This is the accessible text file for GAO report number GAO-10-867 entitled 'Pipeline Security: TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes' which was released on September 1, 2010.

This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

Report to Congressional Committees:

United States Government Accountability Office:
GAO:

August 2010:

Pipeline Security:

TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes:

GAO-10-867:

GAO Highlights:

Highlights of GAO-10-867, a report to congressional committees.

Why GAO Did This Study:

The United States depends on a vast network of pipelines to transport energy. GAO was asked to review the Transportation Security Administration’s (TSA) efforts to help ensure pipeline security.
This report addresses the extent to which TSA’s Pipeline Security Division (PSD) has (1) assessed risk and prioritized efforts to help strengthen pipeline security, (2) implemented agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding pipeline security, and (3) measured its performance in strengthening pipeline security. GAO reviewed PSD’s risk assessment process and performance measures and observed 14 PSD reviews and inspections scheduled during the period of GAO’s review. Although these observations are not generalizable, they provided GAO an understanding of how PSD conducts reviews and inspections.

What GAO Found:

PSD identified the 100 most critical pipeline systems and developed a pipeline risk assessment model based on threat, vulnerability, and consequence, but could improve the model’s consequence component and better prioritize its efforts. The consequence component takes into account the economic impact of a possible pipeline attack, but not other possible impacts such as public health and safety, as called for in the Department of Homeland Security’s (DHS) risk management guidance. PSD plans to improve its model by adding more vulnerability and consequence data, but has no time frames for doing so. Establishing a plan with time frames, as called for by standard management practices, could help PSD enhance the data in, and use of, its risk assessment model. Also, PSD procedures call for scheduling Corporate Security Reviews (CSR)—assessments of pipeline operators’ security planning—based primarily on a pipeline system’s risk, but GAO’s analysis of CSR data suggests a system’s risk was not the primary consideration. Documenting a methodology for scheduling CSRs that includes how to balance risk with other factors could help PSD ensure it prioritizes its oversight of systems at the highest risk.
PSD has taken actions to implement agency guidance that outlines voluntary actions for pipeline operators and 9/11 Commission Act requirements for pipeline security, but lacks a system for following up on its security recommendations to pipeline operators. PSD established CSR and Critical Facility Inspection (CFI) Programs in 2003 and 2008, respectively, and has completed CSRs of the 100 most at-risk systems, started conducting second CSRs, and completed 224 of 373 one-time CFIs. Both programs result in recommendations, but PSD does not generally send CSR recommendations to operators in writing or follow up to ensure that CSR and CFI recommendations were implemented. Standard project management practices call for plans that define approaches and start dates and Standards for Internal Control in the Federal Government calls for monitoring to ensure review findings are resolved. Developing a plan for how and when PSD will begin transmitting CSR recommendations to operators, and following up on CSR and CFI recommendations could better inform PSD of the state of pipeline security and whether operators have addressed vulnerabilities.

PSD has taken steps to gauge its progress in strengthening pipeline security, but its ability to measure improvements is limited. In its pipeline security strategy, PSD does not include performance measures or link them to objectives, which GAO previously identified as desirable in security strategies. In addition, PSD developed performance measures, including one outcome measure to gauge its efforts to help operators reduce vulnerabilities identified in CSRs. However, the outcome measure does not link to all three of PSD’s objectives and provides limited information on improvements in areas such as physical security. According to DHS risk management guidance, outcome measures should link to objectives.
Including measures linked to objectives in its strategy and developing more outcome measures directly linked to all of its objectives could help PSD improve accountability and assess improvements.

What GAO Recommends:

GAO recommends that TSA, among other things, establish time frames for improving risk model data, document its method for scheduling reviews, develop a plan for transmitting recommendations to operators, follow up on its recommendations, include performance measures linked to objectives in its pipeline strategy, and develop more outcome measures. DHS concurred with the recommendations and discussed planned actions, but not all will fully address the recommendations, as discussed in the report.

View [hyperlink, http://www.gao.gov/products/GAO-10-867] or key components. For more information, contact Steve Lord at (202) 512-4379 or lords@gao.gov.

[End of section]

Contents:

Letter:

Background:

PSD Has Developed a Pipeline Risk Assessment Model, but Could Strengthen the Data in the Model and Better Prioritize Security Reviews and Inspections:

PSD Has Taken Actions to Implement Agency Guidance and 9/11 Commission Act Requirements, but Lacks a System for Following Up on Its Recommendations to Operators:

PSD Could Strengthen Its Documented Security Strategy and More Reliably Report Security Improvements:

Conclusions:

Recommendations for Executive Action:

Agency Comments and Our Evaluation:

Appendix I: Objectives, Scope, and Methodology:

Appendix II: Comments from the Department of Homeland Security:

Appendix III: GAO Contact and Staff Acknowledgments:

Table:

Table 1: TSA Pipeline Security Assessment Activities Since 2003:

Figures:

Figure 1: Map of Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 28, 2009:

Figure 2: Physical Security Measures a Pipeline Operator Might Employ at a Critical Facility:

Figure 3: NIPP Risk Management Framework:

Figure 4: Correlation Between a Pipeline System's Risk Ranking and the Time Elapsed from the First to the Second CSR, as of May 2010:

Figure 5: Antiterrorism Crash Barrier Gate Installed inside Fenced Perimeter of a Critical Facility:

Figure 6: Boulders Installed inside Perimeter Fencing at a Critical Facility Serve as a Vehicle Barrier:

Figure 7: One of Many Closed-Circuit Television Cameras Installed at a Critical Facility:

Figure 8: CFI Team Explains That Leaving the Entry Gate of a Critical Facility Open during Business Hours Constitutes a Serious Lapse in Security:

Figure 9: Excessive Vegetation Surrounding a Critical Facility Impedes the Operator's Ability to Inspect Fencing and See Possible Intruders:

Figure 10: Transportation Sector Goals and Pipeline Security Objectives:

Abbreviations:

AGA: American Gas Association:
AOPL: Association of Oil Pipe Lines:
APGA: American Public Gas Association:
API: American Petroleum Institute:
CFI: Critical Facility Inspection:
CSR: Corporate Security Review:
DOE: Department of Energy:
DHS: Department of Homeland Security:
DOT: Department of Transportation:
FBI: Federal Bureau of Investigation:
FMFIA: Federal Managers' Financial Integrity Act of 1982:
HSPD-7: Homeland Security Presidential Directive-7:
INGAA: Interstate Natural Gas Association of America:
MOU: memorandum of understanding:
NIPP: National Infrastructure Protection Plan:
PHMSA: Pipeline and Hazardous Materials Safety Administration:
PSD: Pipeline Security Division:
TSA: Transportation Security Administration:
TSNM: Office of Transportation Sector Network Management:

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

August 4, 2010:

The Honorable John Rockefeller:
Chairman:
The Honorable Kay Bailey Hutchison:
Ranking Member:
Committee on Commerce, Science, and Transportation:
United States Senate:

The Honorable Frank R. Lautenberg:
Chairman:
The Honorable John Thune:
Ranking Member:
Subcommittee on Surface Transportation and Merchant Marine Infrastructure, Safety, and Security:
Committee on Commerce, Science, and Transportation:
United States Senate:

U.S. citizens and businesses depend on the continued operation of vast networks of pipelines that traverse hundreds of thousands of miles to transport energy for operating air and surface vehicles, running industrial equipment, heating homes, and generating electricity. The United States has the largest network of energy pipelines of any nation in the world. These pipelines transport nearly all the natural gas and about two-thirds of the hazardous liquids, including crude and refined petroleum products, consumed in the United States, making them a potential target to those wanting to disrupt commerce and other activities. Although attacks on U.S. pipelines have been rare--carried out, for example, by individuals with unclear motives--attacks on pipelines outside the United States by groups such as militant rebels highlight potential vulnerabilities of pipelines. For example, in Colombia, rebels attacked a major pipeline using explosives more than 600 times from 1996 through 2005, and in Nigeria, militant rebels have repeatedly attacked pipelines and oil facilities. Within the United States, a terrorist plot to attack jet fuel pipelines and storage tanks at JFK International Airport was uncovered and foiled in 2007. The same year, a U.S. citizen was convicted of attempting to provide material support to terrorists, among other things, after he tried to conspire with Al-Qaeda to blow up sections of the Trans Alaska Pipeline System and sections of the Transcontinental Pipeline System, which carries natural gas from the Gulf Coast to New York City. Such events raise concerns that attacks could occur in the United States.

Securing the nation's pipeline system is a responsibility shared by the federal government and the private sector.
Prior to the terrorist attacks of September 11, 2001, the federal government's involvement in pipelines largely focused on safety, and security efforts were minimal. In November 2001, the Aviation and Transportation Security Act established the Transportation Security Administration (TSA) within the Department of Transportation (DOT) and gave TSA the lead responsibility for security in all modes of transportation, including pipeline.[Footnote 1] In November 2002, the Homeland Security Act was enacted, and upon the creation of the Department of Homeland Security, TSA was transferred from DOT to DHS, where it currently resides. [Footnote 2] In August 2007, the federal government enacted the Implementing Recommendations of the 9/11 Commission Act of 2007, which required the Secretary of Homeland Security, in consultation with the Secretary of Transportation, to take specific pipeline security actions.[Footnote 3] Within DHS, TSA's Pipeline Security Division (PSD) leads pipeline security activities. TSA has not issued pipeline security regulations, but works with the pipeline industry to implement suggested security measures to make pipeline systems more secure. Private companies who own and operate pipeline systems are responsible for assessing their own specific security needs and incur the costs associated with implementing security measures. Since it is not feasible to protect all assets and systems against every possible threat, DHS has called for using a risk management approach to prioritize its investments, develop plans, and allocate resources in a risk-informed way that balances security and commerce. DHS detailed this approach in its National Infrastructure Protection Plan (NIPP), which it issued in June 2006 and updated in 2009. [Footnote 4] You requested that we review TSA's efforts to help ensure pipeline security. 
Specifically, this report addresses the following objectives:

* To what extent has TSA's Pipeline Security Division (PSD) identified critical pipeline systems, assessed risk, and prioritized efforts, consistent with the NIPP, to help strengthen the security of hazardous liquid and natural gas pipeline systems?

* To what extent has PSD taken actions to implement agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 regarding the security of hazardous liquid and natural gas pipeline systems?

* To what extent has PSD measured its performance to help strengthen the security of hazardous liquid and natural gas pipeline systems and improvements in pipeline security?

To determine the extent to which PSD used a risk management process to help strengthen the security of pipelines, we reviewed PSD's efforts to identify critical pipeline systems, assess risk, and prioritize its pipeline review efforts.[Footnote 5] We reviewed relevant documents, including PSD's list of the 100 most critical pipeline systems, and interviewed PSD officials about the methods they used to identify these systems.[Footnote 6] We reviewed TSA assessments of threat, vulnerability, and consequence from 2003 through May 2010--such as TSA's annual pipeline threat assessment, Corporate Security Reviews (CSR) that PSD uses as a vulnerability assessment, and consequence assessments on natural gas disruptions sponsored by the Department of Energy (DOE) and PSD--and discussed these with relevant agency officials.[Footnote 7] TSA characterized these as threat, vulnerability, and consequence assessments, but we did not assess the extent to which these assessment activities met the NIPP criteria for such assessments, as this was outside the scope of our work. We analyzed PSD's risk assessment model, which integrates the various assessments to develop a risk estimate and relative risk ranking for each pipeline system, and the data PSD inputs into the model.
We also compared the time elapsed between PSD's first and subsequent CSRs for each pipeline system with the system's ranking based on risk to measure the strength of their relationship. Additionally, we compared the order in which PSD conducted the first Critical Facility Inspection (CFI) for each system with each system's risk ranking, and measured the strength of that relationship.[Footnote 8] To assess the reliability of April 2003 through May 2010 risk assessment model data, we (1) performed testing of required data elements, (2) compared the data with other sources of information, and (3) interviewed knowledgeable agency officials. We determined that the data were sufficiently reliable for the purposes of this report. We analyzed agency guidance on risk management, including the NIPP and the Transportation Systems Sector-Specific Plan, to determine criteria for effectively implementing a risk management framework and associated best practices for conducting risk assessments, and compared these with PSD's risk management strategy.[Footnote 9] We also compared PSD's approach for advancing its risk management program to standard practices in program management planning.[Footnote 10] To determine the extent to which PSD has taken actions to implement agency guidance and Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) requirements regarding pipeline security, we reviewed the Pipeline Security Information Circular (2002 circular)[Footnote 11] and the 9/11 Commission Act and actions described in agency documents.[Footnote 12] To learn more about PSD's actions, we interviewed officials from PSD and DOT as well as representatives of the major associations with ties to the pipeline industry (American Petroleum Institute, Association of Oil Pipe Lines, American Gas Association, Interstate Natural Gas Association of America, and American Public Gas Association); attended the 2008 International Pipeline Security Forum organized by PSD 
and Natural Resources Canada; and met with security personnel from 10 pipeline operators with headquarters or significant operations in Houston. [Footnote 13] We chose Houston because it has the highest concentration of operators with systems on PSD's list of the 100 most critical pipeline systems, and those with whom we met operate about one-third of those systems. While the results of these interviews cannot be generalized to all pipeline operators and industry associations, they provided perspectives on how operators view PSD's security efforts. Further, we accompanied PSD officials on 4 reviews of pipeline systems operated by 4 different operators and 10 inspections of critical facilities operated by 3 different operators. We observed these reviews and inspections because PSD had scheduled them while we were conducting our work. These involved hazardous liquid and natural gas pipelines as well as different size operators with pipeline systems that varied in the amount of energy they carry, their relative risk ranking, and their location (we observed CSRs in four states and CFIs in three states). While the results of these observations cannot be generalized to all CSRs and CFIs or all pipeline systems and critical facilities, they provided us with an understanding of how PSD conducts these reviews and inspections, and some perspective on the security posture at different critical facilities. We also interviewed representatives of Secure Solutions International--a security and risk management consulting firm that assisted PSD in developing and carrying out CFIs--about critical facilities and the inspection process. In addition, we independently observed the exterior of 10 other critical facilities. We selected these facilities, which were located in four states and operated by 6 different operators, because of their proximity to our offices. 
Although the results of these observations cannot be generalized to all critical facilities, they provided us insight on security measures at additional critical facilities.

We compared PSD's processes for transmitting and following up on CSR and CFI recommendations with criteria in GAO Standards for Internal Control in the Federal Government regarding recording and communicating deficiencies found during evaluations.[Footnote 14] We also compared PSD's approach for advancing its process for communicating CSR recommendations to standard practices in project management.[Footnote 15]

To determine the extent to which PSD measured its performance in strengthening the security of pipelines and improvements in pipeline security, we reviewed PSD's performance measures and interviewed Office of Transportation Sector Network Management and PSD officials regarding those measures, and discussed PSD's related data collection methodologies with PSD officials.[Footnote 16] We analyzed TSA's national security strategy for pipeline systems--the Pipeline Modal Annex--to determine the extent to which it conformed to provisions related to goal setting and performance measurement found in Executive Order 13416: Strengthening Surface Transportation Security,[Footnote 17] the NIPP, the Transportation Systems Sector-Specific Plan,[Footnote 18] and guidance on desirable characteristics for a national strategy that we developed in a previous report.[Footnote 19] We also reviewed the NIPP and the 2007 Transportation Systems Sector-Specific Plan to determine the risk management framework's recommended approach to performance measurement and compared TSA's actions with that guidance. In addition, we analyzed data PSD used as an outcome measure to determine the extent of improvements in pipeline security and evaluated both the reliability of the data and its sufficiency as a measure of pipeline security outcomes.
As part of this analysis, we compared two successive data collection instruments--the original instrument PSD developed in 2003 and used in conducting early CSRs with the one TSA developed in 2004, which PSD subsequently used. Later in this report we discuss concerns about the reliability of some of these data. Appendix I contains a more detailed discussion of our objectives, scope and methodology.

We conducted this performance audit from November 2008 to August 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background:

Overview of U.S. Pipeline Systems:

More than 2.4 million miles of hazardous liquid and natural gas pipeline--primarily buried underground in the continental United States--run under remote and open terrain as well as densely populated areas. These pipelines are comprised of three main types:

* Hazardous liquid: About 170,000 miles of hazardous liquid pipeline transport crude oil, diesel fuel, gasoline, jet fuel, anhydrous ammonia, and carbon dioxide.

* Natural gas transmission and storage: Over 320,000 miles of pipeline--mostly interstate--transport natural gas from sources to communities.

* Natural gas distribution: About 1.9 million miles of pipeline--mostly intrastate--transport natural gas from transmission pipelines to residential, commercial, and industrial customers.

The network of hazardous liquid and natural gas transmission pipelines in the United States can be seen in figure 1.
Figure 1: Map of Hazardous Liquid and Natural Gas Transmission Pipelines in the United States, September 28, 2009:

[Refer to PDF for image: illustrated map of the United States]

Depicted on the map are:
Hazardous liquid pipelines;
Natural gas pipelines.

Source: Department of Transportation, Pipeline and Hazardous Materials Safety Administration.

[End of figure]

More than 3,000 pipeline companies operate the nation's pipeline systems. Pipeline systems are comprised of the pipelines themselves, which can traverse multiple states and U.S. borders with Canada and Mexico, as well as a variety of facilities, such as storage tanks, compressor stations, and control centers. Some of these facilities are considered critical and merit particular attention to security if, for example, they are important to the nation's energy infrastructure; serve installations critical to national defense; or, if attacked, have the potential for mass casualties or significant impact on public drinking water affecting a major population center. A significant disruption of pipeline service has the potential to inflict economic havoc on a region or the nation at large.

Notwithstanding the potential damage or harm that could result from an attack, the inherent design and operation of U.S. pipeline systems might reduce some of the potential impacts regarding loss of service. For one thing, the pipeline sector is generally considered to be resilient. Historically, pipeline operators have been able to quickly respond to the adverse consequences of an incident--whether it is damage from a major hurricane or a backhoe--and quickly restore pipeline service. In addition, pipeline infrastructure is versatile and includes such redundancies as parallel pipelines or looping capabilities that enable operators to mitigate potential disruptions by rerouting energy through the network.
Key Pipeline Security Stakeholder Roles and Responsibilities:

Protecting the nation's pipeline systems is a responsibility shared primarily by the federal government and private industry. Since the terrorist attacks of September 11, 2001, the role of federal agencies in securing the nation's transportation systems has continued to evolve. In response to those attacks, the federal government enacted the Aviation and Transportation Security Act of 2001, which created and conferred upon TSA broad responsibility for securing all modes of transportation, including pipeline.[Footnote 20] In November 2002, the federal government enacted the Homeland Security Act, which established DHS, transferred TSA from DOT to DHS, and assigned DHS responsibility for protecting the nation from terrorism, including securing the nation's transportation systems.[Footnote 21]

Within TSA, the Office of Transportation Sector Network Management (TSNM) manages all surface transportation security issues with divisions dedicated to each surface mode of transportation, including pipeline. Within TSNM, the Pipeline Security Division (PSD)--the smallest of TSNM's surface transportation divisions--has lead responsibility for the security of the nation's pipeline systems.[Footnote 22] For fiscal year 2010, PSD has an authorized staffing level of 13 and a budget of about $4 million. TSA's Office of Intelligence is responsible for collecting and analyzing threat information related to the transportation network; it shares with PSD any information related to pipeline threats or suspicious incidents.

While TSA, within DHS, was given primary responsibility for pipeline security, DOT's Pipeline and Hazardous Materials Safety Administration (PHMSA) retained responsibility and authority for regulating the transportation of hazardous materials via pipeline and pipeline safety.
In 2004, DHS and DOT entered into a memorandum of understanding (MOU) delineating the agencies' roles and responsibilities with respect to transportation security and recognizing DHS as having primary responsibility for security in all modes of transportation, including pipeline. In 2006, TSA and PHMSA completed an annex to the MOU further clarifying both agencies' roles. The annex identifies TSA as the lead federal entity for transportation security, including hazardous materials and pipeline security, and PHMSA as responsible for administering a national program of safety in natural gas and hazardous liquid pipeline transportation, including identifying pipeline safety concerns and developing uniform safety standards. However, pipeline security and safety are intertwined, and PSD and PHMSA coordinate on matters relating to pipeline security and protection. TSA and DOE also work together on matters where pipeline safety and security overlap and PSD and DOE worked closely on pipeline security issues, programs, and activities, such as efforts to enhance reliability and resiliency. Although PSD has primary federal responsibility for pipeline security, implementation of asset-specific protective security measures remains the responsibility of pipeline operators in the private sector. Particularly since the September 11, 2001, terrorist attacks, operators' attention to security has increased and they have sought to incorporate security practices and programs into their overall business operations. Pipeline operators' interests and concerns are represented by five major trade associations with ties to the pipeline industry--the Interstate Natural Gas Association of America (INGAA), American Gas Association (AGA), American Public Gas Association (APGA), American Petroleum Institute (API), and Association of Oil Pipe Lines (AOPL). These associations have worked closely with the federal government on a variety of pipeline security-related issues. 
In March 2002, API developed Security Guidelines for the Petroleum Industry and in September 2002, INGAA and AGA developed Security Guidelines for the Natural Gas Industry, which were adopted by APGA.[Footnote 23] Both sets of guidelines emphasize security planning and strategies that, to varying degrees, include identifying, analyzing, and reducing vulnerabilities. Both reference some of the physical security measures that operators can take to protect their critical facilities, but provide caveats explaining the general nature of the described security practices and the importance of each operator determining the security measures that are appropriate for each facility. Figure 2 illustrates some of the physical security measures that operators may choose to employ at a critical facility.

Figure 2: Physical Security Measures a Pipeline Operator Might Employ at a Critical Facility:

[Refer to PDF for image: illustration]

Closed-circuit TV camera;
Light;
Vehicle barrier;
Barbed wire-topped fence;
Key card access;
Security personnel;
Locked access gate;
Gate entry access control;
Lights;
No trespassing sign.

Sources: GAO analysis of Security Guidelines for the Petroleum Industry and Security Practices Guidelines for the Natural Gas Industry and Art Explosion (clip art).

[End of figure]

Laws and Agency Guidance Concerning Pipeline Security:

In September 2002, prior to the establishment of DHS, DOT issued voluntary guidance for pipeline operators in the form of the Pipeline Security Information Circular (the 2002 circular), which TSA later adopted. The 2002 circular, developed in collaboration with pipeline industry associations, recommended pipeline operators identify their critical facilities, develop security plans consistent with prior industry association guidance, and begin implementing appropriate security measures at critical facilities.
It also outlined steps the federal government planned to take, including conducting onsite reviews of pipeline operators' security plans to determine whether the plans are consistent with security guidance published by their industry. In collaboration with industry associations, PSD developed new, draft pipeline security guidance to replace the 2002 circular. As of May 2010, PSD had not yet issued the new guidance, but it anticipates doing so sometime during 2010. Pipeline Security Contingency Planning Guidance, also developed by DOT in 2002 and considered part of the 2002 circular, provides criteria for pipeline operators to use to identify critical facilities and establishes guidelines for protective measures for critical facilities under each threat condition corresponding to the Homeland Security Advisory System. For example, during periods of elevated threat conditions (yellow), operators should ensure, among many other things, that employees are educated on security standards and procedures; fencing, locks, camera surveillance, intruder alarms, and lighting are in place and functioning; gates and barriers are closed and locked except those needed for immediate entry and exit at critical facilities; and visitation is limited and it is confirmed that every visitor is expected and has a need to be at a critical facility. However, similar to industry guidelines, the Pipeline Security Contingency Planning Guidance also states that pipeline operators are expected to use good judgment in incorporating measures into their security plans as not all security measures are appropriate for all types of facilities.[Footnote 24] In August 2007, Congress passed the 9/11 Commission Act, which identifies the following pipeline security requirements that the Secretary of Homeland Security must implement. 
Some of these requirements are shared responsibilities with the Secretary of Transportation; others are to be carried out in consultation with the Secretary of Transportation.[Footnote 25] Within DHS, PSD has responsibility for carrying out the following pipeline security requirements of the 9/11 Commission Act:

* Establish a program for reviewing pipeline operators' adoption of the 2002 circular, including the review of pipeline security plans and critical facility inspections.

* Develop and implement a plan for reviewing the pipeline security plans of the 100 most critical pipeline operators covered by the 2002 circular.

* Develop and implement a plan for inspecting the critical facilities of the 100 most critical pipeline operators covered by the 2002 circular.

* In conducting these reviews and inspections, use risk assessment methodologies to prioritize risks and target inspections.

* Develop security recommendations for natural gas and hazardous liquid pipelines and pipeline facilities and transmit to pipeline operators.

* If the Secretary of Homeland Security determines that regulations are appropriate, promulgate regulations and carry out necessary inspection and enforcement actions.

* Develop a pipeline security and incident recovery protocols plan and submit a report to the appropriate congressional committees. The report is to include the plan and an estimate of the private and public sector costs to implement any recommendations.

A Risk-Based Approach to Guide Pipeline Security:

In recent years, we, along with Congress, the executive branch, and the 9/11 Commission, have recommended that federal agencies with homeland security responsibilities utilize a risk management approach to help ensure that finite national resources are dedicated to assets or activities considered to have the highest security priority.
Homeland Security Presidential Directive 7 (HSPD-7) directed the Secretary of Homeland Security to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities.[Footnote 26] It also called for the Secretary to produce a comprehensive, integrated national plan for critical infrastructure and key resources protection to outline national goals, objectives, milestones, and key initiatives. In response to HSPD-7, DHS released the NIPP in June 2006, and updated it in 2009. The NIPP created a risk-based framework for the development of sector-specific agency strategic plans. In keeping with the NIPP and as required by Executive Order 13416, TSA developed the Transportation Systems Sector-Specific Plan in 2007 to document the process to be used in carrying out the national strategic priorities outlined in the NIPP. The plan contains supporting modal implementation plans for each transportation mode, including pipeline. The Pipeline Modal Annex provides information on efforts to secure pipelines, as well as TSA's overall goals and objectives related to pipeline security.

The cornerstone of the NIPP is the risk management framework that entails a continual process of managing risk through six interrelated activities, as illustrated in figure 3.

Figure 3: NIPP Risk Management Framework:

[Refer to PDF for image: illustration]

Physical: Cyber: Human: Set goals and objectives; Identify assets, systems, and networks; Assess risks (consequences, vulnerabilities, and threats); Prioritize; Implement programs; Measure effectiveness; Continuous improvement to enhance protection of critical infrastructure and key resources for each activity listed.

Source: GAO, DHS.

[End of figure]

* Set goals and objectives: Define specific outcomes, conditions, and end points for an effective risk management posture.
* Identify assets, systems, and networks: Develop an inventory of the assets, systems, and networks deemed to be critical, and collect information pertinent to risk management.

* Assess risks: Evaluate risk as a function of threat, vulnerability, and consequence. Once the three components of risk have been assessed for one or more given assets, systems, or networks, integrate them into a defensible model to produce risk estimates.

* Prioritize: Compare risk assessment results and establish priorities based on risk. Accord the highest priority in risk management activities to those assets, systems, or networks with the highest expected losses.

* Implement programs: Select appropriate actions or programs to reduce or manage the risk identified.

* Measure effectiveness: Use metrics and other evaluation tools to measure progress and assess the effectiveness of protection programs that have been implemented.

PSD Has Developed a Pipeline Risk Assessment Model, but Could Strengthen Data in the Model and Better Prioritize Security Reviews and Inspections:

PSD Identified the Most Critical Pipeline Systems and Developed a Risk Model, but Some Model Components Could be Strengthened:

PSD identified the 100 most critical pipeline systems in the United States,[Footnote 27] consistent with the NIPP, and developed a pipeline risk assessment model to generate a risk score for those systems; however, some components of PSD's model are incomplete.[Footnote 28] The NIPP calls for agencies to identify the most critical assets, systems, or networks within each sector, including the transportation sector, in order to collect information pertinent to risk management. PSD relied on each pipeline system's energy throughput to identify the most critical systems from more than 3,000 systems in the United States. It has since been focusing its risk management efforts on these 100 most critical systems, which, according to PSD officials, move 85 percent of all energy within the United States.
Once critical systems have been identified, the NIPP calls for agencies to assess risk as a function of threat, vulnerability, and consequence, and to integrate these individual assessments into a model to produce a risk estimate. It further requires that the consequence component of a risk assessment take into account the impact that an event or incident would have on the economy and public health and safety, among other things.

PSD was the first of TSA's surface transportation modes to develop a risk assessment model that combines all three components of risk--threat, vulnerability, and consequence--to generate a risk score. PSD's pipeline risk assessment model generates a risk score for each of the 100 most critical systems and ranks them according to risk.[Footnote 29] PSD holds the threat score constant for all pipeline systems and uses the results of its Corporate Security Reviews (CSR) in its vulnerability component. However, its consequence component is incomplete in that it accounts for economic impact, but not the impact on public health and safety. The following provides more information on the assessments or information for the threat, vulnerability, and consequence data that PSD uses in its risk assessment model.

* Threat: In the case of terrorist attacks, the NIPP calls for the threat component of the assessment to be calculated based on the likelihood of the intent and capability of a terrorist attack on a particular asset, system, or network. However, if threat likelihoods cannot be estimated, an agency can use conditional risk values based on vulnerability and consequence. TSA's Office of Intelligence develops Pipeline Threat Assessments and, according to officials from that office, the approach they use to assess threat is consistent across transportation modes.
They further explained that because they have no actionable intelligence for specific pipeline systems, they cannot develop likelihood estimates.[Footnote 30] As such, PSD holds threat constant in its model and bases each pipeline system's risk score on vulnerability and consequence. Office of Intelligence officials explained that if they were to receive intelligence regarding a credible threat to a specific pipeline system, they would work with PSD officials to adjust the threat level for that system in PSD's risk assessment model.

* Vulnerability: According to the NIPP, agencies are responsible for ensuring that vulnerability assessments are performed within their sector in order to identify areas of weakness within a system under review. PSD uses the results of the CSRs it conducts on each of the most critical pipeline systems as the basis for the vulnerability component in its risk assessment model. PSD uses a CSR protocol (i.e., a questionnaire that guides the CSR interview) to collect information on an operator's security planning and management practices for a given pipeline system, and calculates a CSR score by tallying points associated with responses to each of 73 standard questions in the protocol.[Footnote 31] Using the CSR score, PSD determines a pipeline system's vulnerability by calculating the difference or "gap" between a total possible score of 100 and an operator's CSR score. PSD uses this gap, known as the "vulnerability gap," as the basis for the vulnerability component in its risk assessment model. Using CSRs as vulnerability assessments is consistent with the approach taken by other surface transportation modes, such as freight rail and highway infrastructure, on which we have previously reported.[Footnote 32]

* Consequence: According to the NIPP, consequence assessments should measure key effects on the well-being of the nation.
This includes the negative consequences on the economy, public health and safety, and the environment, as well as the functioning of government that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack. Within its risk assessment model, PSD uses the annual energy throughput of a pipeline system to help measure the possible adverse economic impact of a terrorist attack or other event on a pipeline system, but does not take into account other possible adverse impacts, such as on public health and safety. According to PSD officials, because the major consequence of an attack on a pipeline would be the loss of energy, annual energy throughput provides a good measure of this expected loss. However, the consequences of some potential attacks might not be limited to the economy. For example, under some circumstances, an attack on a critical pipeline facility located near a waterway has the potential to significantly contaminate drinking water or, if located in a highly populated area, could result in significant casualties. PSD officials explained that the pipeline risk assessment model is in the early stages of development and they intend to improve it over time by incorporating additional data. PSD has sponsored or conducted assessments and collected information on pipeline systems, some of which could be used to enhance individual components of its model. For example, through its Critical Facility Inspection (CFI) Program, PSD has collected information on critical facilities, such as the number of facilities per system, and officials say they plan to eventually use these data in their risk estimates. PSD officials explained that the number of critical facilities can be an indicator of a system's vulnerability--that is, the more critical facilities a system has, the more vulnerable the system. 
Thus, incorporating this information into the vulnerability component of PSD's risk assessment model and including it in the risk estimate could enhance the model. In addition, including information that might be available from other sources, such as the number of miles of pipeline that run through a high-consequence, or highly populated, area could also enhance the consequence component of the model. PSD officials noted that such data could be a good measure of the effects on public health and safety. However, the officials explained that with a small staff, they have not had time to make any specific enhancements to the model. PSD officials also agreed that adding other information that could be available in the future might further improve its model. For example, PSD and DOE sponsored regional gas pipeline studies that include information that could be used to improve the consequence component of the model. These studies use computer-based modeling to evaluate the impact of a major natural gas pipeline disruption. PSD officials told us they would like to incorporate such information into the consequence component of its risk model, but adding such information for natural gas pipelines without adding comparable information for hazardous liquid pipelines would skew its risk ranking of the most critical pipeline systems. PSD officials told us in May 2010 that they had secured funds to contract for a similar assessment of the hazardous liquid pipeline market and expect the work to begin later in fiscal year 2010. They also said they plan to use the results of their CFIs to enhance the vulnerability components of the risk model; however, they will need to wait until they complete inspections of all critical facilities associated with the 100 most critical pipeline systems. The officials told us they expect to complete these inspections by the end of 2011. 
Although PSD officials said they would like to add more information to their pipeline risk assessment model and have included placeholders in the model for incorporating other vulnerability and consequence factors when additional information is known, they have not established time frames or milestones (i.e., a schedule of actions needed to achieve goals) for doing this. Standard practices for program management call for establishing time frames and milestones as part of a plan to ensure that results are achieved.[Footnote 33] Developing a plan that includes time frames and milestones could help PSD accomplish its goal of improving the data in its risk assessment model. By including additional information in its risk model--some that exists and some that should be available in the future--PSD could improve its risk assessment of the most critical pipeline systems and better assure it has the information it needs to guide decisions, including allocating resources to the highest risk pipeline systems.

Table 1 summarizes all of TSA's assessment activities related to the three individual components of risk for the pipeline industry, and identifies which ones PSD includes in the data it inputs into its risk assessment model.[Footnote 34]

Table 1: TSA Pipeline Security Assessment Activities Since 2003:

Entity: TSA Office of Intelligence;
Time frame: Annually;
Description: Annual Threat Assessments: TSA's Office of Intelligence provides an overview of threats--including key actors and possible attack tactics and targets--to pipeline systems. The assessments include incidents of interest and suspicious activities targeting pipeline systems in the United States and overseas;
Risk component addressed: Threat: [Check];
Risk component addressed: Vulnerability: [Empty];
Risk component addressed: Consequence: [Empty];
Included in pipeline risk assessment model: Yes. PSD uses this for the threat component of the risk model.

Entity: TSA Pipeline Security Division;
Time frame: Ongoing since 2003;
Description: Corporate Security Reviews (CSR): PSD conducts CSRs to assess pipeline security plans at the 100 most critical pipeline systems in the United States. The intent of these on-site reviews of pipeline companies is to develop firsthand knowledge of security planning, establish communication with key pipeline security personnel, and identify and share good security practices;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check][A];
Included in pipeline risk assessment model: Yes. PSD uses CSRs for the vulnerability component of the risk model.

Entity: TSA Pipeline Security Division;
Time frame: Ongoing since Nov. 2008;
Description: Critical Facility Inspections (CFI): PSD, with the help of a contractor, conducts in-depth inspections of all the critical facilities of the 100 most critical pipeline systems in the United States;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD collects the number of critical facilities per system, which could be used to enhance the risk model. PSD also collects consequence information for each system that could be used once PSD completes all inspections.

Entity: TSA Pipeline Security Division and Natural Resources Canada;
Time frame: 2004-2007;
Description: Pipeline-Cross-Border Vulnerability Assessments Program: U.S. and Canadian teams assess pipeline operations, control systems, interdependencies, and assault planning in critical cross-border infrastructure;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this in its risk model because it involves only a few of the 100 most critical pipeline systems.

Entity: TSA Pipeline Security Division - initiated by DOE;
Time frame: 2003-2008;
Description: Regional Gas Pipeline Studies: PSD, in coordination with DOE, sponsored a series of studies using computer-based modeling, to evaluate the impact of a major pipeline disruption[B];
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Empty];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this information until a comparable study for hazardous liquid pipelines is completed.

Entity: TSA Pipeline Security Division;
Time frame: Ongoing;
Description: Cued Assessments: When intelligence activities indicate that a pipeline operator has been under possible terrorist surveillance, PSD works with the operator to conduct vulnerability and consequence assessments to determine the existing state of security and gaps that need to be addressed. After these assessments, PSD makes recommendations on how to close the security gaps;
Risk component addressed: Threat: [Empty];
Risk component addressed: Vulnerability: [Check];
Risk component addressed: Consequence: [Check];
Included in pipeline risk assessment model: No. PSD cannot use this information because such assessments are isolated. Thus, PSD does not have such information for all of the 100 most critical pipeline systems.

Source: GAO and PSD.

[A] PSD collects consequence information during a CSR, but does not conduct a consequence assessment.

[B] INGAA and AGA funded the first in this series of studies.

[End of table]

PSD Could Better Prioritize Its Reviews and Inspections of Critical Pipeline Systems Based on Risk:

PSD's CSR procedures call for scheduling CSRs based primarily on a pipeline system's risk ranking as determined by its risk assessment model; however, we found a weak statistical correlation between a system's risk ranking and the time elapsed between the first and subsequent CSR for a pipeline system.[Footnote 35] This suggests that a system's risk ranking was not the primary consideration in scheduling these reviews. For the pipeline systems included in PSD's risk assessment model dated May 2010, PSD had conducted 54 initial CSRs of pipeline operators who operate the 100 most critical systems, and 27 second CSRs of those operating 65 of the most critical pipeline systems.[Footnote 36] Figure 4 illustrates the weak correlation we found between risk ranking and time between reviews for the 27 operators with which PSD conducted a second CSR, as denoted by data points that are not clustered near or on the line of best fit.[Footnote 37] If a stronger correlation existed between these variables, the data points would be clustered closer to the line of best fit.

Figure 4: Correlation Between a Pipeline System's Risk Ranking and the Time Elapsed from the First to the Second CSR, as of May 2010:

[Refer to PDF for image: plotted point graph]

The graph plots the pipeline system risk ranking (from most at risk to least at risk) against year between first and second CSR.

Source: GAO analysis of PSD data.

Notes: n=27. In 27 cases, PSD conducted two CSRs for the same operator. These CSRs were conducted from April 2003 through May 2010.
Because some pipeline operators operate more than one system and a CSR usually covers all the systems operated by a given operator, these 27 CSRs covered a total of 65 of the 100 most critical pipeline systems.

[End of figure]

According to CSR procedures, using a pipeline system's risk ranking when scheduling CSRs allows PSD to consider the importance of the system to the nation's transportation infrastructure and the likelihood that the system could be attacked. Similarly, according to the NIPP, the highest priority in risk management efforts should be accorded to those systems with the highest expected losses. In addition, the 9/11 Commission Act requires that risk assessment methodologies be used to prioritize risk and to target inspection actions to the highest risk pipeline assets. According to PSD officials, a pipeline system's relative risk ranking is the primary factor driving their decision of when to schedule a subsequent CSR; however, other factors, such as geographic proximity, also affect the decision. For example, in some cases PSD officials schedule a CSR for a lower risk-ranked system that might be located in the same geographic area as a higher risk-ranked system to be efficient and reduce travel time and costs.

We also found considerable variation in the time elapsed before PSD returned to conduct a second CSR. For example, our analysis of the data in PSD's risk assessment model showed:

* Within the 15 highest risk-ranked pipeline systems, the time between the first and second CSR ranged from 1 to 7 years.[Footnote 38]

* For all pipeline systems, the average time elapsed between a first and second CSR was 4.8 years, regardless of the system's risk ranking.[Footnote 39]

* For 5 systems that rank in the top 15 in terms of risk, approximately 6 years elapsed between a first and second CSR--more than the average time for all systems.
PSD officials stated that although the time elapsed between a first and second CSR might be longer than average for some of the highest risk pipelines, this does not mean that PSD has not been focusing its attention on these operators. For example, in one of these cases, the officials explained they spent 6 weeks in 2009 inspecting dozens of critical facilities belonging to this operator through the CFI program, met with the company president to discuss the need for security improvements, and had other contacts with the operator. However, even after accounting for PSD inspecting one or more of an operator's critical facilities before conducting a second CSR, we still found a weak relationship between a pipeline system's risk ranking and the time elapsed between that system's first and subsequent CSR.[Footnote 40] The NIPP calls for systems that are considered to have the highest expected losses if damaged, disrupted, or destroyed, to receive more scrutiny. Furthermore, PSD's CSR procedures state that the CSR program should consider a pipeline system's risk level as one of the most crucial factors when scheduling CSRs and PSD officials told us they consider a system's risk to be the primary factor in these decisions. However, PSD has not clearly stated in its CSR procedures that risk should be the primary criteria in scheduling CSRs, nor has it documented a methodology addressing how it is to balance other practical considerations, such as travel efficiencies, with its consideration of risk. Doing so could help PSD ensure it prioritizes its oversight of pipeline systems that are most at risk. Similarly, PSD has no documented procedures or methodology for using a system's risk ranking when scheduling CFIs. According to PSD officials, when they began the CFI program in November 2008, their primary consideration in scheduling CFIs was to do so in a manner that would allow them to complete a large number of inspections as soon as possible. 
For example, if 10 critical facilities were located close enough to each other to complete all 10 in 1 week, PSD would schedule those inspections and leave the inspections of more geographically dispersed critical facilities for a later time. The officials further explained that because inspecting outdoor space is critical to a CFI, they also consider weather when scheduling inspections (i.e., scheduling cold weather locations in warmer months). However, the NIPP calls for according the highest priority in risk management efforts to those systems with the highest expected losses. Furthermore, the 9/11 Commission Act requires that risk assessment methodologies be used to prioritize risk and to target inspections to the highest risk pipeline assets. Documenting a methodology for scheduling CFIs and including a pipeline system's risk ranking as the primary criteria while recognizing other considerations that can affect scheduling could help PSD ensure it prioritizes its oversight of pipeline systems that are most at risk. We identified almost no statistical correlation between the order in which PSD conducted critical facility inspections and the risk ranking of the pipeline system containing those facilities.[Footnote 41] For example, PSD did not inspect any of the critical facilities of three of the highest risk-ranked systems until early 2010, although it had conducted CFIs of some of the lowest risk-ranked systems in the previous year. PSD's oversight of the critical facilities belonging to the most at-risk pipeline systems could be better prioritized by scheduling inspections of facilities based on their system's risk ranking. 
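
The scoring and scheduling check described in this section, as an added example (not GAO's or PSD's code): it holds threat constant, takes the vulnerability gap as 100 minus the CSR score, uses annual throughput for consequence, and then measures how closely the years between first and second CSR follow the resulting risk rank. The multiplicative combination, the throughput normalisation, the choice of Spearman rank correlation, and every system name and number are assumptions constructed for illustration.

```python
"""Conditional risk ranking plus a check of whether review timing follows risk.

Assumptions (not from the report): risk = threat x vulnerability gap x
throughput normalised to the largest system; Spearman rank correlation;
every system name and number below is constructed sample data.
"""
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence

THREAT_CONSTANT = 1.0  # no system-specific intelligence, so threat is held constant


@dataclass(frozen=True)
class PipelineSystem:
    name: str
    csr_score: float                     # CSR score out of a possible 100
    annual_throughput: float             # energy units per year (constructed)
    years_between_csrs: Optional[float]  # None when no second CSR has been done


def vulnerability_gap(csr_score: float) -> float:
    """Gap between the total possible score of 100 and the CSR score."""
    if not 0 <= csr_score <= 100:
        raise ValueError(f"CSR score out of range: {csr_score}")
    return 100.0 - csr_score


def risk_score(system: PipelineSystem, max_throughput: float,
               threat: float = THREAT_CONSTANT) -> float:
    """Conditional risk; the product form is an assumption of this example."""
    consequence = system.annual_throughput / max_throughput
    return threat * vulnerability_gap(system.csr_score) * consequence


def rank_by_risk(systems: Sequence[PipelineSystem]) -> List[PipelineSystem]:
    """Order systems from highest to lowest risk score (index 0 is rank 1)."""
    if not systems:
        raise ValueError("no systems to rank")
    top = max(s.annual_throughput for s in systems)
    if top <= 0:
        raise ValueError("throughput must be positive")
    return sorted(systems, key=lambda s: risk_score(s, top), reverse=True)


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        for k in range(i, j + 1):
            ranks[order[k]] = (i + j) / 2 + 1
        i = j + 1
    return ranks


def spearman(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Spearman rank correlation, computed as Pearson correlation of the ranks."""
    if len(xs) != len(ys) or len(xs) < 3:
        raise ValueError("need two equal-length samples of at least 3 points")
    rx, ry = average_ranks(xs), average_ranks(ys)
    mx, my = sum(rx) / len(rx), sum(ry) / len(ry)
    sxy = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sxx = sum((a - mx) ** 2 for a in rx)
    syy = sum((b - my) ** 2 for b in ry)
    if sxx == 0 or syy == 0:
        raise ValueError("correlation undefined for constant input")
    return sxy / math.sqrt(sxx * syy)


def schedule_alignment(systems: Sequence[PipelineSystem]) -> float:
    """Correlate risk rank (1 = highest risk) with years between first and second CSR.
    Near +1: higher-risk systems were revisited sooner. Near 0: timing did not track risk."""
    pairs = [(rank, s.years_between_csrs)
             for rank, s in enumerate(rank_by_risk(systems), start=1)
             if s.years_between_csrs is not None]
    return spearman([p[0] for p in pairs], [p[1] for p in pairs])


def overdue_high_risk(systems: Sequence[PipelineSystem], top_n: int) -> List[str]:
    """Names of top-N risk systems whose revisit interval exceeded the overall average."""
    intervals = [s.years_between_csrs for s in systems if s.years_between_csrs is not None]
    if not intervals:
        return []
    average = sum(intervals) / len(intervals)
    return [s.name for s in rank_by_risk(systems)[:top_n]
            if s.years_between_csrs is not None and s.years_between_csrs > average]


# Constructed sample data: (name, CSR score, annual throughput, years between CSRs).
SYSTEMS = [
    PipelineSystem("System A", 60, 1000, 5),
    PipelineSystem("System B", 80, 900, 3),
    PipelineSystem("System C", 70, 500, 7),
    PipelineSystem("System D", 90, 800, 6),
    PipelineSystem("System E", 50, 200, 1),
    PipelineSystem("System F", 95, 400, None),  # no second CSR yet
]

if __name__ == "__main__":
    for rank, s in enumerate(rank_by_risk(SYSTEMS), start=1):
        print(rank, s.name, s.years_between_csrs)
    print("rank vs. interval (Spearman):", round(schedule_alignment(SYSTEMS), 3))
    print("top-3 systems revisited later than average:", overdue_high_risk(SYSTEMS, 3))
```

Running the same check again after adding a public health and safety term to the consequence input shows how far the ranking, and therefore the review order, would shift.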

PSD Has Taken Actions to Implement Agency Guidance and 9/11 Commission Act Requirements, but Lacks a System for Following Up on Its Recommendations to Operators:

PSD Established a Program for Reviewing Pipeline Security Plans:

PSD established an on-site CSR program in April 2003 that has been evolving in response to, and consistent with, agency guidance--specifically, DOT's September 2002 Pipeline Security Information Circular (the 2002 circular)--and the 9/11 Commission Act. PSD undertook CSRs to determine the state of security within the pipeline industry and enhance the level of security planning and preparedness throughout the industry. The 2002 circular outlines voluntary actions that pipeline operators should take and describes actions the federal government plans to take to improve pipeline security.[Footnote 42] It gives operators some discretion to determine which security measures are appropriate for each of their critical facilities and provides the federal government with broad guidance and, thus, some flexibility, in carrying out its reviews.

According to the 2002 circular, pipeline operators should take the following actions:

* Identify critical facilities.[Footnote 43]

* Develop a corporate security plan that is consistent with voluntary security guidance published by the pipeline industry.[Footnote 44]

* Begin to implement appropriate security measures for the critical facilities.

In addition, the 2002 circular describes the following actions the federal government planned to take:

* Review pipeline operators' security plans on site.

* Determine whether operators' security plans are consistent with security guidance published by their industry.

* Conduct spot checks of selected critical facilities in the field to verify operators are implementing their security plans as written.

* Work with operators to correct security deficiencies.
CSRs emphasize the importance of pipeline operators' management practices in prevention, protection, and response to threats. They focus on pipeline operators' security plans and how operators manage their security programs, and include recommendations to operators for application in routine operational practices and during heightened alert levels. These reviews are also intended to provide PSD a means to establish and maintain relationships with pipeline operators' key security personnel. CSRs include detailed interviews with the pipeline operators' security personnel--typically at operators' corporate headquarters; spot checks of selected facilities; reviews of security plans and related documents; and PSD feedback, including recommendations specific to the operator.[Footnote 45] A CSR team, comprised of PSD officials, conducts the interview using a CSR protocol that PSD developed based on the 2002 circular and industry guidance.[Footnote 46] The protocol includes 73 standard questions divided into 11 areas that include vulnerability assessments, credentialing, security training, cyber security,[Footnote 47] and physical security.[Footnote 48] According to the PSD General Manager, the CSR process gives PSD some confidence that operators are doing what their corporate security plans say. Further, he expects that operators who do well on a CSR generally have reasonably good security measures in place at their critical facilities. However, he noted that it is difficult to be certain of the physical security measures in place at critical facilities without conducting full inspections. When the 9/11 Commission Act was enacted in August 2007, it reinforced the CSR program that PSD had underway by specifically requiring reviews of pipeline operators' security plans for the 100 most critical pipeline systems.[Footnote 49] Within the first 5 years of conducting CSRs, PSD had reviewed the 100 most critical systems and had begun a second round of CSRs. 
As of May 2010, it had completed 103 CSRs covering more than 125 pipeline systems, including 76 first-time CSRs and 27 second-time CSRs.[Footnote 50] According to PSD officials, CSRs have shown that pipeline operators are generally implementing voluntary security measures and that second CSRs have indicated that operators are generally improving their security posture.

We observed a CSR team conducting four CSRs from August through October 2009. These represented a first CSR for two of the operators and a second CSR for the remaining two operators--both of which had a first CSR in 2004. The CSR team followed the same general process for all four CSRs, asked all the questions in the CSR protocol, and conducted the CSRs in a manner consistent with CSR program goals (i.e., emphasizing the importance of security management practices, establishing working relationships with pipeline security personnel, and identifying and sharing knowledge of best practices). The CSR team found that the security posture of these four operators varied considerably. As part of each CSR, the team identified security practices the operators were implementing well, but also made recommendations regarding areas for improvement, tailored to each operator and based on the results of each review. For the four CSRs we observed, the CSR team made a total of 32 recommendations, ranging from 3 recommendations to one operator to 17 recommendations to another. For example, officials recommended that one operator conduct vulnerability assessments for its critical facilities, that another issue identification cards to contractors, and that a third add certain emergency contact information to its security plan and add its new headquarters to its list of critical facilities.

PSD Established a Program for Inspecting Critical Facilities of the Most Critical Pipeline Systems:

PSD established the CFI program to conduct inspections of all the critical facilities of the 100 most critical pipeline systems, as required by the 9/11 Commission Act.[Footnote 51] According to PSD officials, the purpose of the CFIs is to take a one-time snapshot of each critical facility's security posture--that is, to collect information on each critical facility's security measures and equipment. PSD relied on pipeline operators to identify their own critical facilities using criteria contained in the 2002 circular. As of May 2010, operators of the 100 most critical systems had notified PSD of a total of 373 critical facilities; however, PSD officials explained that this number is fluid.

PSD manages the CFI program and has contracted with a security and risk management consulting firm that focuses primarily on energy infrastructure security to help with the program's design and implementation. CFI teams (comprised of PSD staff and contractors from the consulting firm) began conducting CFIs in November 2008 and, as of May 2010, had completed 224 CFIs. Due to the time- and resource-intensive nature of these inspections, PSD officials estimated they will finish inspecting all the critical pipeline facilities operators have identified by the end of 2011.

Each CFI takes roughly 4 hours and entails the following steps:

* The CFI team conducts an in-depth interview regarding the operator's security practices using a CFI protocol that covers more than 150 items.

* The CFI team conducts an on-site physical inspection of the interior and exterior of each critical facility, including the perimeter of the property. Through physical observation and some testing, the CFI team confirms that the security measures discussed during the CFI interview are actually in place.
* The CFI team shares with the operator's security personnel its observations of good security practices, areas for improvement, and security recommendations. * PSD sends the operator a final inspection report for each facility inspected, including recommendations, subsequent to the CFI. From June through August 2009, we observed the CFI team conduct 10 CFIs involving critical facilities operated by three different pipeline operators. The CFI teams we observed followed the same general process for each inspection and asked all the questions in the CFI protocol. The security posture at these facilities varied considerably, and the CFI team's observations and recommendations varied accordingly. During each CFI, the team commended the operator for specific security practices that were in place at the facility, but also made recommendations for actions to improve security. The CFI team made a total of 88 recommendations for the 10 CFIs we observed, ranging from 4 recommendations at some facilities to 13 recommendations at others. For example, recommendations the CFI team made to one operator included overhauling the procedure for obtaining visitor badges and installing "no trespassing" signs and warnings indicating that the property is under video surveillance. Recommendations to another operator included securing all perimeter gates when not in active use, installing an access control system at the main gate that logs activity, upgrading main gate lighting, and establishing a formal key management program. Figures 5, 6, and 7 show several of the security measures for which the CFI team commended the operator during a CFI we observed. Figure 5: Antiterrorism Crash Barrier Gate Installed inside Fenced Perimeter of a Critical Facility: [Refer to PDF for image: photograph] Source: GAO. [End of figure] Figure 6: Boulders Installed inside Perimeter Fencing at a Critical Facility Serve as a Vehicle Barrier: [Refer to PDF for image: photograph] Source: GAO. 
[End of figure] Figure 7: One of Many Closed-Circuit Television Cameras Installed at a Critical Facility: [Refer to PDF for image: photograph] Source: GAO. [End of figure] Figures 8 and 9 are photographs of two types of security lapses the CFI team identified during two other CFIs we observed. The CFI team made recommendations to the operator to address these and other security vulnerabilities. Figure 8: CFI Team Explains That Leaving the Entry Gate of a Critical Facility Open during Business Hours Constitutes a Serious Lapse in Security: [Refer to PDF for image: photograph] Source: GAO. [End of figure] Figure 9: Excessive Vegetation Surrounding a Critical Facility Impedes the Operator's Ability to Inspect Fencing and See Possible Intruders: [Refer to PDF for image: photograph] Source: GAO. [End of figure] In addition to accompanying CFI teams on inspections, we independently observed the exterior of 10 critical facilities operated by six different pipeline operators. Based on what we could observe at these facilities from outside the property perimeters, we saw variation in the physical security measures that these operators appeared to have in place--not dissimilar to what we observed when we accompanied CFI teams on their inspections. In contrast to CSRs, which look at pipeline operators' corporate security plans and security management, CFIs, when all are completed, are to yield information on security measures in place at every individual critical pipeline facility that operators have identified. According to PSD's General Manager, the CFI program fills a gap that existed in the CSR program by providing PSD the ability to develop first-hand knowledge of security measures in place at critical pipeline sites. As designed, the program provides PSD with a single point-in-time snapshot of the security posture of each critical facility. 
PSD officials explained that the CSR and CFI programs are complementary and that the CSRs' focus on management practices and the CFIs' focus on security measures in place at critical facilities provide PSD with needed information and are both important. They further stated that, because of its value, they are discussing ways to continue the CFI program after they complete all the inspections if resources are available. Options discussed include repeating the full set of CFIs after inspections of the critical facilities of the 100 most critical systems are completed; expanding inspections beyond these 100 systems, including toxic inhalation hazard pipeline systems; and enhancing CSRs to incorporate more thorough inspections of critical facilities.[Footnote 52] PSD Does Not Routinely Follow Up on Recommendations to Pipeline Operators: PSD does not routinely transmit its CSR recommendations in writing to pipeline operators, nor does it have a database of the CSR or CFI recommendations it makes or a process to routinely follow up on pipeline operators' implementation of those recommendations. After each CSR, PSD officials document review findings and the recommendations they make in an internal PSD report and provide oral recommendations aimed at enhancing that operator's security planning and preparedness to the pipeline operator's security personnel and sometimes management. However, PSD officials said they do not communicate these recommendations to the operator in writing as a matter of practice, but will transmit them in writing if an operator asks. Of the four CSRs we observed, one operator asked that the recommendations be put in writing, and PSD officials agreed to do so. Standards for Internal Control in the Federal Government calls for deficiencies found during evaluations to be communicated to the individual responsible for the function and to at least one level of management above that individual. 
It also calls for information to be recorded and communicated to management and others within the entity who need it and in a form and within a time frame that enables them to carry out their internal control and other responsibilities. PSD officials explained they had reasons for not transmitting written recommendations to operators when they first started the CSR program, and they subsequently continued the practice of sharing recommendations orally.[Footnote 53] However, by transmitting written recommendations to pipeline operators, PSD could better ensure that operators have clear guidance on actions they can take to enhance security. PSD officials agreed that their pipeline security efforts would benefit from transmitting CSR recommendations to pipeline operators in writing and told us they intend to begin doing this after they issue new Pipeline Security Guidance and revise their CSR protocol.[Footnote 54] However, they could not provide a specific time for when they would begin transmitting the recommendations to operators. Standard practices for project management call for developing a plan that includes defined approaches as well as start dates for activities. [Footnote 55] Developing such a plan could help PSD accomplish its intended goal of transmitting CSR recommendations in writing to pipeline operators. In addition, PSD officials told us they do not have a database of the recommendations they make to operators as a result of its CSRs; rather, they document CSR recommendations in individual internal reports PSD maintains on each operator. Having such a database could allow PSD to analyze the recommendations it has made through the CSR program. Moreover, the officials said they do not have a process for following up on those recommendations other than through subsequent CSRs that, on average, occur about every 5 years. 
According to PSD's General Manager, the greatest challenge PSD officials face is that they do not know if operators are implementing the recommendations PSD makes as a result of the CSRs. He further stated that he would like to conduct CSRs with each pipeline operator about once every 2 or 2.5 years to see if operators have implemented PSD's recommendations, but with a small staff, PSD can only visit a company about once every 4 or 5 years.[Footnote 56] Similarly, PSD officials said they do not have a database that would allow them to readily analyze the CFI recommendations they make. The CFI program, designed as a one-time inspection program of every critical pipeline facility of the 100 most critical pipeline facilities, includes recommendations that PSD sends to pipeline operators and that are specific to each facility it inspects. Although the CFI contractor designed a database to capture the results of each completed CFI, the database does not include the recommendations made. Furthermore, PSD officials said they do not have a process for following up to see if operators have implemented these recommendations. Standards for Internal Control in the Federal Government states that internal controls should generally be designed to assure that ongoing monitoring occurs, and further states that monitoring should include policies and procedures for ensuring that the findings of reviews are promptly resolved. Because PSD does not follow up on its CSR recommendations other than through a subsequent CSR 5 years later, on average, it lacks assurance that its recommendations are being implemented and whether the state of pipeline security is improving. 
PSD officials agreed that having a database that would allow them to analyze CSR recommendations, and following up on recommendations more frequently and systematically, could increase PSD's knowledge of the security posture and vulnerabilities of individual operators as well as the pipeline industry, enhance its ability to monitor security progress, and provide additional information about its pipeline security efforts. In carrying out its CFI program, PSD has invested resources in hiring a contractor, conducting inspections, making recommendations, and developing a database. However, PSD officials agreed that without including its CFI recommendations in that database and following up on their implementation, they cannot analyze the recommendations they have made and have limited information on whether pipeline operators are addressing security vulnerabilities identified at each critical facility. PSD officials told us in May 2010 that they would like to follow up on the recommendations they make as a result of their inspections and had been discussing ways to do this, but they did not have specific plans or time frames for doing so. Moreover, the 9/11 Commission Act states that DHS or DOT should issue pipeline security regulations if DHS determines they are appropriate. PSD officials told us in April 2009 that the results of the CSR and CFI programs, together, will inform that decision and noted that they are continually reassessing whether regulations are needed. They explained that they have been learning about the security posture of pipeline operators through these two programs and see indications that operators are making progress in improving security. Still, in a December 2009 quarterly report to the Office of Transportation Sector Network Management (TSNM) based on the first 159 CFIs, PSD reported that CFI data indicated that security improvements are needed. PSD further reported that regulations were not needed at that time. 
PSD officials agreed that by following up more frequently on whether operators are implementing the recommendations PSD makes as a result of its CSRs and developing a process for following up on the recommendations it makes as a result of its CFIs, they could be better informed of the state of the nation's pipeline security, including whether their recommendations have been implemented. Additionally, this would provide them information they say they plan to use to decide whether pipeline security regulations are needed. PSD Has Developed Pipeline Security Recommendations: PSD reported that it met the 9/11 Commission Act mandate to develop and transmit security recommendations to pipeline operators through its issuance of Pipeline Security Smart Practices (Smart Practices). PSD issued its Smart Practices in August 2006 to reflect lessons learned from its first few years of conducting CSRs and to detail security practices that can enhance the security of the pipeline industry. The Smart Practices address a wide range of security practices, such as risk assessments, vulnerability assessments, and security planning; threat information; employment screening; vehicle checkpoints; physical security; intrusion detection; security awareness training; and drills, exercises, and regional cooperation. During CSRs, PSD officials remind operators of the Smart Practices and disseminate the document. In addition, PSD officials told us they inform operators of its availability through activities such as at the annual International Pipeline Security Forum and disseminate it upon request. PSD intends to periodically review and update the Smart Practices to reflect advancements in security technology and maintain the viability of the security practices described. In addition, PSD officials stated that they will further address this mandate by issuing new Pipeline Security Guidelines to replace the 2002 circular. 
According to these officials, the biggest difference between the existing and new draft pipeline security guidelines is that the new voluntary guidelines will apply to all pipeline operators--including those who do not have any critical facilities. Under the new guidelines, all operators will be expected to implement some security measures at all their facilities, and implement even more at critical facilities. In contrast, the 2002 circular applies only to those operators that have critical facilities. In addition, the new guidelines will contain a section on cyber security.[Footnote 57] As of May 2010, PSD officials said that the new guidelines were in draft and expected they would be issued later in 2010. PSD officials told us they worked closely with industry groups to develop the new draft guidelines, and industry groups we spoke with commended PSD's collaborative approach during this process. An INGAA official explained that PSD used an iterative process to develop the new guidelines that included holding multiple sessions with stakeholders and forming work groups. An APGA official spoke of the open process PSD used in inviting industry comments. Similarly, AGA officials spoke highly of PSD's approach of inviting operator and association participation, which they said contributed to new guidance that applies to critical infrastructure and provides sensible baseline guidance for operators--both large and small--for securing noncritical infrastructure. API and AOPL officials also said that PSD worked closely with them and commended PSD's coordination efforts. PSD Officials Report Developing a Pipeline Security and Incident Recovery Protocols Plan: PSD officials stated that they have drafted a pipeline security and incident recovery protocols plan, which the 9/11 Commission Act required be completed by August 2009. 
The 9/11 Commission Act requires that DHS develop a pipeline security and incident recovery protocols plan that includes (1) increased federal security support to the most critical pipelines under severe security threat alert levels or specific threat information and (2) a plan to develop protocols for the continued transportation of natural gas and hazardous liquids to essential markets and for essential public health or national defense uses in the event of an incident. The act required DHS to submit a report to Congress by August 2009 that included the plan and the implementation costs of any recommendations in the plan. The plan is also to take into account actions and plans of private and public entities and consult with DOT and other stakeholders specified in the 9/11 Commission Act. The act requires DHS to develop this plan in consultation with DOT and PHMSA and in accordance with the annex to the DOT/DHS MOU, the National Strategy for Transportation Security, and HSPD-7. The 9/11 Commission Act also identifies other parties that are to be consulted as DHS develops the plan.[Footnote 58] According to PSD, it consulted with the various parties called for by the act in developing its plan. Starting in December 2008, PSD, in coordination with the DOT, conducted a series of meetings and interviews with DOE, DHS's Office of Infrastructure Protection, and the Federal Bureau of Investigation (FBI).[Footnote 59] PSD subsequently held two workshops (in April and May 2009) at the Johns Hopkins University Applied Physics Laboratory to discuss and review the document with additional security partners and stakeholders. PSD informed us that in developing the plan, it consulted the representatives of numerous federal agencies and agency components, as well as nonfederal organizations and industry groups.[Footnote 60] As of March 2010, PSD officials said they had not submitted the required report to Congress. 
According to the officials, the pipeline security and incident recovery protocols plan had been reviewed within DHS and was being reviewed by the Office of Management and Budget. They further said the draft plan clarifies the roles of federal agencies during and after various types of incidents, but does not contain any new responsibilities or recommendations for federal agencies or industry. As such, there are no additional costs associated with the plan and the report to Congress will not include a cost estimate. PSD Could Strengthen Its Documented Security Strategy and More Reliably Report Security Improvements: PSD's Security Strategy Could Be Strengthened by Incorporating Performance Measures and Milestones: The 2007 Pipeline Modal Annex to the Transportation Systems Sector-Specific Plan--TSA's national security strategy for pipeline systems--identified several goals and objectives for improving transportation and pipeline security; however, the strategy lacks performance measures and milestones. In prior work, we have identified the inclusion of performance measures and milestones as a desirable characteristic for a successful national strategy and reported that a successful strategy should document what it seeks to achieve, the steps necessary to get those results, and the performance measures and milestones to gauge results.[Footnote 61] We also reported that a strategy could accomplish this by stating its mission and then clearly linking its goals, objectives, programs, and performance measures to achieve results. PSD's strategy (the Pipeline Modal Annex) includes TSA's transportation sector goals that apply to all modes of transportation and identifies objectives specific to pipeline security, as shown in figure 10.[Footnote 62] It also describes government and industry programs and activities that support these goals and objectives. 
Figure 10: Transportation Sector Goals and Pipeline Security Objectives: [Refer to PDF for image: illustration] Transportation Sector goals: * Prevent and deter acts of terrorism using or against the transportation system. * Enhance resiliency of the U.S. transportation system. * Improve the cost-effective use of resources for transportation security. Pipeline security objectives: * Reduce the level of risk through analysis and implementation of security programs that enhance deterrence and mitigate critical infrastructure and key resources vulnerabilities against threats and natural perils. * Increase the level of resiliency and robustness of pipeline systems and operations through collaborative implementation of measures that increase response preparedness capabilities and minimize effects caused by attack from threats or from natural perils. * Increase the level of domain awareness and information sharing and response planning and coordination through enhanced training, network building and efficient research, and development application. Source: GAO presentation of PSD information. [End of figure] Although the Pipeline Modal Annex contains goals and objectives, it does not incorporate the performance measures and milestones PSD uses to evaluate the effectiveness of its security programs and activities. [Footnote 63] For example, the annex describes an objective to reduce the level of risk through implementation of security programs and aligns it with the CSR program, but does not incorporate the performance measures and milestones PSD uses to evaluate the CSR program's effectiveness in achieving this objective. According to PSD officials, they considered performance measures and milestones in writing the annex, but did not include them because the annex was intended as a planning document and not an assessment tool. 
Our prior work concluded that better identification of performance measures and milestones would help parties achieve results in specific time frames and enable more effective oversight and accountability. [Footnote 64] Thus, using milestones and performance measures to gauge progress in meeting its stated goals and objectives could help PSD further develop and implement its national security strategy for pipeline systems and enhance its usefulness in making resource and policy decisions to better ensure accountability. Moreover, by drawing a link in the pipeline security strategy between pipeline security goals and objectives, milestones, performance measures, and programs, PSD could better evaluate its progress in helping to improve pipeline security--information that could be useful to decision makers during the risk prioritization process--and achieve results in specific time frames. PSD Has Taken Steps to Measure Its Performance, but Could Better Measure and More Reliably Report Industry Improvements: PSD has initiated efforts to measure its performance in helping strengthen the security of pipeline systems, but could improve its performance measures to better evaluate and reliably report on the extent of security improvements in the pipeline industry. As a part of its risk management framework, the NIPP calls for agencies to measure progress in security improvements against transportation sector goals, using performance measures--(1) output data to track the progression of tasks associated with a program or activity and (2) outcome data to evaluate the extent to which a program achieves sector goals and objectives. The NIPP also states that agencies must develop performance measures that are specific and clear about what they are measuring, practical in that the needed data are available, and built on objectively measured data. 
NIPP Metrics Program guidance, intended to help agencies develop performance measures, called for focusing on output measures in 2008, but continuing progress toward outcome-based performance measures in 2009. PSD Has Developed Several Performance Measures: Although the national security strategy for pipeline systems--the Pipeline Modal Annex--does not include performance measures, PSD has developed two output measures and one outcome measure to help evaluate its progress in meeting program objectives, consistent with the requirements of the NIPP. For its output measures, PSD tracks: * the number of CSRs it conducts, with a milestone, or interim goal, of 12 CSRs each year; and: * the number of CFI trips it completes, with a milestone of 15 trips each year.[Footnote 65] According to PSD officials, they track CSR and CFI program progress against these two performance milestones, and provide this information to TSNM to consider in developing the transportation sector annual report.[Footnote 66] In addition, PSD officials told us that they collect performance output data on other activities and have established the following annual milestones: * ten stakeholder conference calls, * an International Pipeline Security Forum, * quarterly meetings with DOT (per PHMSA's and TSA's annex to the MOU between DHS and DOT), and: * two pipeline Intermodal Security Training Exercise Program exercises.[Footnote 67] In 2009, PSD developed an outcome measure--the vulnerability gap--that uses CSR program data to help evaluate the impact of its efforts to improve pipeline security. This outcome measure is intended to evaluate improvements in operators' security planning and preparedness based on its CSR program evaluations. More specifically, it compares the results of first and second CSRs to quantify the extent to which operators have reduced security vulnerabilities identified through CSRs. 
Additional Outcome Measures Could Assist PSD in Measuring Pipeline Security Improvements: Although PSD has taken steps to gauge the progress of its programs, its ability to measure improvements in pipeline security is limited. The NIPP states that using performance measures as part of risk management can enable agencies to assess security improvements, and it instructs agencies to track progress toward a strategic goal or objective by measuring results or outcomes. The NIPP further states that the key to NIPP performance management is aligning outcome performance measures to goals and objectives. According to the Transportation Systems Sector-Specific Plan, outcome measures should be used to assess program goals and objectives; however, output measures may be used as proxies for outcome measures in the early stages of its programs. In addition, we have reported on the limitations of output-based measures in our prior work. Specifically, we have stated that using output measures to evaluate security program performance may not systematically target areas of higher risk and may not result in the most effective use of resources because these measures are not pointed toward outcomes, or what activities are accomplishing.[Footnote 68] PSD's outcome measure--the vulnerability gap--measures aspects of two of its pipeline security objectives; however, PSD has not developed outcome measures that enable it to fully assess improvements related to pipeline security as a whole. The vulnerability gap focuses on what PSD measures through its CSR program--primarily improvements in pipeline operators' security planning and preparedness--but provides limited information on improvements in other areas, such as physical security. According to the Pipeline Modal Annex, the CSR program evaluates aspects of two of the pipeline security objectives--(1) to reduce risk and (2) to increase information sharing and response planning and coordination. 
By extension, the vulnerability gap measures these as well. For example, the vulnerability gap takes into account operators' risk reduction activities such as how they assess threats and vulnerabilities. It also measures increased information sharing, such as how operators manage threat information. However, according to the Pipeline Modal Annex, the CSR program does not evaluate the third pipeline security objective--to increase the level of resiliency and robustness of pipeline systems--and, thus, the vulnerability gap does not measure this objective.[Footnote 69] As a result, PSD is limited in its ability to measure or report on improvements in this latter area of pipeline security. Furthermore, according to PSD officials, collecting CSR information every 4 to 5 years limits their ability to measure the security improvements that operators are making. Nevertheless, they said the changes they have observed from operators' first to second CSRs provide them with a strong level of confidence that improvements have occurred. PSD officials explained that they are in the early stages of performance measurement and have not yet developed additional outcome measures or established time frames for doing so. We recognize challenges PSD might face in developing outcome measures related to reducing risk. In our prior work we acknowledged that assessing the deterrent benefits of a program is inherently challenging because it is often difficult to isolate the impact of an individual program on behavior that may be affected by multiple other factors.[Footnote 70] In the case of pipeline security, it may be difficult to isolate the impact of PSD's programs on operators' security actions. Nevertheless, outcome-based data could better inform decision makers of the extent to which programs and activities have been able to reduce risk and better enable them to determine funding priorities within and across agencies. 
Also, developing additional outcome measures that assess the impacts of its efforts to improve pipeline security and are directly aligned with transportation sector goals and pipeline security objectives could better enable PSD to evaluate security improvements in the pipeline industry. PSD Could Improve the Reliability of Data It Uses to Measure Effectiveness: PSD designed the vulnerability gap outcome measure to help evaluate the impact of its efforts to improve pipeline security using CSR program data, but the baseline data PSD used to measure its efforts may not be reliable. When PSD officials began conducting CSRs in 2003, they developed a CSR protocol to collect information on pipeline systems' corporate security planning and preparedness. However, according to PSD officials, they began using a different protocol in August 2004 that TSA developed for all surface transportation modes to use during their respective CSRs to ensure consistency among modes. Many questions in the second protocol differed from those in the first, although the topic areas were similar.[Footnote 71] Although changes in the CSR protocol provide PSD with more information on some topics, differences between the two protocols limited PSD's ability to use CSR program data collected with the first protocol. PSD officials explained they, therefore, sought to develop comparable CSR data for all operators, regardless of which protocol PSD used during CSRs. To accomplish this, PSD officials instructed staff to reconstruct a new protocol (using the second CSR protocol) for each pipeline operator PSD reviewed from mid-April 2003 through mid-July 2004--the 15-month period during which the first protocol was used. [Footnote 72] Staff were to do this using available information from the first completed protocol, any notes PSD officials took during the CSR, and security plans or other documents PSD gathered during the CSR. 
However, PSD officials said they did not provide written instructions to staff or verify that staff accurately reconstructed the data. Although the officials expressed confidence in their staff's work, we could not be assured that the CSR information staff reconstructed was accurate and reliable. We analyzed the content, or substance, of the questions in both the first and second protocols and identified concerns about whether operator information could have been transferred reliably from the first to the second protocol after the fact. We found that 41 of the 73 newer CSR protocol questions were either consistent with the content of the first protocol or could have been consistently verified using the security plan operators provided during the original CSR. We therefore found it reasonable that PSD staff would have been able to accurately transfer the completed information from the first protocol to the second protocol for these 41 questions. However, we could not be reasonably assured that PSD staff accurately transferred information for the remaining 32 questions onto the second protocol because the content of these questions was inconsistent and, thus, PSD staff may not have been able to reliably reconstruct the data using the security plans operators provided during the original CSRs. For example, the second protocol contained the following questions directed to operators, but we found no similar questions on the first protocol: * Do you have a 24/7 emergency response/operations center? * Do you conduct different levels of background checks based on type of employment (e.g., executive, operational, police)? * Do you periodically conduct exercises and drills? For these questions, and 29 others like them, PSD staff may have been able to locate the information they needed in notes and documents to reconstruct the second protocol, but we had no assurance that this was possible or done in an accurate and reliable manner. 
We have previously reported that performance measures should reliably assess progress such that the same results would be achieved if applied repeatedly to the same situation.[Footnote 73] Furthermore, errors in data accuracy could alter conclusions about the extent to which performance goals have been achieved, such as reporting performance at either a higher or lower level than is actually being attained. We have also reported that decision makers must have assurance that the program data being used to measure performance are sufficiently accurate and reliable if the data are to inform decision-making.[Footnote 74] Thus, the usefulness of agency performance information depends to a large degree on the reliability and accuracy of performance data. Because of the changes in the CSR protocol questions and concerns about the reliability of reconstructed operator responses transferred to a different form, the baseline data PSD used in comparing operators' first and second CSR scores and resulting reports may not be accurate. As such, PSD's outcome performance measure--the differences in vulnerability gaps as calculated using CSR scores--suggests a level of precision that may not be supported.[Footnote 75] PSD officials said they did not see this as a significant problem because not all the baseline CSRs involved reconstructed data and, as they continue to conduct CSRs, they will eventually be able to compare the results of operators' second to third CSRs in reporting improvements. Furthermore, although PSD's CSR data may be useful for some analytical purposes, such as analyzing industry trends and assessing individual operators' security planning and preparedness, some of the early data are not useful for reporting the extent to which the vulnerability gap has closed. 
PSD and decision makers could be better informed and could more effectively prioritize efforts if PSD maintains a more reliable baseline for its outcome performance measure and does not use reconstructed data in reporting its baseline.

Conclusions:

Securing the nation's vast network of hazardous liquid and natural gas pipeline systems is a formidable task. The importance of pipeline systems to the nation's economy underscores the need for PSD to employ a risk management approach to prioritize its security efforts. PSD has taken actions to implement a risk management approach, including identifying the 100 pipeline systems it considers most critical and being the first of the surface transportation modes to develop a risk assessment model. Nevertheless, work remains to ensure that the highest risk pipeline systems are given the necessary scrutiny. PSD's risk assessment model is in its early stages of development; however, information is available or expected that could enhance the vulnerability and consequence components of the model. By developing a plan that includes time frames and milestones for adding information to its risk assessment model, PSD could be better assured of reaching its goal to improve the model. This could help PSD more accurately rank pipeline systems according to risk and help guide resource allocation decisions. In addition, documenting a methodology for scheduling CSRs and CFIs that includes a pipeline system's risk ranking as the primary criteria, while recognizing other considerations that can affect scheduling, could help PSD ensure it prioritizes its oversight of pipeline systems that are most at risk. PSD has taken actions to encourage private pipeline operators to employ security measures that will protect their pipeline systems, including critical facilities. 
While PSD officials have said that operators of the most critical pipeline systems are generally implementing voluntary security measures, two of PSD's key efforts--its CSR and CFI programs--have identified shortcomings in operators' security programs and critical facilities that should be addressed to reduce vulnerabilities. As such, an important aspect of the CSR and CFI programs is the specific recommendations PSD makes and tailors to each operator to address the vulnerabilities PSD has identified. However, PSD is missing opportunities with respect to these recommendations. PSD officials agreed that routinely transmitting CSR recommendations in writing to operators could better ensure that operators are clear on the actions they can take to enhance the security of their pipeline system or systems, and they have said they intend to do this. Developing a plan that includes a defined approach and time frames for how and when PSD intends to begin transmitting CSR recommendations in writing to pipeline operators could help PSD accomplish its intended goal. In addition, by establishing databases of the CSR and CFI recommendations it makes, PSD could more readily and systematically analyze its recommendations and be better informed of security vulnerabilities in the pipeline industry. Furthermore, because CSRs take place infrequently and CFIs are not repeated, following up on the implementation of CSR and CFI recommendations is particularly important. By doing so, PSD could enhance its knowledge of the state of security of the pipeline industry as well as individual systems and facilities, have an additional means for measuring the effectiveness of its programs, and obtain information that could help inform its decision on whether it would be appropriate to issue pipeline security regulations. The 2007 Pipeline Modal Annex represents a positive step toward conveying TSA's strategy for helping the pipeline industry secure the nation's pipelines. 
However, incorporating PSD's performance measures and milestones and linking them to the goals and objectives in its national security strategy for pipeline systems could aid PSD and the pipeline industry in achieving results within specific time frames and could facilitate more effective oversight and accountability. PSD has developed some output-based performance measures and milestones to track the progress of its programs and activities and has developed an outcome measure to evaluate the impact of some of its efforts to improve pipeline security. However, PSD's dependence on a single outcome measure hinders its ability to evaluate the extent of improvements related to all of its pipeline security objectives. Developing additional outcome measures aligned with its objectives could facilitate PSD's efforts to better evaluate its performance. Moreover, PSD has collected data on the security posture of pipeline operators through its CSR program and compared vulnerability gap data over time to measure the progress operators have made. PSD's CSR data may be useful to PSD for various analytical purposes. However, because of reliability issues affecting the baseline data PSD uses for calculating its vulnerability gap outcome measure, PSD would be better informed if, going forward, it establishes reliable baseline data for measuring and reporting improvements in pipeline security. Although this would limit PSD's ability to report on improvements in operators' security efforts from the first 15 months of the CSR program, it could provide greater assurance that, in the future, PSD is more accurately and reliably measuring those pipeline security improvements.

Recommendations for Executive Action:

To improve aspects of the Pipeline Security Division's (PSD) efforts to help ensure pipeline security, we recommend that the Assistant Secretary for the Transportation Security Administration take the following eight actions. 
To ensure that PSD is managing risk effectively,

* Develop a plan with time frames and milestones for improving the data in the pipeline risk assessment model by, for example, adding more data to the consequence component.
* Document a methodology for scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFI) that considers a pipeline system's risk ranking as the primary scheduling criteria and balances it with other practical considerations.

To help PSD maximize its CSR and CFI efforts and keep its knowledge of the security posture of the pipeline industry current,

* Develop a plan that includes a defined approach and time frame for how and when PSD intends to begin transmitting CSR recommendations in writing to pipeline operators.
* Establish a database of CSR recommendations and develop a process for following up on the implementation of those recommendations.
* Establish a database of CFI recommendations and develop a process for following up on the implementation of those recommendations.

To better achieve the security strategy laid out in the Pipeline Modal Annex--the national security strategy for pipeline systems--to the extent feasible, revise future updates of the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives.

To better evaluate PSD's performance in helping strengthen the security of hazardous liquid and natural gas pipelines and improvements in pipeline security, develop additional outcome measures that are directly linked to sector goals and modal objectives and track progress towards its stated pipeline security objectives.

To help ensure reliable reporting of security improvements in the pipeline industry, establish reliable baseline data and, until that time, refrain from using reconstructed baseline data to report progress in closing the vulnerability gap. 
Agency Comments and Our Evaluation:

We provided a draft of our report to DHS on July 2, 2010, for review and comment. On July 23, 2010, DHS provided written comments, which are reprinted in appendix II. In commenting on the draft report, DHS stated that it concurred with our findings and all eight recommendations and discussed efforts planned or underway to address them. However, the actions DHS reports it plans to take do not fully address the intent of four of our eight recommendations. DHS concurred with our first recommendation that TSA develop a plan with time frames and milestones for improving the data in the pipeline risk assessment model and stated that PSD will develop a plan to coordinate security efforts that are underway that will help refine the pipeline risk ranking tool (the pipeline risk assessment model). DHS further stated that additional data from critical facility inspections, the hazardous liquid pipeline assessment, and toxic inhalation hazard study, among others, will help inform the consequence component. We support PSD's intention to develop a plan for taking such action and further encourage TSA to consider using critical facility inspection data to inform the vulnerability component of the pipeline risk model. The development of a plan for improving the data in the pipeline risk assessment model will address the intent of our recommendation, provided it includes time frames and milestones. DHS concurred with our second recommendation that TSA document a methodology for scheduling CSRs and CFIs that considers a pipeline system's risk ranking as the primary scheduling criteria and balances it with other practical considerations. DHS stated that TSA's analysis identified as critical those pipeline systems that transport the greatest amount of energy and that PSD developed the risk ranking tool to further enhance its risk-based effort. 
DHS further stated that to increase the value of the risk ranking tool, PSD will develop additional data to inform the tool's rankings and base its programmatic efforts on the results. While we support PSD's intention to develop additional data to inform its ranking of pipeline systems based on risk and base programmatic efforts on those rankings, these actions, alone, will not fully address the intent of our recommendation. We believe that to better prioritize oversight of pipeline systems among the 100 that are the most critical, and to address our recommendation, TSA should document a methodology for how it will schedule pipeline CSRs and CFIs in a manner that considers risk as the primary scheduling criteria, while balancing other practical scheduling considerations, such as travel efficiencies. DHS concurred with our third recommendation that TSA develop a plan that includes a defined approach and time frame for how and when PSD intends to begin transmitting written CSR recommendations to pipeline operators. DHS stated that PSD intends to modify its process of providing oral recommendations for security improvements to pipeline operators to include providing these recommendations to operators in writing. Developing a plan that includes a defined approach for how it will transmit its written recommendations to operators and a time frame for when it will begin to do so will address the intent of our recommendation. DHS concurred with our fourth recommendation that TSA establish a database of pipeline CSR recommendations and develop a process for following up on the implementation of those recommendations. DHS stated that PSD will initiate the development of such a database and further stated that repeat CSRs will particularly focus on the implementation of recommendations from prior reviews. Developing a database will partially address this recommendation. 
However, while we support a plan that includes PSD following up on prior CSR recommendations during subsequent CSRs, this, alone, will not fully address the intent of our recommendation. Because PSD conducts a CSR for any given pipeline operator about every 5 years, on average, a process for additional and timelier follow up is needed if PSD is to be assured that its recommendations are being implemented. DHS concurred with our fifth recommendation that PSD establish a database of CFI recommendations and develop a process for following up on the implementation of those recommendations. DHS stated that PSD has initiated the development of a CFI recommendation database and further stated that following up on those recommendations will enable TSA to assess the pipeline industry's progress in mitigating identified security deficiencies. Completing this database and developing a process for following up on the CFI recommendations will address the intent of our recommendation. DHS concurred with our sixth recommendation that TSA revise future updates of the Pipeline Modal Annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to pipeline security objectives. DHS stated that in future updates to the Transportation Systems Sector-Specific Plan, PSD will include performance measures within the Pipeline Modal Annex consistent with the sector format and guidance. However, direction on what is to be included in future updates of the Pipeline Modal Annex originates with TSA, which provides transportation modes, including pipeline, with guidance and a recommended format on how to revise or rewrite modal annexes to the Transportation Systems Sector-Specific Plan. TSA's 2010 Modal Plan Revision Guidance for transportation modes does not explicitly call for incorporating performance measures for assessing modal progress and, further, linking those measures to modal objectives. 
Thus, without TSA direction to include performance measures that are linked to objectives in modal annex updates, the action DHS described to address our recommendation does not fully address our intent. DHS concurred with our seventh recommendation that TSA develop additional outcome measures that are directly linked to sector goals and modal objectives and track progress towards its stated pipeline security objectives. DHS stated that PSD will develop appropriate outcome measures that reflect the impact of its security programs and the security status of the pipeline industry, and further stated that this effort will be made consistent with the performance measurement guidance of the Transportation Systems Sector-Specific Plan. We support PSD's intention to develop additional outcome measures. However, to fully address the intent of our recommendation, TSA should ensure that its performance measurement guidance calls for outcome measures to be directly linked to sector goals and modal objectives. DHS concurred with our eighth recommendation that TSA establish reliable baseline data for reporting security improvements in the pipeline industry and, until that time, refrain from using reconstructed baseline data to report progress in closing the vulnerability gap. DHS stated that updated data from repeat CSRs will be utilized to ensure more accurate reporting of the pipeline industry's security status. Such action will address the intent of our recommendation. DHS also provided us with technical comments, which we considered and incorporated in the report where appropriate. As agreed with your office, unless you publicly announce the contents of the report, we plan no further distribution for 30 days from the report date. At that time, we will send copies to the Secretary of Homeland Security, the Assistant Secretary of the Transportation Security Administration, appropriate congressional committees, and other interested parties. 
The report also is available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov/]. If you or your staff have any further questions about this report or wish to discuss these matters further, please contact me at (202) 512-4379 or lords@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix III.

Signed by:

Stephen M. Lord:
Director, Homeland Security and Justice Issues:

[End of section]

Appendix I: Objectives, Scope, and Methodology:

Objectives:

You requested that we review the Transportation Security Administration's (TSA) efforts to help ensure pipeline security. Specifically, this report addresses the following questions:

* To what extent has TSA's Pipeline Security Division (PSD) identified critical pipeline systems, assessed risk, and prioritized efforts, consistent with the National Infrastructure Protection Plan (NIPP), to help strengthen the security of hazardous liquid and natural gas pipeline systems?
* To what extent has PSD taken actions to implement agency guidance and requirements of the Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Commission Act) regarding the security of hazardous liquid and natural gas pipeline systems?
* To what extent has PSD measured its performance to help strengthen the security of hazardous liquid and natural gas pipeline systems and improvements in pipeline security?

Scope and Methodology:

To determine the extent to which PSD used a risk management process to help strengthen the security of pipelines, we reviewed PSD's efforts to (1) identify critical pipeline systems, (2) assess risk, and (3) prioritize its pipeline review and inspection efforts. 
To evaluate PSD's efforts to identify the most critical pipeline systems, we reviewed relevant documents, including PSD's list of the 100 most critical pipeline systems, and interviewed PSD officials about the methods they used to identify the most critical pipeline systems. To evaluate PSD's efforts to assess risk, we reviewed TSA assessments of threat, vulnerability, and consequence that were conducted from 2003 through May 2010. Specifically, we reviewed TSA's Pipeline Threat Assessments for 2008 and 2010 and interviewed officials at TSA's Office of Intelligence. We also reviewed Corporate Security Reviews (CSR) that PSD uses as vulnerability assessments, and consequence assessments on natural gas disruptions sponsored by the Department of Energy and PSD--and discussed these assessments with relevant agency officials. TSA characterized these as threat, vulnerability, and consequence assessments, but we did not assess the extent to which these assessment activities met the NIPP criteria for threat, vulnerability, and consequence assessments, as this analysis was outside the scope of our work. To evaluate PSD's efforts to prioritize risk, we analyzed its risk assessment model--the Pipeline Relative Risk Ranking Tool, which integrates the various assessments to produce a risk estimate and relative risk ranking for each pipeline system--and the data PSD inputs into the model. We also interviewed PSD officials about how they decide when to schedule CSRs and Critical Facility Inspections (CFI). Using correlation analysis and the data in the pipeline risk assessment model, we compared the time elapsed between PSD's first and subsequent CSR for each pipeline system with the system's ranking based on risk to measure the strength of their relationship.[Footnote 76] Specifically, for those systems that had two CSRs, we assessed the strength of the correlation between the time elapsed from the first and second CSR and the system's risk ranking. 
We found a correlation coefficient of 0.2, which indicates a weak correlation. A correlation coefficient measures the strength and direction of linear association between two variables without controlling for the effects of other characteristics. Because PSD officials said that the time elapsed between CSRs might be misleading because it does not account for other significant contact PSD might have had with an operator during that period, such as through a CFI, we controlled for this by running a simple regression equation.[Footnote 77] Specifically, the regression equation compared the time elapsed between the first and second CSR against system risk rank and a dummy variable to denote if PSD inspected at least one critical facility belonging to an operator between the first and second CSR. This regression equation explained about 21 percent of the total variation in elapsed time between the first and second CSR. To determine the extent to which PSD prioritized the CFIs it conducted, we performed a correlation analysis to measure the strength and direction of the relationship between a system's risk ranking and the order in which PSD conducted a first CFI for that system compared with other systems. We found a correlation coefficient of 0.03, which denotes that almost no correlation exists between the two variables. To assess the reliability of the April 2003 through May 2010 data PSD used in its risk assessment model, we (1) performed electronic testing of required data elements, (2) compared data in the model with other sources of information, and (3) interviewed agency officials knowledgeable about the data. We determined that the data were sufficiently reliable for the purposes of this report. 
We analyzed agency guidance on risk management, including the NIPP and the Transportation Systems Sector-Specific Plan, to determine criteria for effectively implementing a risk management framework and associated best practices for conducting risk assessments, and compared these with PSD's risk management strategy. In addition, we compared PSD's approach for advancing its risk management program to standard practices in program management planning.[Footnote 78] To determine the extent to which PSD has taken actions to implement agency guidance and 9/11 Commission Act requirements regarding pipeline security, we reviewed the Pipeline Security Information Circular (2002 circular) and the 9/11 Commission Act and actions described in agency documents. These documents included PSD's Pipeline Modal Annex, CSR Standard Operating Procedures, CSR and CFI protocols, and Pipeline Security Smart Practices.[Footnote 79] To learn more about PSD's actions, we interviewed officials from PSD and DOT as well as representatives of the major associations with ties to the pipeline industry (American Petroleum Institute, Association of Oil Pipe Lines, American Gas Association, and Interstate Natural Gas Association of America, and American Public Gas Association); attended the 2008 International Pipeline Security Forum organized by PSD and Natural Resources Canada; and met with security personnel from 10 pipeline operators with headquarters or significant operations in Houston. We chose Houston because it has the highest concentration of operators with systems on PSD's list of the 100 most critical pipeline systems, and those with whom we met operate about one-third of those systems. While the results of these interviews cannot be generalized to all pipeline operators, they provided perspectives on how operators view PSD's security efforts. 
To further our understanding of PSD's review and inspection processes, pipeline operators' security planning efforts, and physical security measures in place at selected critical pipeline facilities, we accompanied PSD officials on four reviews of pipeline systems operated by four different operators and 10 inspections of critical facilities operated by three different operators. We observed these reviews and inspections because PSD had scheduled them while we were conducting our work. These involved hazardous liquid and natural gas pipelines as well as different size operators with pipeline systems that varied in the amount of energy they carry, their relative risk ranking, and their location (we observed CSRs in four states and CFIs in three states). These observations further included one cross-border pipeline system and one port facility regulated under the Maritime Transportation Security Act. While the results of these observations cannot be generalized to all CSRs and CFIs or all pipeline systems and critical facilities, they provided us with an understanding of how PSD conducts these reviews and inspections, and some perspective on the security posture at different critical facilities. We also interviewed representatives of Secure Solutions International--a security and risk management consulting firm that assisted PSD in developing and carrying out CFIs--about critical facilities and the inspection process. In addition, we independently observed the exterior of 10 other critical facilities. We selected these facilities, which were located in four states and operated by six different operators, because of their proximity to GAO offices. Although the results of these observations cannot be generalized to all critical facilities, they provided us insight on security measures at additional critical facilities. 
We also compared PSD's processes for transmitting and following up on CSR and CFI recommendations with criteria in the Standards for Internal Control in the Federal Government regarding the monitoring of deficiencies found during evaluations.[Footnote 80] In addition, we compared PSD's approach for advancing its process for communicating CSR recommendations to standard practices in project management.[Footnote 81] To determine the extent to which PSD measured the impact of its efforts to help strengthen the security of pipelines and improvements in pipeline security, we reviewed PSD's performance measures and milestones. We analyzed TSA's national security strategy for pipeline systems--the 2007 Pipeline Modal Annex--to determine the extent to which it conformed to provisions related to goal setting and performance measurement found in Executive Order 13416: Strengthening Surface Transportation Security[Footnote 82] and guidance on desirable characteristics for a national strategy that we developed in a previous report.[Footnote 83] We also interviewed Office of Transportation Sector Network Management (TSNM) and PSD officials regarding PSD's performance measures and milestones and related data collection methodologies. In addition, we reviewed the 2009 NIPP and the 2007 Transportation Systems Sector-Specific Plan to determine the risk management framework's recommended approach to performance measurement and compared TSA's actions to that guidance. To assess the reliability of the data PSD used to develop its vulnerability gap outcome measure in 2009 for reporting on the extent of improvements in pipeline security, we reviewed and analyzed related documentation and interviewed PSD officials knowledgeable about the data and PSD's data collection methods. 
As part of this analysis, we compared two successive data collection instruments--the original CSR protocol that PSD developed and used in conducting CSRs from April 2003 to July 2004 and a newer protocol that PSD officials said they began using in August 2004, after TSA developed a protocol to be used by all the transportation modes. More specifically, to analyze and categorize specific differences between the two protocols, two analysts compared the first and second protocols to determine the extent to which content from the 73 questions in the newer protocol corresponded with content in the original protocol. To ensure the validity and reliability of our analysis, the two analysts discussed and reconciled any differences. With the assistance of a methodologist, the analysts mutually agreed on how to categorize their assessment of the newer protocol questions. They agreed on the following two categories to describe whether the information could have been reliably transferred from one protocol to the other:

* We were reasonably assured that PSD staff would have been able to accurately transfer completed information from the first protocol to the second.
* We could not be reasonably assured that PSD staff would have been able to accurately transfer completed information from the first protocol to the second.

Because we could not be reasonably assured of the accuracy of the transferred data, we concluded that some of the baseline data key to PSD's outcome measure may not be reliable, as called for in our prior work that describes nine key attributes of successful performance measures. Furthermore, we determined that these data were not sufficiently reliable for the purposes of this report. We conducted this performance audit from November 2008 to August 2010 in accordance with generally accepted government auditing standards. 
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

[End of section]

Appendix II: Comments from the Department of Homeland Security:

U.S. Department of Homeland Security:
Washington, DC 20528:

July 23, 2010:

Mr. Steve Lord:
Director, Homeland Security and Justice Issues:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:

Dear Mr. Lord:

Thank you for the opportunity to comment on the draft report titled, Pipeline Security, TSA Has Taken Actions to Help Strengthen Security, but Could Improve Priority-Setting and Assessment Processes (GAO-10-867). The Transportation Security Administration (TSA) values the investigative team's comprehensive review of this Agency's efforts in addressing pipeline security and intends to immediately implement its recommendations. TSA appreciates the professionalism demonstrated by GAO's team members in conducting this difficult and broad-ranging review. TSA also appreciates GAO's acknowledgment that the Pipeline Security Division (PSD) has (1) identified, consistent with the National Infrastructure Protection Plan, the Nation's most critical pipeline systems; and (2) developed a risk assessment model that combines all three components of risk: threat, vulnerability, and consequence. Further, the GAO report notes that the PSD has made significant progress in completing the requirements of the 9/11 Commission Act, which include establishing a program to review pipeline security plans, initiating inspections of critical facilities of the most essential pipeline systems, developing and promulgating security recommendations, and drafting a Pipeline Security and Incident Recovery Protocol Plan. 
The success of TSA's risk-based pipeline security program has been the result of a highly effective public-private partnership and close coordination with other Federal agencies, particularly the U.S. Department of Energy and the U.S. Department of Transportation's Pipeline and Hazardous Materials Safety Administration. As GAO discusses in the report, the PSD has actively engaged with pipeline system operators on a number of security programs. In each of these endeavors, TSA has benefited from the dedicated efforts of the Pipeline Sector Coordinating Council, which plays a significant communications and coordination role between the PSD and the pipeline industry. As an example of this partnership, the International Pipeline Security Forum, now in its sixth year, is actively supported by industry operator and trade association speakers and attendees. Similarly, pipeline system operators have been enthusiastic participants in TSA's development of training videos in security awareness, improvised explosive device awareness, and pipeline infrastructure security training for law enforcement personnel. As GAO acknowledges, of particular note is PSD's close coordination with Government and industry partners in developing TSA's Pipeline Security Guidelines. As the guidelines were crafted and refined, the process involved the active participation of pipeline industry representatives in multiple meetings and conference calls. The document, although a voluntary standard, provides TSA's expectations for an effective security program for pipeline operators. The guidelines will serve as the basis for PSD's Corporate Security Reviews and other assessments of the pipeline industry's security status. The PSD has implemented a risk-based security program that will be enhanced by the adoption of GAO's recommendations. TSA's specific responses to the recommendations are identified below. 
Recommendations for Executive Action: To improve aspects of the Pipeline Security Division's (PSD) efforts to help ensure pipeline security, GAO recommends that the Assistant Secretary for the Transportation Security Administration take the following eight actions: Recommendation 1: To ensure that PSD is managing risk effectively, develop a plan with time frames and milestones for improving the data in the pipeline risk assessment model by, for example, adding more data to the consequence component. TSA's Response: TSA concurs with this recommendation. The PSD will develop a plan to coordinate the security efforts underway that will help refine the risk ranking tool. Additional data from critical facility inspections, the hazardous liquid pipeline assessment, and toxic inhalation hazard study, among others, will help inform the consequence component. Recommendation 2: To ensure that PSD is managing risk effectively, document a methodology for scheduling Corporate Security Reviews (CSR) and Critical Facility Inspections (CFIs) that considers a pipeline system's risk ranking as the primary scheduling criteria and balances it with other practical considerations. TSA's Response: TSA concurs with this recommendation. In TSA's analysis, those pipeline systems that transport the greatest amount of energy were identified as critical. PSD developed the risk ranking tool to further enhance its risk-based effort. To increase the value of this tool in its programs, PSD will develop additional data to inform the tool's rankings and base its programmatic efforts on the results. Recommendation 3: To help PSD maximize its Corporate Security Review and Critical Facility Inspection efforts and keep its knowledge of the security posture of the pipeline industry current, develop a plan that includes a defined approach and time frame for how and when PSD intends to begin transmitting CSR recommendations in writing to pipeline operators. 
TSA's Response: TSA concurs with this recommendation. Although PSD has provided initial briefings at the conclusion of CSRs and subsequently followed up with more extensive briefings by teleconference, the recommendations have not typically been provided in writing. PSD intends to modify this process to ensure that pipeline operators are provided with written recommendations for security improvements. Recommendation 4: To help PSD maximize its Corporate Security Review and Critical Facility Inspection efforts and keep its knowledge of the security posture of the pipeline industry current, establish a database of CSR recommendations and develop a process for following up on the implementation of those recommendations. TSA's Response: TSA concurs with this recommendation. PSD will initiate the development of a CSR recommendations database. Repeat reviews of pipeline corporations will particularly focus on the implementation of recommendations from prior reviews. Recommendation 5: To help PSD maximize its Corporate Security Review and Critical Facility Inspection efforts and keep its knowledge of the security posture of the pipeline industry current, establish a database of CFI recommendations and develop a process for following up on the implementation of those recommendations. TSA's Response: TSA concurs with this recommendation. PSD has initiated the development of a CFI recommendations database. Following up on these recommendations will enable TSA to assess the pipeline industry's progress in mitigating identified security deficiencies. Recommendation 6: To better achieve the security strategy laid out in its Pipeline Modal Annex—the national security strategy for pipeline systems—to the extent feasible, revise future updates of the annex to incorporate performance measures for assessing PSD and pipeline industry progress and link those measures to the pipeline security objectives. TSA's Response: TSA concurs with this recommendation. 
In future updates to the Transportation Systems Sector Specific Plan PSD will include performance measures within the Pipeline Modal Annex consistent with the sector format and guidance. Recommendation 7: To better evaluate PSD's performance in helping strengthen the security of hazardous liquid and natural gas pipelines and improvements in pipeline security, develop additional outcome measures that are directly linked to sector goals and modal objectives and track progress towards its stated pipeline security objective. TSA's Response: TSA concurs with this recommendation. PSD will develop appropriate outcome measures that reflect the impact of its security programs and the security status of the pipeline industry. In so doing, this effort will be made consistent with the performance measurement guidance of the Transportation Systems Sector Specific Plan. Recommendation 8: To help ensure reliable reporting of security improvements in the pipeline industry, establish reliable baseline data and, until that time, refrain from using reconstructed baseline data to report progress in closing the vulnerability gap. TSA's Response: TSA concurs with this recommendation. Updated data from repeat Corporate Security Reviews will be utilized to insure more accurate reporting of the pipeline industry's security status. Thank you for the opportunity to comment on this Draft Report and we look forward to working with you on future homeland security issues. Sincerely, Signed by: Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Stephen M. Lord (202) 512-4379 or lords@gao.gov: Acknowledgments: In addition to the contact named above, Edward J. George, Jr., Assistant Director, and Lori A. Weiss, Analyst-in-Charge, managed this assignment. Valerie Kasindi and Jaclyn Nelson made significant contributions to the work. Chuck Bausell, Jr. 
provided expertise on risk management, David Bruno provided expertise on transportation security issues, and Mark Gaffigan provided expertise on energy issues. Tracey King provided legal support. Michele Fejfar and Amanda Miller assisted with design, methodology, and data analysis. Christopher Currie, Debra Sebastian, and Adam Vogt provided assistance in report preparation and Lydia Araya developed the report's graphics. [End of section] Footnotes: [1] Pub. L. No. 107-71, 115 Stat. 597 (2001). [2] Pub. L. No. 107-296, 116 Stat. 2135 (2002). [3] Pub. L. No. 110-53, 121 Stat. 266 (2007). The 9/11 Commission was a congressionally chartered commission established by Congress on November 27, 2002, to (1) investigate the relevant facts and circumstances relating to the terrorist attacks of September 11, 2001; (2) identify, review, and evaluate lessons learned from these attacks; and (3) report to the President and the Congress on findings, conclusions, and recommendations that generated from the investigation and review. [4] The NIPP provides a unifying structure for the integration of a range of efforts for the protection and resilience of the nation's critical infrastructure and key resources. [5] Throughout this report, we use the term pipelines to refer to either hazardous liquid or natural gas pipelines. [6] A system is considered critical if it is so vital to the United States that its incapacitation or destruction would have a debilitating effect on security, national economic security, public health or safety, or any combination thereof. PSD determined the most critical pipeline systems based on the amount of energy they carry. [7] Corporate Security Reviews are on-site reviews to assess corporate security plans for pipeline systems. The intent of these reviews is to develop first-hand knowledge of security planning, establish working relationships with key pipeline security personnel, and identify and share good security practices. 
PSD has conducted CSRs for the 100 most critical pipeline systems. [8] PSD established a program for inspecting all the critical facilities of the 100 most critical pipeline systems, as required by the Implementing Recommendations of the 9/11 Commission Act. These physical inspections include the interior and exterior of each critical facility. [9] The NIPP obligates each sector to develop a sector-specific plan that describes strategies to protect the nation's critical infrastructure and key resources under its purview, outline a coordinated approach to strengthen security efforts, and determine appropriate programmatic funding levels. TSA, as the sector-specific agency for the transportation sector, developed the Transportation Systems Sector-Specific Plan, which describes the strategies to protect all modes of transportation (aviation, maritime, mass transit, highway, freight rail, and pipeline). [10] The Project Management Institute, The Standard for Program Management © (2006). [11] The 2002 circular outlines voluntary actions that pipeline operators should take and describes actions the federal government plans to take to improve pipeline security. We also reviewed the Pipeline Security Contingency Planning Guidance, which is considered part of the 2002 circular. [12] Documents we reviewed included PSD's Pipeline Modal Annex, CSR Standard Operating Procedures, CSR and Critical Facility Inspection (CFI) protocols, and Pipeline Security Smart Practices. [13] Natural Resources Canada is the Canadian government agency that seeks to enhance the responsible development and use of Canada's natural resources and the competitiveness of Canada's natural resources products. [14] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). 
These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982 (FMFIA), provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to FMFIA, the Office of Management and Budget issued Circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in Circular A-123 are based on Standards for Internal Control in the Federal Government. [15] Project Management Institute, A Guide to the Project Management Body of Knowledge © (Fourth Edition, 2008). [16] Within TSA, the Office of Transportation Sector Network Management manages all surface transportation security issues with divisions dedicated to each surface mode of transportation, including pipeline. [17] Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). The order mandates that an annex shall be completed for each surface transportation mode in support of the Transportation Systems Sector-Specific Plan. [18] The NIPP obligates each sector to develop a sector-specific plan that, among other things, describes strategies to protect the nation's critical infrastructure and key resources under its purview. TSA developed the Transportation Systems Sector-Specific Plan, which describes the strategies to protect all modes of transportation, including pipeline. [19] GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3, 2004). [20] Pub. L. No. 107-71, 115 Stat. 597 (2001). [21] Pub. L. No. 107-296, 116 Stat. 2135 (2002). [22] The Pipeline Security Division was established as a separate modal division in November 2005. [23] API issued a second edition of its guidelines in April 2003 and a third edition in April 2005. 
INGAA and AGA updated and published their guidelines internally in May 2008. [24] Although security measures are generally voluntary for operators of critical pipeline facilities, some operators have off-shore or port facilities that are regulated under the Maritime Transportation Security Act and are required to implement certain protective measures. [25] Pub. L. No. 110-53, §§ 1557, 1558, 121 Stat. 266, 475-77 (2007). [26] Recognizing that each sector possesses its own unique characteristics and risk landscape, HSPD-7 established sector-specific agencies for each of the critical infrastructure sectors and assigned those agencies responsibility for protecting the critical infrastructure within their area of expertise. HSPD-7 established 17 sectors and DHS later added an 18th sector. The 18 sectors are: agriculture and food; defense industrial base; energy; healthcare and public health; national monuments and icons; banking and finance; water; chemical; commercial facilities; critical manufacturing; dams; emergency services; nuclear reactors, materials, and waste; information technology; communications; postal and shipping; transportation systems; and government facilities. DHS serves as the sector-specific agency for transportation systems and 10 other sectors, and designated TSA as the lead sector-specific agency for transportation, including pipeline. [27] PSD uses system annual throughput in determining pipeline system criticality, which is based on the amount of hazardous liquid or natural gas product transported through a pipeline in 1 year (i.e., annual throughput). PSD officials told us they purchase a database containing annual pipeline throughput information to determine the 100 most critical pipeline systems and contact pipeline operators to verify information if needed. The 100 most critical systems can shift from year to year. 
For example, a system might be among the 100 most critical systems one year, but not the next, due to changes that affect each system's throughput. Changes that can affect an operator's position or even presence among the 100 most critical systems include increasing or decreasing annual throughput, going out of business, or selling or purchasing parts or all of a pipeline system. [28] DHS defines a risk score as a numerical result of a semiquantitative risk assessment methodology and is a numerical representation that gauges the combination of threat, vulnerability, and consequence at a specific moment. [29] PSD calls its risk assessment model the Pipeline Relative Risk Ranking Tool. [30] The Office of Intelligence also disseminates additional threat and suspicious incident information related to the pipeline sector to key federal and nonfederal stakeholders, as needed. [31] "Standard" questions refer to the ones that PSD scores and uses in calculating the CSR score. The CSR protocol includes five additional questions that are not scored, such as questions on the operator's view of the threat to the pipeline industry and how cost affected the operator's ability to implement security enhancements. [32] GAO, Highway Infrastructure: Federal Efforts to Strengthen Security Should Be Better Coordinated and Targeted on the Nation's Most Critical Highway Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-09-57] (Washington, D.C.: January 30, 2009); Commercial Vehicle Security: Risk-Based Approach Needed to Secure the Commercial Vehicle Sector, [hyperlink, http://www.gao.gov/products/GAO-09-85] (Washington, D.C.: February 27, 2009); and Freight Rail Security: Actions Have Been Taken to Enhance Security, but the Federal Strategy Can Be Strengthened and Security Efforts Better Monitored, [hyperlink, http://www.gao.gov/products/GAO-09-243] (Washington, D.C.: April 21, 2009). [33] The Project Management Institute, The Standard for Program Management © (2006). 
[34] DHS's Office of Infrastructure Protection also conducts vulnerability assessments on some pipeline facilities. However, because these assessments are conducted at the facility level rather than the system level, PSD cannot use these assessments in its risk assessment model, which focuses on the system level. [35] We calculated a simple correlation coefficient to measure the strength and direction of the linear relationship between systems' risk rankings and the time elapsed between PSD's first and subsequent CSRs for the pipeline systems that had two CSRs. This resulted in a correlation coefficient score of 0.2, which indicates a weak correlation. The magnitude of the correlation coefficient determines the strength of the correlation. A perfect correlation equals 1 and no correlation equals 0. [36] PSD conducts CSRs with operators of the 100 most critical pipeline systems. If an operator owns or operates more than one system among the 100 that are most critical, and uses the same corporate security plan for all its systems, PSD conducts a single CSR for that operator. As a result, PSD did not need to conduct 100 CSRs to complete CSRs for the 100 most critical pipeline systems. [37] The line of best fit is found by using the least squares method, which involves finding the minimum of the sum of the squares of the vertical distances of each data point from the proposed line. It is often useful to attempt to represent data with the equation of a straight line in order to predict values that may not be displayed on a scatter plot. The slope of the line of best fit generally does not reflect the magnitude of the correlation. [38] As of May 2010, PSD had conducted second CSRs for 9 of the top 15 highest risk-ranked systems. PSD conducted first CSRs for the other 6 systems in 2006 or later. [39] Because some CSRs cover multiple systems (since some operators operate more than one system), we accounted for one system, or one CSR, per operator in our calculations. 
[40] We calculated a regression equation to see the extent to which values of the two independent variables--(1) a system's risk ranking and (2) whether PSD had inspected any critical facilities belonging to a system's operator--were associated with values of the dependent variable--i.e., the time elapsed between a first and second CSR. We found little variation in the time elapsed between CSRs that could be explained by the two independent variables. Although PSD officials might have had contact with pipeline operators through other means, we could not quantify other forms of contact and, therefore, could not include them in the analysis. [41] As of April 2010, 64 systems included in PSD's risk assessment model had at least one critical facility, according to information operators reported, and PSD had inspected at least one critical facility of 43 of these 64 systems. We calculated a simple correlation coefficient to measure the strength and direction of the linear relationship between the systems' risk rankings and when (i.e., the order in which) PSD conducted the first critical facility inspection of that system. This resulted in a correlation coefficient score of 0.03, which indicates almost no correlation. [42] Although these security measures are generally voluntary for operators of critical pipeline facilities, some operators have off-shore or port facilities that are regulated under the Maritime Transportation Security Act and are required to implement certain protective measures. [43] If an operator considers none of its facilities to be critical, the operator should document the basis for this conclusion. [44] INGAA and AGA published security guidelines for the natural gas industry, which were adopted by APGA; API published security guidelines for the petroleum industry. 
[45] PSD officials explained they began conducting inspections of critical facilities as part of a new program in November 2008 and curtailed CSR spot checks of selected facilities at that time. [46] We compared industry guidance to the CSR protocol and found that the protocol generally allows PSD to determine whether a pipeline operator's corporate security plan is consistent with industry guidance. [47] CSRs include questions pertaining to cyber security, but according to PSD officials, they do not involve in-depth inspections or assessment of an operator's cyber security system and its vulnerabilities because PSD does not possess this expertise. They explained that other federal component agencies, such as DHS's National Cyber Security Division, have this expertise, and pipeline operators typically have in-house expertise or contract for it. [48] The CSR protocol is divided into the following 11 functional areas: threat assessment, vulnerability assessment, security planning, credentialing, secure areas, critical infrastructure, physical security, cyber security, security training, communications, and exercises. [49] The 9/11 Commission Act requires DHS to establish a program for reviewing pipeline operator adoption of the recommendations of the 2002 circular, including the review of pipeline security plans, and requires DHS to develop and implement a plan to review the pipeline security plans of the 100 most critical pipeline operators covered by the 2002 circular. Pub. L. No. 110-53, § 1557(a), (b), 121 Stat. 266, 475 (2007). [50] Because PSD updates the 100 most critical systems annually using pipeline system energy throughput data, which is revised annually, PSD has conducted CSRs of operators whose systems once were, but may no longer be, on the most critical list. Also, as noted earlier, because some pipeline operators own or operate more than one of the 100 most critical systems, PSD did not need to conduct 100 CSRs to cover all 100 most critical systems. 
[51] The 9/11 Commission Act requires DHS to establish a program for reviewing pipeline operator adoption of the recommendations of the 2002 circular, including critical facility inspections, and requires DHS to develop and implement a plan to inspect the critical facilities of the 100 most critical pipeline operators covered by the 2002 circular. Pub. L. No. 110-53, § 1557(a), (b), 121 Stat. 266, 475 (2007). [52] Toxic inhalation hazard pipelines, such as those transporting anhydrous ammonia and chlorine gas, are among the most dangerous. These pipelines, which have relatively low energy throughputs, are not addressed by the 2002 circular or the 9/11 Commission Act; nevertheless, PSD officials have told us the security of these pipelines is important and should be addressed. [53] In trying to recall the origin of the decision to not communicate recommendations in writing, PSD officials said it was based on concerns about an operator's potential liability if it did not implement the recommendations and its pipeline system was later attacked. However, officials acknowledged that they send operators written recommendations for their newer program--the CFI program--without such concerns. [54] PSD has contracted with Johns Hopkins University Applied Physics Laboratory to revise the CSR protocol. [55] Project Management Institute, A Guide to the Project Management Body of Knowledge © (Fourth Edition, 2008). [56] During the course of our review, the number of PSD staff ranged from 11 to 12. Three of these staff generally conducted CSRs. [57] Some pipelines may be vulnerable to "cyber attacks" on computer control systems that are used to collect data from pipeline sensors in real time and display these data to controllers, who monitor the data and operate pipeline control equipment remotely. 
A pipeline operator's control system represents a significant investment on the part of the operator and is a critical resource for response and recovery in the event of a pipeline incident of almost any type. [58] The 9/11 Commission Act states that interstate and intrastate transmission and distribution pipeline operators, nonprofit employee organizations representing pipeline employees, emergency responders, offerors, state pipeline safety agencies, public safety officials, and any other relevant parties are to be consulted. The incident recovery protocols plan is also to be developed in conjunction with interstate and intrastate pipeline operators and terminal and facility operators connected to pipelines. [59] The Office of Infrastructure Protection leads the coordinated national program to reduce risks to the nation's critical infrastructure and key resources posed by acts of terrorism, and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency. [60] PSD officials reported to us that they had coordinated the plan with DHS/TSA components and other DHS components, DOT/PHMSA, DOE, Department of Justice/FBI, Department of Interior/Minerals Management Service, National Transportation Safety Board, Federal Energy Regulatory Commission, Environmental Protection Agency, Federal Energy Regulatory Commission, Department of Defense/U.S. Army Corps of Engineers, National Association of Regulatory Utility Commissioners, National Association of State Energy Officials, National Governors Association, National Emergency Managers Association, National Association of Pipeline Safety Representatives, International Association of Fire Chiefs, International Association of Chiefs of Police, National Sheriff's Association, Pipeliners Union Local 798, Interstate Natural Gas Association of America, and Association of Oil Pipe Lines Owners/Operators. 
[61] In prior work we identified a set of desirable characteristics to aid responsible parties in further developing and implementing national strategies, and to enhance the usefulness of those strategies in resource and policy decisions and better ensure accountability. For a more detailed discussion of these characteristics, see GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, GAO-04-408T (Washington, D.C.: Feb. 3, 2004). [62] The Pipeline Modal Annex also identifies supporting strategies PSD will pursue to achieve pipeline security objectives and presents information to explain what TSA, other federal components, or industry is doing and how those activities correspond with these strategies. For example, the Pipeline Modal Annex describes the CSR program as a program to promote the implementation of layered threat deterrence and vulnerability mitigation programs and to conduct network enhancement and information-sharing activities. [63] According to PSD officials, they have prepared a 2010 revision to the 2007 Pipeline Modal Annex, which also does not incorporate performance measures and milestones. Officials told us in May 2010 that the revised annex was in internal review. [64] See [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [65] Each CFI trip involves inspections of multiple critical facilities. [66] According to PSD and TSNM officials, an appendix to the 2010 Sector Critical Infrastructure and Key Resources Protection Annual Report for the Transportation Systems Sector will discuss other performance measures related to two risk mitigation activities--(1) the percentage of the 100 most critical pipeline systems that have had a CSR or a repeat CSR and (2) the percentage of the 100 most critical systems that have conducted annual security exercises and drills (specifically, the percentage that has participated in Intermodal Security Training Exercise Program exercises). 
As of May 2010, this report was in internal review. [67] TSA's Intermodal Security Training Exercise Program offers an intermodal transportation security exercise program for transportation sector network communities. The program is intended to enhance the preparedness of the nation's surface transportation sector network with evaluations of prevention, preparedness, and the ability to respond to terrorist-related incidents. [68] GAO, Risk Management: Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Infrastructure, [hyperlink, http://www.gao.gov/products/GAO-06-91] (Washington, D.C.: December 15, 2005.) [69] The Pipeline Modal Annex identifies other programs and activities that seek to increase resiliency and robustness. [70] GAO, Aviation Security: A National Strategy and Other Actions Would Strengthen TSA's Efforts to Secure Commercial Airport Perimeters and Access Controls, [hyperlink, http://www.gao.gov/products/GAO-09-399] (Washington, D.C.: September 30, 2009). [71] PSD subsequently made minor revisions to the second CSR protocol that did not affect our analysis or the data PSD uses for its outcome measure. [72] According to PSD officials, they completed 31 CSRs from mid-April 2003 through mid-July 2004. [73] GAO, Tax Administration: IRS Needs to Further Refine Its Tax Filing Season Performance Measures, GAO-03-143 (Washington, D.C.: Nov. 22, 2002). In this report, GAO reported on nine key attributes of successful performance measures including the reliability of measures. [74] GAO, Managing for Results: Challenges Agencies Face in Producing Credible Performance Information, [hyperlink, http://www.gao.gov/products/GAO-GGD-00-52] (Washington, D.C.: Feb. 4, 2000). [75] An operator's CSR score is calculated based on the 73 standard questions in the newer CSR protocol. 
[76] For pipeline operators that operate more than one system, we used only the highest risk-ranked system for that operator in our analysis to control for the possibility that PSD also conducted a second CSR for a lower risk system belonging to the same operator. [77] Although PSD officials might have contact with pipeline operators through means other than CSRs and CFIs, we could not quantify other forms of contact and, therefore, could not include them in the analysis. [78] The Project Management Institute, The Standard for Program Management © (2006). [79] Our review of the 2002 circular included the Pipeline Security Contingency Planning Guidance. [80] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: November 1999). [81] Project Management Institute, A Guide to the Project Management Body of Knowledge © (Fourth Edition, 2008). [82] Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). [83] GAO, Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, [hyperlink, http://www.gao.gov/products/GAO-04-408T] (Washington, D.C.: Feb. 3, 2004). [84] GAO, Tax Administration: IRS Needs to Further Refine Its Tax Filing Season Performance Measures, [hyperlink, http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22, 2002). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. 
GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability.