Homeland Security:

Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection

GAO-10-142: Published: Oct 23, 2009. Publicly Released: Nov 18, 2009.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

There is ongoing concern about the security of federal buildings and their occupants. The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal buildings under the control and custody of the General Services Administration (GSA). In 2004, GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector that included: allocating resources using risk management, leveraging technology, and information sharing and coordination. As requested, GAO determined whether FPS's security efforts for GSA buildings reflected key practices. To meet this objective, GAO used its key practices as criteria, visited five sites to gain firsthand knowledge, analyzed pertinent DHS and GSA documents, and interviewed DHS, GSA, and tenant agency officials.

FPS's approach to securing GSA buildings reflects some aspects of key protection practices, and FPS has several improvements underway such as a new risk assessment program and a countermeasure acquisition program. While FPS's protection activities exhibit some aspects of the key practices, GAO found limitations in each of the areas. FPS assesses risk and recommends countermeasures to GSA and tenant agencies; however, FPS's ability to influence the allocation of resources using risk management is limited because resource allocation decisions are the responsibility of GSA and tenant agencies, which may be unwilling to fund FPS's countermeasure recommendations. Moreover, FPS uses an outdated risk assessment tool and a subjective, time-consuming process. As a result, GSA and tenant agencies are uncertain whether risks are being mitigated. Concerned with the quality and timeliness of FPS's risk assessment services, GSA and tenant agencies are pursuing some of these activities on their own. Although FPS is developing a new risk management program, full implementation is not planned until the end of fiscal year 2011 and has already experienced delays. With regard to leveraging technology, FPS inspectors have considerable latitude for selecting technologies and countermeasures that tenant agencies fund, but FPS provides inspectors with little training and guidance for making cost-effective choices. Additionally, FPS does not provide tenant agencies with an analysis of alternative technologies, their cost, and associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives and tenant agencies must make resource allocation decisions without key information. Although FPS is developing a program to standardize security equipment and contracting, the program has run behind schedule and lacks an evaluative component for assessing the cost-effectiveness of competing technologies and countermeasures. FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. Lack of coordination through regular contact can lead to communication breakdowns. For example, during a construction project at one location, the surveillance equipment that FPS was responsible for maintaining was removed from the site during 2007. FPS and tenant agency representatives disagree over whether FPS was notified of this action. Furthermore, FPS and GSA disagree over what building risk assessment information can be shared. FPS maintains that the sensitive information contained in the assessments is not needed for GSA to carry out its mission. However, GSA maintains that restricted access to the risk assessments constrains its ability to protect buildings and occupants.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In 2010, we reported that the Federal Protective Service (FPS) was using an outdated risk assessment tool and a subjective, time-consuming process. As a result, GSA and tenant agencies were uncertain whether risks are being mitigated. Concerned with the quality and timeliness of FPS's risk assessment services, GSA and tenant agencies were pursuing some of these activities on their own. Although FPS was developing a new risk management program, full implementation was not planned until the end of fiscal year 2011 and has already experienced delays. We also reported that FPS was developing a program to standardize security equipment and contracting, known as the National Countermeasures Program, but the program had run behind schedule. We recommended that FPS update the Secretary of Homeland Security on the status of RAMP and the National Countermeasures Program, including the implementation status of deliverables, clear timelines for completion of tasks and milestones, and plans for addressing any implementation obstacles. In response, FPS provided the Secretary with an update through the Under Secretary, National Protection and Programs Directorate, which provided a timeline for implementation of the two programs and discussed obstacles FPS was facing. As a result, these issues were brought to the attention of DHS management, which became better positioned to oversee these FPS activities.

    Recommendation: In order to move FPS toward greater use of the key practices, the Secretary should instruct the Director of FPS, in consultation, where appropriate, with other parts of DHS, GSA, and tenant agencies to provide the Secretary with regular updates, on a mutually agreed-to schedule, on the status of the Risk Assessment and Management Program (RAMP) and the National Countermeasures Program, including the implementation status of deliverables, clear timelines for completion of tasks and milestones, and plans for addressing any implementation obstacles.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: In 2010, we reported that in their efforts to leverage technology in the protection of federal facilities, Federal Protective Service (FPS) inspectors had considerable latitude for selecting technologies and countermeasures that tenant agencies funded, but FPS provided inspectors with little training and guidance for making cost-effective choices. Additionally, FPS did not provide tenant agencies with an analysis of alternative technologies, their cost, and associated reduction in risk. As a result, there was limited assurance that the recommendations inspectors make are the best available alternatives and tenant agencies must make resource allocation decisions without key information. We recommended that FPS develop a methodology and guidance for assessing and comparing the cost-effectiveness of technology alternatives. In response, FPS developed a white paper entitled "Analysis of Countermeasure Cost Effectiveness Versus Risk Reduction," which explains how cost factors were to be taken into account within its risk management framework. According to the white paper, with both the estimated cost and estimated risk reduction identified, FPS would be in a position to examine the benefits achieved by different countermeasures while examining their estimated costs. This effort meets the intent of our recommendation and will better equip FPS to cost effectively deploy facility protection countermeasures.

    Recommendation: In order to move FPS toward greater use of the key practices, the Secretary should instruct the Director of FPS, in consultation, where appropriate, with other parts of DHS, GSA, and tenant agencies in conjunction with the National Countermeasures Program, to develop a methodology and guidance for assessing and comparing the cost-effectiveness of technology alternatives.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: In 2010, we reported that the Department of Homeland Security's (DHS) Federal Protective Service (FPS) and the General Services Administration (GSA) disagreed over what information in FPS security assessments could be shared with GSA. FPS maintained that sensitive information in the assessments, which needs to be safeguarded, was not needed for GSA to carry out its mission. GSA, which also has a security role, maintained that lacking this information constrained its ability to protect buildings and occupants. We recommended that DHS, through FPS, reach consensus with GSA on what information is needed for GSA to fulfill its responsibilities and ensure, among other things, that shared information is adequately safeguarded. In February 2014, FPS issued a directive on the implementation of facility security assessments (FSA) that, among other things, outlines a policy for sharing FSAs with GSA, if requested, and ensuring that sensitive information is safeguarded by following DHS policies for handling "For Official Use Only" material. On the basis of this policy, FPS has taken action to ensure that GSA will be better equipped to fulfill its mission as it relates to the protection of federal facilities.

    Recommendation: In order to move FPS toward greater use of the key practices, the Secretary should instruct the Director of FPS, in consultation, where appropriate, with other parts of DHS, GSA, and tenant agencies to reach consensus with GSA on what information contained in the building security assessment (BSA) is needed for GSA to fulfill its responsibilities related to the protection of federal buildings and occupants, and accordingly, establish internal controls to ensure that shared information is adequately safeguarded; guidance for employees to use in deciding what information to protect with sensitive but unclassified (SBU) designations; provisions for training on making designations, controlling, and sharing such information with GSA and other entities; and a review process to evaluate how well this information sharing process is working, with results reported to the Secretary regularly on a mutually agreed-to schedule.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Sep 30, 2014

Sep 24, 2014

Sep 18, 2014

Sep 17, 2014

Sep 10, 2014

Sep 9, 2014

Sep 8, 2014

Jul 31, 2014

Looking for more? Browse all our products here