This is the accessible text file for GAO report number GAO-10-873 
entitled 'Building Security: New Federal Standards Hold Promise, But 
Could Be Strengthened to Better Protect Leased Space' which was 
released on September 22, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Subcommittee on Financial Services and General 
Government, Committee on Appropriations, House of Representatives: 

United States Government Accountability Office:

September 2010: 

Building Security: 

New Federal Standards Hold Promise, But Could Be Strengthened to 
Better Protect Leased Space: 

GAO-10-873: 

GAO Highlights: 

Highlights of GAO-10-873, a report to the Subcommittee on Financial 
Services and General Government, Committee on Appropriations, House of 
Representatives. 

Why GAO Did This Study: 

The federal government’s reliance on leased space underscores the need 
to physically secure this space and help safeguard employees, 
visitors, and government assets. In April 2010 the Interagency 
Security Committee (ISC), comprised of 47 federal agencies and 
departments and chaired by the Department of Homeland Security (DHS), 
issued Physical Security Criteria for Federal Facilities (the 2010 
standards) which supersede previous ISC standards. In response to 
Congress’ direction to review ISC standards for leased space, this 
report (1) identifies challenges that exist in protecting leased space 
and (2) examines how the 2010 standards address these challenges.
To conduct this work, GAO analyzed agency documents and interviewed 
federal officials from ISC, four federal departments selected as case 
studies based on their large square footage of leased space, and the 
Federal Protective Service (FPS). GAO also consulted prior work on 
federal real property and physical security, including key practices 
in facility protection. 

What GAO Found: 

Limited information about risks and the inability to control common 
areas and public access pose challenges to protecting leased space. 
Leasing officials do not always have the information needed to employ 
a risk management approach for allocating resources—a key practice in 
facility protection. Early risk assessments—those conducted before a 
lease is executed—can provide leasing officials with valuable 
information; however, FPS, which is the General Services 
Administration’s (GSA) physical security provider, generally does not 
perform these assessments for leased space under 10,000 square feet—
which constitutes a majority of GSA’s leases. Under its memorandum of 
agreement (MOA) with GSA, FPS is not expected to perform these 
assessments and does not have the resources to do so. Another 
challenge in protecting leased space is tenant agencies’ lack of 
control over common areas (such as elevator lobbies, loading docks, 
and the building’s perimeter) which hampers their ability to mitigate 
risk from public access to leased space. In leased space, lessors, not 
tenant agencies, typically control physical security in common areas. 
To implement measures to counter risks in common areas, tenant 
agencies must typically negotiate with and obtain consent from 
lessors, who may be unwilling to implement countermeasures because of 
the potential burden or undue effect on other, nonfederal tenants. For 
example, tenant agencies in a high-risk, multitenant leased facility 
we visited have been unable to negotiate changes to the common space, 
including the installation of X-ray machines and magnetometers, 
because the lessor believed that the proposed countermeasures would 
inconvenience other tenants and the public. 

The 2010 standards show potential for addressing some challenges with 
leased space. These standards align with some key practices in 
facility protection because they prescribe a decision making process 
to determine, mitigate, and accept risks using a risk management 
approach. Further, by requiring that decision making be tracked and 
documented, the standards facilitate performance measurement that 
could help enable agency officials to determine if the most critical 
risks are being prioritized and mitigated. With its emphasis on the 
uniform use of early risk assessments, the 2010 standards provide a 
baseline requirement for agencies to consider as they develop 
protocols and allocate resources for protecting leased space. For 
example, GSA and FPS must now consider this requirement, which 
represents an expansion of the services currently expected of FPS, as 
they renegotiate their MOA. In contrast, a shortfall within the 2010 
standards is that they offer little means for addressing tenant 
agencies’ lack of control over common areas and public access. While 
the 2010 standards outline specific countermeasures for addressing 
public access, they lack in-depth discussion and guidance—such as best 
practices—that could provide a framework for working with lessors to 
implement these countermeasures. Given the critical role that lessors 
play, such guidance is warranted. As the government’s central forum 
for exchanging information on facility protection, ISC is well 
positioned to develop and share this guidance. 

What GAO Recommends: 

GAO recommends that DHS instruct ISC to establish a working group or 
other mechanism to determine guidance for working with lessors, and to 
incorporate this guidance into a future ISC standard or other product, 
as appropriate. DHS concurred with the report’s recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-10-873] or key 
components. For more information, contact Mark Goldstein at 
(202) 512-2834 or goldsteinm@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Limited Risk Information and Lack of Control Over Common Areas and 
Public Access Pose Challenges to Protecting Leased Space: 

The 2010 Standards Show Potential for Addressing Some Challenges with 
Leased Space: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Comments from the Department of Homeland Security: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Figures: 

Figure 1: Key Practices in Facility Protection: 

Figure 2: Portions of GSA-acquired leases over and under 10,000 square 
feet: 

Figure 3: General Depiction of Leased Space and Common Areas: 

Abbreviations: 

DEA: Drug Enforcement Agency: 

DHS: Department of Homeland Security: 

DOJ: Department of Justice: 

FBI: Federal Bureau of Investigation: 

FPS: Federal Protective Service: 

GSA: General Services Administration: 

ISC: Interagency Security Committee: 

MOA: memorandum of agreement: 

SFO: solicitation for offers: 

USDA: Department of Agriculture: 

VA: Department of Veterans Affairs: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

September 22, 2010: 

The Honorable José E. Serrano: 
Chairman: 
The Honorable Jo Ann Emerson: 
Ranking Member: 
Subcommittee on Financial Services and General Government: 
Committee on Appropriations: 
House of Representatives: 

In fiscal year 2009, the federal government leased domestically more 
than 253 million square feet of space with large portions leased by 
nonmilitary agencies including the General Services Administration 
(GSA), Department of Veterans Affairs (VA), Department of Agriculture 
(USDA), and Department of Justice (DOJ).[Footnote 1] GSA acts as the 
lead leasing agency, and leased the majority of this space on behalf 
of various federal agencies.[Footnote 2] The Federal Protective 
Service (FPS), in the Department of Homeland Security (DHS), is 
responsible for the security of GSA-acquired leased space. Other 
federal agencies--such as VA, USDA, and DOJ--acquire and provide 
physical security services for leased space, as well. The federal 
government's reliance on leasing has increased in recent years, 
underscoring the need for physical security to safeguard the 
employees, visitors, and government assets in leased space. 

As with privately leased space, federally leased space faces threats 
such as theft, vandalism, and trespass. And, like federally owned 
space, federally leased space can be a target for acts of terrorism, 
violence, and destruction. A recent string of high-profile incidents, 
including shootings at the entrance to the Pentagon and at a Las Vegas 
federal courthouse as well as the intentional crash of a small 
airplane into an Internal Revenue Service office, demonstrates the 
dangerous nature of risks faced by federal employees in federal 
buildings and leased space. In 2004, the Interagency Security 
Committee (ISC), which has representation from all major federal 
departments and agencies, issued Security Standards for Leased Space 
(hereafter referred to as the 2004 standards), establishing physical 
security standards for federally leased space.[Footnote 3] These 
standards were recently superseded in April 2010 by ISC's Physical 
Security Criteria for Federal Facilities (hereafter referred to as 
"the 2010 standards"), which were intended to make security an 
integral part of the operations, planning, design, construction, 
renovation, or acquisition of federal facilities--whether in owned or 
leased space.[Footnote 4] In addition, we have identified in our prior 
work key practices in facility protection, including allocation of 
resources using a risk management approach.[Footnote 5] 

This report responds to House Report No. 110-207 that directed us to 
assess the "2004 standards" for protecting leased space.[Footnote 6] 
Based on discussions with your staff and in light of the recently 
issued 2010 standards, this report (1) identifies challenges that 
exist in protecting leased space and (2) examines how the 2010 
standards address these challenges. 

To identify challenges in protecting leased space, we conducted case 
studies of four agencies and reviewed our prior work on facility 
protection. We selected GSA, VA, USDA, and DOJ as case studies based 
on their large square footage of leased spaces. As part of our case 
study analyses, we analyzed internal policies relevant to physical 
security and leasing and interviewed headquarters and field officials 
from GSA, FPS, VA, USDA, and DOJ responsible for physical security and 
leasing. For example, we analyzed the memorandum of agreement (MOA) 
between GSA and DHS and GSA data on its leased space inventory to 
determine the expectations for FPS performing early risk assessments. 
We administered a data collection instrument among officials 
responsible for physical security and also conducted 15 site visits to 
facilities leased by our case study agencies. We toured each leased 
space site and collected documents, when available, that contained 
site-specific information on security risks. At each site, we 
interviewed the tenant agency official(s) with primary responsibility 
for security or another designated official. At some sites, we also 
interviewed the security official responsible for protecting the 
space and the lessor.[Footnote 7] We selected our sites to include a 
range of predominant use types,[Footnote 8] security levels,[Footnote 9] 
sole and multitenant facilities,[Footnote 10] geographic locations, 
and also considered the opinions of GSA officials. We corroborated the 
quantitative and qualitative data from our case study agencies and 
found the data sufficiently reliable for our purposes. The findings 
from our case studies and site visits exemplify physical security 
challenges in leased space, but cannot be generalized to challenges 
facing all federal government lessees. Additionally, we considered key 
practices in facility protection, as identified in our prior work, 
including allocating security resources using risk management, 
leveraging the use of security technology, coordinating protection 
efforts and sharing information with other stakeholders, measuring 
program performance and testing security initiatives, aligning assets 
to mission, and strategically managing human capital. 

To examine how the 2010 standards address challenges that exist in 
protecting leased space, we conducted a comparative analysis of the 
2010 standards to the challenges we identified, as well as to the 2004 
standards. We also interviewed officials from ISC about the chief 
differences between the 2004 and the 2010 standards. We reviewed our 
prior work on GSA and DHS's MOA and analyzed how the 2010 standards 
were applicable to their renegotiation of the MOA. We also interviewed 
agency officials from VA, USDA, and DOJ to determine the impact of the 
2010 standards on efforts underway at their agencies. 

We performed our work from July 2009 to September 2010 in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient and 
appropriate evidence to provide a reasonable basis for our findings 
and conclusions based on our audit objectives. We believe that the 
evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Background: 

Real property is generally defined as facilities, land, and anything 
constructed on or attached to land. The federal government leases real 
property (referred to in this report as leased space) for a variety of 
purposes including office spaces, warehouses, laboratories, and 
housing. 

Agencies and Relevant Laws: 

As the federal government's landlord, GSA designs, builds, manages, 
and safeguards buildings to support the needs of other federal 
agencies. GSA is authorized to enter into lease agreements with tenant 
agencies for up to 20 years that the Administrator of GSA considers to 
be in the interest of the federal government and necessary to 
accommodate a federal agency.[Footnote 11] GSA uses its authority to 
lease space for many federal government agencies, and in fiscal year 
2009 acquired more than 182 million square feet, the most leased space 
of any federal agency.[Footnote 12] In response to our 2005 
recommendation and to enhance coordination with the FPS, GSA 
established the Building Security and Policy Division within the 
Public Buildings Service. The division developed the Regional Security 
Network, which consists of several security officials for each of 
GSA's 11 regions, to further enhance coordination with FPS at the 
regional and building levels and to carry out GSA security policy in 
collaboration with FPS and tenant agencies. 

Some agencies have independent[Footnote 13] or delegated leasing 
authority[Footnote 14] which allows the agency to perform all necessary 
functions to acquire leased space without using GSA. In fiscal year 
2009, VA, USDA, and DOJ, using GSA-delegated and/or independent 
leasing authority, leased a total of approximately 30 million 
square feet to help meet their varying missions.[Footnote 15] 
Specifically, 

* VA leased approximately 10 million square feet and has a large 
inventory of real property, including medical centers, outpatient 
facilities, and ambulatory care clinics. 

* USDA leased approximately 17 million square feet. USDA uses leased 
space to administer programs which assist farmers and rural 
communities, oversee the safety of meat and poultry, provide 
low-income families access to nutritious food, and protect the nation's 
forests, among other things. 

* DOJ leased approximately 3 million square feet. DOJ is comprised of 
about 40 component agencies with wide-ranging missions, such as the 
U.S. Attorneys' Offices, Drug Enforcement Agency (DEA), and the 
Federal Bureau of Investigation (FBI). 

The Homeland Security Act of 2002 established DHS to centralize the 
federal government's efforts to prevent and mitigate terrorist attacks 
within the United States--including terrorism directed at federal 
facilities. Under the act, FPS was transferred from GSA to DHS. 
[Footnote 16] As of October 2009, FPS is organized within DHS's 
National Protection and Programs Directorate. FPS is the primary 
federal agency responsible for protecting and securing GSA facilities, 
visitors, and over 1 million federal employees across the country. 
FPS's basic security services include patrolling the building 
perimeter, monitoring building perimeter alarms, dispatching law 
enforcement officers through its control centers, conducting criminal 
investigations, and performing facility security assessments. FPS also 
provides building-specific security services, such as controlling 
access to building entrances and exits and checking employees and 
visitors. FPS is a fully reimbursable agency--that is, its services 
are fully funded by security fees collected from tenant agencies. FPS 
charges each tenant agency a basic security fee per square foot of 
space occupied in a GSA building (66 cents per square foot in fiscal 
year 2009), among other fees.[Footnote 17] 

ISC, established in 1995 by Executive Order 12977 after the bombing of 
the Alfred P. Murrah federal building in Oklahoma City, has 
representation from all the major property-holding agencies and a 
range of governmentwide responsibilities related to protecting 
nonmilitary facilities. These responsibilities generally involve 
developing policies and standards, ensuring compliance, and 
encouraging the exchange of security-related information. Executive 
Order 12977 called for each executive agency and department to 
cooperate and comply with the policies and recommendations of the 
Committee. DHS became responsible for chairing ISC, which, as of 2007, 
is housed in the Office of Infrastructure Protection within DHS's 
National Protection and Programs Directorate. Executive Order 13286, 
which amended Executive Order 12977, calls for the Secretary of DHS to 
monitor federal agency compliance with the standards issued by ISC. 

The 2004 standards, in conjunction with the Facility Security Level 
Determinations for Federal Facilities--which ISC issued in 2008 to 
update standards issued by DOJ in 1995--prescribed administrative 
procedures and various countermeasures for perimeter, entry, and 
interior, as well as blast and setbacks, for leased spaces based 
upon five different facility security levels ranging between levels I 
and V, with level I being the lowest risk level and level V being the 
highest.[Footnote 18] The 2004 standards were specifically developed 
in response to a perceived need for security standards that could be 
applied in a leased space environment. The Facility Security Level 
Determinations for Federal Facilities and its precursors established 
the criteria and process for determining the security level of a 
facility which serves as the basis for implementing the 
countermeasures prescribed within other ISC standards, including the 
2004 standards. 

According to the 2004 standards, when an agency is seeking a new 
lease, a security official should determine the security level of the 
leased space based on an early risk assessment,[Footnote 19] which is 
performed prior to entering into a new lease. Requirements based on 
the designated facility security level, as outlined within the 
standards, are to be incorporated into a solicitation for offers 
(SFO), which is sent to potential lessors, as minimum requirements. 
These minimum requirements must be met, with the exception of blast 
and setback requirements in existing buildings. Potential lessors who 
are unwilling or unable to meet the requirements are deemed 
nonresponsive according to the standards and eliminated from the SFO 
process. 

After a lease is entered into, the Facility Security Level 
Determinations for Federal Facilities states that risk assessments, 
such as facility security assessments (FSA), be conducted on a 
periodic and timely basis, with the facility security level being 
determined or adjusted as part of each risk assessment. Specifically, 
risk assessments are to be conducted every 5 years for facilities 
classified as facility security level I or II, and every 3 years for 
facilities classified as facility security level III, IV, or V. 

Key Practices in Facility Protection: 

We have previously identified, from the collective practices of 
federal agencies and the private sector, a set of key facility 
protection practices that provide a framework for guiding agencies' 
physical security efforts and addressing challenges.[Footnote 20] Key 
facility protection practices as shown in figure 1 include the 
following: 

* Information sharing and coordination establishes a means of 
communicating information with other government entities and the 
private sector to prevent and respond to security threats. 

* Allocating resources using risk management involves identifying 
potential threats, assessing vulnerabilities, identifying the assets 
that are most critical to protect in terms of mission and 
significance, and evaluating mitigation alternatives for their likely 
effect on risk and their cost. 

* Aligning assets to mission can reduce vulnerabilities by reducing 
the number of assets that need to be protected. 

* Strategic human capital management ensures that agencies are well 
equipped to recruit and retain high-performing security staff. 

* Leveraging technology supplements other countermeasures with 
technology in a cost-effective manner. 

* Performance measurement and testing evaluates efforts against 
broader program goals and ensures that they are met on time and within 
budgeting constraints. 

Figure 1: Key Practices in Facility Protection: 

[Refer to PDF for image: illustration] 

Information sharing and coordination; 
Allocating resources using risk management; 
Aligning assets to mission; 
Leveraging technology; 
Performance measurement and testing; 
Strategic human capital management. 

Source: GAO. 

[End of figure] 

Limited Risk Information and Lack of Control Over Common Areas and 
Public Access Pose Challenges to Protecting Leased Space: 

Leasing Officials Sometimes Lack the Information Needed to Employ a 
Risk Management Approach: 

Before a lease is signed, early risk assessments can help agencies 
allocate resources using a risk management approach, a key practice of 
facility protection. Through early risk assessments, security 
officials are able to collect key information about potential spaces, 
security risks, and needed countermeasures, which help leasing 
officials,[Footnote 21] in turn, identify the most appropriate space 
to lease and negotiate any needed countermeasures.[Footnote 22] 

Leasing officials primarily rely on security officials to supply 
information on physical security requirements for federally leased 
space. Some tenant agencies are able to supply leasing officials with 
key prelease information because they have developed the security 
expertise to conduct their own early risk assessments. For example, 
DEA has its own in-house security officials who work with leasing 
officials to conduct risk assessments early in the leasing process. 
This helps leasing officials assess risk and obtain space specific to 
DEA's security needs. Similarly, VA has created internal policy 
manuals that describe agency security requirements which help guide 
leasing and security officials on how to assess risk and obtain 
appropriate space. These manuals are circulated to VA leasing, 
facilities, and security officials, and GSA leasing officials are made 
familiar with VA's physical security requirements early in the leasing 
process for GSA-acquired space. Additionally, VA currently budgets $5 
per net usable square foot for physical building security and 
sustainability requirements into all of its leases. At one site, VA 
officials are in the early stages of identifying space needs for the 
relocation of a community-based outpatient clinic. VA leasing 
officials and security officials, among others, are collaborating on 
decisions that integrate security with the function of the outpatient 
clinic that will help ensure funds are available to finance the 
security requirements. 

Despite the in-house expertise of some tenant agencies, leasing 
officials sometimes do not have the information they need to allocate 
resources using a risk management approach before a lease is signed 
because early risk assessments are not conducted for all leased space. 
Early risk assessments are absent for a significant portion of the 
GSA-acquired leased space portfolio because FPS does not uniformly conduct 
these assessments for spaces under 10,000 square feet--which 
constitute 69 percent of all GSA leases (see figure 2). While FPS is 
expected under the MOA to uniformly conduct early risk assessments for 
GSA-acquired space greater than or equal to 10,000 square feet, FPS 
and GSA officials agree that FPS is not expected to conduct early risk 
assessments for spaces under 10,000 square feet unless it has the 
resources to do so.[Footnote 23] 

Figure 2: Portions of GSA-acquired leases over and under 10,000 square 
feet: 

[Refer to PDF for image: pie-chart] 

Percentage of GSA-acquired leases less than 10,000 square feet: FPS is 
not expected to conduct early risk assessments: 69%; 
Percentage of GSA-acquired leases greater than or equal to 10,000 
square feet: FPS is expected to perform early risk assessments: 31%. 

Source: GAO analysis of GSA fiscal year 2009 data. 

Note: The total number of leases used for this analysis is 10,480. 
This excludes leases that GSA acquired on behalf of DOD, Army, Air 
Force, and Navy and leases that did not have an assigned square 
footage. 

[End of figure] 

As we have previously reported, FPS faces funding and workforce 
challenges, which may limit the resources available to conduct early 
risk assessments on spaces under 10,000 square feet. Further, FPS may 
lack incentive for prioritizing early risk assessments on smaller 
spaces, given that it receives payment on a square footage basis only 
after a lease has been signed. Currently, the cost of early risk 
assessments is distributed across all tenant agencies. We are 
examining FPS's fee structure as part of our ongoing work in the 
federal building security area. 

According to FPS officials, FPS generally does not have enough time to 
complete early risk assessments on spaces less than 10,000 square 
feet, in part because GSA has requested early risk assessments too 
late or too close to the time when a site selection must be made. 
[Footnote 24] A GSA official involved with physical security stated 
that even when GSA gives FPS proper lead time, early risk assessments 
are still sometimes not conducted by FPS. For example, in October 
2009, GSA requested FPS conduct an early risk assessment for a leased 
space under 10,000 square feet within 8 months. One week prior to the 
June 2010 deadline, GSA was still unsure if an FPS inspector had been 
assigned and if a risk assessment had been or would be conducted. 
Because FPS did not keep centralized records of the number of early 
risk assessments requested by GSA or completed by FPS in fiscal year 
2009, we were unable to analyze how often early risk assessments are 
requested and the percentage of requested assessments that FPS 
completes.[Footnote 25] 

Leasing and security officials from our case study agencies agreed 
they are best able to negotiate necessary countermeasures before a 
lease is executed. Because of the immediate costs associated with 
relocating, after a tenant agency moves in, it may be forced to stay 
in its current leased space, having to accept unmitigated risk (if 
countermeasures cannot be negotiated) or expend additional time and 
resources to put countermeasures in place (and negotiate supplemental 
lease agreements) once a lease has been signed. For example, a DEA 
leasing official stated that relocation is often not a viable solution 
given costs, on average, of between $10 and $12 million to find and 
move an office to a new space. Furthermore, at one of our site visits, 
DEA officials have been working to install a costly fence--a DEA 
physical security requirement for this location that was originally 
planned as part of the built-to-suit facility, but canceled because of 
a lack of funds. According to DEA officials, now that DEA has acquired 
funding for the fence, they have been negotiating for more than a year 
with GSA and the lessor to receive supplemental lease agreements, 
lessor's design approval, and resolve issues over the maintenance and 
operation of the fence. According to DEA officials, fence construction 
is expected to commence in January 2011. 

Tenant Agencies' Lack of Control Over Common Areas in Leased Space Can 
Hamper Their Ability to Mitigate Risks: 

Balancing public access with physical security and implementing 
security measures in common areas of federally leased space are major 
challenges. The public visits both owned and leased federal facilities 
for government services, as well as for other business transactions. 
In leased space, the number and range of people accessing these 
buildings can be large and diverse, and building access is generally 
less restricted than in owned space. Fewer access restrictions and 
increased public access heighten the risk of violence, theft, and 
other harm to federal employees and the public. 

In leased space, it can be more difficult to mitigate risks associated 
with public access because tenant agencies typically do not control 
common areas, which are usually the lessor's responsibility, 
particularly in multitenant buildings. Common areas, as shown in 
figure 3, can include elevator lobbies, building corridors, restrooms, 
stairwells, loading docks, the building perimeter, and other areas. 
[Footnote 26] 

Figure 3: General Depiction of Leased Space and Common Areas: 

[Refer to PDF for image: illustration] 

The illustration is a floor plan, depicting the following: 

Common areas: 
Building entrance; 
Unrestricted lobby; 
Elevators; 
Corridor; 
Public bathrooms; 
Loading dock; 
Building perimeter (including roof). 

Leased space: 
Commercial business; 
Federal agency. 

Source: GAO. 

[End of figure] 

FSAs can identify countermeasures to address risks with public access, 
but FSA recommendations can be difficult to implement because tenant 
agencies must negotiate all changes with the lessor. Lessors may 
resist heightened levels of security in common areas--such as 
restricted public access--because of the potential adverse effect on 
other tenants in the building. For example, a multitenant facility 
security level IV building we visited, housing the United States 
Forest Service among other federal agencies, experienced difficulty 
installing X-ray machines and magnetometers in the main lobby. The 
lessor deemed these proposed countermeasures inconvenient and 
disruptive for some other tenants, including two commercial businesses 
located on the ground floor--a daycare center and a sundries shop--and 
for the public. Because the livelihood of these businesses depends on 
pedestrian traffic and because federal tenant agencies did not lease 
the lobby, per se, the lessor resisted having additional security 
countermeasures in place that would restrict public access. 

While some tenant agency officials at our site visits stated that 
lessors were responsive to security needs in common areas, other 
tenant agency officials we spoke with said that negotiating security 
enhancements to common areas with lessors is a problem that can lead 
to a lack of assurance that security risks and vulnerabilities are 
being mitigated.[Footnote 27] A regional GSA official involved with 
physical security stated that because GSA and tenant agencies do not 
control common areas in buildings where they lease space, it can be 
challenging to secure loading docks, hallways, and corridors.[Footnote 
28] Another regional GSA official involved with physical security 
stated that tenant agencies do what they can by implementing 
countermeasures in their own leased space rather than in common areas, 
for example, by regulating access at the entrances to leased space 
rather than at the building entrances. At one site, an FBI official 
indicated that by relocating to a new leased space, FBI, as the sole 
tenant, would be able to better control common areas and public access. 

Overall, the negative effects of these challenges are significant 
because GSA, FPS, and tenant agencies can be poorly positioned to 
implement the practices that we have identified as key to protecting 
the physical security of leased spaces. Tenant agencies that are 
unable to identify and address vulnerabilities may choose space 
poorly, misallocate resources, and be limited in their ability to 
implement effective countermeasures. Furthermore, when tenant agencies 
are unable to allocate resources according to identified 
vulnerabilities, they may also be unable to employ the other key 
practices in facility protection. For example, tenant agencies may not 
be able to leverage technology to implement the most appropriate 
countermeasures if it requires a presence in common areas that are not 
under the control of the federal tenant. 

The 2010 Standards Show Potential for Addressing Some Challenges with 
Leased Space: 

The 2010 Standards' Focus on Decision Making and Documentation Aligns 
with Some Key Facility Protection Practices: 

In April 2010, ISC issued the Physical Security Criteria for Federal 
Facilities, also known as the 2010 standards.[Footnote 29] These 
standards define a decision-making process for determining the 
security measures required at a facility. According to the standards, 
it is critical that departments and agencies recognize and integrate 
the process as part of the real property acquisition process (i.e., 
leasing process) in order to be most effective. The 2010 standards 
provide in-depth descriptions of the roles of security officials who 
conduct and provide early risk assessments,[Footnote 30] the tenant 
agency, and the leasing agency (e.g., GSA) and also define each 
entity's respective responsibilities for implementing the standards' 
decision-making process. For example, the 2010 standards state that: 

* Tenant agencies are the decision maker as to whether to fully 
mitigate or accept risk. Tenant agencies must either pay for the 
recommended security measures and reduce the risk, or accept the risk 
and live with the potential consequences.[Footnote 31] 

* Leasing officials will determine how additional countermeasures will 
be implemented or consider expanding the delineated area, in 
conjunction with the tenant agency, during the leasing acquisition 
process. 

* Security officials are responsible for identifying and analyzing 
threats and vulnerabilities, and recommending appropriate 
countermeasures. Once a credible and documented risk assessment has 
been presented to and accepted by the tenant agency, the security 
official is not liable for any future decision to accept risk. 

The 2010 standards align with some key practices in facility 
protection because these standards focus on allocating resources using 
a risk management approach and measuring performance. As previously 
discussed, having information on risks and vulnerabilities allows 
tenant agencies to maximize the impact of limited resources and assure 
that the most critical risks are being prioritized and mitigated. 
Likewise, performance measurement, via tracking and documentation of 
decision making, can help agencies to determine the effectiveness of 
security programs and establish accountability at the individual 
facility level. By allocating resources using a risk management 
approach and measuring performance, tenant agencies and the federal 
government will be better positioned to comprehensively and 
strategically mitigate risk across the entire portfolio of real 
property. 

Allocating resources using a risk management approach is a central 
tenet of the 2010 standards. The 2010 standards prescribe a decision-
making process to determine the risk posed to a facility (level of 
risk), the commensurate scope of security (level of protection) 
needed, and the acceptance of risk when countermeasures will not be 
implemented or implemented immediately. Like the 2004 standards, the 
2010 standards outline a minimum set of physical security 
countermeasures for a facility based on the space's designated 
facility security level. The 2010 standards allow for this level of 
protection to be customized to address site specific conditions in 
order to achieve an acceptable level of risk. The 2004 standards 
allowed for some countermeasures to be unmet due to facility 
limitations, building owner acceptance, lease conditions, and the 
availability of adequate funds, but required a plan for moving to 
security compliant space in the future in such instances. According to 
the 2004 standards, these exemptions allowed agencies to obtain the 
best security solution available when no compliant space was 
available. According to the ISC Executive Director, the 2004 standards 
were, in effect, lower standards because of the operational 
considerations given to leased space.[Footnote 32] The Executive 
Director said that the 2010 standards correct this weakness by 
focusing on decision making that can lead to an acceptable level of 
protection and risk through a variety of means, rather than a standard 
that simply prescribes a fixed set of countermeasures that can then be 
circumvented by exemptions as in the 2004 standards. 

Additionally, the 2010 standards emphasize documentation of the 
decision-making process--a cornerstone for performance measurement. 
The 2004 standards required agencies to provide written justification 
for exceeding the standard and documentation of the limiting 
conditions that necessitated agencies to go below the standard. The 
2010 standards more explicitly state that "the project documentation 
must clearly reflect the reason why the necessary level of protection 
cannot be achieved. It is extremely important that the rationale for 
accepting risk be well documented, including alternate strategies that 
are considered or implemented, and opportunities in the future to 
implement the necessary level of protection." More specifically, the 
2010 standards state that any decision to reject implementation of 
countermeasures outright or defer implementation due to cost (or other 
factors) must be documented, including the acceptance of risk in such 
circumstances and that tenant agencies should retain documents 
pertinent to these decisions, such as risk assessments. The ISC 
Executive Director stated that after the standards are fully 
implemented, the federal government will be able to accurately 
describe the state of federal real property and physical security. For 
each facility, there will be documentation--a "final building report"--
containing information on physical security decision making, including 
the costs of implementing countermeasures. Each agency will be able to 
assess their entire portfolio of real property by aggregating these 
final building reports to determine the overall status and cost of 
physical security. These reports will be able to demonstrate the 
federal government's level of protection against potential threats, 
according to the executive director. We agree that if the standards 
succeed in moving agencies to track and document such information at a 
building level, then tenant agency, leasing, and security officials 
will be better able to determine if the most critical risks are being 
prioritized and mitigated across an entire real property portfolio and 
to determine the gaps and efficacy of agency-level security programs. 
[Footnote 33] 

ISC Standards Could Spur Agencies to Allocate the Resources Necessary 
for Early Risk Assessment: 

Early risk assessments are key initial steps in the decision-making 
process prescribed by the 2010 standards. The standards contain a 
direct call for risk assessments to be conducted and used early in the 
leasing process. The standards prescribe the following: 

* Prospective tenant agencies will receive information regarding 
whether the level of protection can be achieved in a delineated area. 

* Security officials will conduct risk assessments and determine 
facility security levels early to determine required countermeasures 
that leasing officials should include within SFOs. 

* Security officials will evaluate the proposed security plans of 
potential lessors responding to the SFOs and update the risk 
assessment on offers in the competitive range to identify threats and 
vulnerabilities for the specific properties and recommend any 
additional security measures to tenant agencies and leasing officials. 

The 2004 standards outlined more broadly that the initial facility 
security level should be determined by a security official based on a 
risk assessment and that those potential lessors who are unwilling or 
unable to meet the standard be considered unresponsive to the SFO. The 
2010 standards also make no distinction or exemptions to the 
requirement for early risk assessments of leased space, based on a 
space's square footage or any other wholesale factor.[Footnote 34] 

Like the 2004 standards, the 2010 standards apply to all buildings and 
facilities in the United States occupied by federal employees for 
nonmilitary activities. Further, according to the 2010 standards, each 
executive agency and department shall comply with the policies and 
recommendations prescribed by the standards. Given this, the 2010 
standards' language on early risk assessments, as previously 
discussed, should encourage agencies to perform and use these 
assessments in leased space--including spaces under 10,000 square 
feet. Specifically, language within the standards directing agencies 
to uniformly perform and use early risk assessments as part of the 
prescribed decision-making process is useful, because it provides a 
baseline for agencies to consider as they develop protocols and 
allocate resources for protecting leased space. 

Since leased space for nonmilitary activities acquired by GSA is 
subject to ISC standards, and FPS provides security services for GSA-
acquired leased space, it is up to both agencies to figure out how to 
meet the 2010 standards in light of available resources. However, as 
previously discussed, FPS already faces resource and other challenges 
in conducting these early risk assessments. Given these current 
challenges, it will likely be difficult for FPS to meet the 2010 
standards, which would necessitate an expansion of the services FPS is 
expected to perform under the current MOA. In October 2009, we 
reported that FPS and GSA recognized that the MOA renegotiation can 
serve as an opportunity to discuss service issues and develop mutual 
solutions.[Footnote 35] Both FPS and GSA officials reported that the 
delivery of early risk assessments was being reviewed as part of the 
MOA. As part of the MOA renegotiations, GSA's Regional Security 
Network developed a flowchart to expressly show the need for FPS 
services, such as early risk assessments. According to FPS officials, 
one of the goals of the MOA is to clarify how early and from whom GSA 
officials ought to request these risk assessments from FPS. 

Other agencies will also have to consider how they will meet the 2010 
standards' requirement for early risk assessments. VA and USDA have 
efforts underway to further standardize their leasing guidance, which 
represent opportunities for doing just this. According to VA 
officials, VA will review and update its leasing and security manuals 
to reflect the 2010 standards and is currently assessing what other 
additional revisions to these manuals may be warranted. VA can now 
incorporate the 2010 standards' baseline decision-making process for 
its leasing and security officials, which would help support the use 
of early risk assessments. USDA is also modifying a department-level 
leasing handbook to incorporate the 2010 standards, since leasing 
officials can play a significant role in physical security in the 
leasing process, particularly given the limited number of security 
officials within USDA. Additionally, USDA is considering realigning 
its few security officials to report to a department-level office 
(rather than be organized under each agency) in order to maximize 
available resources for performing such things as risk assessments. 
According to officials from agencies within VA and USDA, department-
level direction is a valuable resource that leasing officials rely on 
for determining what activities must be undertaken during the leasing 
process. 

ISC Standards Lack Guidance for Working with Lessors: 

A shortfall within the 2010 standards is that they do not fully 
address the challenge of not controlling common areas and public 
access in leased space. Though the standards speak to tenant agencies, 
leasing officials, and security officials about their various roles 
and responsibilities in implementing the standard, the 2010 standards 
lack in-depth discussion for these entities about how to work with 
lessors to implement countermeasures. The 2010 standards outline 
specific countermeasures for addressing public access as part of 
protecting a facility's entrance and interior security, such as 
signage, guards, and physical barriers. Similar to the 2004 standards, 
the 2010 standards acknowledge that the ability to implement security 
countermeasures is dependent on lessors. Nevertheless, like the 2004 
standards, there is little discussion on ways for tenant agencies, 
leasing officials, and security officials to work with or otherwise 
leverage lessors, which in our view is a significant omission given 
that implementing countermeasures can depend largely on lessors' 
cooperation. 

Given the critical role that lessors play, guidance for tenant 
agencies, leasing officials, and security officials--such as best 
practices--from ISC could be helpful for agencies as they attempt to 
meet the baseline level of protection prescribed within the 2010 
standards for protecting leased space. Best practices comprise the 
collective practices, processes, and systems of leading organizations, 
including federal agencies and the private sector. Best practices can 
provide agencies, though diverse and complex, with a framework for 
meeting similar mission goals, such as facility protection. Guidance 
on working with lessors could suggest such practices as the inclusion 
of clauses within SFOs and lease agreements that obligate lessors to a 
level of protection in common areas as defined in ISC standards (i.e., 
deemed necessary by tenant agencies, in conjunction with security 
officials, as the result of FSAs conducted after a lease is executed). 
Currently, GSA standard leasing templates contain language stipulating 
that lessors must provide a level of security that reasonably prevents 
unauthorized entry during nonduty hours and deters loitering or 
disruptive acts in and around leased space. Prior to the execution of 
the lease, leasing officials and tenant agencies could also negotiate 
or stipulate a cost-sharing structure with lessors in the event that 
future countermeasures are needed. For example, GSA standard leasing 
templates already reserve the right of the government to temporarily 
increase security in the building under lease, at its own expense and 
with its own personnel during heightened security conditions due to 
emergency situations. A best practice could be that such existing 
language regarding common areas and the implementation of security 
countermeasures be articulated and linked to ISC standards more 
definitively within SFO and leasing agreements. This could provide 
tenant agencies, leasing officials, and security officials the 
leverage necessary for compelling lessors to allow or cooperatively 
implement security countermeasures in common areas in order to 
mitigate risks from public access. 

As the government's central forum for exchanging information and 
guidance on facility protection, ISC is well positioned to develop and 
share best practices. ISC has the capacity to create a working group 
or other mechanism to address this gap in its 2010 standards. ISC has 
previously developed best practices in physical security issues, and 
one of its five standing subcommittees is focused on developing best 
practices related to technology.[Footnote 36] Officials from our case 
study agencies reported that their agencies use ISC guidance and 
standards in developing policies and protocols for physical security 
and leasing. Moreover, we have reported that previous ISC standards 
have been viewed as useful in communicating increased physical 
security needs to private owners and involving them directly in the 
process of security program development for their buildings. 

Conclusions: 

Federal agencies continue to rely on leased space to meet various 
missions, but the limited use of early risk assessments and a lack of 
control over common areas present challenges to protecting this space. 
Though all risks can never be completely predicted or eliminated, it 
is imperative to address these challenges because they leave GSA, FPS, 
and tenant agencies poorly positioned to implement key practices in 
facility protection, such as allocating resources using a risk 
management approach, leveraging technology, and measuring performance. 
As the government-wide standard for protecting nonmilitary federal 
facilities, the 2010 standards are aligned with some of these 
practices, providing direction on the roles of various entities and 
their responsibilities in achieving minimum levels of protection and 
acceptable levels of risk. Specifically, the 2010 standards hold 
promise for positioning the federal government to begin 
comprehensively assessing risks with its requirement for documenting 
building-specific security decision making. The 2010 standards' 
prescription that risk assessments be used early in all new lease 
acquisitions is significant because it could provide the impetus for 
agencies to examine and allocate the resources needed for implementing 
early risk assessments, in particular for leases under 10,000 square 
feet. In contrast, the standards' lack of discussion on working with 
lessors is notable, given the significant role these entities have in 
implementing countermeasures that could mitigate risks from public 
access, particularly in common areas, such as lobbies and loading 
docks. Guidance to tenant agencies, leasing officials, and security 
officials on how to work with lessors, such as best practices, would 
give helpful direction as these entities work together to secure 
common areas and protect leased space. 

Recommendation for Executive Action: 

To enhance the value of ISC standards for addressing challenges with 
protecting leased space, we recommend that the Secretary of Homeland 
Security instruct the Executive Director of the ISC, in consultation, 
where appropriate, with ISC member agencies to: 

(1) establish an ISC working group or other mechanism to determine 
guidance for working with lessors, which may include best practices to 
secure common areas and public access, and: 

(2) subsequently incorporate these findings into a future ISC standard 
or other product, as appropriate. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to DHS, GSA, VA, USDA, and DOJ for 
review and comment. DHS concurred with our recommendation and GSA, VA, 
USDA, and DOJ provided technical comments, which we incorporated as 
appropriate. DHS's comments are contained in Appendix I. 

We will send copies of this report to the Secretary of Homeland 
Security, FPS Director of DHS, the Administrator of GSA, the Secretary 
of VA, the Secretary of Agriculture, the Attorney General, and 
appropriate congressional committees. In addition, the report will be 
available at no charge on the GAO Web site at [hyperlink, 
http://www.gao.gov]. 

If you have any questions about this report, please contact me at 
(202) 512-2834 or goldsteinm@gao.gov. Contact points for our Offices 
of Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix II. 

Signed by: 

Mark L. Goldstein: 
Director: 
Physical Infrastructure: 

[End of section] 

Appendix I: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

August 30, 2010: 

Mr. Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Goldstein: 

Subject: Draft Report GAO-10-873, Building Security: New Federal 
Standards Hold Promise, But Could Be Strengthened to Better Protect 
Leased Space (Job Code 543237): 

Thank you for the opportunity to review and comment on the above-
referenced draft report. 

DHS recognizes the work GAO did to analyze agency documents, consult 
prior work on Federal real property and physical security, and 
interview various Federal officials. We appreciate your team's 
professionalism in conducting this review and willingness to discuss 
various aspects of the Interagency Security Committee (ISC) Compendium 
of Standards. Provided below are our responses to the recommendations 
made in the report. 

Recommendation 1: Establish an ISC working group or other mechanism to 
determine guidance for working with lessors, which may include best 
practices to secure common areas and public access. 

Response: Concur. The ISC will address this recommendation at the 
September 17, 2010, meeting, The Future of Federal Protection: the 
Interagency Security Committee Security Summit. 

Recommendation 2: Subsequently incorporate these findings into a 
future ISC standard or other product, as appropriate. 

Response: Concur. The ISC will address this recommendation at the 
September 17, 2010, meeting, The Future of Federal Protection: the 
Interagency Security Committee Security Summit. 

We appreciate the opportunity to comment on this draft report, and we 
look forward to working with you on future homeland security issues. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO-OIG Liaison Office: 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, David E. Sausville, Assistant 
Director; Delwen Jones; Susan Michal-Smith; Sara Ann Moessbauer; 
Meghan Squires; Kyle Stetler; and Friendly Vang-Johnson made key 
contributions to this report. 

[End of section] 

Footnotes: 

[1] This amount includes space that GSA leased on behalf of the 
Department of Defense (DOD), Army, Air Force, and Navy. For the 
purposes of this report, we defined "domestic" or "domestically held" 
leased space as being in the United States and U.S. territories. 

[2] Federal agencies can also be assigned space within assets already 
owned by GSA, for which FPS also provides physical security services. 
For the purposes of this report, our use of the term "GSA-acquired" 
with regard to leased space excludes space in GSA-owned buildings and 
refers only to space leased by GSA in facilities owned by nonfederal 
lessors. 

[3] Following the 1995 Oklahoma City bombing, Executive Order 12977 
called for the creation of an interagency security committee to 
address the quality and effectiveness of physical security 
requirements for federal facilities by developing and evaluating 
security standards. DHS, Interagency Security Committee Security 
Standards for Leased Space, (Washington, D.C., September 2004). 

[4] DHS, Physical Security Criteria for Federal Facilities; An 
Interagency Security Committee Standard. (Washington, D.C., April 
2010). 

[5] GAO, Homeland Security: Further Actions Needed to Coordinate 
Federal Agencies' Facility Protection Efforts and Promote Key 
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] 
(Washington D.C.: Nov. 30, 2004). 

[6] H.R. Rep. No. 110-207, at 62-63 (2007). 

[7] For the purposes of this report, "security officials" include FPS 
law enforcement security officers (who are also called inspectors), 
GSA physical security specialists, and/or tenant agencies' in-house 
physical security specialists. 

[8] Predominant use is the main type of activity for which a facility 
is used, such as laboratory, barracks, office, warehouse, etc. Each 
leased space is defined by one predominant use. 

[9] In 1995, DOJ issued the DOJ Vulnerability Assessment of Federal 
Facilities, which set criteria for categorizing federal office 
facilities into five security levels (i.e., facility security levels, 
ranging from level I which is the lowest risk level to level V which 
is the highest risk level). As discussed later in this report, in 
2008, ISC issued the Facility Security Level Determinations for 
Federal Facilities which superseded the DOJ standards for setting 
facility security levels. We excluded level V facilities, which are 
the highest risk level facilities, from our analysis because there are 
very few such facilities in leased space. 

[10] For the purposes of this report, a "sole tenant facility" is 
defined as a facility that is leased solely by the federal government 
and a "multitenant facility" is a facility in which some space is 
leased by federal government agencies and other space is leased by 
nonfederal tenants. 

[11] 40 U.S.C. § 585. 

[12] This amount includes space that GSA leased on behalf of the DOD, 
Army, Air Force, and Navy. 

[13] Federal agencies must rely on GSA to lease space on their behalf 
unless they have their own independent real estate leasing authority 
or have received delegated authority from GSA, as discussed in 
footnote 14. For example, VA has independent leasing authority to 
acquire space for medical facilities under 38 U.S.C. § 8103. 

[14] Under 40 U.S.C. § 121 the GSA Administrator is authorized to 
delegate its authority under the act which would include its real 
estate leasing authority. This authority allows agencies to perform 
all functions necessary to acquire leased space, including procurement 
and administering, managing, and enforcing the leases. For example, 
according to USDA officials, USDA uses delegated leasing authority as 
summarized within the GSA Federal Management Regulation Bulletin 2008 
B-1. 

[15] These figures were obtained from the Office of Management and 
Budget which uses this data in order to compile the Federal Real 
Property Profile as directed under Executive Order 13327. These 
figures exclude GSA-acquired leases. 

[16] In addition to the delegated leasing authority as previously 
discussed, agencies are also allowed to request delegations of 
security authority under 41 CFR 102-72.95, which authorizes the 
assistant regional GSA administrator to grant this delegation so long 
as "the requesting agency demonstrates a compelling need for the 
delegated authority and the delegation is not inconsistent with the 
authorities of any other law enforcement agency." We have previously 
reported that since FPS's transfer to DHS, GSA has deferred to DHS for 
security delegations. See GAO, General Services Administration: 
Improvements Needed in Managing Delegated Authority of Real Property 
Activities, [hyperlink, http://www.gao.gov/products/GAO-07-1000] 
(Washington, D.C.: Sept. 5, 2007). Under 41 CFR 102-81.10, federal 
agencies on federal property under the charge and control of GSA that 
have been delegated security authority from DHS, must provide for the 
security and protection of the real estate they occupy, including the 
protection of persons within the property. 

[17] According to DHS, this fee is currently estimated to remain the 
same through fiscal year 2010 and 2011. 

[18] According to the Facility Security Level Determinations for 
Federal Facilities, a facility security level determination is made on 
the basis of a facility's mission criticality, symbolism, population, 
size, and threats to the tenant agency. Additionally, "the facility 
security level may be raised or lowered one level at the discretion of 
the deciding authority based on intangible factors" such as the 
duration of occupancy or the proximity to a highly attractive 
neighboring facility. ISC, Facility Security Level Determinations for 
Federal Facilities, an Interagency Security Committee Standard, 
(Washington, D.C., Mar. 10, 2008). 

[19] For the purposes of this report, we refer to all risk assessments 
that occur before a lease is signed, for example risk assessments 
conducted during or in association with the market survey or prelease 
assessment, as "early risk assessments." 

[20] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[21] For the purposes of this report, "leasing officials" include both 
tenant agencies' in-house leasing officials as well as GSA leasing 
officials, unless specifically stated otherwise. 

[22] According to some GSA officials, including physical security 
requirements within SFOs may result in fewer numbers of lessors 
participating in the solicitation process and dampen competition. 
Nevertheless, we believe that by identifying and including such 
requirements early in the leasing process, tenant agencies would 
receive bids that more appropriately respond to their security needs. 

[23] According to the 2008 Facility Security Level Determinations for 
Federal Facilities, facility size is a factor used to determine a 
facility's security level. Facility size and other factors--including 
mission criticality, symbolism, facility population, threat to tenant 
population and facility size--are examined and a point value assigned. 
The sum of all points for all factors determines a facility's 
preliminary security level. Higher square footages correspond with 
higher points which correspond with higher facility security levels. 
While spaces less than 10,000 square feet may represent low risk using 
this point system, these spaces constitute a larger portion of GSA's 
leased space portfolio. 

[24] FPS is in the process of implementing previous GAO 
recommendations related to enhancing its allocation of resources. As 
previously reported, FPS has been continuously shifting staffing level 
goals and experienced delays in training all newly hired law 
enforcement security officers. Such challenges, if unaddressed, could 
limit the resources available for FPS to conduct early risk 
assessments on spaces less than 10,000 square feet in the future. To 
facilitate effective strategic management of FPS' workforce, we 
previously recommended that FPS develop a long-term strategic human 
capital plan that addresses key principles for effective strategic 
workforce planning. See GAO, Homeland Security: Federal Protective 
Service Should Improve Human Capital Planning and Better Communicate 
with Tenants, [hyperlink, http://www.gao.gov/products/GAO-09-749] 
(Washington, D.C.: July 30, 2009). A long-term strategic human capital 
plan would allow FPS to manage its current and future workforce needs, 
aligning its personnel to meet programmatic goals and helping FPS to 
better serve its customers. 

[25] The absence of this data may impact FPS's ability to develop its 
human capital plan. A strategic human capital plan relies on 
performance measurement data to identify, manage, and allocate 
resources to meet workload demands. 

[26] We use the term "common areas" to refer to publicly accessible 
locations or interior public spaces, such as elevator lobbies, 
building corridors, restrooms, stairwells, loading docks, and the 
building perimeter. In contrast, interior areas are defined as space 
inside a building that is controlled or occupied by the government. 

[27] In comparison, in federally owned space, the federal government 
is generally better able to mitigate such threats because it has 
control over common areas. 

[28] Other GSA officials reported that GSA controls common areas in 
some facilities where they lease space, if these areas are included 
within the lease agreement. These GSA officials also stated that GSA 
may petition DOJ under 40 U.S.C. § 3113 to condemn a common area in 
order to obtain control of the area, though it has rarely done so. 
GSA's standard SFO template indicates that GSA will have the right to 
employ certain public access screening measures, if GSA occupies 90 
percent or more of the building's space. 

[29] The 2010 standards will be used for a validation period of 24 
months. According to the ISC Executive Director, the 2010 standards 
will be subject to validation studies, which may result in the 
standards being revised in 2012. A report based on the 2-year trial 
period will be included in the final version of the 2010 standards. 
During this trial period, ISC members will begin implementing the 2010 
standards and propose to ISC any needed changes. In the first 6 months 
of the trial period, DHS, ISC, and volunteers from ISC working groups 
will be testing implementation of the standards at facilities within 
the National Capital Region. Based on these tests, the group will 
create a template that will then be distributed to all member 
agencies. Member agencies will have 1 year to implement the standards, 
and collect data using this template from a sample of their 
facilities. They will then provide the template data to ISC. 

[30] The 2010 standards refer to the entity that performs risk 
assessments as the "security organization," which they define as "the 
government agency or an internal agency component responsible for 
physical security for the specific facility." For the purposes of this 
report, we refer to these entities as security officials. 

[31] We have previously reported tenant agencies may be ill equipped 
for decision making around countermeasures because of the limited 
physical security expertise of their officials and information-sharing 
challenges. See GAO, Homeland Security: The Federal Protective Service 
Faces Several Challenges That Hamper Its Ability to Protect Federal 
Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683] 
(Washington, D.C.: June 11, 2008) and GAO, Homeland Security: Greater 
Attention to Key Practices Would Improve the Federal Protective 
Service's Approach to Facility Protection, GAO-10-142 (Washington, 
D.C.: Oct. 23, 2009). ISC recently began to develop guidance for 
tenant agencies to address such issues, as part of its standard on 
facility security committees, which are comprised of representatives 
from each tenant agency in federal facilities and exist in some leased 
space. 

[32] The 2010 standards were developed following ISC's determination 
that one approach should be followed in applying security standards 
and that security requirements should be driven by the security needs 
of the federal tenants occupying the space rather than the 
characterization of the space as leased or owned. As previously 
discussed, the 2004 standards had been developed in response to the 
perceived need for security standards that could be applied 
specifically to leased space. 

[33] However, in 2004 we reported that ISC's actions to ensure 
compliance and oversee implementation of its physical security 
standards had been limited. In June 2010, ISC officials confirmed to 
us that this remains the case. According to ISC officials, it is 
neither feasible nor desirable for ISC to "police" the implementation 
of its standards. 

[34] The Director of the Central Intelligence Agency may provide an 
exemption if he or she determines that compliance would jeopardize 
sources and methods. 

[35] GSA and FPS's review of the MOA is ongoing and there is no 
deadline for its completion. 

[36] DHS ISC, ISC Best Practices for Safe Mail Handling (Washington, 
D.C., 2007). Available at: [hyperlink, 
http://www.dhs.gov/xlibrary/assets/isc_safe_mail_handling-2007.pdf]. 
ISC maintains 5 standing subcommittees: Steering Subcommittee, 
Standards Subcommittee, Technology Best Practices Subcommittee, 
Convergence Subcommittee, and Training Subcommittee. 

[End of section] 
