
implementing and monitoring those initiatives. Risk assessment, an
important element of a risk management approach, helps decision makers
identify and evaluate potential risks so that countermeasures can be
designed and implemented to prevent or mitigate the effects of the
risks.
In response to our recommendations in this area, FPS began developing
a new system referred to as the Risk Assessment Management Program
(RAMP). This system is designed to be a central database for capturing
and managing facility security information, including the risks posed
to federal facilities and the countermeasures in place to mitigate
risk. FPS also anticipates that RAMP will allow inspectors to obtain
information from one electronic source, generate reports
automatically, enable FPS to track selected countermeasures throughout
their life cycle, address some concerns about the subjectivity
inherent in facility security assessments (FSA), and reduce the amount
of time inspectors and managers spend on administrative work.[Footnote
5] FPS designed RAMP so that it will produce risk assessments that are
compliant with Interagency Security Committee (ISC) standards, which,
among other things, require risk assessment methodologies to be
credible, reproducible, and defensible and for FSAs to be done every 3
to 5 years.[Footnote 6] According to FPS, RAMP is also compatible with
the risk management framework set forth by the National Infrastructure
Protection Plan (NIPP), and consistent with the business processes
outlined in the memorandum of agreement with GSA.[Footnote 7]
According to FPS, RAMP will support all components of the FSA process,
including gathering and reviewing building information; conducting and
recording interviews; assessing threats, vulnerabilities, and
consequences to develop a detailed risk profile; recommending
appropriate countermeasures; and producing FSA reports. FPS also plans
to use RAMP to track and analyze certain workforce data, contract
guard program data, and other performance data, such as the types and
definitions of incidents and incident response times. Currently, FPS
is in the process of implementing the first phase of RAMP and plans to
have it fully implemented by the end of 2011. We are reviewing the
design and implementation of RAMP and will provide Congress with a
final report next year.
FPS Has Taken Some Steps to Improve Oversight of the Contract Guard
Program:
We reported in July 2009 and April 2010 that FPS faces challenges in
ensuring that many of the 15,000 contract security guards that FPS
relies on to help protect federal facilities have the required
training and certification to be deployed at federal
facilities.[Footnote 8] We also identified substantial security
vulnerabilities related to FPS's guard program. Each time they tried,
in April and May 2009, our investigators successfully passed
undetected through security checkpoints monitored by FPS's guards,
with the components for an improvised explosive device concealed on
their persons at 10 level IV facilities in four major metropolitan
areas. FPS also took a number of immediate actions to address concerns
raised about contract guard management in our July 2009 contract guard
report. For example, since July 2009, FPS has increased its
penetration tests in some regions and the number of guard inspections
it conducts at federal facilities in some metropolitan areas. FPS
currently requires its inspectors to complete two guard inspections a
week at level IV facilities. Prior to this new requirement, FPS did
not have a national requirement for guard inspections, and each region
we visited had requirements ranging from no inspections to five
inspections per month per FPS inspector. FPS is also in the process of
providing additional X-ray and magnetometer training in response to
our July 2009 testimony. FPS anticipates that guards will be fully
trained by the end of 2010. Under FPS's revised training program,
inspectors must receive 30 hours of X-ray and magnetometer training
and guards must receive 16 hours. Prior to this revision, guards
needed 8 hours of training on X-ray and magnetometer machines.
However, despite these changes, we remain concerned about FPS's
oversight of the contract guard program and made recommendations for
additional improvements in our April 2010 report. For example, we
reported that despite FPS's recent actions, guards were continuing to
neglect or inadequately perform their assigned responsibilities. We
also remained concerned that FPS had not acted diligently in ensuring
the terms of its guard contract and taken enforcement action when
noncompliance occurred. Thus, we recommended, among other things, that
FPS identify other approaches that would be cost-beneficial for
protecting federal facilities. FPS agreed with this recommendation but
has not yet implemented it.
DHS Transferred FPS to NPPD:
We have reported on several issues related to locating FPS within
DHS's Immigration and Customs Enforcement (ICE). For example, we
reported in 2008 that some of FPS's operational and funding challenges
stemmed from it being part of ICE. In October 2009, to enable FPS to
better focus on its primary facility protection mission, the Secretary
of Homeland Security transferred FPS from ICE to the National
Protection and Programs Directorate (NPPD). According to DHS,
transferring FPS to NPPD will enhance oversight and efficiency while
maximizing the department's overall effectiveness in protecting
federal buildings across the country. We are reviewing the transition
of FPS into NPPD and will provide Congress with a final report in 2011.
Several Key Workforce Issues Remain Unresolved:
FPS has yet to fully ensure that its recent move to an inspector-based
workforce does not hinder its ability to protect federal facilities.
In 2007, FPS essentially eliminated its police officer position and
moved to an all-inspector-based workforce. FPS also decided to place
more emphasis on physical security activities, such as completing
FSAs, and less emphasis on law enforcement activities, such as
proactive patrol. We reported in 2008 that these changes may have
contributed to diminished security and increases in inspectors'
workload. Specifically, we found that when FPS is not providing
proactive patrol at some federal facilities, there is an increased
potential for illegal entry and other criminal activity. For example,
in one city we visited, a deceased individual had been found in a
vacant GSA facility that was not regularly patrolled by FPS.
Under its inspector-based workforce approach, FPS will rely more on
local police departments to handle crime and protection issues at
federal facilities. However, at about 400 federal facilities across
the United States, the federal government has exclusive jurisdiction,
and it is unclear if local police have the authority to respond to
incidents inside those facilities. Additionally, FPS has not entered
into any memorandums of agreement for increased law enforcement
assistance at federal facilities. In most of the cities we visited,
local law enforcement officials said they would not enter into any
agreements with FPS that involve increased responsibility for
protecting federal facilities because of liability concerns, existing
shortages of staff, and the need to respond to crime in their cities
that would make it difficult to divert resources from their primary
mission. For example, local law enforcement officials from one
location we visited said they are significantly understaffed and
overburdened with their current mission and would not be able to take
responsibility for protecting federal facilities. We believe that it
is important that FPS ensure that its decision to move to an inspector-
based workforce does not hamper its ability to protect federal
facilities. We recommended in 2008 that FPS clarify roles and
responsibilities of local law enforcement agencies in responding to
incidents at GSA facilities. While FPS agreed with this
recommendation, FPS has decided not to pursue agreements with local
law enforcement officials, in part because of reluctance on the part
of local law enforcement officials to sign such agreements. In
addition, FPS believes that the agreements are not necessary because
96 percent of the properties in its inventory are listed as concurrent
jurisdiction facilities where both federal and state governments have
jurisdiction over the property. Nevertheless, we continue to believe
that these agreements would, among other things, clarify roles and
responsibilities of local law enforcement agencies when responding to
crime or other incidents.
While FPS has recently increased the size of its workforce as mandated
by Congress, we reported in our 2009 report that FPS has operated
without a human capital plan.[Footnote 9] We recommended that FPS
develop a human capital plan to guide its current and future workforce
planning efforts. We have identified human capital management as a
high-risk issue throughout the federal government, including within
DHS. Without a long-term strategy for managing its current and future
workforce needs, including effective processes for hiring, training,
and staff development, FPS will be challenged to align its personnel
with its programmatic goals. FPS concurred with this recommendation
and has drafted a workforce analysis plan but has not yet fully
developed or implemented a human capital plan.
Appropriate Funding Mechanism Has Not Been Determined:
FPS's primary means of funding its operations--the basic security fee
charged to some federal agencies--does not account for a building's
level of risk, the level of service provided, or the cost of providing
those services. We reported in 2008 that this issue raises questions
about whether some federal agencies are being overcharged by
FPS.[Footnote 10] FPS also does not have a detailed understanding of
its operational costs, including accurate information about the cost
of providing its security services at federal facilities with
different risk levels. Without this type of information, FPS has
difficulty justifying the rate of the basic security fee to its
customers. We have found that by having accurate cost information, an
organization can demonstrate its cost-effectiveness and productivity
to stakeholders, link levels of performance with budget expenditures,
provide baseline and trend data for stakeholders to compare
performance, and provide a basis for focusing an organization's
efforts and resources to improve its performance. In addition, FPS's
fee-based funding system has not always generated sufficient revenue
to cover its operational costs. In 2007 we reported that FPS's
collections fell short of covering its projected operational costs,
and the steps it took to address the projected shortfalls reduced
staff morale, increased attrition rates, and diminished security at
some GSA facilities. FPS has yet to evaluate whether its fee-based
system or an alternative funding mechanism is most appropriate for
funding the agency as we recommended in our 2008 report. FPS agreed
with our recommendation and has taken some action, including the
development and implementation of an Activity Based Cost framework. We
are assessing FPS's efforts in this area as part of our ongoing review
of FPS's fee-base structure and will provide Congress with a final
report in 2011.
FPS Faces Limitations in Assessing Its Performance:
We have reported that FPS is limited in its ability to assess the
effectiveness of its efforts to protect federal facilities.[Footnote
11] To determine how well it is accomplishing its mission to protect
federal facilities, FPS has identified some output measures. These
measures include determining whether security countermeasures have
been deployed and are fully operational, the amount of time it takes
to respond to an incident, and the percentage of FSAs completed on
time. While output measures are helpful, outcome measures are also
important because they can provide FPS with broader information on
program results, such as the extent to which its decision to move to
an inspector-based workforce will enhance security at federal
facilities or help identify the security gaps that remain at federal
facilities and determine what action may be needed to address them.
In addition, FPS does not have a reliable data management system that
will allow it to accurately track these measures or other important
measures such as the number of crimes and other incidents occurring at
GSA facilities. Without such a system, it is difficult for FPS to
evaluate and improve the effectiveness of its efforts to protect
federal employees and facilities, allocate its limited resources, or
make informed risk management decisions. For example, weaknesses in
one of FPS's countermeasure tracking systems make it difficult to
accurately track the implementation status of recommended
countermeasures such as security cameras and X-ray machines. Without
this ability, FPS has difficulty determining whether it has mitigated
the risk of federal facilities to crime or a terrorist attack. FPS
concurred with our recommendations and states that its efforts to
address them will be completed in 2012 when its automated information
systems are fully implemented.
Facility Security Committee Structure Hampers Protection of Federal
Facilities:
FPS's ability to protect federal facilities under the control or
custody of GSA is further complicated by the FSC structure. The
Department of Justice's 1995 Vulnerability Assessment of Federal
Facilities guidelines directed GSA to establish a FSC in each federal
facility under its control. FSCs have experienced several issues that
may have increased the risk at some federal facilities. For example,
FSCs have operated since 1995 without guidelines, policies, or
procedures that outline how they should operate, make decisions, or
establish accountability. This results in ad hoc security that
undermines effective protection of individual facilities as well as
the entire facilities' portfolio.
Each FSC consists of a representative from each of the tenant agencies
in the facility and is responsible for addressing security issues at
its respective facility and approving the implementation of security
countermeasures recommended by FPS. After completing its FSAs, FPS
makes recommendations to GSA and tenant agencies for building security
countermeasures. For example, tenant agencies decide whether to fund
countermeasures for security equipment, and FPS is responsible for
acquiring, installing, and maintaining approved security equipment.
However, we reported in November 2009 that the tenant agency
representatives generally do not have any security knowledge or
experience but are expected to make security decisions for their
respective agencies. We also reported that some of the FSC tenant
agency representatives also do not have the authority to commit their
respective organizations to fund security countermeasures. Thus, when
funding for security countermeasures is needed, each federal tenant
agency representative that does not have funding authority must obtain
approval from his or her headquarters office. According to some FSC
members, in some instances funding for security countermeasures is not
always available because the request for funding is generally made
after the budget is formulated. In addition, while FPS, GSA, and
tenant agencies are responsible for some aspects of protecting federal
facilities, it is unclear who is the final arbiter or accountable for
final decisions.
We reported in November 2009 that the FSC structure may not contribute
to effective protection of federal facilities for several reasons.
[Footnote 12]
* Some FSC members may not have the security expertise needed to make
risk-based decisions.
* They may find the associated costs prohibitive.
* Tenant agencies may lack complete understanding of why recommended
countermeasures are necessary because they do not receive an adequate
amount of information from FPS.
Moreover, we found some instances in 2008 and 2009 where the FSC
structure contributed to increased risk at some federal facilities.
For example, an FPS official in a major metropolitan area stated that
over the last 4 years inspectors have recommended 24-hour coverage at
one high-risk facility located in a high-crime area multiple times;
however, the FSC was not able to obtain approval from all its members.
In addition, several FPS inspectors stated that their regional
managers have instructed them not to recommend security
countermeasures in FSAs if FPS would be responsible for funding the
measures because there is not sufficient funding in regional budgets
to purchase and maintain the security equipment. Moreover, at a
different location, members of a FSC told us that they met as needed,
although even when they hold meetings, one of the main tenant agencies
typically does not participate. GSA officials commented that this
tenant adheres to its agency's building security protocols and does
not necessarily follow GSA's tenant policies and procedures, which GSA
thinks creates security risks for the entire building.
ISC recently began to develop guidance for FSC operations, which may
address some of these issues. The committee, however, has yet to
announce an anticipated date for issuance of this guidance.
Conclusions:
In response to our many recommendations, FPS has a number of ongoing
improvements that, once fully implemented, should enhance its ability
to protect the over 1 million federal government employees and members
of the public who visit federal facilities each year. In addition,
FSCs have a significant role in ensuring the effective protection of
federal facilities; however, they face a number of issues in carrying
out their security responsibilities. For example, they have operated
without any procedures since their creation in 1995, and efforts to
develop guidance are incomplete. Without specific guidance or
procedures, FSCs have operated in an ad hoc manner, and there is a
lack of assurance that federal facilities under the control and
custody of GSA are effectively protected by FPS. Moreover, no actions
have been taken on these issues since we identified them in our
November 2009 report. As such, these weaknesses continue to result in
ad hoc security and increased risk at some federal facilities.
Therefore, we are making a recommendation for the Secretary of DHS to
address this matter.
Recommendation for Executive Action:
GAO recommends that the Secretary of DHS direct the Under Secretary of
NPPD and the Director of FPS to work in consultation with GSA and ISC
to develop and implement procedures that, among other things, outline
the FSCs' organizational structure, operations, decision-making
authority, and accountability.
Agency Comments and Our Evaluation:
We provided a draft of this report to DHS for review and comment. DHS
concurred with the recommendation in this report. Regarding the status
of our recommendations listed in appendix I, FPS commented that it is
actively pursuing initiatives and implementing measures to address the
nine recommendations that we reported as not implemented. We believe
our characterization of FPS's efforts to address our recommendations
reflects the data provided by FPS. We are also concerned that the
steps FPS described in its documents are not comprehensive enough to
address the recommendations that we reported as not implemented. For
example, regarding our recommendation to identify other approaches and
options that would be most beneficial and financially feasible for
protecting federal facilities, FPS states that it most recently
coordinated with DHS's Science and Technology Directorate to better
define requirements for the next generation of security technology.
However, we continue to believe that given the challenges FPS faces
with managing its contract guard program, among other things, FPS
needs to undertake a comprehensive review of how it protects federal
facilities. FPS has not provided us with this type of analysis or
information. We are also concerned about the reliability of the
preliminary data FPS used to evaluate whether its fee-based system or
an alternative funding mechanism is appropriate to fund the agency. We
are currently reviewing the reliability of FPS's Activity Based
Costing framework and will reassess FPS's efforts to address this
recommendation at the end of our review. DHS's comments are presented
in appendix II. DHS also provided technical clarifications, which we
incorporated into the report as appropriate.
We are sending copies of this report to appropriate congressional
committees, the Secretary of Homeland Security, and other interested
parties. In addition, the report will be available at no charge on
GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any
questions about this report, please contact me at (202) 512-2834 or
goldsteinm@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. GAO staff who made major contributions to this report are
listed in appendix III.
Signed by:
Mark L. Goldstein:
Director, Physical Infrastructure Issues:
List of Requesters:
The Honorable Joseph I. Lieberman:
Chairman:
The Honorable Susan M. Collins:
Ranking Member:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Daniel K. Akaka:
Chairman:
The Honorable George V. Voinovich:
Ranking Member:
Subcommittee on Oversight of Government Management, the Federal
Workforce and the District of Columbia:
Committee on Homeland Security and Governmental Affairs:
United States Senate:
The Honorable Bennie G. Thompson:
Chairman:
The Honorable Peter T. King:
Ranking Member:
Committee on Homeland Security:
House of Representatives:
The Honorable James L. Oberstar:
Chairman:
Committee on Transportation and Infrastructure:
House of Representatives:
The Honorable Eleanor Holmes Norton:
Chairwoman:
Subcommittee on Economic Development, Public Buildings, and Emergency
Management:
Committee on Transportation and Infrastructure:
House of Representatives:
[End of section]
Appendix I: Status of GAO Recommendations to the Federal Protective
Service:
Report number: GAO-10-341:
Recommendation: 1; Identify other approaches and options that would be
most beneficial and financially feasible for protecting federal
facilities;
Status: Not implemented.
Recommendation: 2; Rigorously and consistently monitor guard
contractors' and guards' performance and step up enforcement against
contractors that are not complying with the terms of the contract;
Status: In process.
Recommendation: 3; Complete all contract performance evaluations in
accordance with FPS and FAR requirements;
Status: In process.
Recommendation: 4; Issue a standardized record-keeping format to
ensure that contract files have required documentation;
Status: Not implemented.
Recommendation: 5; Develop a mechanism to routinely monitor guards at
federal facilities outside metropolitan areas;
Status: In process.
Recommendation: 6; Provide building-specific and scenario-based
training and guidance to its contract guards;
Status: In process.
Recommendation: 7; Develop and implement a management tool for
ensuring that reliable, comprehensive data on the contract guard
program are available on a real-time basis;
Status: In process.
Recommendation: 8; Verify the accuracy of all guard certification and
training data before entering them into the Risk Assessment Management
Program (RAMP), and periodically test the accuracy and reliability of
RAMP data to ensure that FPS management has the information needed to
effectively oversee its guard program;
Status: In process.
Report number: GAO-10-142:
Recommendation: 1; Provide the Secretary with regular updates, on a
mutually agreed-to schedule, on the status of RAMP and the National
Countermeasures Program, including the implementation status of
deliverables, clear timelines for completion of tasks and milestones,
and plans for addressing any implementation obstacles;
Status: In process.
Recommendation: 2; In conjunction with the National Countermeasures
Program, develop a methodology and guidance for assessing and
comparing the cost-effectiveness of technology alternatives;
Status: Not implemented.
Recommendation: 3; Reach consensus with GSA on what information
contained in the facility security assessment is needed for GSA to
fulfill its responsibilities related to the protection of federal
buildings and occupants, and accordingly, establish internal controls
to ensure that shared information is adequately safeguarded;
guidance for employees to use in deciding what information to protect
with sensitive but unclassified designations;
provisions for training on making designations, controlling, and
sharing such information with GSA and other entities;
and a review process to evaluate how well this information sharing
process is working, with results reported to the Secretary regularly
on a mutually agreed-to schedule;
Status: Not implemented.
Report number: GAO-09-749:
Report number: 1;
Recommendation: 1; Improve how FPS headquarters collects data on its
workforce's knowledge, skills, and abilities to help it better manage
and understand current and future workforce needs;
Status: In process.
Recommendation: 2; Use these data in the development and
implementation of a long-term strategic human capital plan that
addresses key principles for effective strategic workforce planning,
including establishing programs, policies, and practices that will
enable the agency to recruit, develop, and retain a qualified
workforce;
Status: Not implemented.
Recommendation: 3; Collect and maintain an accurate and comprehensive
list of all facility-designated points of contact, as well as a system
for regularly updating this list;
Status: In process.
Recommendation: 4; Develop and implement a program for education and
outreach to all customers to ensure they are aware of the current
roles, responsibilities, and services provided by FPS;
Status: Not implemented.
Report number: GAO-08-683:
Recommendation: 1; Develop and implement a strategic approach to
manage FPS's staffing resources that, among other things, determines
the optimum number of employees needed to accomplish its facility
protection mission and allocate these resources based on risk
management principles and the agency's goals and performance measures;
Status: In process.
Recommendation: 2; Clarify roles and responsibilities of local law
enforcement agencies in regard to responding to incidents at GSA
facilities;
Status: Not implemented.
Recommendation: 3; Improve FPS's use of the fee-based system by
developing a method to accurately account for the cost of providing
security services to tenant agencies and ensuring that its fee
structure takes into consideration the varying levels of risk and
service provided at GSA facilities;
Status: Not implemented.
Recommendation: 4; Evaluate whether FPS's current use of a fee-based
system or an alternative funding mechanism is the most appropriate
manner to fund the agency;
Status: Not implemented.
Recommendation: 5; Develop and implement specific guidelines and
standards for measuring its performance, including outcome measures to
assess its performance and improve the accountability of FPS;
Status: In process.
Recommendation: 6; Improve how FPS categorizes, collects, and analyzes
data to help it better manage and understand the results of its
efforts to protect GSA facilities;
Status: In process.
Source: GAO.
[End of table]
[End of section]
Appendix II: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
July 27, 2010:
Mr. Mark L. Goldstein:
Director, Physical Infrastructure Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Goldstein:
Subject: Draft Report GA0-10-901, Homeland Security: Addressing
Weaknesses with Facility Security Committees Would Enhance Protection
of Federal Facilities (Job Code 543250):
The National Protection and Programs Directorate (NPPD)/Federal
Protective Service (FPS) appreciates the opportunity to respond to the
above referenced draft report (technical comments have been provided
under separate cover). As described in the draft report, there is work
to be done, but we are pleased to note the report's positive
acknowledgment of the recent actions taken to address previous
recommendations, including development of the Risk Assessment and
Management Program (RAMP), increased penetration testing, increased
frequency of guard inspections, more focused guard training and,
significantly, the transfer of FPS to NPPD from Immigration and
Customs Enforcement.
Recommendation: GAO recommends that the Secretary of the Department of
Homeland Security (DHS) direct the Under Secretary of NPPD and the
Director of FPS to work in consultation with the General Services
Administration (GSA) and the Interagency Security Committee (ISC) to
develop and implement procedures that, among other things, outlines
the Federal Security Committees' (FSCs') organizational structure,
operations, decision making authority, and accountability. No other
recommendations are made.
Response: NPPD concurs with the recommendation. FPS and GSA currently
co-chair an ISC Facility Security' Committee working group that is
charged with developing and presenting an ISC Standard titled Facility
Security Committees. The standard, among other things, addresses FSC
duties and procedures, organizational structure, decision making
processes, and accountability. The working group anticipates that the
standard will be submitted to the ISC membership by December 31, 2010.
Draft Report Discussion:
With respect to the draft report itself, while we are pleased that GAO
acknowledged actions and progress made toward closing GAO
recommendations, DHS would like to emphasize that FPS is actively
pursuing, and has reported its progress on, the closure of all open
recommendations. In a March 30, 2010, update to GAO, and in the FPS
response to Draft Report GA0-10-341, Federal Protective Service's
Contract Guard Program Requires More Oversight and Reassessment of Use
of Contract Guards. FPS provided evidence to support closure of seven
open recommendations and to demonstrate substantial progress that has
been made toward closure of all remaining open recommendations. DHS
offers the following evidence that FPS is actively pursuing
initiatives and implementing measures to address recommendations for
which GAO indicated in the draft report there has been no activity.
The draft report shows (Appendix I) nine recommendations as "not
implemented." As indicated and documented in the March 30, 2010,
update and the response to the GA0-10-341 draft report, FPS considers
all of the open recommendations listed in Appendix I as "in process."
In April, GAO recommended in its Draft Report GAO-10-341 that "FPS
identify other approaches that would be cost-beneficial for protecting
federal facilities," but noted that FPS had not yet implemented the
recommendation. On the contrary, FPS notified GAO of progress made
toward meeting this recommendation in the response to that draft
report. Specifically, FPS informed GAO that since its creation in
1971, FPS has consistently examined past actions, best practices, and
available resources and technology to determine the best available
means to protect federal facilities. FPS added that largely due to
resource constraints, FPS' approaches and options to protecting
federal facilities have focused on providing more robust and
analytical risk assessments, enhancing the training and oversight of
protective security officers, and streamlining the implementation of
countermeasures through the use of national contract vehicles. FPS
also described its recently increased interaction with the research
and development community, through the OHS Science and Technology
Directorate, to better define requirements for the next generation of
security technology. FPS explained that it is simultaneously testing
new developments in countermeasures to assess their maximum
effectiveness as part of the integrated set of countermeasures.
GAO asserts that, "FPS has yet to evaluate whether its fee-based
system or an alternative funding mechanism is most appropriate for
funding the agency as we recommended in our 2008 report." However, in
the March 30, 2010 update to GAO open recommendations, FPS reported
that it had used preliminary data obtained from the recently deployed
Activity Based Costing Framework (ABC) and risk-based workforce
performance metrics to initiate an analysis of the current fee-based
system and complete a study of alternative funding strategies that may
better support the security and protection mission of the FPS within
DHS. FPS' evaluation of the fee-based system currently used has
concluded that fee collections have not been sufficient to cover
projected operational costs in recent years, and the agency has faced
shortfalls related to providing basic security services.
Therefore, FPS conducted an Alternative Funding Model analysis with
three primary objectives: (1) ensure that FPS security charges are
appropriate, are aligned with operational costs, and do not result in
further budgetary shortfalls; (2) possess sufficient flexibility to
account for risks associated with specific buildings; and (3) clearly
demonstrate the link between security charges to the customer agencies
and underlying security costs. This analysis resulted in the
identification and consideration of the following three alternatives,
which are still being evaluated: (1) a direct FPS appropriation; (2) a
more thorough review of the current fee-based system (four
methodologies for assessing charges are proposed); and (3) the
utilization of GSA services for billing and collection.
GAO also refers to FPS' limited ability to assess the effectiveness of
its efforts to protect federal facilities. It adds that FPS has
identified some output measures to determine how well it is
accomplishing its mission to protect federal facilities, but that FPS
needs to develop outcome measures. Again. in the March 30, 2010,
update, FPS responded to the GAO recommendation pertaining to
performance measures by including sample outcome performance measures
that have been implemented and are being monitored by FPS. Moreover,
in the update, FPS reported that it has developed and is using
guidelines, standards, and templates to ensure that performance, both
output and outcome measures, possess the attributes recommended by
GAO. FPS also explained that these measures are part of an agency-wide
effort to establish a robust performance management program in
response to GAO recommendations and in accordance with the guidelines
of the Government Performance and Results Act, the Office of
Management and Budget, and the DHS Office of Program Analysis and
Evaluation. FPS concluded the update to this recommendation by adding
that continuing through FY2012, implementation of automated
information systems will continue to support efforts to fully address
this GAO recommendation. Chief among these are the RAMP, Post Tracking
System (PTS), and the Computer Aided Dispatch and Information System
(CADIS). As these systems are brought on line, they are expected to
provide detailed and robust information, previously unavailable, to
assess FPS performance in providing integrated security and law
enforcement services for the Federal community.
NPPD/FPS remains committed to continuous improvement, and we will
provide progress reports to you on efforts to address the previous
recommendations referenced in this report.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Appendix III GAO Contacts and Staff Acknowledgments:
GAO Contact:
Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov:
Acknowledgments:
In addition to the contact name above, Tammy Conquest, Assistant
Director; Jennifer Clayborne; Delwen Jones; and Susan Michal-Smith
made key contributions to this report.
[End of section]
Footnotes:
[1] This report draws upon the following primary sources: GAO,
Homeland Security: Federal Protective Service's Contract Guard Program
Requires More Oversight and Reassessment of Use of Contract Guards,
[hyperlink, http://www.gao.gov/products/GAO-10-341] (Washington, D.C.:
Apr. 13, 2010); Homeland Security: Greater Attention to Key Practices
Would Improve the Federal Protective Service's Approach to Facility
Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142]
(Washington, D.C.: Oct. 23, 2009); Homeland Security: Preliminary
Results Show Federal Protective Service's Ability to Protect Federal
Facilities Is Hampered by Weaknesses in Its Contract Security Guard
Program, [hyperlink, http://www.gao.gov/products/GAO-09-859T]
(Washington, D.C.: July 8, 2009); Homeland Security: Federal
Protective Service Should Improve Human Capital Planning and Better
Communicate with Tenants, [hyperlink,
http://www.gao.gov/products/GAO-09-749] (Washington, D.C.: July 30,
2009); and Homeland Security: The Federal Protective Service Faces
Several Challenges That Hamper Its Ability to Protect Federal
Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683]
(Washington, D.C.: June 11, 2008).
[2] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[3] On March, 10, 2008, the Interagency Security Committee issued new
standards for determining the security level of federal facilities
that supersede the standards developed in the Department of Justice's
1995 Vulnerability Assessment Guidelines. These guidelines have five
security levels. A level I facility is typically a small storefront-
type operation such as a military recruiting office with 10 or fewer
employees and a low volume of public contact. A level II facility has
from 11 to 150 employees; a level III facility has from 151 to 450
employees and a moderate to high volume of public contact; a level IV
facility has over 450 employees, a high volume of public contact, and
includes high-risk law enforcement and intelligence agencies. FPS does
not have responsibility for a level V facility such as the White House
or the Central Intelligence Agency.
[4] [hyperlink, http://www.gao.gov/products/GAO-10-142].
[5] An FSA, formerly referred to as a building security assessment, is
a type of security evaluation conducted by FPS to determine how
susceptible a facility is to various forms of threats or attacks. FSAs
included countermeasure recommendations to mitigate threats and reduce
vulnerabilities.
[6] Following the Oklahoma City bombing, Executive Order 12977 called
for the creation of an Interagency Security Committee to address the
quality and effectiveness of physical security requirements for
federal facilities by developing and evaluating security standards.
ISC has representation from all major federal departments and
agencies. In 2003, the Chair of the ISC moved from GSA to DHS.
[7] The NIPP was founded through the Homeland Security Presidential
Directive-7 and sets forth national policy on how the plan's risk
management framework and sector partnership model are to be
implemented by sector-specific agencies. FPS is the agency responsible
for the government facilities sector.
[8] [hyperlink, http://www.gao.gov/products/GAO-09-859T] and
[hyperlink, http://www.gao.gov/products/GAO-10-341].
[9] [hyperlink, http://www.gao.gov/products/GAO-09-749].
[10] [hyperlink, http://www.gao.gov/products/GAO-08-683].
[11] [hyperlink, http://www.gao.gov/products/GAO-08-863] and
[hyperlink, http://www.gao.gov/products/GAO-10-236T].
[12] [hyperlink, http://www.gao.gov/products/GAO-10-236T].
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO‘s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO‘s Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]:
E-mail: fraudnet@gao.gov:
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov:
(202) 512-4400:
U.S. Government Accountability Office:
441 G Street NW, Room 7125:
Washington, D.C. 20548:
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov:
(202) 512-4800:
U.S. Government Accountability Office:
441 G Street NW, Room 7149:
Washington, D.C. 20548: