Federal Protective Service: Actions Needed to Resolve Delays and Inadequate Oversight Issues with FPS's Risk Assessment and Management Program
Highlights
The Federal Protective Service (FPS), which is within the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD), is responsible for protecting the more than 1 million federal employees and members of the public who work in and visit the over 9,000 federal facilities owned or leased by the General Services Administration (GSA) from a potential terrorist attack or other acts of violence. To accomplish its facility protection mission, FPS has about 1,200 full-time employees and approximately 13,200 contract security guards. FPS has an annual budget of about $1 billion and receives its funding from the revenues and collections of security fees charged to tenant agencies for protective services such as facility security assessments (FSA) and providing contract security guard services. Since 2008, we have issued numerous reports that address major challenges FPS faces in protecting federal facilities. For example, in 2009 and 2010 we reported that FPS had problems completing high-quality FSAs in a timely manner and did not provide adequate oversight of its contract guard program. In September 2007, FPS decided to address the challenges with its legacy security assessment and guard management systems with a new system. On August 1, 2008, DHS's Immigration and Customs Enforcement (ICE) competitively awarded and FPS funded a $21 million, 7-year contract to develop and maintain the Risk Assessment and Management Program (RAMP) system. RAMP is a web-enabled risk assessment and guard management system, and its initial implementation was scheduled for July 31, 2009. Among other things, RAMP is intended to: (2) provide FPS with the capability to assess risks at federal facilities based on threat, vulnerability, and consequence, and track countermeasures to mitigate those risks; and (2) improve the agency's ability to monitor and verify that its contract security guards are trained and certified to be deployed to federal facilities. In response to congressional request that we examine RAMP, this report addresses the following questions: (1) What is RAMP's current status, including whether it can be used as planned? (2) What are the factors that contributed to this status? (3) What are the actions FPS is taking to develop and implement RAMP?
RAMP is over budget, behind schedule, and cannot be used to complete FSAs and reliable guard inspections as intended. RAMP's contract award amount totals $57 million, almost three times more than the $21 million original development contract amount. As of June 2011, FPS has spent almost $35 million of the $57 million to develop RAMP. RAMP's costs increased in part because FPS changed the original system requirements and the contractor had to add additional resources to accommodate the changes. FPS also has experienced delays in developing and implementing RAMP, as it is almost 2 years behind its original July 2009 implementation date. FPS cannot use RAMP to complete FSAs because the agency did not verify the accuracy of the federal facility data it obtained from GSA or include an edit feature in RAMP that would allow inspectors to edit these data when necessary. FPS is also experiencing difficulty using RAMP to ensure that its approximately 13,200 contract guards have met training and certification requirements to be deployed at federal facilities because it does not have a process for verifying this information before it is entered into RAMP. RAMP also does not yet fully incorporate certain government security standards. For example, according to an FPS official, RAMP does not support the April 2010 ISC Physical Security Criteria for Federal Facilities because FPS did not have time to incorporate it in the June 2010 version of RAMP. FPS is planning to incorporate these standards in the next version of RAMP. Several factors have contributed to FPS being unable to use RAMP as planned. Most importantly, FPS and ICE did not adequately follow GAO's project management best practices in developing and implementing RAMP. FPS is taking some steps to address RAMP's problems. Most notably, FPS has preliminarily decided to discontinue its current RAMP development contract and is considering using a new contractor to finish developing RAMP. FPS is also working to incorporate ISC's Physical Security Criteria for Federal Facilities into RAMP before the next version is implemented. Given the technological changes that may have occurred since FPS began developing RAMP 4 years ago, there could be alternative systems that would better meet FPS's needs. However, FPS has not evaluated whether further developing RAMP is the most cost-beneficial approach compared to possible alternatives. In addition, FPS has not developed a plan to address the problems we found with RAMP, for example, ensuring the accuracy of federal facility and contract guard data. Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, we recommend that the Secretary of Homeland Security direct the Under Secretary of NPPD and the Director of FPS to take the following four actions: (1) evaluate whether it is cost-beneficial to finish developing RAMP or if other alternatives for completing FSAs and managing security guards would be more appropriate, (2) increase the use of project management best practices by managing requirements and conducting user acceptance testing for any future RAMP development efforts, (3) establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP, and (4) develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges. To improve contract administration, we recommend that the Secretary of Homeland Security direct the Directors of ICE and FPS to complete contract performance evaluations for the current RAMP contractor, and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the Federal Acquisition Regulation (FAR).
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to evaluate whether it is cost-beneficial to finish developing RAMP or if other alternatives for completing FSAs and managing security guards would be more appropriate. |
We reported in 2011 that the Federal Protective Service (FPS) experienced cost overruns and schedule delays with its Risk Assessment and Management Program (RAMP) contract. Specifically, we reported that FPS spent about $35 million and 4 years developing RAMP, essentially a web-enabled risk assessment and guard management system, but ultimately could not use it to complete facility security assessments or reliable guard inspections. Thus, we recommended that FPS evaluate whether it was cost beneficial to finish developing RAMP or if other alternatives for completing security assessments would be more appropriate. In May 2011, FPS determined that it was not cost beneficial to finish developing RAMP and considered other alternatives. FPS ultimately decided to develop an interim vulnerability assessment tool referred to as the Modified Infrastructure Survey Tool (MIST). In May 2012, FPS started training its personnel to use MIST and plans to use MIST to resume assessing security at federal facilities.
|
Department of Homeland Security | Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to increase the use of project management best practices by managing requirements and conducting user acceptance testing for any future RAMP development efforts. |
In 2011, GAO reported that the Federal Protective Service (FPS) faced a number of challenges with its Risk Assessment and Management Program (RAMP) that prevented it from conducting risk assessments of federal facilities and reliable guard inspections as intended. Specifically, GAO reported that FPS did not adequately follow project management best practices in developing and implementing RAMP. For example, FPS did not manage requirement changes or conduct user acceptance testing with its inspectors. Therefore, GAO recommended that FPS increase the use of project management best practices by managing requirement changes and conducting user acceptance testing for any future RAMP development efforts. In response, in May 2011, FPS determined that it was not cost beneficial to finish developing RAMP and considered other alternatives. In September 2011, FPS decided to develop an interim vulnerability assessment tool referred to as the Modified Infrastructure Survey Tool (MIST). In 2015, GAO confirmed that FPS developed MIST following project management best practices such as managing requirement changes and conducting user acceptance testing. FPS was using MIST to assess risk and conduct guard inspections at federal facilities. As a result, FPS has a better system for conducting vulnerability assessments of federal facilities.
|
Department of Homeland Security | Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP. |
In 2011, GAO reported that FPS could not use RAMP to complete risk assessments of federal facilities because the agency did not verify the accuracy of the federal facility data it obtained from GSA or include an edit feature in RAMP that would allow inspectors to edit these data when necessary. FPS was also experiencing difficulty using RAMP to ensure that its approximately 13,200 contract guards have met training and certification requirements to be deployed at federal facilities because the agency does not have a process for verifying this information before it is entered into RAMP. Therefore, GAO recommended that FPS establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP (the system that FPS planned to use during our engagement). In 2015, GAO confirmed that FPS developed and implemented procedures to receive, review, and submit corrections to federal facility data sent from GSA's real property database for FPS to use to conduct facility vulnerability assessments. Regarding improving the accuracy of contract guard training and certification data, FPS developed and implemented procedures to verify the accuracy of that data before entering it into its interim contract guard database. As a result, FPS is better able to verify the accuracy of federal facility data as well as their contract guard training and certification data.
|
Department of Homeland Security | Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges. |
In 2011, we reported that FPS' development of its Risk Assessment and Management Program (RAMP) was over budget, behind schedule and could not be used to complete facility security assessments (FSA) and reliable guard post inspections as intended. FPS discontinued using RAMP and replaced it with a risk calculator spreadsheet and template document to complete FSA's. However, we found several issues with these tools such as: the template did not meet Interagency Security Committee (ISC) standards, the tools lacked the ability to aggregate FSA results, limiting FPS' ability to assess risk across federal facilities and the tools allowed a subjective approach to assessing threats. As a result, FPS did not employ a comprehensive method of assessing risks to federal facilities and had to rely on more manual methods until a permanent solution was developed. FPS was also still using RAMP to conduct guard post inspections to ensure that qualified guards were standing post at federal facilities but neither FPS's guard training and certification information nor its method for determining the qualification status of contract guards in RAMP was reliable. In addition, FPS had neither evaluated whether further development of RAMP, pursued alternatives would be more cost-beneficial approach, nor developed a plan to address the problems we identified with RAMP. Therefore, we recommended that FPS develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges. In 2016, we confirmed that FPS had developed interim solutions for completing FSA and guard inspections while addressing RAMP's challenges. FPS developed and implemented an FSA process which includes an interim vulnerability assessment tool--the Modified Infrastructure Survey Tool (MIST)--along with other information and tools to complete FSA's. FPS's current FSA process incorporates ISC standards, allows FPS to assess risk across federal facilities and reduced the subjectivity in assessing threats to federal facilities by incorporating additional threat information. Finally, FPS stopped using RAMP to complete guard post inspections. In its place, FPS developed and implemented a paper-based process for conducting guard post inspections and audits to better determine if contract guards are qualified. FPS is developing new, more comprehensive FSA and guard post inspection tools while these interim solutions are used. By using these interim tools, FPS is in a better position to complete FSA's and provide adequate oversight of its contract guard program.
|
Department of Homeland Security | To improve contract administration, the Secretary of Homeland Security should direct the Directors of ICE and FPS to complete contract performance evaluations for the current RAMP contractor, and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the Federal Acquisition Regulation. |
In 2011, GAO reported that FPS and the Department of Homeland Security's (DHS) Immigration and Custom Enforcement (ICE) did not always comply with DHS's acquisition policy and the FAR with the acquisition of FPS's Risk Assessment and Management Program (RAMP) system. Specifically FPS and ICE did not complete contractor performance evaluations for the contractor responsible for developing FPS's RAMP. These evaluations are one of the most important tools for ensuring that the contractor meets the terms of the contract. Therefore, GAO recommended that FPS and ICE complete contract performance evaluations for the RAMP contractor and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the FAR. In 2015, GAO confirmed that FPS and ICE had retroactively completed contract performance evaluations for the RAMP contractor and included them in the contract file. As a result, FPS has improved its acquisition process and is better able to explain the basis for key acquisition decisions.
|