Federal Real Property Security: Interagency Security Committee Should Implement A Lessons-Learned Process

What GAO Found

Based on GAO’s previous work and the information obtained from other agencies, GAO identified eight individual practices that can be combined and considered steps within an overall lessons-learned process—that is, a systematic means for agencies to learn from an event and make decisions about when and how to use that knowledge to change behavior. Not all of the agencies with which GAO spoke used all of the practices, and the application of the practices varied among agencies. For example, to collect information about an incident—the first step of the process—the Bureau of Diplomatic Security within the Department of State collects incident reports, footage from security cameras, and interviews witnesses. To disseminate lessons learned—the fifth step—the Los Angeles Police Department produces a formal document after a critical incident that captures the lessons learned and disseminates the document to its units for use in planning, preparation, and coordination exercises.

The Interagency Security Committee (ISC), which is led by the Department of Homeland Security (DHS), currently does not have a systematic, comprehensive lessons-learned process for physical security, but the ISC does have a number of current initiatives that could support a more comprehensive lessons-learned effort. For example, ISC collects and analyzes information to update its physical security standards, captures and disseminates best practices to its members through its quarterly meetings, and archives information in the Homeland Security Information Network. ISC has initiated a working group to explore the idea of creating a systematic, governmentwide lessons-learned process. But the working group is at an early stage, and it is not clear if the new effort will include all of the lessons-learned practices that GAO identified. Not incorporating all eight practices could result in a less effective effort and fail to maximize the value of the lessons learned to ISC’s membership. ISC derives its authority from an executive order. However, it depends on its member agencies to take the initiative to share information and it is unclear that ISC’s current authority over its members is sufficient to implement a governmentwide lessons-learned process, which will rely on members to openly share information—including mistakes.

Law enforcement officials cited various challenges to establishing a governmentwide lessons-learned process, including the need to create a culture that encourages information sharing, address the concerns about safeguarding sensitive security information, disseminate information in a timely manner, and overcome resource constraints. Agencies GAO met with had found ways to mitigate these challenges using strategies consistent with a lessons-learned process.

Why GAO Did This Study

Attacks on federal facilities in the U.S. have highlighted the need to identify lessons learned from prior security incidents and apply that knowledge to security procedures governmentwide. Dozens of federal law enforcement agencies provide physical security services for domestic nonmilitary federal facilities. The ISC is responsible for developing governmentwide physical security standards and coordinating agencies to improve the protection of federal facilities. As requested, this report examines (1) the practices used to identify and apply lessons learned and how agencies have used these practices, (2) actions ISC has taken to identify and apply lessons learned from attacks on federal facilities, and (3) challenges to developing a governmentwide lessons-learned process and the strategies agencies have used to mitigate those challenges. GAO reviewed documents and interviewed officials from 35 security and law enforcement agencies with experience protecting selected tourist sites in cities in Greece, Israel, Italy, and the United States. GAO also interviewed officials from ISC and agencies known to apply lessons-learned practices.