
Federal Facility Security: Additional Actions Needed to Help Agencies Comply with Risk Assessment Methodology Standards

GAO-14-86 Published: Mar 05, 2014. Publicly Released: Apr 07, 2014.

Highlights

What GAO Found

Three of the nine selected agencies' risk assessment methodologies that GAO reviewed—the Department of Energy (DOE), the Department of Justice (DOJ), and the Department of State (State)—fully align with the Interagency Security Committee's (ISC) risk assessment standards, but six do not—the Department of the Interior (DOI), the Department of Veterans Affairs (VA), the Federal Protective Service (FPS), the Federal Emergency Management Agency (FEMA), the Nuclear Regulatory Commission (NRC), and the Office of Personnel Management (OPM). As a result, these six agencies may not have a complete understanding of the risks facing approximately 52,000 federal facilities and may be less able to allocate security resources cost-effectively at the individual facility level or across the agencies' facility portfolios. ISC's The Risk Management Process for Federal Facilities (RMP) standard requires that agencies' facility risk assessment methodologies must (1) consider all of the undesirable events identified in the RMP as possible risks to federal facilities, and (2) assess the threat, consequences, and vulnerability to specific undesirable events. Six of the nine agencies' methodologies GAO reviewed do not align with ISC's standards because the methodologies do not (1) consider all of the undesirable events in the RMP or (2) assess threat, consequences, or vulnerability to specific undesirable events. For example, five agencies (DOI, VA, FEMA, FPS, and NRC) do not assess the threat, consequences, or vulnerability to specific undesirable events, as ISC requires. The reasons varied; for example, VA said that its methodology was in place before ISC issued its standards. Officials from that agency told GAO they were working to update their methodology.

ISC has issued a series of physical security standards and guidance to assist member agencies with developing their risk assessment methodologies, but does not know the extent to which its 53 member agencies comply with its standards, including its risk assessment standards, because it does not monitor agencies' compliance. ISC does not monitor compliance or have an approach to do so that incorporates outreach to agencies regarding their compliance status. Officials stated that they would like to monitor agencies' compliance, but limited resources and other priorities, such as developing standards and guidance, have prevented them from doing so. However, ISC has the authority to create a working group from its member agencies to help it perform its duties. In the absence of ISC's monitoring, agencies' risk assessment methodologies may not align with ISC's standards. In addition, although ISC issued risk assessment guidance in August 2013, this guidance is limited. For example, the guidance does not describe how to incorporate threat, consequence, or vulnerability assessments of specific undesirable events into a risk assessment methodology. Not having appropriate guidance is inconsistent with federal internal-control standards designed to promote effectiveness and efficiency.

Why GAO Did This Study

The 2012 shooting at the Anderson Federal Building in Long Beach, California, demonstrates that federal facilities and their employees, as well as the public who visit federal buildings, continue to be the targets of violence. The Federal Protective Service and about 30 other federal agencies are responsible for protecting civilian federal facilities and their occupants from potential threats, in part, by assessing risks to their facilities. ISC—an interagency organization led by the Department of Homeland Security—issues standards for facility protection.

GAO was asked to examine how federal agencies assess risk to their facilities. This report assesses (1) the extent to which selected ISC member agencies' facility risk assessment methodologies align with ISC's risk assessment standards, and (2) how ISC assists member agencies in developing risk assessment methodologies and monitors compliance with these standards. GAO selected 9 of 53 ISC member agencies based on their missions and number of facilities. GAO compared each selected agency's risk assessment methodology to ISC's risk assessment standards. ISC is required to enhance security in and protection of federal facilities government-wide; recommendations GAO makes are to ISC and not its member agencies.

Recommendations

GAO recommends that ISC take action to assess member agencies' compliance and provide additional risk-assessment methodology guidance. DHS concurred with GAO's recommendations.

Recommendations for Executive Action

Recommendation 1

Agency Affected: Department of Homeland Security

Recommendation: To help ensure that federal agencies are developing and using appropriate risk assessment methodologies, the Secretary of Homeland Security should direct the ISC to conduct outreach to identify which member agencies have not developed risk assessment methodologies that align with ISC standards and develop a mechanism to monitor and ensure compliance of all its member agencies.

Status: Closed – Implemented

Federal facilities are among the targets for terrorist attacks and other acts of violence. The Federal Protective Service and about 30 other federal agencies are responsible for protecting civilian federal facilities and their occupants from potential threats, in part, by assessing risks to their facilities. The Interagency Security Committee (ISC)--an interagency organization led by the Department of Homeland Security--is mandated to develop and evaluate security standards for federal facilities and develop a strategy for ensuring compliance with these standards, among other things. In 2014, GAO reported that ISC issued a series of physical security standards and guidance to assist member agencies with developing their risk assessment methodologies, but did not know the extent to which its 53 member agencies complied with its standards, including its risk assessment standards, because it did not monitor agencies' compliance or have an approach to do so that incorporated outreach to agencies regarding their compliance status. ISC officials stated that they would like to monitor agencies' compliance, but limited resources and other priorities, such as developing standards and guidance, have prevented them from doing so. However, ISC has the authority to create a working group from its member agencies to help it perform its duties. Without monitoring agencies' activities via appropriate mechanisms, ISC does not know the extent to which member agencies understand and are complying with its standards. Therefore, GAO recommended that the ISC conduct outreach to identify which member agencies have not developed risk assessment methodologies that align with ISC standards and develop a mechanism to monitor and ensure compliance of all its member agencies. In 2016, GAO confirmed that ISC conducted outreach to member agencies to identify how its standards are being used and issues impacting their appropriate use, and to improve understanding of how its standards can be used. For example, ISC conducted site visits to various federal facilities around the country, held regional meetings, and developed a training program that teaches participants how to apply its risk management standard. Regarding a compliance mechanism, the ISC formed a compliance working group that developed a mechanism for ensuring compliance with established standards. The ISC issued agency and facility compliance benchmarks--documented in December 2016--to provide a measure that the agencies must use to assess the degree to which they conform to ISC standards. Agencies are required to evaluate all their facilities against these benchmarks and certify their compliance with them to ISC. As a result of these actions, ISC is in a better position to help agencies understand and comply with ISC standards, which may result in better protection of federal facilities.
Recommendation 2

Agency Affected: Department of Homeland Security

Recommendation: To help ensure that federal agencies are developing and using appropriate risk assessment methodologies, the Secretary of Homeland Security should direct the ISC to supplement the risk assessment guidance contained in The Risk Management Process for Federal Facilities with: (1) information on how to incorporate threat, consequence, and vulnerability assessments of specific undesirable events into a risk assessment methodology and (2) examples of risk assessment methodologies that ISC determines comply with its standards.

Status: Closed – Implemented

To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC)--a DHS-chaired organization comprised of 53 member agencies--developed a physical security standard, The Risk Management Process for Federal Facilities (RMP), with which federal executive branch agencies must comply. The RMP was intended to provide agencies with an integrated, single source of physical security information and guidance. In 2014, GAO reported that three of the nine selected agencies' risk assessment methodologies that GAO reviewed fully aligned with the ISC's risk assessment standards, but six did not. The RMP standard required that agencies' facility risk assessment methodologies must (1) consider all of the undesirable events identified in the RMP as possible risks to federal facilities, and (2) assess the threat, consequences, and vulnerability to specific undesirable events. Six agencies' methodologies did not align with ISC's standards because the methodologies did not (1) consider all of the undesirable events in the RMP or (2) assess threat, consequences, or vulnerability to specific undesirable events. The RMP outlines ISC's risk assessment standards and related guidance. However, this guidance was limited as compared to federal risk assessment guidance contained in DHS' National Infrastructure Protection Plan (NIPP). As compared to the NIPP, ISC's RMP lacked specificity. Although the scope and applicability of the NIPP was broader than the RMP, the NIPP contained more detailed information and guidance on risk assessments. For example, unlike the RMP, the NIPP contains dedicated sections on threat assessment, vulnerability assessment, and consequence assessment. In contrast, the RMP did not include these items; it also did not provide examples of risk assessment methodologies that align with ISC's risk assessment standards. ISC officials informed GAO that they had not provided more detailed risk assessment guidance, examples of methodologies that align with its standards, or other resources in the RMP because member agencies had not requested this information. However, agencies may not have requested additional guidance and information from ISC because they were unaware that their risk assessment methodologies, or aspects of their methodologies, were inconsistent with ISC's standards. Without additional guidance and other information in the RMP, some agencies may continue to face challenges developing and implementing appropriate methodologies and, thus, remain unable to assess risks at their facilities in a manner that aligns with ISC standards. Therefore, GAO recommended that ISC supplement the risk assessment guidance contained in the RMP with: (1) information on how to incorporate threat, consequence, and vulnerability assessments of specific undesirable events into a risk assessment methodology and (2) examples of risk assessment methodologies that ISC determines comply with its standards. In 2016, GAO confirmed that ISC (1) conducted site visits around the country, providing information to ensure that member agencies understand how to comply with its standard; (2) developed a training program that teaches participants how to conduct ISC-compliant risk assessments and provides participants with a risk assessment tool certified to be in compliance with ISC's standard; (3) issued a benchmarks document to provide a measure by which agencies can assess the degree to which they conform to ISC standards; and (4) certified five agencies' risk assessment tools as ISC-compliant. As a result, federal agencies have additional information and guidance on conducting ISC-compliant risk assessments, which may result in better protection of federal facilities and their occupants from potential threats.

Topics

Facility security, Federal facilities, Interagency relations, Risk assessment, Risk management, Safety standards, Standards evaluation, Security threats, Security threat assessments, Federal agencies, Internal controls, Foreign governments, Physical security