Greater Attention to Key Practices Would Help Address Security Vulnerabilities at Federal Buildings
GAO-10-236T: Published: Nov 18, 2009. Publicly Released: Nov 18, 2009.
The Federal Protective Service (FPS) within the Department of Homeland Security (DHS) is responsible for providing law enforcement and related security services for nearly 9,000 federal facilities under the control and custody of the General Services Administration (GSA). In 2004 GAO identified a set of key protection practices from the collective practices of federal agencies and the private sector, which included allocation of resources using risk management, strategic management of human capital, leveraging of technology, information sharing and coordination, and performance measurement and testing. This testimony is based on past reports and testimonies and discusses (1) limitations FPS faces in protecting GSA buildings and resulting vulnerabilities; and (2) actions FPS is taking. To perform this work, GAO used its key practices as criteria, visited a number of GSA buildings, surveyed tenant agencies, analyzed pertinent laws and DHS and GSA documents, conducted covert testing at 10 judgmentally selected high-security buildings in four cities, and interviewed officials from DHS, GSA, and tenant agencies, and contractors and guards.
FPS's approach to securing GSA buildings reflects some aspects of key protection practices; however, GAO found limitations in each area and identified vulnerabilities. More specifically: (1) FPS faces obstacles in allocating resources using risk management. FPS uses an outdated risk assessment tool and a subjective, time-consuming process to assess risk. In addition, resource allocation decisions are the responsibility of GSA and tenant agencies. This leads to uncertainty about whether risks are being mitigated. Also, FPS continues to struggle with funding challenges that impede its ability to allocate resources effectively. (2) FPS does not have a strategic human capital management plan to guide its current and future workforce planning efforts, making it difficult to discern how effective its transition to an inspector-based workforce will be. Furthermore, because contract guards were not properly trained and did not comply with post orders, GAO investigators concealing components for an improvised explosive device passed undetected by FPS guards at 10 of 10 high-security facilities in four major cities. (3) FPS lacks a systematic approach for leveraging technology, and inspectors do not provide tenant agencies with an analysis of alternative technologies, their cost, and the associated reduction in risk. As a result, there is limited assurance that the recommendations inspectors make are the best available alternatives, and tenant agencies must make resource allocation decisions without key information. (4) FPS has developed information sharing and coordination mechanisms with GSA and tenant agencies, but there is inconsistency in the type of information shared and the frequency of coordination. (5) FPS lacks a reliable data management system for accurately tracking performance measurement and testing. Without such a system, it is difficult for FPS to evaluate and improve the effectiveness of its efforts, allocate resources, or make informed risk management decisions. FPS is taking actions to better protect GSA buildings, in part as a result of GAO's recommendations. For example, FPS is developing a new risk assessment program and has recently focused on improving oversight of its contract guard program. Additionally, GAO has recommended that FPS implement specific actions to make greater use of key practices and otherwise improve security. However, FPS has not completed many related corrective actions and FPS faces implementation challenges as well. Nonetheless, adhering to key practices and implementing GAO's recommendations in specific areas would enhance FPS's chances for future success, and could position FPS to become a leader and benchmark agency for facility protection in the federal government.