Facility Security: Greater Outreach by DHS on Standards and Management Practices Could Benefit Federal Agencies
Highlights
What GAO Found
Agencies draw upon a variety of information sources in developing and updating their physical security programs. The most widely used source, according to survey responses from 32 agencies, is the institutional knowledge or subject matter expertise in physical security that agencies' security staff have developed through their professional experience. The second most used source are standards issued by the Interagency Security Committee (ISC). The standards, which are developed based on leading security practices across the government, set forth a decision-making process to help ensure that agencies have effective physical security programs in place. However, according to survey responses, the extent of agencies' use of ISC standards varied--with some agencies using them in a limited way. Agency officials from the case-study agencies said that certain conditions at their agencies--such as the types of facilities in the agencies' portfolios and their existing physical security requirements--contribute to limited use of the standards. ISC officials said that the standards are designed to be used by all agencies regardless of the types of facilities or their existing security programs; the standards can be customized to the needs of individual facilities and do not require the use of specific countermeasures. ISC has an opportunity to clarify how the standards are intended to be used when it trains agencies on them; during quarterly meetings with member agencies, where ISC can share best practices on the use of the standards; or when ISC engages in other outreach on the standards. Clarifying how agencies can use the standards may result in their greater use. Greater use of the standards may maximize the effectiveness and efficiency of agencies' physical security programs.
Agencies use a range of management practices to oversee physical security activities. For example, 22 surveyed agencies reported that they have a manager at the agency-wide level responsible for monitoring and overseeing physical security at individual facilities. In addition, 22 surveyed agencies reported that they have some documented performance measures for physical security. Such performance measures can help agencies evaluate the effectiveness of their physical security programs and identify changes needed to better meet program objectives. Agencies' use of management practices such as having a physical security manager responsible for allocating resources and using performance measures to justify investment decisions could also contribute to more efficient allocation of physical security resources across an agency's portfolio of facilities. However, some agencies make limited use of such practices to allocate resources. For example, only 13 reported that they have a manager for allocating resources based on risk assessments. In contrast, a majority of agencies reported having managers for other aspects of physical security, including those related to oversight. Greater use of management practices for allocating resources is particularly relevant given that the surveyed agencies identified allocating resources as the greatest challenge. As the government's central forum for exchanging information and disseminating guidance on physical security, ISC is well positioned to develop and disseminate guidance about management practices that can help agencies allocate resources across a portfolio of facilities. However, ISC's key physical security standards do not currently address management practices for allocating resources across an agency's entire portfolio of facilities.
Why GAO Did This Study
GAO has designated federal real property management as a high-risk area due, in part, to the continued challenge of facility protection. Executive branch agencies are responsible for protecting about 370,000 non-military buildings and structures; the Federal Protective Service (FPS) protects over 9,000 of these. ISC--an interagency organization led by the Department of Homeland Security (DHS)--issues physical security standards for agencies' use in designing and updating physical security programs. GAO was asked to review physical security programs at executive branch agencies with facilities that FPS does not protect. This report examines (1) the sources that inform agencies' physical security programs and (2) the management practices agencies use to oversee physical security and allocate resources. GAO reviewed and analyzed survey responses from 32 agencies. GAO also interviewed officials and reviewed documents from 5 of these agencies, which were selected as case studies for more indepth analysis. The survey and results can be found at GAO-13-223SP.
Recommendations
DHS should direct ISC to conduct outreach to executive branch agencies to clarify how its standards are to be used, and develop and disseminate guidance on management practices for resource allocation as a supplement to ISC's existing physical security standards. DHS concurred with these recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | To help achieve the purpose of Executive Order 12977 to enhance the quality and effectiveness of security of federal facilities, the Secretary of Homeland Security should direct ISC to conduct outreach to all executive branch agencies to clarify how the standards can be used in concert with agencies' existing physical security programs. |
GAO has designated federal real property management as a high-risk area due, in part, to the continued challenge of facility protection. Executive branch agencies are responsible for protecting about 370,000 non-military buildings and structures; the Federal Protective Service protects over 9,000 of these. The Interagency Security Committee (ISC)--an interagency organization led by the Department of Homeland Security--issues physical security standards for agencies' use in designing and updating physical security programs. In 2013, GAO reported that federal agencies draw upon a variety of information sources in developing and updating their physical security programs. Twenty-nine of the 32 agencies GAO surveyed reported that ISC standards inform their physical security programs, making it the second most-used source behind institutional knowledge. The standards, which ISC developed, are based on leading security practices across the government, set forth a decision-making process to help ensure that agencies have effective physical security programs in place. Although the majority of agencies GAO surveyed use ISC standards, the extent of their reliance varies-with some agencies using the standards extensively to inform their physical security programs and some using them in a more limited way. These agencies cited the suitability of the ISC standards to the agencies' facilities and their own physical security requirements as contributing to their limited use of the standards. GAO found that agencies' reasons for making limited use of ISC standards reflect a lack of understanding by some agencies regarding how the standards are intended to be used. ISC officials said that the standards are designed to be used by all agencies regardless of the types of facilities or their existing security programs; the standards can be customized to the needs of individual facilities and do not require the use of specific countermeasures. ISC has an opportunity to clarify to agencies how the standards are intended to be used when it, among other things, engages in other outreach regarding the standards. Therefore, GAO recommended that ISC conduct outreach to all executive branch agencies to clarify how the standards can be used in concert with agencies' existing physical security programs. In 2017 GAO confirmed that from 2015 through 2017, ISC conducted outreach to all the executive branch agencies GAO had previously surveyed to clarify that ISC security standards can be used in concert with agencies' existing physical security programs. As a result, the agencies are in a better position to understand how to use the standards regardless of the types of facilities in their portfolio and in concert with their existing physical security programs, which may result in the greater use of the standards.
|
Department of Homeland Security | To help agencies make the most effective use of resources available for physical security across their portfolios of facilities, the Secretary of Homeland Security should direct ISC to develop and disseminate guidance on management practices for resource allocation as a supplement to ISC's existing physical security standards. This effort could include identifying practices most beneficial for physical security programs and determining the extent to which federal agencies currently use these practices. |
In 2013, GAO reported that agencies use a range of management practices to oversee physical security activities. These practices included having a physical security manager responsible for allocating resources and using performance measures to justify investment decisions, which we reported could also contribute to more efficient allocation of physical security resources across an agency's portfolio of facilities. However, some agencies made limited use of such practices to allocate resources. For example, only 13 of the 32 agencies GAO surveyed reported that they had a manager for allocating resources based on risk assessments. In contrast, a majority of agencies reported having managers for other aspects of physical security, including those related to oversight. Greater use of management practices for allocating resources was particularly relevant given that the surveyed agencies identified allocating resources as the greatest challenge. As the government's central forum for exchanging information and disseminating guidance on physical security, the Interagency Security Committee (ISC) is well positioned to develop and disseminate guidance about management practices that can help agencies allocate resources across a portfolio of facilities. However, ISC's key physical security standards do not currently address management practices for allocating resources across an agency's entire portfolio of facilities. Therefore, GAO recommended that ISC develop and disseminate guidance on management practices for resource allocation as a supplement to ISC's existing physical security standards. In 2015, the ISC issued its "Best Practices for Planning and Managing Physical Security Resources: An Interagency Security Committee Guide." Among other things, the guide is intended to provide the most efficient processes and procedures to effectively allocate resources to implement physical security programs within federal departments and agencies. The guide is readily available to the federal security community on ISC's website. As a result, federal agencies have the guidance they need to make the most effective use of resources available for physical security across their portfolios of facilities.
|