Federal Real Property Security:

Interagency Security Committee Should Implement A Lessons-Learned Process

GAO-12-901: Published: Sep 10, 2012. Publicly Released: Sep 10, 2012.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-6670
goldsteinm@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Based on GAO’s previous work and the information obtained from other agencies, GAO identified eight individual practices that can be combined and considered steps within an overall lessons-learned process—that is, a systematic means for agencies to learn from an event and make decisions about when and how to use that knowledge to change behavior. Not all of the agencies with which GAO spoke used all of the practices, and the application of the practices varied among agencies. For example, to collect information about an incident—the first step of the process—the Bureau of Diplomatic Security within the Department of State collects incident reports, footage from security cameras, and interviews witnesses. To disseminate lessons learned—the fifth step—the Los Angeles Police Department produces a formal document after a critical incident that captures the lessons learned and disseminates the document to its units for use in planning, preparation, and coordination exercises.

The Interagency Security Committee (ISC), which is led by the Department of Homeland Security (DHS), currently does not have a systematic, comprehensive lessons-learned process for physical security, but the ISC does have a number of current initiatives that could support a more comprehensive lessons-learned effort. For example, ISC collects and analyzes information to update its physical security standards, captures and disseminates best practices to its members through its quarterly meetings, and archives information in the Homeland Security Information Network. ISC has initiated a working group to explore the idea of creating a systematic, governmentwide lessons-learned process. But the working group is at an early stage, and it is not clear if the new effort will include all of the lessons-learned practices that GAO identified. Not incorporating all eight practices could result in a less effective effort and fail to maximize the value of the lessons learned to ISC’s membership. ISC derives its authority from an executive order. However, it depends on its member agencies to take the initiative to share information and it is unclear that ISC’s current authority over its members is sufficient to implement a governmentwide lessons-learned process, which will rely on members to openly share information—including mistakes.

Law enforcement officials cited various challenges to establishing a governmentwide lessons-learned process, including the need to create a culture that encourages information sharing, address the concerns about safeguarding sensitive security information, disseminate information in a timely manner, and overcome resource constraints. Agencies GAO met with had found ways to mitigate these challenges using strategies consistent with a lessons-learned process.

Why GAO Did This Study

Attacks on federal facilities in the U.S. have highlighted the need to identify lessons learned from prior security incidents and apply that knowledge to security procedures governmentwide. Dozens of federal law enforcement agencies provide physical security services for domestic nonmilitary federal facilities. The ISC is responsible for developing governmentwide physical security standards and coordinating agencies to improve the protection of federal facilities. As requested, this report examines (1) the practices used to identify and apply lessons learned and how agencies have used these practices, (2) actions ISC has taken to identify and apply lessons learned from attacks on federal facilities, and (3) challenges to developing a governmentwide lessons-learned process and the strategies agencies have used to mitigate those challenges. GAO reviewed documents and interviewed officials from 35 security and law enforcement agencies with experience protecting selected tourist sites in cities in Greece, Israel, Italy, and the United States. GAO also interviewed officials from ISC and agencies known to apply lessons-learned practices.

What GAO Recommends

ISC should (1) incorporate the practices of a lessons-learned process as it develops its own process and (2) determine if its existing authority is sufficient to effectively implement a governmentwide lessons-learned process. DHS agreed with our findings and recommendations.

For more information, contact Mark L. Goldstein at (202) 512-2834 or GoldsteinM@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In 2012, GAO identified eight individual lessons-learned practices that can be combined and considered steps of an overall eight-step, lessons-learned process. This process is a systematic means for an agency to learn from an event and make decisions about when and how to use that knowledge to make a change in the behavior of the agency. The practices are (1) collect information; (2) analyze information; (3) validate the applicability of the lessons; (4) store and archive lessons; (5) disseminate and share the lessons; (6) management decides whether to invest resources to apply the lessons; (7) if yes, observe changes in behavior to verify that the lessons were learned; and (8) evaluate the effectiveness of the lessons-learned process. The Interagency Security Committee (ISC) did not have a systematic, comprehensive lessons-learned process for physical security, but ISC had a number of individual initiatives that could have supported a more comprehensive lessons-learned effort. ISC had initiated a working group during the course of our review to explore the idea of creating a systematic, government-wide, lessons-learned process. However, the working group was at an early stage and it was not clear if the new effort would include all of the lessons-learned practices that we had identified. Not incorporating all eight practices could result in a less effective effort and fail to maximize the value of the lessons-learned to federal law enforcement agencies which make up the ISC membership. GAO recommended that the ISC develop a lessons-learned process that (1) leveraged the lessons-learned practices it had already employed and (2) incorporated the full range of lessons-learned practices we identified. In March 2013, ISC announced the adoption of the same eight-step, lessons-learned process that GAO identified in its report. ISC incorporated the GAO process into ISC's newly-formed Lessons Learned & Best Practices Working Group. The Working Group is leveraging practices the ISC was already employing, such as collecting and analyzing information from past incidents and convening interagency meetings for sharing best practices. As a result, ISC membership has full access to a systematic, comprehensive lessons-learned process that will enable relevant agencies to learn and share lessons that could help protect federal buildings and save lives.

    Recommendation: To improve the federal government's ability to learn from and disseminate physical security lessons, the Secretary of Homeland Security should direct ISC to develop a lessons-learned process for physical security that will (1) leverage the lessons-learned practices it already employs and (2) incorporate the full range of lessons-learned practices identified in our report.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: In 2012, GAO identified eight individual practices that can be combined and considered steps within an overall lessons-learned process that could be applied to the protection of federal facilities and public spaces. GAO's lessons-learned process is a systematic means for agencies to learn from an event and make decisions about when and how to use that knowledge to change behavior. GAO found that the Interagency Security Committee (ISC) did not have a systematic, comprehensive lessons-learned process for physical security, but the ISC did have a number of current initiatives that could support a more comprehensive lessons-learned effort. ISC had initiated a working group to explore the idea of creating a systematic, governmentwide lessons-learned process. But the working group was at an early stage, and it was not clear if the new effort would include all of the lessons-learned practices that GAO identified. Not incorporating all eight practices could result in a less effective effort and fail to maximize the value of the lessons learned to ISC's membership. In developing a process to disseminate lessons learned governmentwide through its membership, an important issue for ISC was the unique, interagency makeup of its organization. The value of a lessons-learned effort led by ISC was the ability to take the lessons from an incident that affected one agency and share that knowledge broadly among many agencies so that all may benefit and federal facilities across the government may become more secure. Therefore, the authority of ISC to require their participation in sharing lessons was important to the effectiveness of ISC's effort. Executive Order 12977, which established ISC, states that "each executive agency and department shall cooperate and comply with the policies and recommendations of the Committee." Agencies, however, were not sharing information with each other and ISC to the fullest extent possible. According to ISC officials, the committee serves at the will of the various agencies on which it relies for resources and support to accomplish its mission. ISC officials stated that they cannot force members to comply with its policies and recommendations. GAO recommended that the ISC determine whether the Executive Order provided the agency sufficient authority to effectively support a systematic, government-wide lessons-learned effort. Shortly after GAO's report was issued, ISC adopted same eight step lessons-learned process that GAO identified in its report. In November 2013, the ISC determined that the Executive Order did provide it with sufficient authority. As a result, ISC has sufficient authority to implement an effective lessons-learned process that will enable relevant agencies to learn from and disseminate physical security lessons that could help protect federal buildings and save lives.

    Recommendation: To improve the federal government's ability to learn from and disseminate physical security lessons, the Secretary of Homeland Security should direct ISC to determine, as it develops a lessons-learned process, whether Executive Order 12977 provides sufficient authority to effectively support a systematic, governmentwide lessons-learned effort. If ISC determines that it does not have sufficient authority, it should then determine the best course of action to seek the needed authority.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Dec 17, 2014

Nov 6, 2014

Oct 14, 2014

Sep 30, 2014

Sep 24, 2014

Sep 18, 2014

Sep 17, 2014

Sep 10, 2014

Looking for more? Browse all our products here