Homeland Security

Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities Gao ID: GAO-10-901 August 5, 2010

To accomplish its mission of protecting about 9,000 federal facilities, the Federal Protective Service (FPS) currently has a budget of about $1 billion, about 1,225 full-time employees, and about 15,000 contract security guards. However, protecting federal facilities and their occupants from a potential terrorist attack or other acts of violence remains a daunting challenge for the Department of Homeland Security's (DHS) Federal Protective Service. GAO has issued numerous reports on FPS's efforts to protect the General Services Administration's (GSA) facilities. This report (1) recaps the major challenges we reported that FPS faces in protecting federal facilities and discusses FPS's efforts to address them and (2) identifies an additional challenge that FPS faces related to the facility security committees (FSC), which are responsible for addressing security issues at federal facilities. This report is based primarily on our previous work and recent FPS interviews.

Since 2007, we have reported that FPS faces significant challenges with protecting federal facilities, and in response FPS has recently started to take steps to address some of them. In 2008, we reported that FPS does not use a risk management approach that links threats and vulnerabilities to resource requirements. Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS's security goals, there is limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner. FPS recently began implementing a new system referred to as the Risk Assessment Management Program (RAMP). This system is designed to be a central database for capturing and managing facility security information, including the risks posed to federal facilities and the countermeasures that are in place to mitigate risk. FPS expects that RAMP will enhance its approach to assessing risk, managing human capital, and measuring performance. Our July 2009 report on FPS's contract guard program also identified a number of challenges that the agency faces in managing its contract guard program, including ensuring that the 15,000 guards that are responsible for helping to protect federal facilities have the required training and certification to be deployed at a federal facility. In response to our report, FPS took a number of immediate actions with respect to contract guard management. For example, FPS has increased the number of guard inspections it conducts at federal facilities in some metropolitan areas and revised its guard training. We have not reviewed whether these actions are sufficient to fulfill our recommendations. Another area of continuing concern is that FPS continues to operate without a human capital plan and does not have an accurate estimate of its current and future workforce needs. In our July 2009 report, we recommended that FPS develop a human capital plan to guide its current and future workforce planning efforts. While FPS agreed with this recommendation, it has not yet fully developed or implemented a human capital plan. As we reported in 2009, FPS's ability to protect GSA facilities is further complicated by the FSC structure. Each FSC includes FPS, GSA, and a tenant agency representative and is responsible for addressing security issues at its respective facility and approving the funding and implementation of security countermeasures recommended by FPS. However, there are several weaknesses with the FSC. First, FSCs have operated since 1995 without procedures that outline how they should operate or make decisions, or that establish accountability. Second, the tenant agency representatives to the FSC generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. Third, many of the FSC tenant agency representatives also do not have the authority to commit their respective organizations to fund security countermeasures. No actions have been taken on these issues since our 2009 report, and thus these weaknesses continue to result in ad hoc security and increased risk at some federal facilities. GAO recommends that the Secretary of DHS direct the Director of FPS to work in consultation with other representatives of the FSC to develop and implement procedures that, among other things, outline the committees' organization structure, operations, and accountability. DHS concurred with GAO's recommendation.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Mark L. Goldstein Team: Government Accountability Office: Physical Infrastructure Phone: No phone on record

GAO-10-901, Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities This is the accessible text file for GAO report number GAO-10-901 entitled 'Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities' which was released on August 5, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to Congressional Requesters: United States Government Accountability Office: GAO: August 2010: Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities: GAO-10-901: GAO Highlights: Highlights of GAO-10-901, a report to congressional requesters. Why GAO Did This Study: To accomplish its mission of protecting about 9,000 federal facilities, the Federal Protective Service (FPS) currently has a budget of about $1 billion, about 1,225 full-time employees, and about 15,000 contract security guards. However, protecting federal facilities and their occupants from a potential terrorist attack or other acts of violence remains a daunting challenge for the Department of Homeland Security‘s (DHS) Federal Protective Service. GAO has issued numerous reports on FPS‘s efforts to protect the General Services Administration‘s (GSA) facilities. This report (1) recaps the major challenges we reported that FPS faces in protecting federal facilities and discusses FPS‘s efforts to address them and (2) identifies an additional challenge that FPS faces related to the facility security committees (FSC), which are responsible for addressing security issues at federal facilities. This report is based primarily on our previous work and recent FPS interviews. What GAO Found: Since 2007, we have reported that FPS faces significant challenges with protecting federal facilities, and in response FPS has recently started to take steps to address some of them. In 2008, we reported that FPS does not use a risk management approach that links threats and vulnerabilities to resource requirements. Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS‘s security goals, there is limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner. FPS recently began implementing a new system referred to as the Risk Assessment Management Program (RAMP). This system is designed to be a central database for capturing and managing facility security information, including the risks posed to federal facilities and the countermeasures that are in place to mitigate risk. FPS expects that RAMP will enhance its approach to assessing risk, managing human capital, and measuring performance. Our July 2009 report on FPS‘s contract guard program also identified a number of challenges that the agency faces in managing its contract guard program, including ensuring that the 15,000 guards that are responsible for helping to protect federal facilities have the required training and certification to be deployed at a federal facility. In response to our report, FPS took a number of immediate actions with respect to contract guard management. For example, FPS has increased the number of guard inspections it conducts at federal facilities in some metropolitan areas and revised its guard training. We have not reviewed whether these actions are sufficient to fulfill our recommendations. Another area of continuing concern is that FPS continues to operate without a human capital plan and does not have an accurate estimate of its current and future workforce needs. In our July 2009 report, we recommended that FPS develop a human capital plan to guide its current and future workforce planning efforts. While FPS agreed with this recommendation, it has not yet fully developed or implemented a human capital plan. As we reported in 2009, FPS‘s ability to protect GSA facilities is further complicated by the FSC structure. Each FSC includes FPS, GSA, and a tenant agency representative and is responsible for addressing security issues at its respective facility and approving the funding and implementation of security countermeasures recommended by FPS. However, there are several weaknesses with the FSC. First, FSCs have operated since 1995 without procedures that outline how they should operate or make decisions, or that establish accountability. Second, the tenant agency representatives to the FSC generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. Third, many of the FSC tenant agency representatives also do not have the authority to commit their respective organizations to fund security countermeasures. No actions have been taken on these issues since our 2009 report, and thus these weaknesses continue to result in ad hoc security and increased risk at some federal facilities. What GAO Recommends: GAO recommends that the Secretary of DHS direct the Director of FPS to work in consultation with other representatives of the FSC to develop and implement procedures that, among other things, outline the committees‘ organization structure, operations, and accountability. DHS concurred with GAO‘s recommendation. View [hyperlink, http://www.gao.gov/products/GAO-10-901] or key components. For more information, contact Mark Goldstein at (202) 512- 2834 or goldsteinm@gao.gov. [End of section] Contents: Letter: FPS Faces Challenges in Protecting Federal Facilities and Is Taking Some Actions to Address Them: Facility Security Committee Structure Hampers Protection of Federal Facilities: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendix I: Status of GAO Recommendations to the Federal Protective Service: Appendix II: Comments from the Department of Homeland Security: Appendix III: GAO Contacts and Staff Acknowledgments: Abbreviations: DHS: Department of Homeland Security: FPS: Federal Protective Service: FSA: facility security assessment: FSC: facility security committee: GSA: General Service Administration: ICE: Immigration and Customs Enforcement: ISC: Interagency Security Committee: NIPP: National Infrastructure Protection Plan: NPPD: National Protection and Programs Directorate: RAMP: Risk Assessment Management Program: [End of section] United States Government Accountability Office: Washington, DC 20548: August 5, 2010: Congressional Requesters: Protecting federal facilities and their occupants from a potential terrorist attack or other acts of violence remains a daunting challenge for the Department of Homeland Security's (DHS) Federal Protective Service (FPS). Since 2008, our work has shown that FPS has experienced significant operational, management, and funding challenges that have hampered its ability to protect the 9,000 federal facilities under the control and custody of the General Services Administration (GSA). We have made numerous recommendations to help FPS address these challenges, and while DHS agreed with our recommendations, the majority of them have not yet been fully implemented. See appendix I for a complete list of our recommendations and their current status. To assist Congress in its oversight of FPS, this report (1) recaps the major challenges we reported that FPS faces in protecting federal facilities and discusses actions FPS is taking to address them and (2) identifies an additional challenge FPS faces related to the facility security committees (FSC). Each FSC consists of representatives from each of the tenant agencies in the federal facility and is responsible for addressing security issues at their respective facility and approving the implementation of security countermeasures recommended by FPS. This report is based primarily on our previous work and recent interviews with FPS officials to obtain the current status of planned initiatives.[Footnote 1] We conducted our work from January 2010 through July 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. FPS Faces Challenges in Protecting Federal Facilities and Is Taking Some Actions to Address Them: FPS Has Begun to Develop a Risk Management Approach to Protecting Federal Facilities: In 2008, we reported that FPS does not use a comprehensive risk management approach that links threats and vulnerabilities to resource requirements.[Footnote 2] Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS's security goals, there is only limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner. FPS uses a facility-by-facility approach to risk management. Under this approach, FPS assumes that all facilities with the same security level have the same risk regardless of their location. For example, a level IV facility in a metropolitan area is generally treated the same as one in a rural area.[Footnote 3] We also reported in 2008 that FPS's approach does not include a process for examining comprehensive risk across the entire portfolio of GSA's facilities. Both our and DHS's risk management frameworks include processes for assessing comprehensive risk across assets in order to prioritize countermeasures based on the overall needs of the system. FPS's building-by-building approach, however, prevents it from comprehensively identifying and prioritizing vulnerabilities and making countermeasure recommendations at a strategic level.[Footnote 4] Over the years we have advocated the use of a risk management approach that links threats and vulnerabilities to resource requirements and allocation. A risk management approach entails a continuous process of managing risk through a series of actions, including setting strategic goals and objectives, assessing risk, allocating resources based on risk, evaluating alternatives, selecting initiatives to undertake, and implementing and monitoring those initiatives. Risk assessment, an important element of a risk management approach, helps decision makers identify and evaluate potential risks so that countermeasures can be designed and implemented to prevent or mitigate the effects of the risks. In response to our recommendations in this area, FPS began developing a new system referred to as the Risk Assessment Management Program (RAMP). This system is designed to be a central database for capturing and managing facility security information, including the risks posed to federal facilities and the countermeasures in place to mitigate risk. FPS also anticipates that RAMP will allow inspectors to obtain information from one electronic source, generate reports automatically, enable FPS to track selected countermeasures throughout their life cycle, address some concerns about the subjectivity inherent in facility security assessments (FSA), and reduce the amount of time inspectors and managers spend on administrative work.[Footnote 5] FPS designed RAMP so that it will produce risk assessments that are compliant with Interagency Security Committee (ISC) standards, which, among other things, require risk assessment methodologies to be credible, reproducible, and defensible and for FSAs to be done every 3 to 5 years.[Footnote 6] According to FPS, RAMP is also compatible with the risk management framework set forth by the National Infrastructure Protection Plan (NIPP), and consistent with the business processes outlined in the memorandum of agreement with GSA.[Footnote 7] According to FPS, RAMP will support all components of the FSA process, including gathering and reviewing building information; conducting and recording interviews; assessing threats, vulnerabilities, and consequences to develop a detailed risk profile; recommending appropriate countermeasures; and producing FSA reports. FPS also plans to use RAMP to track and analyze certain workforce data, contract guard program data, and other performance data, such as the types and definitions of incidents and incident response times. Currently, FPS is in the process of implementing the first phase of RAMP and plans to have it fully implemented by the end of 2011. We are reviewing the design and implementation of RAMP and will provide Congress with a final report next year. FPS Has Taken Some Steps to Improve Oversight of the Contract Guard Program: We reported in July 2009 and April 2010 that FPS faces challenges in ensuring that many of the 15,000 contract security guards that FPS relies on to help protect federal facilities have the required training and certification to be deployed at federal facilities.[Footnote 8] We also identified substantial security vulnerabilities related to FPS's guard program. Each time they tried, in April and May 2009, our investigators successfully passed undetected through security checkpoints monitored by FPS's guards, with the components for an improvised explosive device concealed on their persons at 10 level IV facilities in four major metropolitan areas. FPS also took a number of immediate actions to address concerns raised about contract guard management in our July 2009 contract guard report. For example, since July 2009, FPS has increased its penetration tests in some regions and the number of guard inspections it conducts at federal facilities in some metropolitan areas. FPS currently requires its inspectors to complete two guard inspections a week at level IV facilities. Prior to this new requirement, FPS did not have a national requirement for guard inspections, and each region we visited had requirements ranging from no inspections to five inspections per month per FPS inspector. FPS is also in the process of providing additional X-ray and magnetometer training in response to our July 2009 testimony. FPS anticipates that guards will be fully trained by the end of 2010. Under FPS's revised training program, inspectors must receive 30 hours of X-ray and magnetometer training and guards must receive 16 hours. Prior to this revision, guards needed 8 hours of training on X-ray and magnetometer machines. However, despite these changes, we remain concerned about FPS's oversight of the contract guard program and made recommendations for additional improvements in our April 2010 report. For example, we reported that despite FPS's recent actions, guards were continuing to neglect or inadequately perform their assigned responsibilities. We also remained concerned that FPS had not acted diligently in ensuring the terms of its guard contract and taken enforcement action when noncompliance occurred. Thus, we recommended, among other things, that FPS identify other approaches that would be cost-beneficial for protecting federal facilities. FPS agreed with this recommendation but has not yet implemented it. DHS Transferred FPS to NPPD: We have reported on several issues related to locating FPS within DHS's Immigration and Customs Enforcement (ICE). For example, we reported in 2008 that some of FPS's operational and funding challenges stemmed from it being part of ICE. In October 2009, to enable FPS to better focus on its primary facility protection mission, the Secretary of Homeland Security transferred FPS from ICE to the National Protection and Programs Directorate (NPPD). According to DHS, transferring FPS to NPPD will enhance oversight and efficiency while maximizing the department's overall effectiveness in protecting federal buildings across the country. We are reviewing the transition of FPS into NPPD and will provide Congress with a final report in 2011. Several Key Workforce Issues Remain Unresolved: FPS has yet to fully ensure that its recent move to an inspector-based workforce does not hinder its ability to protect federal facilities. In 2007, FPS essentially eliminated its police officer position and moved to an all-inspector-based workforce. FPS also decided to place more emphasis on physical security activities, such as completing FSAs, and less emphasis on law enforcement activities, such as proactive patrol. We reported in 2008 that these changes may have contributed to diminished security and increases in inspectors' workload. Specifically, we found that when FPS is not providing proactive patrol at some federal facilities, there is an increased potential for illegal entry and other criminal activity. For example, in one city we visited, a deceased individual had been found in a vacant GSA facility that was not regularly patrolled by FPS. Under its inspector-based workforce approach, FPS will rely more on local police departments to handle crime and protection issues at federal facilities. However, at about 400 federal facilities across the United States, the federal government has exclusive jurisdiction, and it is unclear if local police have the authority to respond to incidents inside those facilities. Additionally, FPS has not entered into any memorandums of agreement for increased law enforcement assistance at federal facilities. In most of the cities we visited, local law enforcement officials said they would not enter into any agreements with FPS that involve increased responsibility for protecting federal facilities because of liability concerns, existing shortages of staff, and the need to respond to crime in their cities that would make it difficult to divert resources from their primary mission. For example, local law enforcement officials from one location we visited said they are significantly understaffed and overburdened with their current mission and would not be able to take responsibility for protecting federal facilities. We believe that it is important that FPS ensure that its decision to move to an inspector- based workforce does not hamper its ability to protect federal facilities. We recommended in 2008 that FPS clarify roles and responsibilities of local law enforcement agencies in responding to incidents at GSA facilities. While FPS agreed with this recommendation, FPS has decided not to pursue agreements with local law enforcement officials, in part because of reluctance on the part of local law enforcement officials to sign such agreements. In addition, FPS believes that the agreements are not necessary because 96 percent of the properties in its inventory are listed as concurrent jurisdiction facilities where both federal and state governments have jurisdiction over the property. Nevertheless, we continue to believe that these agreements would, among other things, clarify roles and responsibilities of local law enforcement agencies when responding to crime or other incidents. While FPS has recently increased the size of its workforce as mandated by Congress, we reported in our 2009 report that FPS has operated without a human capital plan.[Footnote 9] We recommended that FPS develop a human capital plan to guide its current and future workforce planning efforts. We have identified human capital management as a high-risk issue throughout the federal government, including within DHS. Without a long-term strategy for managing its current and future workforce needs, including effective processes for hiring, training, and staff development, FPS will be challenged to align its personnel with its programmatic goals. FPS concurred with this recommendation and has drafted a workforce analysis plan but has not yet fully developed or implemented a human capital plan. Appropriate Funding Mechanism Has Not Been Determined: FPS's primary means of funding its operations--the basic security fee charged to some federal agencies--does not account for a building's level of risk, the level of service provided, or the cost of providing those services. We reported in 2008 that this issue raises questions about whether some federal agencies are being overcharged by FPS.[Footnote 10] FPS also does not have a detailed understanding of its operational costs, including accurate information about the cost of providing its security services at federal facilities with different risk levels. Without this type of information, FPS has difficulty justifying the rate of the basic security fee to its customers. We have found that by having accurate cost information, an organization can demonstrate its cost-effectiveness and productivity to stakeholders, link levels of performance with budget expenditures, provide baseline and trend data for stakeholders to compare performance, and provide a basis for focusing an organization's efforts and resources to improve its performance. In addition, FPS's fee-based funding system has not always generated sufficient revenue to cover its operational costs. In 2007 we reported that FPS's collections fell short of covering its projected operational costs, and the steps it took to address the projected shortfalls reduced staff morale, increased attrition rates, and diminished security at some GSA facilities. FPS has yet to evaluate whether its fee-based system or an alternative funding mechanism is most appropriate for funding the agency as we recommended in our 2008 report. FPS agreed with our recommendation and has taken some action, including the development and implementation of an Activity Based Cost framework. We are assessing FPS's efforts in this area as part of our ongoing review of FPS's fee-base structure and will provide Congress with a final report in 2011. FPS Faces Limitations in Assessing Its Performance: We have reported that FPS is limited in its ability to assess the effectiveness of its efforts to protect federal facilities.[Footnote 11] To determine how well it is accomplishing its mission to protect federal facilities, FPS has identified some output measures. These measures include determining whether security countermeasures have been deployed and are fully operational, the amount of time it takes to respond to an incident, and the percentage of FSAs completed on time. While output measures are helpful, outcome measures are also important because they can provide FPS with broader information on program results, such as the extent to which its decision to move to an inspector-based workforce will enhance security at federal facilities or help identify the security gaps that remain at federal facilities and determine what action may be needed to address them. In addition, FPS does not have a reliable data management system that will allow it to accurately track these measures or other important measures such as the number of crimes and other incidents occurring at GSA facilities. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts to protect federal employees and facilities, allocate its limited resources, or make informed risk management decisions. For example, weaknesses in one of FPS's countermeasure tracking systems make it difficult to accurately track the implementation status of recommended countermeasures such as security cameras and X-ray machines. Without this ability, FPS has difficulty determining whether it has mitigated the risk of federal facilities to crime or a terrorist attack. FPS concurred with our recommendations and states that its efforts to address them will be completed in 2012 when its automated information systems are fully implemented. Facility Security Committee Structure Hampers Protection of Federal Facilities: FPS's ability to protect federal facilities under the control or custody of GSA is further complicated by the FSC structure. The Department of Justice's 1995 Vulnerability Assessment of Federal Facilities guidelines directed GSA to establish a FSC in each federal facility under its control. FSCs have experienced several issues that may have increased the risk at some federal facilities. For example, FSCs have operated since 1995 without guidelines, policies, or procedures that outline how they should operate, make decisions, or establish accountability. This results in ad hoc security that undermines effective protection of individual facilities as well as the entire facilities' portfolio. Each FSC consists of a representative from each of the tenant agencies in the facility and is responsible for addressing security issues at its respective facility and approving the implementation of security countermeasures recommended by FPS. After completing its FSAs, FPS makes recommendations to GSA and tenant agencies for building security countermeasures. For example, tenant agencies decide whether to fund countermeasures for security equipment, and FPS is responsible for acquiring, installing, and maintaining approved security equipment. However, we reported in November 2009 that the tenant agency representatives generally do not have any security knowledge or experience but are expected to make security decisions for their respective agencies. We also reported that some of the FSC tenant agency representatives also do not have the authority to commit their respective organizations to fund security countermeasures. Thus, when funding for security countermeasures is needed, each federal tenant agency representative that does not have funding authority must obtain approval from his or her headquarters office. According to some FSC members, in some instances funding for security countermeasures is not always available because the request for funding is generally made after the budget is formulated. In addition, while FPS, GSA, and tenant agencies are responsible for some aspects of protecting federal facilities, it is unclear who is the final arbiter or accountable for final decisions. We reported in November 2009 that the FSC structure may not contribute to effective protection of federal facilities for several reasons. [Footnote 12] * Some FSC members may not have the security expertise needed to make risk-based decisions. * They may find the associated costs prohibitive. * Tenant agencies may lack complete understanding of why recommended countermeasures are necessary because they do not receive an adequate amount of information from FPS. Moreover, we found some instances in 2008 and 2009 where the FSC structure contributed to increased risk at some federal facilities. For example, an FPS official in a major metropolitan area stated that over the last 4 years inspectors have recommended 24-hour coverage at one high-risk facility located in a high-crime area multiple times; however, the FSC was not able to obtain approval from all its members. In addition, several FPS inspectors stated that their regional managers have instructed them not to recommend security countermeasures in FSAs if FPS would be responsible for funding the measures because there is not sufficient funding in regional budgets to purchase and maintain the security equipment. Moreover, at a different location, members of a FSC told us that they met as needed, although even when they hold meetings, one of the main tenant agencies typically does not participate. GSA officials commented that this tenant adheres to its agency's building security protocols and does not necessarily follow GSA's tenant policies and procedures, which GSA thinks creates security risks for the entire building. ISC recently began to develop guidance for FSC operations, which may address some of these issues. The committee, however, has yet to announce an anticipated date for issuance of this guidance. Conclusions: In response to our many recommendations, FPS has a number of ongoing improvements that, once fully implemented, should enhance its ability to protect the over 1 million federal government employees and members of the public who visit federal facilities each year. In addition, FSCs have a significant role in ensuring the effective protection of federal facilities; however, they face a number of issues in carrying out their security responsibilities. For example, they have operated without any procedures since their creation in 1995, and efforts to develop guidance are incomplete. Without specific guidance or procedures, FSCs have operated in an ad hoc manner, and there is a lack of assurance that federal facilities under the control and custody of GSA are effectively protected by FPS. Moreover, no actions have been taken on these issues since we identified them in our November 2009 report. As such, these weaknesses continue to result in ad hoc security and increased risk at some federal facilities. Therefore, we are making a recommendation for the Secretary of DHS to address this matter. Recommendation for Executive Action: GAO recommends that the Secretary of DHS direct the Under Secretary of NPPD and the Director of FPS to work in consultation with GSA and ISC to develop and implement procedures that, among other things, outline the FSCs' organizational structure, operations, decision-making authority, and accountability. Agency Comments and Our Evaluation: We provided a draft of this report to DHS for review and comment. DHS concurred with the recommendation in this report. Regarding the status of our recommendations listed in appendix I, FPS commented that it is actively pursuing initiatives and implementing measures to address the nine recommendations that we reported as not implemented. We believe our characterization of FPS's efforts to address our recommendations reflects the data provided by FPS. We are also concerned that the steps FPS described in its documents are not comprehensive enough to address the recommendations that we reported as not implemented. For example, regarding our recommendation to identify other approaches and options that would be most beneficial and financially feasible for protecting federal facilities, FPS states that it most recently coordinated with DHS's Science and Technology Directorate to better define requirements for the next generation of security technology. However, we continue to believe that given the challenges FPS faces with managing its contract guard program, among other things, FPS needs to undertake a comprehensive review of how it protects federal facilities. FPS has not provided us with this type of analysis or information. We are also concerned about the reliability of the preliminary data FPS used to evaluate whether its fee-based system or an alternative funding mechanism is appropriate to fund the agency. We are currently reviewing the reliability of FPS's Activity Based Costing framework and will reassess FPS's efforts to address this recommendation at the end of our review. DHS's comments are presented in appendix II. DHS also provided technical clarifications, which we incorporated into the report as appropriate. We are sending copies of this report to appropriate congressional committees, the Secretary of Homeland Security, and other interested parties. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any questions about this report, please contact me at (202) 512-2834 or goldsteinm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Signed by: Mark L. Goldstein: Director, Physical Infrastructure Issues: List of Requesters: The Honorable Joseph I. Lieberman: Chairman: The Honorable Susan M. Collins: Ranking Member: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Daniel K. Akaka: Chairman: The Honorable George V. Voinovich: Ranking Member: Subcommittee on Oversight of Government Management, the Federal Workforce and the District of Columbia: Committee on Homeland Security and Governmental Affairs: United States Senate: The Honorable Bennie G. Thompson: Chairman: The Honorable Peter T. King: Ranking Member: Committee on Homeland Security: House of Representatives: The Honorable James L. Oberstar: Chairman: Committee on Transportation and Infrastructure: House of Representatives: The Honorable Eleanor Holmes Norton: Chairwoman: Subcommittee on Economic Development, Public Buildings, and Emergency Management: Committee on Transportation and Infrastructure: House of Representatives: [End of section] Appendix I: Status of GAO Recommendations to the Federal Protective Service: Report number: GAO-10-341: Recommendation: 1; Identify other approaches and options that would be most beneficial and financially feasible for protecting federal facilities; Status: Not implemented. Recommendation: 2; Rigorously and consistently monitor guard contractors' and guards' performance and step up enforcement against contractors that are not complying with the terms of the contract; Status: In process. Recommendation: 3; Complete all contract performance evaluations in accordance with FPS and FAR requirements; Status: In process. Recommendation: 4; Issue a standardized record-keeping format to ensure that contract files have required documentation; Status: Not implemented. Recommendation: 5; Develop a mechanism to routinely monitor guards at federal facilities outside metropolitan areas; Status: In process. Recommendation: 6; Provide building-specific and scenario-based training and guidance to its contract guards; Status: In process. Recommendation: 7; Develop and implement a management tool for ensuring that reliable, comprehensive data on the contract guard program are available on a real-time basis; Status: In process. Recommendation: 8; Verify the accuracy of all guard certification and training data before entering them into the Risk Assessment Management Program (RAMP), and periodically test the accuracy and reliability of RAMP data to ensure that FPS management has the information needed to effectively oversee its guard program; Status: In process. Report number: GAO-10-142: Recommendation: 1; Provide the Secretary with regular updates, on a mutually agreed-to schedule, on the status of RAMP and the National Countermeasures Program, including the implementation status of deliverables, clear timelines for completion of tasks and milestones, and plans for addressing any implementation obstacles; Status: In process. Recommendation: 2; In conjunction with the National Countermeasures Program, develop a methodology and guidance for assessing and comparing the cost-effectiveness of technology alternatives; Status: Not implemented. Recommendation: 3; Reach consensus with GSA on what information contained in the facility security assessment is needed for GSA to fulfill its responsibilities related to the protection of federal buildings and occupants, and accordingly, establish internal controls to ensure that shared information is adequately safeguarded; guidance for employees to use in deciding what information to protect with sensitive but unclassified designations; provisions for training on making designations, controlling, and sharing such information with GSA and other entities; and a review process to evaluate how well this information sharing process is working, with results reported to the Secretary regularly on a mutually agreed-to schedule; Status: Not implemented. Report number: GAO-09-749: Report number: 1; Recommendation: 1; Improve how FPS headquarters collects data on its workforce's knowledge, skills, and abilities to help it better manage and understand current and future workforce needs; Status: In process. Recommendation: 2; Use these data in the development and implementation of a long-term strategic human capital plan that addresses key principles for effective strategic workforce planning, including establishing programs, policies, and practices that will enable the agency to recruit, develop, and retain a qualified workforce; Status: Not implemented. Recommendation: 3; Collect and maintain an accurate and comprehensive list of all facility-designated points of contact, as well as a system for regularly updating this list; Status: In process. Recommendation: 4; Develop and implement a program for education and outreach to all customers to ensure they are aware of the current roles, responsibilities, and services provided by FPS; Status: Not implemented. Report number: GAO-08-683: Recommendation: 1; Develop and implement a strategic approach to manage FPS's staffing resources that, among other things, determines the optimum number of employees needed to accomplish its facility protection mission and allocate these resources based on risk management principles and the agency's goals and performance measures; Status: In process. Recommendation: 2; Clarify roles and responsibilities of local law enforcement agencies in regard to responding to incidents at GSA facilities; Status: Not implemented. Recommendation: 3; Improve FPS's use of the fee-based system by developing a method to accurately account for the cost of providing security services to tenant agencies and ensuring that its fee structure takes into consideration the varying levels of risk and service provided at GSA facilities; Status: Not implemented. Recommendation: 4; Evaluate whether FPS's current use of a fee-based system or an alternative funding mechanism is the most appropriate manner to fund the agency; Status: Not implemented. Recommendation: 5; Develop and implement specific guidelines and standards for measuring its performance, including outcome measures to assess its performance and improve the accountability of FPS; Status: In process. Recommendation: 6; Improve how FPS categorizes, collects, and analyzes data to help it better manage and understand the results of its efforts to protect GSA facilities; Status: In process. Source: GAO. [End of table] [End of section] Appendix II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: July 27, 2010: Mr. Mark L. Goldstein: Director, Physical Infrastructure Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Goldstein: Subject: Draft Report GA0-10-901, Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities (Job Code 543250): The National Protection and Programs Directorate (NPPD)/Federal Protective Service (FPS) appreciates the opportunity to respond to the above referenced draft report (technical comments have been provided under separate cover). As described in the draft report, there is work to be done, but we are pleased to note the report's positive acknowledgment of the recent actions taken to address previous recommendations, including development of the Risk Assessment and Management Program (RAMP), increased penetration testing, increased frequency of guard inspections, more focused guard training and, significantly, the transfer of FPS to NPPD from Immigration and Customs Enforcement. Recommendation: GAO recommends that the Secretary of the Department of Homeland Security (DHS) direct the Under Secretary of NPPD and the Director of FPS to work in consultation with the General Services Administration (GSA) and the Interagency Security Committee (ISC) to develop and implement procedures that, among other things, outlines the Federal Security Committees' (FSCs') organizational structure, operations, decision making authority, and accountability. No other recommendations are made. Response: NPPD concurs with the recommendation. FPS and GSA currently co-chair an ISC Facility Security' Committee working group that is charged with developing and presenting an ISC Standard titled Facility Security Committees. The standard, among other things, addresses FSC duties and procedures, organizational structure, decision making processes, and accountability. The working group anticipates that the standard will be submitted to the ISC membership by December 31, 2010. Draft Report Discussion: With respect to the draft report itself, while we are pleased that GAO acknowledged actions and progress made toward closing GAO recommendations, DHS would like to emphasize that FPS is actively pursuing, and has reported its progress on, the closure of all open recommendations. In a March 30, 2010, update to GAO, and in the FPS response to Draft Report GA0-10-341, Federal Protective Service's Contract Guard Program Requires More Oversight and Reassessment of Use of Contract Guards. FPS provided evidence to support closure of seven open recommendations and to demonstrate substantial progress that has been made toward closure of all remaining open recommendations. DHS offers the following evidence that FPS is actively pursuing initiatives and implementing measures to address recommendations for which GAO indicated in the draft report there has been no activity. The draft report shows (Appendix I) nine recommendations as "not implemented." As indicated and documented in the March 30, 2010, update and the response to the GA0-10-341 draft report, FPS considers all of the open recommendations listed in Appendix I as "in process." In April, GAO recommended in its Draft Report GAO-10-341 that "FPS identify other approaches that would be cost-beneficial for protecting federal facilities," but noted that FPS had not yet implemented the recommendation. On the contrary, FPS notified GAO of progress made toward meeting this recommendation in the response to that draft report. Specifically, FPS informed GAO that since its creation in 1971, FPS has consistently examined past actions, best practices, and available resources and technology to determine the best available means to protect federal facilities. FPS added that largely due to resource constraints, FPS' approaches and options to protecting federal facilities have focused on providing more robust and analytical risk assessments, enhancing the training and oversight of protective security officers, and streamlining the implementation of countermeasures through the use of national contract vehicles. FPS also described its recently increased interaction with the research and development community, through the OHS Science and Technology Directorate, to better define requirements for the next generation of security technology. FPS explained that it is simultaneously testing new developments in countermeasures to assess their maximum effectiveness as part of the integrated set of countermeasures. GAO asserts that, "FPS has yet to evaluate whether its fee-based system or an alternative funding mechanism is most appropriate for funding the agency as we recommended in our 2008 report." However, in the March 30, 2010 update to GAO open recommendations, FPS reported that it had used preliminary data obtained from the recently deployed Activity Based Costing Framework (ABC) and risk-based workforce performance metrics to initiate an analysis of the current fee-based system and complete a study of alternative funding strategies that may better support the security and protection mission of the FPS within DHS. FPS' evaluation of the fee-based system currently used has concluded that fee collections have not been sufficient to cover projected operational costs in recent years, and the agency has faced shortfalls related to providing basic security services. Therefore, FPS conducted an Alternative Funding Model analysis with three primary objectives: (1) ensure that FPS security charges are appropriate, are aligned with operational costs, and do not result in further budgetary shortfalls; (2) possess sufficient flexibility to account for risks associated with specific buildings; and (3) clearly demonstrate the link between security charges to the customer agencies and underlying security costs. This analysis resulted in the identification and consideration of the following three alternatives, which are still being evaluated: (1) a direct FPS appropriation; (2) a more thorough review of the current fee-based system (four methodologies for assessing charges are proposed); and (3) the utilization of GSA services for billing and collection. GAO also refers to FPS' limited ability to assess the effectiveness of its efforts to protect federal facilities. It adds that FPS has identified some output measures to determine how well it is accomplishing its mission to protect federal facilities, but that FPS needs to develop outcome measures. Again. in the March 30, 2010, update, FPS responded to the GAO recommendation pertaining to performance measures by including sample outcome performance measures that have been implemented and are being monitored by FPS. Moreover, in the update, FPS reported that it has developed and is using guidelines, standards, and templates to ensure that performance, both output and outcome measures, possess the attributes recommended by GAO. FPS also explained that these measures are part of an agency-wide effort to establish a robust performance management program in response to GAO recommendations and in accordance with the guidelines of the Government Performance and Results Act, the Office of Management and Budget, and the DHS Office of Program Analysis and Evaluation. FPS concluded the update to this recommendation by adding that continuing through FY2012, implementation of automated information systems will continue to support efforts to fully address this GAO recommendation. Chief among these are the RAMP, Post Tracking System (PTS), and the Computer Aided Dispatch and Information System (CADIS). As these systems are brought on line, they are expected to provide detailed and robust information, previously unavailable, to assess FPS performance in providing integrated security and law enforcement services for the Federal community. NPPD/FPS remains committed to continuous improvement, and we will provide progress reports to you on efforts to address the previous recommendations referenced in this report. Sincerely, Signed by: Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix III GAO Contacts and Staff Acknowledgments: GAO Contact: Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: Acknowledgments: In addition to the contact name above, Tammy Conquest, Assistant Director; Jennifer Clayborne; Delwen Jones; and Susan Michal-Smith made key contributions to this report. [End of section] Footnotes: [1] This report draws upon the following primary sources: GAO, Homeland Security: Federal Protective Service's Contract Guard Program Requires More Oversight and Reassessment of Use of Contract Guards, [hyperlink, http://www.gao.gov/products/GAO-10-341] (Washington, D.C.: Apr. 13, 2010); Homeland Security: Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142] (Washington, D.C.: Oct. 23, 2009); Homeland Security: Preliminary Results Show Federal Protective Service's Ability to Protect Federal Facilities Is Hampered by Weaknesses in Its Contract Security Guard Program, [hyperlink, http://www.gao.gov/products/GAO-09-859T] (Washington, D.C.: July 8, 2009); Homeland Security: Federal Protective Service Should Improve Human Capital Planning and Better Communicate with Tenants, [hyperlink, http://www.gao.gov/products/GAO-09-749] (Washington, D.C.: July 30, 2009); and Homeland Security: The Federal Protective Service Faces Several Challenges That Hamper Its Ability to Protect Federal Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683] (Washington, D.C.: June 11, 2008). [2] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [3] On March, 10, 2008, the Interagency Security Committee issued new standards for determining the security level of federal facilities that supersede the standards developed in the Department of Justice's 1995 Vulnerability Assessment Guidelines. These guidelines have five security levels. A level I facility is typically a small storefront- type operation such as a military recruiting office with 10 or fewer employees and a low volume of public contact. A level II facility has from 11 to 150 employees; a level III facility has from 151 to 450 employees and a moderate to high volume of public contact; a level IV facility has over 450 employees, a high volume of public contact, and includes high-risk law enforcement and intelligence agencies. FPS does not have responsibility for a level V facility such as the White House or the Central Intelligence Agency. [4] [hyperlink, http://www.gao.gov/products/GAO-10-142]. [5] An FSA, formerly referred to as a building security assessment, is a type of security evaluation conducted by FPS to determine how susceptible a facility is to various forms of threats or attacks. FSAs included countermeasure recommendations to mitigate threats and reduce vulnerabilities. [6] Following the Oklahoma City bombing, Executive Order 12977 called for the creation of an Interagency Security Committee to address the quality and effectiveness of physical security requirements for federal facilities by developing and evaluating security standards. ISC has representation from all major federal departments and agencies. In 2003, the Chair of the ISC moved from GSA to DHS. [7] The NIPP was founded through the Homeland Security Presidential Directive-7 and sets forth national policy on how the plan's risk management framework and sector partnership model are to be implemented by sector-specific agencies. FPS is the agency responsible for the government facilities sector. [8] [hyperlink, http://www.gao.gov/products/GAO-09-859T] and [hyperlink, http://www.gao.gov/products/GAO-10-341]. [9] [hyperlink, http://www.gao.gov/products/GAO-09-749]. [10] [hyperlink, http://www.gao.gov/products/GAO-08-683]. [11] [hyperlink, http://www.gao.gov/products/GAO-08-863] and [hyperlink, http://www.gao.gov/products/GAO-10-236T]. [12] [hyperlink, http://www.gao.gov/products/GAO-10-236T]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO‘s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO‘s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: