Federal Protective Service
Actions Needed to Resolve Delays and Inadequate Oversight Issues with FPS's Risk Assessment and Management Program
GAO ID: GAO-11-705R July 15, 2011
The Federal Protective Service (FPS), which is within the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD), is responsible for protecting the more than 1 million federal employees and members of the public who work in and visit the over 9,000 federal facilities owned or leased by the General Services Administration (GSA) from a potential terrorist attack or other acts of violence. To accomplish its facility protection mission, FPS has about 1,200 full-time employees and approximately 13,200 contract security guards. FPS has an annual budget of about $1 billion and receives its funding from the revenues and collections of security fees charged to tenant agencies for protective services such as facility security assessments (FSA) and providing contract security guard services. Since 2008, we have issued numerous reports that address major challenges FPS faces in protecting federal facilities. For example, in 2009 and 2010 we reported that FPS had problems completing high-quality FSAs in a timely manner and did not provide adequate oversight of its contract guard program. In September 2007, FPS decided to address the challenges with its legacy security assessment and guard management systems with a new system. On August 1, 2008, DHS's Immigration and Customs Enforcement (ICE) competitively awarded and FPS funded a $21 million, 7-year contract to develop and maintain the Risk Assessment and Management Program (RAMP) system. RAMP is a web-enabled risk assessment and guard management system, and its initial implementation was scheduled for July 31, 2009. Among other things, RAMP is intended to: (1) provide FPS with the capability to assess risks at federal facilities based on threat, vulnerability, and consequence, and track countermeasures to mitigate those risks; and (2) improve the agency's ability to monitor and verify that its contract security guards are trained and certified to be deployed to federal facilities.
In response to a congressional request that we examine RAMP, this report addresses the following questions: (1) What is RAMP's current status, including whether it can be used as planned? (2) What are the factors that contributed to this status? (3) What are the actions FPS is taking to develop and implement RAMP?
RAMP is over budget, behind schedule, and cannot be used to complete FSAs and reliable guard inspections as intended. RAMP's contract award amount totals $57 million, almost three times more than the $21 million original development contract amount. As of June 2011, FPS has spent almost $35 million of the $57 million to develop RAMP. RAMP's costs increased in part because FPS changed the original system requirements and the contractor had to add additional resources to accommodate the changes. FPS also has experienced delays in developing and implementing RAMP, as it is almost 2 years behind its original July 2009 implementation date. FPS cannot use RAMP to complete FSAs because the agency did not verify the accuracy of the federal facility data it obtained from GSA or include an edit feature in RAMP that would allow inspectors to edit these data when necessary. FPS is also experiencing difficulty using RAMP to ensure that its approximately 13,200 contract guards have met training and certification requirements to be deployed at federal facilities because it does not have a process for verifying this information before it is entered into RAMP. RAMP also does not yet fully incorporate certain government security standards. For example, according to an FPS official, RAMP does not support the April 2010 ISC Physical Security Criteria for Federal Facilities because FPS did not have time to incorporate it in the June 2010 version of RAMP. FPS is planning to incorporate these standards in the next version of RAMP. Several factors have contributed to FPS being unable to use RAMP as planned. Most importantly, FPS and ICE did not adequately follow GAO's project management best practices in developing and implementing RAMP. FPS is taking some steps to address RAMP's problems. Most notably, FPS has preliminarily decided to discontinue its current RAMP development contract and is considering using a new contractor to finish developing RAMP. 
FPS is also working to incorporate ISC's Physical Security Criteria for Federal Facilities into RAMP before the next version is implemented. Given the technological changes that may have occurred since FPS began developing RAMP 4 years ago, there could be alternative systems that would better meet FPS's needs. However, FPS has not evaluated whether further developing RAMP is the most cost-beneficial approach compared to possible alternatives. In addition, FPS has not developed a plan to address the problems we found with RAMP, for example, ensuring the accuracy of federal facility and contract guard data. Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, we recommend that the Secretary of Homeland Security direct the Under Secretary of NPPD and the Director of FPS to take the following four actions: (1) evaluate whether it is cost-beneficial to finish developing RAMP or if other alternatives for completing FSAs and managing security guards would be more appropriate, (2) increase the use of project management best practices by managing requirements and conducting user acceptance testing for any future RAMP development efforts, (3) establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP, and (4) develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges. 
To improve contract administration, we recommend that the Secretary of Homeland Security direct the Directors of ICE and FPS to complete contract performance evaluations for the current RAMP contractor, and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the Federal Acquisition Regulation (FAR).
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Mark L. Goldstein
Team: Government Accountability Office: Physical Infrastructure
Phone: (202) 512-6670
GAO-11-705R, Federal Protective Service: Actions Needed to Resolve Delays and Inadequate Oversight Issues with FPS's Risk Assessment and Management Program
This is the accessible text file for GAO report number GAO-11-705R
entitled 'Federal Protective Service: Actions Needed to Resolve Delays
and Inadequate Oversight Issues with FPS's Risk Assessment and
Management Program' which was released on August 15, 2011.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
GAO-11-705R:
United States Government Accountability Office:
Washington, DC 20548:
July 15, 2011:
The Honorable Bennie G. Thompson:
Ranking Member:
Committee on Homeland Security:
House of Representatives:
Subject: Federal Protective Service: Actions Needed to Resolve Delays
and Inadequate Oversight Issues with FPS's Risk Assessment and
Management Program:
Dear Mr. Thompson:
The Federal Protective Service (FPS), which is within the Department
of Homeland Security's (DHS) National Protection and Programs
Directorate (NPPD), is responsible for protecting the more than 1
million federal employees and members of the public who work in and
visit the over 9,000 federal facilities owned or leased by the General
Services Administration (GSA) from a potential terrorist attack or
other acts of violence.[Footnote 1] To accomplish its facility
protection mission, FPS has about 1,200 full-time employees and
approximately 13,200 contract security guards. FPS has an annual
budget of about $1 billion and receives its funding from the revenues
and collections of security fees charged to tenant agencies for
protective services such as facility security assessments (FSA) and
providing contract security guard services. Since 2008, we have issued
numerous reports that address major challenges FPS faces in protecting
federal facilities. For example, in 2009 and 2010 we reported that FPS
had problems completing high-quality FSAs in a timely manner and did
not provide adequate oversight of its contract guard program.[Footnote
2]
In September 2007, FPS decided to address the challenges with its
legacy security assessment and guard management systems with a new
system. On August 1, 2008, DHS's Immigration and Customs Enforcement
(ICE) competitively awarded and FPS funded a $21 million, 7-year
contract to develop and maintain the Risk Assessment and Management
Program (RAMP) system.[Footnote 3] RAMP is a web-enabled risk
assessment and guard management system, and its initial implementation
was scheduled for July 31, 2009. Among other things, RAMP is intended
to:
* provide FPS with the capability to assess risks at federal
facilities based on threat, vulnerability, and consequence, and track
countermeasures to mitigate those risks; and
* improve the agency's ability to monitor and verify that its contract
security guards are trained and certified to be deployed to federal
facilities.[Footnote 4]
In response to your request that we examine RAMP, this report
addresses the following questions:
1. What is RAMP's current status, including whether it can be used as
planned?
2. What are the factors that contributed to this status?
3. What are the actions FPS is taking to develop and implement RAMP?
Scope and Methodology:
To answer these questions, we reviewed documents from FPS and ICE
including: RAMP's requirement and project management documents, cost
estimates, FPS's risk calculator and template, DHS's security
standards such as the National Infrastructure Protection Plan (NIPP)
and the Interagency Security Committee's (ISC) Physical Security
Criteria for Federal Facilities, and RAMP contract files. We reviewed
FPS's and ICE's requirement and project documents to determine whether
FPS complied with selected GAO and industry best practices in project
management such as: managing changes in requirements and conducting
user acceptance testing in developing and implementing RAMP.[Footnote
5] These practices were selected because they are critical in
developing information technology systems. To understand how FPS is
conducting risk assessments currently, we also reviewed FPS's risk
calculator and FSA template. We reviewed the original and follow-on
RAMP contracts and contract documentation files to determine if FPS
and ICE complied with DHS's acquisition policy and the Federal
Acquisition Regulation (FAR).
In addition, we interviewed officials at FPS, ICE, DHS, NPPD, GSA;
officials from 5 tenant agencies in GSA buildings; the primary RAMP
contractor; and 7 of FPS's 37 contract guard vendors. We selected
these contractors based on the number of guards they employed and
geographic locations. We also visited 2 of FPS's 11 regions and
interviewed regional directors, commanders, and inspectors about their
use of RAMP and the FSA template and risk calculator, and observed
guard post inspections. We selected these regions based on criteria
such as: number of federal facilities in the region and their facility
security levels, the number of contract guards in the region, and
geographic dispersion. Our work is not generalizable to all FPS's
regions and guard contractors.
We conducted this performance audit from July 2010 through July 2011
in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.
Results in Brief:
RAMP is over budget, behind schedule, and cannot be used to complete
FSAs and reliable guard inspections as intended. RAMP's contract award
amount totals $57 million, almost three times more than the $21
million original development contract amount. As of June 2011, FPS has
spent almost $35 million of the $57 million to develop RAMP. RAMP's
costs increased in part because FPS changed the original system
requirements and the contractor had to add additional resources to
accommodate the changes. FPS also has experienced delays in developing
and implementing RAMP, as it is almost 2 years behind its original
July 2009 implementation date. FPS cannot use RAMP to complete FSAs
because the agency did not verify the accuracy of the federal facility
data it obtained from GSA or include an edit feature in RAMP that
would allow inspectors to edit these data when necessary. FPS is also
experiencing difficulty using RAMP to ensure that its approximately
13,200 contract guards have met training and certification
requirements to be deployed at federal facilities because it does not
have a process for verifying this information before it is entered
into RAMP. RAMP also does not yet fully incorporate certain government
security standards. For example, according to an FPS official, RAMP
does not support the April 2010 ISC Physical Security Criteria for
Federal Facilities because FPS did not have time to incorporate it in
the June 2010 version of RAMP.[Footnote 6] FPS is planning to
incorporate these standards in the next version of RAMP.
Several factors have contributed to FPS being unable to use RAMP as
planned. Most importantly, FPS and ICE did not adequately follow GAO's
project management best practices in developing and implementing RAMP.
For example, FPS did not manage requirement changes or conduct user
acceptance testing with its inspectors as part of RAMP's development.
[Footnote 7] In addition, ICE did not always comply with DHS's
acquisition policy and the FAR as we found that contractor performance
evaluations were not completed. Contractor performance evaluations are
important tools for ensuring that the contractor meets the terms of
the contract.
FPS is taking some steps to address RAMP's problems. Most notably, FPS
has preliminarily decided to discontinue its current RAMP development
contract and is considering using a new contractor to finish
developing RAMP. FPS is also working to incorporate ISC's Physical
Security Criteria for Federal Facilities into RAMP before the next
version is implemented. Given the technological changes that may have
occurred since FPS began developing RAMP 4 years ago, there could be
alternative systems that would better meet FPS's needs. However, FPS
has not evaluated whether further developing RAMP is the most
cost-beneficial approach compared to possible alternatives. In addition,
FPS has not developed a plan to address the problems we found with
RAMP, for example, ensuring the accuracy of federal facility and
contract guard data. See enclosure I for more information.
Conclusions:
After almost 4 years of effort and spending almost $35 million, FPS
has not accomplished its goals of using RAMP to complete FSAs and
reliable guard inspections. Consequently, until FPS resolves RAMP's
problems, FPS will not have a comprehensive method of identifying
risks to federal facilities or a reliable method for overseeing its
contract guard workforce. While FPS plans to take some actions, if it
does not take additional steps to specifically address the problems we
found, these problems are likely to continue. It is also crucial that
FPS take immediate steps to follow project management best practices
in further development of RAMP or any alternative system. Until FPS
does so, it risks repeating some of the same mistakes it made during
the last 4 years, which have resulted in significant expenditures on a
risk assessment and management system that is not functional.
Completing the required contractor performance evaluations and
ensuring that contract files are maintained in accordance with DHS and
FAR requirements is important. For example, completing the required
contractor performance evaluations would have provided FPS and ICE
officials with the ability to assess the contractor's performance
during key phases of RAMP's development and the opportunity to take
corrective action if necessary. Maintaining contract files that comply
with DHS's acquisition policy and the FAR is also important because
the contract files should contain information that explains the basis
for key acquisition decisions.
FPS's ongoing efforts to protect federal facilities should not be
impeded by its decision to finish developing RAMP, particularly since
the agency continues to charge GSA and tenant agencies millions of
dollars to protect their facilities. Thus, it is important that FPS
not only resolve the problems with RAMP but also, while doing so,
continue to pursue interim measures to enhance the protection of the
over 1 million government employees and members of the public that
visit such facilities each year from a potential terrorist attack or
other acts of violence. Finally, we agree with FPS that incorporating
the ISC's Physical Security Criteria for Federal Facilities into RAMP
is important and encourage FPS to continue its efforts to ensure that
this happens before the next version of RAMP is rolled out.
Recommendations for Executive Action:
Given the challenges FPS faced thus far with developing RAMP,
technological changes that may have occurred in the last 4 years, and
to help guide and ensure the successful development and implementation
of any risk assessment and contract guard management system, we
recommend that the Secretary of Homeland Security direct the Under
Secretary of NPPD and the Director of FPS to take the following four
actions:
* evaluate whether it is cost-beneficial to finish developing RAMP or
if other alternatives for completing FSAs and managing security guards
would be more appropriate,
* increase the use of project management best practices by managing
requirements and conducting user acceptance testing for any future
RAMP development efforts,
* establish a process for verifying the accuracy of federal facility
and guard training and certification data before entering them into
RAMP, and
* develop interim solutions for completing FSAs and guard inspections
while addressing RAMP's challenges.
To improve contract administration, we recommend that the Secretary of
Homeland Security direct the Directors of ICE and FPS to complete
contract performance evaluations for the current RAMP contractor, and
ensure that the evaluations and other required documents are
maintained in the contract file in accordance with DHS's acquisition
policy and the FAR.
Agency Comments and Our Evaluation:
We provided a draft of this letter and attached enclosures to DHS for
comment. DHS concurred with our recommendations and provided technical
comments that we incorporated where appropriate.
As agreed upon with your office, unless you publicly announce the
contents of this report earlier, we plan no further distribution until
30 days from the report date. At that time, we will send copies of
this report to appropriate congressional committees, the Secretary of
Homeland Security, and the Director of the FPS. The report will be
available at no charge on GAO's website at
http://www.gao.gov/.
If you or your staff members have any questions about this
information, please contact me at (202) 512-2834 or
goldsteinm@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Additionally, Tammy Conquest, Assistant Director; Greg Hanna;
Alicia Loucks; Justin Reed; Amy Rosewarne; Susan Michal-Smith; and
Frank Taliaferro made key contributions to this report.
Sincerely yours,
Signed by:
Mark Goldstein:
Director, Physical Infrastructure Issues:
Enclosures - 4:
Enclosure I: RAMP Briefing Report:
Federal Protective Service: Actions Needed to Resolve Delays and
Inadequate Oversight Issues with FPS's Risk Assessment and Management
Program:
Briefing for the Ranking Member, Committee on Homeland Security,
House of Representatives:
For more information, contact Mark Goldstein, goldsteinm@gao.gov or
202-512-2834.
Overview:
* Introduction;
* Background;
* Objectives;
* Summary of Results;
* RAMP Is Over Budget, Behind Schedule, and Cannot Be Used to Complete
FSAs and Reliable Guard Inspections;
* FPS Did Not Follow Some Project Management Best Practices in
Developing and Implementing RAMP;
* FPS Is Taking Some Steps to Address RAMP's Problems;
* Conclusions;
* Recommendations for Executive Action;
* Agency Comments and Our Evaluation;
Introduction:
The Federal Protective Service (FPS), which is within the Department
of Homeland Security's (DHS) National Protection and Programs
Directorate (NPPD), is responsible for protecting the more than 1
million federal employees and members of the public who work in and
visit the over 9,000 federal facilities owned or leased by the General
Services Administration (GSA) from a potential terrorist attack or
other acts of violence.[Footnote 8] To accomplish its facility
protection mission, FPS has about 1,200 full-time employees and
approximately 13,200 contract security guards.
FPS has an annual budget of about $1 billion and receives its funding
from the revenues and collections of security fees charged to tenant
agencies for protective services such as conducting facility security
assessments (FSA) and providing contract guard services.
Since 2008, GAO has issued numerous reports that discuss major
challenges FPS faces in protecting these facilities. For example, in
2009 we reported that FPS had problems with completing high-quality
FSAs in a timely manner and could not comprehensively assess risk
across federal facilities.[Footnote 9] We also found in 2010 that FPS
lacked adequate oversight of its contract guard program.[Footnote 10]
Background:
In September 2007, FPS decided to replace its legacy facility security
assessment and guard management systems with a new system. On August
1, 2008, DHS's Immigration and Customs Enforcement (ICE) competitively
awarded and FPS funded a $21 million, 7-year (1 base year and 6 option
years) cost-plus fixed fee contract to develop and maintain the Risk
Assessment and Management Program (RAMP) system. RAMP is a web-enabled
risk assessment and guard management system and was to, among other
things:
* provide FPS with the capability to assess risks to federal
facilities based on threat, vulnerability, and consequence, and track
countermeasures to mitigate those risks; and
* improve FPS's ability to monitor and verify that its approximately
13,200 guards are trained and certified to be deployed to federal
facilities.[Footnote 11]
According to the original development contract, RAMP was to be
designed, developed, and implemented in three phases and completed by
July 31, 2011.
* Phase 1 would create a system that would enable a user to conduct
FSAs that would assess risks, calculate a risk score, and recommend
countermeasures for facilities by July 31, 2009.
* Phase 2 would add the capability to manage FPS's contract guard
workforce, including monitoring whether individual guards were
certified by July 31, 2010.
* Phase 3 would add more functions to the system, such as providing
FPS with the ability to modify imported GSA facility data and
assessing risks across FPS's portfolio of federal facilities by July
31, 2011.
FPS also developed RAMP to comply with government security standards,
such as those outlined by DHS's National Infrastructure Protection
Plan (NIPP) and the Interagency Security Committee (ISC), which were
not incorporated in FPS's previous risk assessment system.
* The NIPP sets forth DHS's coordinated approach to protect the
nation's critical infrastructure and key resources to reduce
vulnerability, deter threats, and minimize the consequences of attacks
and other incidents.
* The ISC Physical Security Criteria for Federal Facilities
establishes a baseline set of countermeasures to be applied to all
federal facilities based on their facility security level, and
provides a framework for customizing security countermeasures to
address the unique risks faced at each facility.
Finally, during RAMP's initial development, FPS was part of ICE. ICE
provided software development and project management technical
expertise and was responsible for awarding, administering, and
overseeing the contract. FPS funded RAMP's development and was
responsible for defining RAMP's requirements.
Objectives:
Our objectives for this briefing are to discuss:
(1) RAMP's current status, including whether it can be used as planned;
(2) factors that contributed to this status; and
(3) actions FPS is taking to develop and implement RAMP.
Summary of Results:
RAMP is over budget, behind schedule, and cannot be used as intended.
RAMP's contract award amount totals $57 million, almost three times
more than the $21 million original development contract amount. As of
June 2011, FPS has spent almost $35 million of the $57 million to
develop RAMP. FPS also has experienced delays in developing and
implementing RAMP, as it is almost 2 years behind its original July
2009 implementation date. FPS cannot use RAMP to complete FSAs because
the agency did not verify the accuracy of the federal facility data it
obtained from GSA or include an edit feature in RAMP that would allow
inspectors to edit these data when necessary.
FPS is also experiencing difficulty using RAMP to ensure that its
approximately 13,200 contract guards have met training and
certification requirements to be deployed at federal facilities
because it does not have a process for verifying this information
before it is entered into RAMP.
RAMP also does not yet fully incorporate certain government security
standards. For example, according to an FPS official, RAMP does not
support the April 2010 ISC Physical Security Criteria for Federal
Facilities because FPS did not have time to incorporate it in the June
2010 version of RAMP. FPS is planning to incorporate these standards
in the next version of RAMP.
Several factors have contributed to FPS being unable to use RAMP as
planned. Most importantly, FPS and ICE did not adequately follow GAO's
project management best practices in developing and implementing RAMP.
[Footnote 12] For example, FPS did not manage requirement changes or
conduct user acceptance testing with its inspectors as part of RAMP's
development. In addition, ICE did not always comply with DHS's
acquisition policy and the Federal Acquisition Regulation (FAR), as we
found that contractor performance evaluations were not completed.
Contractor performance evaluations are one of the most important tools
for ensuring that the contractor meets the terms of the contract.
FPS is taking some steps to address RAMP's problems. Most notably,
FPS has preliminarily decided to discontinue its current RAMP
development contract and is considering using a new contractor to
finish developing RAMP. Given the technological changes that may have
occurred since FPS began developing RAMP 4 years ago, there could be
alternative systems that would better meet FPS's needs. However,
FPS has not evaluated whether further developing RAMP is the most
cost-beneficial option compared to possible alternatives. In addition,
FPS has not developed a plan to address the problems we found with
RAMP, for example ensuring the accuracy of federal facility and
contract guard data.
Objective 1: What is RAMP's current status?
RAMP Is Over Budget, Behind Schedule, and Cannot Be Used to Complete
FSAs and Reliable Guard Inspections:
RAMP Is Over Budget:
RAMP's potential costs have increased significantly from the initial
award amount. RAMP's contract award amount totals $57 million, almost
three times more than the $21 million original development contract
amount. As of June 2011, FPS has spent almost $35 million of the $57
million to develop RAMP. RAMP's costs increased, in part, because:
* FPS changed the original requirements and the contractor had to add
additional resources to accommodate them (for example, FPS requested
that RAMP operate independently of the web); and
* FPS incurred unanticipated costs associated with meeting DHS's
Office of Security requirement for a more secure laptop.
RAMP Is Behind Schedule:
RAMP has been under development for almost 4 years and is currently
almost 2 years behind its original July 2009 implementation date. FPS
planned to complete the FSA component of RAMP by July 31, 2009, the
contract guard inspection module by July 31, 2010, and the capability
to modify imported GSA facility data and assess risk across FPS's
portfolio of federal facilities by July 31, 2011. However, as of June
2011, FPS cannot
reliably use RAMP to complete FSAs because the agency did not verify
the accuracy of the federal facility data it obtained from GSA. See
enclosure II for a timeline of RAMP's original and actual milestones.
RAMP Cannot Be Used to Complete FSAs:
One of the key functions of RAMP was to significantly improve how FPS
completes FSAs. Specifically, with RAMP, FPS was supposed to be able
to complete FSAs that were based on threat, vulnerability, and
consequence. Moreover, FPS would be able to complete FSAs according to
government security standards. However, FPS officials said RAMP cannot
be used to complete FSAs because data for federal facilities (e.g.,
the address, government tenants, or the number of floors) obtained from
GSA are either missing or unreliable. In addition, FPS did not design
RAMP to allow inspectors to edit these data from GSA when necessary,
which would have led to incomplete FSA reports.
Although GSA officials informed FPS that the facility data had
limitations and were not designed for FPS's purpose, an FPS official
stated that the agency chose to use these data in RAMP because they
were the best source available on federal facilities. However, FPS did
not verify the completeness or accuracy of the data. We have reported
that agencies should consider the level of risk associated with using
data that have missing values in key elements.[Footnote 13]
Instead of using RAMP to complete FSAs as planned, FPS inspectors are
using a risk calculator spreadsheet and FSA template document.
According to FPS guidance, inspectors are to use the calculator to
determine threat, vulnerability, and consequence information for
facilities. This information is then entered into the template and
provided to tenant agencies as a report. There are several issues with
these tools. First, according to an FPS official, the template does
not meet the ISC standards because it should associate a facility's
risks with appropriate countermeasures. Second, because these tools
produce individual reports and FPS does not aggregate their results,
the agency's ability to assess risk across its portfolio of federal
facilities remains limited.
Third, FPS stakeholders also raised concerns about the FSA risk
calculator and template. For example, in December 2010, FPS training
personnel at the Federal Law Enforcement Training Center identified
problems with the risk calculator and decided not to teach new
inspectors how to use the FSA risk calculator or template. An FPS area
commander also said that to identify credible threats using the FSA
template, inspectors are using the same subjective approach used in
FPS's previous security assessment tool. As a result of the problems
with this tool, FPS does not currently employ a comprehensive method
for assessing risk to federal facilities but instead must rely on more
manual methods until the permanent solution to the problem is
implemented.
RAMP Cannot Be Used to Complete Reliable Guard Inspections:
FPS designed RAMP to help manage its contract guard workforce,
including conducting guard post inspections, but the agency is
experiencing difficulty using RAMP to ensure that its approximately
13,200 contract guards have the required training and certifications
to be deployed at federal facilities. FPS is using RAMP to conduct
guard post inspections to ensure that qualified guards are standing
post, but neither FPS's guard training and certification information
nor its method for determining the qualification status of contract
guards in RAMP is reliable.
FPS does not have reliable information on its contract guards, in part
because it did not fully verify the accuracy of the guard training and
certification information from its previous system before migrating it
into RAMP, as we recommended in 2010.[Footnote 14] In addition, FPS
relies on guard companies to electronically submit guard training and
certification information and does not verify these data before they
are uploaded into RAMP. As a result, some guards may be designated in
RAMP as unqualified when they are qualified, or as qualified when they
are unqualified.
Furthermore, once guard training and certification information is
uploaded into RAMP, FPS still cannot internally verify this
information because it no longer maintains physical files. Also,
inspectors cannot verify this information during guard post
inspections because FPS no longer requires guards to carry certain
physical credentials, such as a firearms qualification and training
certificate.
According to FPS headquarters officials, each region is required to
audit 10 percent of each guard company's files each month to determine
if they contain the required training and certification information.
However, the process for selecting the 10 percent can vary by region
and guard company, and FPS does not use the results of those audits to
verify the information in RAMP.
In addition to challenges with the reliability of its guard
information, FPS is also experiencing difficulty using RAMP to
determine whether a guard is qualified. For example, FPS did not
design RAMP to:
* take into account the differences in guard certification
requirements specified in FPS's 119 contracts;
* distinguish between newly hired guards in training and guards that
are unqualified because they have not met training and certification
requirements; or
* account for training and certification records when a guard works
for more than one company.
These factors contribute to FPS having limited assurance that RAMP can
be used to determine whether or not a guard is qualified to stand post
at a federal facility. We have previously reported that an agency must
have reliable information relating to its mission on a real-time
basis to effectively manage and control its operations, and should
ensure that data validation is performed to identify erroneous data.
[Footnote 15]
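The three design gaps listed above can be made concrete with a short
sketch of a qualification check that handles each of them. This is an
added example, not code from RAMP, FPS or GAO; the contract names,
certification names, the 30-day training window and the rule that a
certification follows the guard across companies are all assumptions
made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Status(Enum):
    QUALIFIED = "qualified"
    IN_TRAINING = "in_training"    # new hire still inside the training window
    UNQUALIFIED = "unqualified"    # past the window, requirement unmet or lapsed


@dataclass(frozen=True)
class Guard:
    guard_id: str                  # hypothetical identifier, stable across companies
    hire_date: date


@dataclass(frozen=True)
class CertRecord:
    guard_id: str
    company: str                   # guard company that submitted the record
    cert: str                      # constructed names: "BASIC", "CPR", "FIREARMS"
    expires: date


@dataclass(frozen=True)
class Result:
    status: Status
    missing: frozenset

    @property
    def may_stand_post(self):
        # Only a fully qualified guard may stand post; trainees may not.
        return self.status is Status.QUALIFIED


# Gap 1: requirements differ per contract (constructed values).
CONTRACT_REQUIREMENTS = {
    "CONTRACT-A": frozenset({"BASIC", "CPR", "FIREARMS"}),
    "CONTRACT-B": frozenset({"BASIC", "CPR"}),
}
TRAINING_WINDOW_DAYS = 30          # assumption, not an FPS figure


def current_certs(guard_id, records, on):
    """Gap 3: pool unexpired records for one guard across every company."""
    return frozenset(
        r.cert for r in records if r.guard_id == guard_id and r.expires >= on
    )


def qualification(guard, contract, records, on):
    """Classify one guard against one contract's requirements on a given day."""
    if contract not in CONTRACT_REQUIREMENTS:
        raise ValueError(f"no requirements on file for {contract!r}")
    missing = CONTRACT_REQUIREMENTS[contract] - current_certs(
        guard.guard_id, records, on
    )
    if not missing:
        return Result(Status.QUALIFIED, frozenset())
    # Gap 2: a recent hire with open requirements is a trainee, not a failure.
    if (on - guard.hire_date).days <= TRAINING_WINDOW_DAYS:
        return Result(Status.IN_TRAINING, missing)
    return Result(Status.UNQUALIFIED, missing)


# Constructed sample data, for illustration only.
ON = date(2011, 6, 1)
G1 = Guard("G-001", date(2009, 1, 5))    # works for two companies
G2 = Guard("G-002", date(2011, 5, 20))   # hired 12 days before ON
G3 = Guard("G-003", date(2008, 3, 1))    # CPR has lapsed
G4 = Guard("G-004", date(2010, 2, 1))    # no firearms qualification
SAMPLE_RECORDS = [
    CertRecord("G-001", "Alpha", "BASIC", date(2012, 1, 1)),
    CertRecord("G-001", "Alpha", "CPR", date(2012, 1, 1)),
    CertRecord("G-001", "Bravo", "FIREARMS", date(2011, 12, 31)),
    CertRecord("G-002", "Alpha", "BASIC", date(2012, 5, 20)),
    CertRecord("G-003", "Alpha", "BASIC", date(2012, 3, 1)),
    CertRecord("G-003", "Alpha", "CPR", date(2011, 3, 1)),
    CertRecord("G-004", "Bravo", "BASIC", date(2012, 2, 1)),
    CertRecord("G-004", "Bravo", "CPR", date(2012, 2, 1)),
]

if __name__ == "__main__":
    for guard, contract in [(G1, "CONTRACT-A"), (G2, "CONTRACT-A"),
                            (G3, "CONTRACT-B"), (G4, "CONTRACT-A"),
                            (G4, "CONTRACT-B")]:
        res = qualification(guard, contract, SAMPLE_RECORDS, ON)
        print(guard.guard_id, contract, res.status.value, sorted(res.missing))
```

The check is only as trustworthy as the records passed to it, so it
does not replace verifying submitted data against source documents.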
FPS Has Experienced Difficulty Incorporating Certain Government
Security Standards:
FPS intended for RAMP to support government security standards, such
as the NIPP, and to implement ISC security standards, both of which
were lacking in the previous systems. Compliance with DHS's NIPP risk
assessment framework is important because it ensures that FPS is
calculating risk in a manner consistent with other agencies with
federal protection responsibilities. Similarly, compliance with ISC
standards provides agencies with federal protection responsibilities a
consistent approach to mitigate risks at federal facilities.
RAMP meets the NIPP's risk assessment framework by including questions
to determine the threats, vulnerabilities, and consequences associated
with a facility, and calculating an overall numerical risk score for
the facility based on the product of these factors. However, according
to an FPS official, RAMP does not yet support the April 2010 ISC
Physical Security Criteria for Federal Facilities because FPS did not
incorporate them in the June 2010 version of RAMP. FPS is planning to
incorporate these standards in the next version of RAMP.
Objective 2: What factors contributed to RAMP's current status?
FPS Did Not Follow Some Project Management Best Practices in
Developing and Implementing RAMP:
GAO's project management best practices indicate that agencies should
manage changes in requirements and conduct user acceptance testing.
FPS did not follow these practices in developing RAMP. For example,
while FPS originally planned for RAMP Phase 1 to focus on FSAs, FPS
changed the requirements for this phase to include the development of
the contract guard module. Additionally, FPS changed RAMP from
requiring an Internet connection to a system that users could work on
while not connected to the Internet and that would also meet ICE
network security standards. The contractor informed FPS that these
requirement changes were beyond the contract scope and would take more
time and resources.
FPS and ICE officials authorized the contractor to add staff to
implement the changes requested by FPS and resulting additional work,
but did not agree to extend the deadline for deploying RAMP. This
authorization resulted in FPS spending the entire $21 million original
contract amount by April 2010, as opposed to 2015 when the 7-year
contract was supposed to end. However, this increase in resources was
not effective, as the contractor could not deliver a functional RAMP
on this schedule. Our prior work on information technology project
management indicates that increasing staff to speed up work is
generally not effective and can actually cause greater delays because
of the need to coordinate the work and integrate new staff onto the
project.[Footnote 16]
Additionally, in order to deploy RAMP in November 2009, FPS and ICE
did not conduct user acceptance testing with its inspectors, which is
a GAO project management best practice. Although the contractor
conducted limited system testing, FPS and ICE did not conduct user
acceptance testing, which could have identified technical and design
problems before RAMP was deployed.[Footnote 17] For example, during
the initial rollout of RAMP, many inspectors had problems logging in
and thus were not able to use it. In another example, once logged into
RAMP, some inspectors experienced significant delays because RAMP
downloaded training and certification information on approximately
13,200 guards although the inspector did not need all of this
information. Our previous work indicates that user acceptance and
system testing help programs meet technical requirements to deliver
needed capabilities, and proceeding with acquisitions prior to the
completion of testing can result in delays in achieving technical
capability.[Footnote 18]
As part of DHS, ICE and FPS are required to comply with DHS's
Homeland Security Acquisition Regulation and the FAR. For example,
DHS and the FAR require that a performance evaluation be completed
annually and at the conclusion of the contract for those contracts
exceeding $100,000. These evaluations are one of the most important
tools for ensuring that the contractor meets the terms of the contract.
DHS policy also requires contracting officials to consider past
performance as one of several evaluation factors in awarding new
contracts.
However, when we reviewed the original RAMP contract file in March
2011, we did not find any performance evaluations for the RAMP
contractor. According to ICE contracting officials, the performance
evaluations were not completed because developing and implementing an
initial version of RAMP was the higher priority.
We also did not find any documentation in the contract files that
ICE took action against the contractor for performance issues,
although an ICE official provided us with a March 2010 memorandum to
the contractor indicating performance issues. Specifically, the
memorandum noted that, as of February 2010, RAMP was over budget,
behind schedule, and not performing as expected. This memo is the
first official indication that ICE was not satisfied with the
contractor's performance. In response to this memo, the contractor
provided a corrective action plan in April 2010 to address the
performance issues.
Finally, although DHS's acquisition policy and the FAR specify that
the basis for changes to contracts should be documented, we found that
key decisions regarding the change in RAMP's requirements were not
documented in the contract files. For example, the justification for the
decision to spend the entire $21 million of the original contract in
less than 2 years was not documented in the contract files. According
to ICE contracting officials, these documents were also not completed
because developing and implementing the initial version of RAMP was a
higher priority.
Objective 3: What are the actions FPS is taking to develop and
implement RAMP?
FPS Is Taking Some Steps to Address RAMP's Problems:
FPS is taking some steps to address RAMP's problems. For example,
FPS's Director acknowledges that RAMP is not working, and that
continuing the current course will not make it functional. As a
result, FPS has preliminarily decided to discontinue its current
development contract and is considering a new contractor to finish
developing RAMP. According to FPS officials, this change will, among
other things, reduce development costs and increase the functionality
of RAMP. In addition, FPS plans to conduct user testing with its
inspectors to ensure that the next version of RAMP functions,
integrates stakeholder comments, and incorporates ISC standards.
Given the technological changes that may have occurred since FPS began
developing RAMP 4 years ago, there may be alternative FSA and guard
management systems that would better meet FPS's needs. However, FPS
has not evaluated whether further developing RAMP is the most cost-
beneficial option or if alternative systems would better meet FPS's
needs. In addition, FPS has not developed a plan to address all the
problems we found with RAMP, such as ensuring the accuracy of federal
facility and contract guard data.
Conclusions:
After almost 4 years of effort and spending almost $35 million, FPS
has not accomplished its goals of using RAMP to complete FSAs and
reliable guard inspections. Consequently, until FPS resolves RAMP's
problems, FPS will not have a comprehensive method of identifying
risks to federal facilities or a reliable method for overseeing its
contract guard workforce. While FPS plans to take some actions, if it
does not take additional steps to specifically address the problems we
found, these problems are likely to continue. It is also important
that FPS take immediate steps to follow project management best
practices in further development of RAMP or any alternative. Until FPS
does so, it risks repeating some of the same mistakes it made during
the last 4 years, which have resulted in a risk assessment and
management system that is not functional.
Completing the required contractor performance evaluations and
ensuring that contract files are maintained in accordance with DHS and
the FAR is important. For example, completing the required contractor
performance evaluations would have provided FPS and ICE officials with
the ability to assess the contractor's performance during key phases
of RAMP's development and the opportunity to take corrective action if
necessary. Maintaining contract files that comply with DHS's
acquisition policy and the FAR is also important because the contract
files should contain information that explains the basis for key
acquisition decisions.
FPS's ongoing efforts to protect federal facilities should not be
impeded by its decision to finish developing RAMP, particularly since
the agency continues to charge GSA and tenant agencies millions of
dollars to protect their facilities. Thus, it is important that FPS
not only resolve challenges with RAMP but also concurrently pursue
interim measures to enhance the protection of the over 1 million
government employees and members of the public that visit such
facilities each year from a potential terrorist attack or other acts
of violence. Finally, we agree with FPS that incorporating the ISC
Physical Security Criteria for Federal Facilities into RAMP is
important, and encourage FPS to continue its efforts to ensure that
this happens before the next version of RAMP is rolled out.
Recommendations for Executive Action:
Given the challenges FPS faced with developing RAMP, technological
changes that may have occurred in the last 4 years, and to help guide
and ensure the successful development and implementation of any future
risk assessment and contract guard management system, we recommend
that the Secretary of Homeland Security direct the Under Secretary of
NPPD and the Director of FPS to take the following four actions:
* evaluate whether it is cost-beneficial to finish developing RAMP or
if other alternatives for completing FSAs and managing security guards
would be more appropriate;
* increase the use of project management best practices by managing
requirements and conducting user acceptance testing for future RAMP
development efforts;
* establish a process for verifying the accuracy of federal facility
and guard training and certification data before entering them into
RAMP; and
* develop interim solutions for completing FSAs and guard inspections
while addressing RAMP's challenges.
To improve contract administration, we recommend that the Secretary of
Homeland Security direct the Directors of ICE and FPS to complete
contract performance evaluations for its current RAMP contractor and
ensure that the evaluations and other required documents are
maintained in the contract file in accordance with DHS's acquisition
policy and the FAR.
Agency Comments and Our Evaluation:
We provided a draft of these briefing slides and enclosures to DHS for
comment. DHS concurred with our recommendations and provided technical
comments that we incorporated where appropriate.
[End of briefing slides]
Enclosure II: Risk Assessment and Management Program (RAMP) Detailed
Timeline and Capability:
[Refer to PDF for image: timeline]
Original milestones:
April 2007:
Initial planning.
August 1, 2008:
RAMP development contract awarded.
July 31, 2009:
End of contract base year and original deadline for release of RAMP
Phase 1.
July 31, 2010:
End of option year 1 and original deadline for release of RAMP Phase 2.
July 31, 2011:
End of option year 2 and original deadline for release of RAMP Phase 3.
July 31, 2012:
End of option year 3.
July 31, 2013:
End of option year 4.
July 31, 2014:
End of option year 5.
July 31, 2015:
End of option year 6 and original end of RAMP's life cycle.
Actual schedule:
April 2007:
Initial planning.
August 1, 2008:
RAMP development contract awarded.
March 10, 2009:
Contract modification to provide funding for different laptops.
May 27, 2009:
Exercise option period in its entirety, increasing the contract amount.
November 16, 2009:
Federal Protective Service (FPS) launches initial version of RAMP.
November 2009–April 2010:
RAMP users encounter challenges with the log-in credential process and
extensive processing time delays following the release of the initial
version of RAMP.
December 29, 2009:
Exercise option years 4, 5, and 6 early.
April 12, 2010:
Release of next RAMP version to enhance processing capabilities.
June 4, 2010:
Signed 2-year follow-on contract, first year fully funded up front.
June 28, 2010:
Release of next RAMP version to enhance processing capabilities.
July 26, 2010:
Word Facility Security Assessment (FSA) template and Excel risk
calculator issued to FPS inspectors to complete FSAs.
January 2012 (anticipated milestone):
Anticipated release for next RAMP version.
September 20, 2022 (anticipated milestone):
Current projected end of RAMP's life cycle.
Source: GAO analysis of FPS data.
[End of figure]
[End of section]
Enclosure III: Federal Protective Service's (FPS) Process for Entering
Guard Training and Certification Information into Risk Assessment and
Management Program (RAMP):
Step 1: Within 7 days of a certifying event (e.g., completing
cardiopulmonary resuscitation training), FPS requires guard companies
to electronically submit guard training and certification information
to FPS through an extensible markup language (XML) forms format, such
as Microsoft InfoPath.[Footnote 19]
Step 2: An FPS contractor uploads the XML forms into RAMP. FPS
requires that the guard training and certification information be
uploaded within 24 hours of submission from the guard company.
Step 3: RAMP refreshes daily to include new uploads. During the
refresh period, RAMP may reject a guard company's submission because
of data input errors such as mismatched Social Security numbers or a
misspelled name. The guard company then has to correct the guard
information and resubmit it to FPS to be reuploaded into RAMP.
Step 4: At this point in the process, guard training and certification
information is available in RAMP for guard post inspections.
Source: GAO analysis of FPS information.
Enclosure IV: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
July 8, 2011:
Mark L. Goldstein:
Director, Physical Infrastructure Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Re: Draft Report GAO-11-705R, "Federal Protective Service: Actions
Needed to Resolve Delays and Inadequate Oversight Issues with FPS's Risk
Assessment and Management Program"
Dear Mr. Goldstein:
Thank you for the opportunity to review and comment on this draft
report. The U.S. Department of Homeland Security (DHS) appreciates the
U.S. Government Accountability Office's (GAO's) work in planning and
conducting its review and issuing this report on the Federal
Protective Service's (FPS's) Risk Assessment and Management Program
(RAMP).
RAMP is intended to provide FPS personnel with a centralized source of
information for Federal facilities they protect. The DHS National
Protection and Programs Directorate (NPPD)/FPS is responsible for the
safety of more than a million people who pass through our security
portals each day. Our contracted Protective Security Officers (PSOs)
conduct millions of inspections each year in pursuit of genuine
security, and not just the illusion of it. More than 700,000 dangerous
objects and contraband, including weapons, are confiscated each year
from entrants at NPPD/FPS screening posts. Our NPPD/FPS officers and
inspectors conduct facility security assessments (FSAs), cover more than
1,000 demonstrations and disturbances, and make more than 1,600
arrests annually.
Addressing GAO recommendations is a top priority for NPPD/FPS, and
work is under way to resolve the issues identified in this report,
including GAO's determination that deficiencies in RAMP development
may have impacted security at Federal facilities. As stated above, FPS
conducts comprehensive FSAs to identify credible threats for each
facility and assess specific vulnerabilities and likely consequences
associated with those threats. It should be noted that FSAs are one
piece of the protective services provided to the Federal community and
FPS's other efforts, such as patrol and response, tenant awareness
training, countermeasure testing, etc., are ongoing and have a direct
bearing on the security of Federal facilities.
The development of RAMP has been under way for nearly 4 years. Yet,
after careful consideration and review, FPS has determined that RAMP
development, as it was being pursued, was not cost-effective and has not
fulfilled its original goals. However, FPS has a continuing need for
elements of RAMP and its basic functionality, which is discussed
further in the Departmental response to GAO's specific recommendations.
The draft report contained five recommendations, with which DHS
concurs. Specifically, GAO recommended that the Secretary of Homeland
Security direct the Under Secretary of NPPD and the Director of FPS
take the following actions:
Recommendation 1: Evaluate whether it is cost beneficial to finish
developing RAMP or if other alternatives for completing FSAs and
managing security guards would be more appropriate.
Response: Concur. NPPD/FPS is revalidating RAMP requirements with its
stakeholders and accessing next generation architecture to ensure that
future RAMP investments deliver robust capability to the end user, and
maximize network efficiencies and information sharing. NPPD/FPS has
already begun carefully assessing alternative programs, such as the
DHS Science and Technology Directorate's recommended Integrated Rapid
Visual Screen solution and the NPPD/Office of Infrastructure
Protection (IP) Infrastructure Survey Tool (IST). Thus far, the
results of our preliminary assessment indicate that, at a minimum,
NPPD/FPS will gain efficiencies and improve RAMP capability by
leveraging the IST that is housed on the Link Encrypted Network System
(LENS), an NPPD/IP gateway. With this adjustment, NPPD/FPS will move
toward greater collaboration and integration with other NPPD elements.
While RAMP is re-engineered to incorporate threat level calculations,
recommended countermeasures, and Interagency Security Committee
standards, a version of IST was selected as an interim solution,
enabling NPPD/FPS to continue processing credible FSAs.
Placing RAMP on the same network backbone will enable information
sharing between NPPD/IP and NPPD/FPS, which will further enhance the
Department's ability to protect Federal facilities. Presently, the
Department of Energy (DOE), Argonne National Laboratory (ANL) supports
LENS. Further, our preliminary assessment also indicates that
development of RAMP by DOE ANL for LENS would be more economical than
our current approach. As a result, NPPD/FPS suspended RAMP development
with our current contractor while DOE ANL and other alternatives are
considered.
Recommendation 2: Increase the use of project management best
practices by managing requirements and conducting user acceptance
testing for any future RAMP development efforts.
Response: Concur. Additional RAMP development activities will
incorporate project management best practices. NPPD requires all
acquisition efforts to comply with the Acquisition Management
Directive 102.1 (MD 102). Further, NPPD has implemented the NPPD
Acquisition Instruction 102-01-01 describing our internal acquisition
review process. The Directive was developed on the basis of project
management best practices. NPPD/FPS's adherence to these documents
will address GAO's recommendation that future RAMP development efforts
have robust requirements development, change management, and user
acceptance testing processes.
Key to success will be to engage and involve the end users and any
other stakeholders throughout the entire process to ensure the product
delivered meets all expectations and requirements. Best management
practices also include development and tracking project activities,
milestones, costs, and deliverables through monthly cost reports,
project schedule reviews, systems engineering lifecycle gate reviews,
and weekly status reports. NPPD/FPS is now identifying stakeholders to
fully develop a new integrated project team and also intends to hire a
Program Manager immediately to oversee NPPD/FPS information technology
(IT) projects, which will ensure compliance with DHS's Systems
Engineering Lifecycle requirements and guidance.
Lastly, NPPD/FPS will adhere to the Office of Management and Budget's
recent "25 Point Implementation Plan to Reform Federal Information
Technology Management" (December 9, 2010). This document mandates
inclusion of value-added activities and requires Federal IT programs
to be structured to deploy business functionality in predetermined
release cycles, with initial deployment to end users not more than 18
months after the program begins.
Recommendation 3: Establish a process for verifying the accuracy of
federal facility and guard training and certification data before
entering into RAMP.
Response: Concur. With the further development of RAMP, NPPD/FPS
intends to make improvements to the PSO certification validation
process, as well as the post-inspection and administrative audit
processes. These improvements will focus on accountability for data
integrity, metrics and trend analysis, and should also help identify
and correct process deficiencies.
Recommendation 4: Develop interim solutions for completing FSAs and
guard inspections while addressing RAMP's challenges.
Response: Concur. As an interim assessment solution, NPPD/FPS is
utilizing the IST until the development, testing, training, and
implementation of future RAMP capabilities have been completed.
A modified version of the IST will replace the current Microsoft Excel
Survey Tool template currently in use by NPPD/FPS. This modified IST
will be incorporated into the future capabilities of RAMP. It will
enable field-based inspectors to complete and file their assigned FSAs
electronically in the on-line database, and provide supervisors the
ability to approve or comment on the assessments electronically.
Additionally, the data collected via the interim IST will ultimately
be available in the shared risk assessment database. NPPD plans for
the completed FSAs to become a part of the national critical
infrastructure and key resources (CIKR) database, allowing NPPD the
capability to view and share all CIKR assessments.
The new PSO inspection process will focus on assessing the PSOs'
knowledge of the post-orders and emergency preparedness and response
measures specific to the facility they protect (e.g., Active Shooter,
Code Adam, Occupant Emergency Plans, Shelter-in-Place, response to
suspicious packages and bomb threats, etc.). NPPD/FPS will analyze
data collected from PSO inspections to identify opportunities for
remedial improvements.
Finally, NPPD/FPS has established a policy to employ a common matrix
to collect, categorize, and validate certification data and conduct
trend analysis on inspection deficiencies. This common matrix will be
designed so that monthly reporting on deficiencies can be incorporated
in the Contractor Performance Appraisal Reporting System (CPARS) for
guard services contracts. NPPD/FPS will ensure contractual actions
taken by the contracting officer in response to performance problems
are documented in the contract file. NPPD/FPS will conduct an ongoing
assessment of the contractor's performance on the basis of regular
inspections and will employ a common format for documenting and
addressing performance problems.
GAO also recommended that the Secretary of Homeland Security direct
the Directors of U.S. Immigration and Customs Enforcement (ICE) and
FPS to:
Recommendation 5: Complete contract performance evaluations for its
current RAMP contractor and ensure that the evaluations and other
required documents are maintained in the contract file in accordance
with DHS's acquisition policy and Federal Acquisition Regulations
(FAR).
Response: Concur. The DHS Office of Procurement Operations (OPO) now
administers the current contract. OPO will ensure that the Contracting
Officer's Technical Representative and the OPO contracting officer
complete the required assessments in the CPARS and maintain this
information in the contract files per DHS acquisition policy and FAR.
NPPD/FPS and OPO are working to complete the contract performance
evaluations on the existing RAMP contract. The first contractor
performance evaluation under OPO administration is in progress and is
due mid-October 2011.
Prior to the transfer of contract administration to OPO, ICE had
administered the contract. Since that time, ICE has made improvements
to its contractor performance reporting program. ICE has created a
permanent full-time position to manage CPARS. The manager will track
and monitor performance reporting and provide hands-on training to
CPARS users. The Head of Contracting Activity receives a monthly
status report on CPARS compliance. Additionally, timely CPARS
registration has been included in the employee performance plan for
every contract specialist/contracting officer.
Subsequent to the GAO review, ICE provided copies of monthly quality
assurance evaluations that had previously been completed. As described
earlier, performance assessments will be placed in CPARS for the
expired RAMP contract.
Again, we thank you for the opportunity to review and provide comment
on this draft report. Sensitivity comments were submitted under
separate cover. We look forward to working with you on future Homeland
Security-related engagements.
Sincerely,
Signed by:
Jim H. Crumpacker:
Director:
Departmental GAO/OIG Liaison Office:
[End of section]
Footnotes:
[1] We refer to property that is owned by the federal government and
under the control and custody of the GSA as GSA-owned property.
[2] GAO, Homeland Security: Greater Attention to Key Practices Would
Improve the Federal Protective Service's Approach to Facility
Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142]
(Washington, D.C.: Oct. 23, 2009) and GAO, Homeland Security: Federal
Protective Service's Contract Guard Program Requires More Oversight
and Reassessment of Use of Contract Guards, [hyperlink,
http://www.gao.gov/products/GAO-10-341] (Washington, D.C.: Apr. 13,
2010).
[3] During RAMP's initial development, FPS was part of ICE. ICE
provided software development and project management technical
expertise and was responsible for contract award and administration.
[4] According to DHS, risk is influenced by the nature and magnitude
of threats, the vulnerabilities to these threats, and the consequences
that could result.
[5] GAO, Information Technology Investment Management: A Framework for
Assessing and Improving Process Maturity, [hyperlink,
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: Mar. 2004)
and Carnegie Mellon Software Engineering Institute, Capability
Maturity Model® Integration for Acquisition (CMMI-ACQ), Version 1.2
(November 2007).
[6] The ISC Physical Security Criteria for Federal Facilities
establishes a baseline set of countermeasures to be applied to all
federal facilities based on their facility security level, and
provides a framework for customizing security countermeasures to
address the unique risks faced at each facility.
[7] Managing requirements entails managing the capabilities or
conditions that a product is required to meet to satisfy an agreement
or standard. User acceptance testing is conducted to ensure that a
system meets contract requirements and performs satisfactorily for the
users of the program.
[8] We refer to property that is owned by the federal government and
under the control and custody of the GSA as GSA-owned property.
[9] GAO, Homeland Security: Greater Attention to Key Practices Would
Improve the Federal Protective Service's Approach to Facility
Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142]
(Washington, D.C.: Oct. 23, 2009).
[10] GAO, Homeland Security: Federal Protective Service's Contract
Guard Program Requires More Oversight and Reassessment of Use of
Contract Guards, [hyperlink, http://www.gao.gov/products/GAO-10-341]
(Washington, D.C.: Apr. 13, 2010).
[11] According to DHS, risk is influenced by the nature and magnitude
of threats, the vulnerabilities to these threats, and the consequences
that could result.
[12] GAO, Information Technology Investment Management: A Framework
for Assessing and Improving Process Maturity, [hyperlink,
http://www.gao.gov/products/GAO-04-394G] (Washington, D.C.: March
2004).
[13] GAO, Assessing the Reliability of Computer-Processed Data,
[hyperlink, http://www.gao.gov/products/GAO-09-365G] (Washington,
D.C.: February 2009).
[14] [hyperlink, http://www.gao.gov/products/GAO-10-341].
[15] [hyperlink, http://www.gao.gov/products/GAO-10-341]. See also
GAO, Internal Control Management and Evaluation Tool, [hyperlink,
http://www.gao.gov/products/GAO-01-1008G] (Washington, D.C.: August
2001).
[16] [hyperlink, http://www.gao.gov/products/GAO-04-394G].
[17] User acceptance testing is conducted to ensure that a product
meets contract requirements and performs satisfactorily.
[18] GAO, Department of Homeland Security: Assessments of Selected
Complex Acquisitions, [hyperlink,
http://www.gao.gov/products/GAO-10-588SP] (Washington, D.C.: June 30,
2010).
[19] Microsoft InfoPath is an XML forms-creation and data-gathering
tool that permits businesses to gather information without program
coding. It requires manual data entry.
[End of section]