This is the accessible text file for GAO report number GAO-10-873 entitled 'Building Security: New Federal Standards Hold Promise, But Could Be Strengthened to Better Protect Leased Space' which was released on September 22, 2010. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Subcommittee on Financial Services and General Government, Committee on Appropriations, House of Representatives: United States Government Accountability Office: GAO: September 2010: Building Security: New Federal Standards Hold Promise, But Could Be Strengthened to Better Protect Leased Space: GAO-10-873: GAO Highlights: Highlights of GAO-10-873, a report to the Subcommittee on Financial Services and General Government, Committee on Appropriations, House of Representatives. Why GAO Did This Study: The federal government’s reliance on leased space underscores the need to physically secure this space and help safeguard employees, visitors, and government assets. In April 2010 the Interagency Security Committee (ISC), comprised of 47 federal agencies and departments and chaired by the Department of Homeland Security (DHS), issued Physical Security Criteria for Federal Facilities (the 2010 standards) which supersede previous ISC standards. In response to Congress’ direction to review ISC standards for leased space, this report (1) identifies challenges that exist in protecting leased space and (2) examines how the 2010 standards address these challenges. To conduct this work, GAO analyzed agency documents and interviewed federal officials from ISC, four federal departments selected as case studies based on their large square footage of leased space, and the Federal Protective Service (FPS). GAO also consulted prior work on federal real property and physical security, including key practices in facility protection. What GAO Found: Limited information about risks and the inability to control common areas and public access pose challenges to protecting leased space. Leasing officials do not always have the information needed to employ a risk management approach for allocating resources—a key practice in facility protection. Early risk assessments—those conducted before a lease is executed—can provide leasing officials with valuable information; however, FPS, which is the General Service Administration’s (GSA) physical security provider, generally does not perform these assessments for leased space under 10,000 square feet— which constitutes a majority of GSA’s leases. Under its memorandum of agreement (MOA) with GSA, FPS is not expected to perform these assessments and does not have the resources to do so. Another challenge in protecting leased space is tenant agencies’ lack of control over common areas (such as elevator lobbies, loading docks, and the building’s perimeter) which hampers their ability to mitigate risk from public access to leased space. In leased space, lessors, not tenant agencies, typically control physical security in common areas. To implement measures to counter risks in common areas, tenant agencies must typically negotiate with and obtain consent from lessors, who may be unwilling to implement countermeasures because of the potential burden or undue effect on other, nonfederal tenants. For example, tenant agencies in a high-risk, multitenant leased facility we visited have been unable to negotiate changes to the common space, including the installation of X-ray machines and magnetometers, because the lessor believed that the proposed countermeasures would inconvenience other tenants and the public. The 2010 standards show potential for addressing some challenges with leased space. These standards align with some key practices in facility protection because they prescribe a decision making process to determine, mitigate, and accept risks using a risk management approach. Further, by requiring that decision making be tracked and documented, the standards facilitate performance measurement that could help enable agency officials to determine if the most critical risks are being prioritized and mitigated. With its emphasis on the uniform use of early risk assessments, the 2010 standards provide a baseline requirement for agencies to consider as they develop protocols and allocate resources for protecting leased space. For example, GSA and FPS must now consider this requirement, which represents an expansion of the services currently expected of FPS, as they renegotiate their MOA. In contrast, a shortfall within the 2010 standards is that they offer little means for addressing tenant agencies’ lack of control over common areas and public access. While the 2010 standards outline specific countermeasures for addressing public access, they lack in-depth discussion and guidance—such as best practices—that could provide a framework for working with lessors to implement these countermeasures. Given the critical role that lessors play, such guidance is warranted. As the government’s central forum for exchanging information on facility protection, ISC is well positioned to develop and share this guidance. What GAO Recommends: GAO recommends that DHS instruct ISC to establish a working group or other mechanism to determine guidance for working with lessors, and to incorporate this guidance into a future ISC standard or other product, as appropriate. DHS concurred with the report’s recommendation. View [hyperlink, http://www.gao.gov/products/GAO-10-873] or key components. For more information, contact Mark Goldstein at (202) 512- 2834 or goldsteinm@gao.gov. [End of section] Contents: Letter: Background: Limited Risk Information and Lack of Control Over Common Areas and Public Access Pose Challenges to Protecting Leased Space: The 2010 Standards Show Potential for Addressing Some Challenges with Leased Space: Conclusions: Recommendation for Executive Action: Agency Comments and Our Evaluation: Appendix I: Comments from the Department of Homeland Security: Appendix II: GAO Contact and Staff Acknowledgments: Figures: Figure 1: Key Practices in Facility Protection: Figure 2: Portions of GSA-acquired leases over and under 10,000 square feet: Figure 3: General Depiction of Leased Space and Common Areas: Abbreviations: DEA: Drug Enforcement Agency: DHS: Department of Homeland Security: DOJ: Department of Justice: FBI: Federal Bureau of Investigation: FPS: Federal Protective Service: GSA: General Service Administration: ISC: Interagency Security Committee: MOA: memorandum of agreement: SFO: solicitation for offers: USDA: Department of Agriculture: VA: Department of Veterans Affairs: [End of section] United States Government Accountability Office: Washington, DC 20548: September 22, 2010: The Honorable José E. Serrano: Chairman: The Honorable Jo Ann Emerson: Ranking Member: Subcommittee on Financial Services and General Government: Committee on Appropriations: House of Representatives: In fiscal year 2009, the federal government leased domestically more than 253 million square feet of space with large portions leased by nonmilitary agencies including the General Services Administration (GSA), Department of Veterans Affairs (VA), Department of Agriculture (USDA), and Department of Justice (DOJ).[Footnote 1] GSA acts as the lead leasing agency, and leased the majority of this space on behalf of various federal agencies.[Footnote 2] The Federal Protective Service (FPS), in the Department of Homeland Security (DHS), is responsible for the security of GSA-acquired leased space. Other federal agencies--such as VA, USDA, and DOJ--acquire and provide physical security services for leased space, as well. The federal government's reliance on leasing has increased in recent years, underscoring the need for physical security to safeguard the employees, visitors, and government assets in leased space. Like with privately leased space, federally leased space faces threats such as theft, vandalism, and trespass. And, like federally owned space, federally leased space can be a target for acts of terrorism, violence, and destruction. A recent string of high-profile incidents, including shootings at the entrance to the Pentagon and at a Las Vegas federal courthouse as well as the intentional crash of a small airplane into an Internal Revenue Service office, demonstrate the dangerous nature of risks faced by federal employees in federal buildings and leased space. In 2004, the Interagency Security Committee (ISC), which has representation from all major federal departments and agencies, issued Security Standards for Leased Space (hereafter referred to as the 2004 standards), establishing physical security standards for federally leased space.[Footnote 3] These standards were recently superseded in April 2010 by ISC's Physical Security Criteria for Federal Facilities (hereafter referred to as "the 2010 standards"), which were intended to make security an integral part of the operations, planning, design, construction, renovation, or acquisition of federal facilities--whether in owned or leased space.[Footnote 4] In addition, we have identified in our prior work key practices in facility protection, including allocation of resources using a risk management approach.[Footnote 5] This report responds to House Report No. 110-207 that directed us to assess the "2004 standards" for protecting leased space.[Footnote 6] Based on discussions with your staff and in light of the recently issued 2010 standards, this report (1) identifies challenges that exist in protecting leased space and (2) examines how the 2010 standards address these challenges. To identify challenges in protecting leased space, we conducted case studies of four agencies and reviewed our prior work on facility protection. We selected GSA, VA, USDA, and DOJ as case studies based on their large square footage of leased spaces. As part of our case study analyses, we analyzed internal policies relevant to physical security and leasing and interviewed headquarters and field officials from GSA, FPS, VA, USDA, and DOJ responsible for physical security and leasing. For example, we analyzed the memorandum of agreement (MOA) between GSA and DHS and GSA data on its leased space inventory to determine the expectations for FPS performing early risk assessments. We administered a data collection instrument among officials responsible for physical security and also conducted 15 site visits to facilities leased by our case study agencies. We toured each leased space site and collected documents, when available, that contained site-specific information on security risks. At each site, we interviewed the tenant agency official(s) with primary responsibility for security or another designated official. At some sites, we also interviewed the security official responsible for the protecting the space and the lessor.[Footnote 7] We selected our sites to include a range of predominant use types,[Footnote 8] security levels,[Footnote 9] sole and multitenant facilities,[Footnote 10] geographic locations, and also considered the opinions of GSA officials. We corroborated the quantitative and qualitative data from our case study agencies and found the data sufficiently reliable for our purposes. The findings from our case studies and site visits exemplify physical security challenges in leased space, but cannot be generalized to challenges facing all federal government lessees. Additionally, we considered key practices in facility protection, as identified in our prior work, including allocating security resources using risk management, leveraging the use of security technology, coordinating protection efforts and sharing information with other stakeholders, measuring program performance and testing security initiatives, aligning assets to mission, and strategically managing human capital. To examine how the 2010 standards address challenges that exist in protecting leased space, we conducted a comparative analysis of the 2010 standards to the challenges we identified, as well as to the 2004 standards. We also interviewed officials from ISC about the chief differences between the 2004 and the 2010 standards. We reviewed our prior work on GSA and DHS's MOA and analyzed how the 2010 standards were applicable to their renegotiation of the MOA. We also interviewed agency officials from VA, USDA, and DOJ to determine the impact of the 2010 standards on efforts underway at their agencies. We performed our work from July 2009 to September 2010 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Background: Real property is generally defined as facilities, land, and anything constructed on or attached to land. The federal government leases real property (referred to in this report as leased space) for a variety of purposes including office spaces, warehouses, laboratories, and housing. Agencies and Relevant Laws: As the federal government's landlord, GSA designs, builds, manages, and safeguards buildings to support the needs of other federal agencies. GSA is authorized to enter into lease agreements with tenant agencies for up to 20 years that the Administrator of GSA considers to be in the interest of the federal government and necessary to accommodate a federal agency.[Footnote 11] GSA uses its authority to lease space for many federal government agencies, and in fiscal year 2009 acquired more than 182 million square feet, the most leased space of any federal agency.[Footnote 12] In response to our 2005 recommendation and to enhance coordination with the FPS, GSA established the Building Security and Policy Division within the Public Buildings Service. The division developed the Regional Security Network, which consists of several security officials for each of GSA's 11 regions, to further enhance coordination with FPS at the regional and building levels and to carry out GSA security policy in collaboration with FPS and tenant agencies. Some agencies have independent[Footnote 13] or delegated leasing authority[Footnote 14] which allow the agency to perform all necessary functions to acquire leased space without using GSA. In fiscal year 2009, VA, USDA, and DOJ, using GSA-delegated and/or independent leasing authority, leased a total of approximately 30 million of square feet to help meet their varying missions.[Footnote 15] Specifically, * VA leased approximately 10 million square feet and has a large inventory of real property, including medical centers, outpatient facilities, and ambulatory care clinics. * USDA leased approximately 17 million square feet. USDA uses leased space to administer programs which assist farmers and rural communities, oversee the safety of meat and poultry, provide low- income families access to nutritious food, and protect the nation's forests, among other things. * DOJ leased approximately 3 million square feet. DOJ is comprised of about 40 component agencies with wide-ranging missions, such as the U.S. Attorneys' Offices, Drug Enforcement Agency (DEA), and the Federal Bureau of Investigation (FBI). The Homeland Security Act of 2002 established DHS to centralize the federal government's efforts to prevent and mitigate terrorist attacks within the United States--including terrorism directed at federal facilities. Under the act, FPS was transferred from GSA to DHS. [Footnote 16] As of October 2009, FPS is organized within DHS's National Protection and Programs Directorate. FPS is the primary federal agency responsible for protecting and securing GSA facilities, visitors, and over 1 million federal employees across the country. FPS's basic security services include patrolling the building perimeter, monitoring building perimeter alarms, dispatching law enforcement officers through its control centers, conducting criminal investigations, and performing facility security assessments. FPS also provides building-specific security services, such as controlling access to building entrances and exits and checking employees and visitors. FPS is a fully reimbursable agency--that is, its services are fully funded by security fees collected from tenant agencies. FPS charges each tenant agency a basic security fee per square foot of space occupied in a GSA building (66 cents per square foot in fiscal year 2009), among other fees.[Footnote 17] ISC, established in 1995 by Executive Order 12977 after the bombing of the Alfred P. Murrah federal building in Oklahoma City, has representation from all the major property-holding agencies and a range of governmentwide responsibilities related to protecting nonmilitary facilities. These responsibilities generally involve developing policies and standards, ensuring compliance, and encouraging the exchange of security-related information. Executive Order 12977 called for each executive agency and department to cooperate and comply with the policies and recommendations of the Committee. DHS became responsible for chairing ISC, which, as of 2007, is housed in the Office of Infrastructure Protection within DHS's National Protection and Programs Directorate. Executive Order 13286, which amended Executive Order 12977, calls for the Secretary of DHS to monitor federal agency compliance with the standards issued by ISC. The 2004 standards, in conjunction with the Facility Security Level Determinations for Federal Facilities--which ISC issued in 2008 to update standards issued by DOJ in 1995--prescribed administrative procedures and various countermeasures for perimeter, entry, and interior, and, as well as blast and setbacks for leased spaces based upon five different facility security levels ranging between levels I and V, with level I being the lowest risk level and level V being the highest.[Footnote 18] The 2004 standards were specifically developed in response to a perceived need for security standards that could be applied in a leased space environment. The Facility Security Level Determinations for Federal Facilities and its precursors established the criteria and process for determining the security level of a facility which serves as the basis for implementing the countermeasures prescribed within other ISC standards, including the 2004 standards. According to the 2004 standards, when an agency is seeking a new lease, a security official should determine the security level of the leased space based on an early risk assessment,[Footnote 19] which is performed prior to entering into a new lease. Requirements based on the designated facility security level, as outlined within the standards, are to be incorporated into a solicitation for offers (SFO), which is sent to potential lessors, as minimum requirements. These minimum requirements must be met, with the exception of blast and setback requirements in existing buildings. Potential lessors who are unwilling or unable to meet the requirements are deemed nonresponsive according to the standards and eliminated from the SFO process. After a lease is entered into, the Facility Security Level Determinations for Federal Facilities states that risk assessments, such as facility security assessments (FSA), be conducted on a periodic and timely basis, with the facility security level being determined or adjusted as part of each risk assessment. Specifically, risk assessments are to be conducted every 5 years for facilities classified as facility security level I or II, and every 3 years for facilities classified as facility security level III, IV, or V. Key Practices in Facility Protection: We have previously identified, from the collective practices of federal agencies and the private sector, a set of key facility protection practices that provide a framework for guiding agencies' physical security efforts and addressing challenges.[Footnote 20] Key facility protection practices as shown in figure 1 include the following: * Information sharing and coordination establishes a means of communicating information with other government entities and the private sector to prevent and respond to security threats. * Allocating resources using risk management involves identifying potential threats, assessing vulnerabilities, identifying the assets that are most critical to protect in terms of mission and significance, and evaluating mitigation alternatives for their likely effect on risk and their cost. * Aligning assets to mission can reduce vulnerabilities by reducing the number of assets that need to be protected. * Strategic human capital management ensures that agencies are well equipped to recruit and retain high-performing security staff. * Leveraging technology supplements other countermeasures with technology in a cost-effective manner. * Performance measurement and testing evaluates efforts against broader program goals and ensures that they are met on time and within budgeting constraints. Figure 1: Key Practices in Facility Protection: [Refer to PDF for image: illustration] Information sharing and coordination; Allocating resources using risk management; Aligning assets to mission; Leveraging technology; Performance measurement and testing; Strategic human capital management. Source: GAO. [End of figure] Limited Risk Information and Lack of Control Over Common Areas and Public Access Pose Challenges to Protecting Leased Space: [See PDF for image] [End of figure] Leasing Officials Sometimes Lack the Information Needed to Employ a Risk Management Approach: Before a lease is signed, early risk assessments can help agencies allocate resources using a risk management approach, a key practice of facility protection. Through early risk assessments, security officials are able to collect key information about potential spaces, security risks, and needed countermeasures, which help leasing officials,[Footnote 21] in turn, identify the most appropriate space to lease and negotiate any needed countermeasures.[Footnote 22] Leasing officials primarily rely on security officials to supply information on physical security requirements for federally leased space. Some tenant agencies are able to supply leasing officials with key prelease information because they have developed the security expertise to conduct their own early risk assessments. For example, DEA has its own in-house security officials who work with leasing officials to conduct risk assessments early in the leasing process. This helps leasing officials assess risk and obtain space specific to DEA's security needs. Similarly, VA has created internal policy manuals that describe agency security requirements which help guide leasing and security officials on how to assess risk and obtain appropriate space. These manuals are circulated to VA leasing, facilities, and security officials, and GSA leasing officials are made familiar with VA's physical security requirements early in the leasing process for GSA-acquired space. Additionally, VA currently budgets $5 per net usable square foot for physical building security and sustainability requirements into all of its leases. At one site, VA officials are in the early stages of identifying space needs for the relocation of a community-based outpatient clinic. VA leasing officials and security officials, among others, are collaborating on decisions that integrate security with the function of the outpatient clinic that will help ensure funds are available to finance the security requirements. Despite the in-house expertise of some tenant agencies, leasing officials sometimes do not have the information they need to allocate resources using a risk management approach before a lease is signed because early risk assessments are not conducted for all leased space. Early risk assessments are absent for a significant portion of the GSA- acquired leased space portfolio because FPS does not uniformly conduct these assessments for spaces under 10,000 square feet--which constitute 69 percent of all GSA leases (see figure 2). While FPS is expected under the MOA to uniformly conduct early risk assessments for GSA-acquired space greater than or equal to 10,000 square feet, FPS and GSA officials agree that FPS is not expected to conduct early risk assessments for spaces under 10,000 square feet unless it has the resources to do so.[Footnote 23] Figure 2: Portions of GSA-acquired leases over and under 10,000 square feet: [Refer to PDF for image: pie-chart] Percentage of GSA-acquired leases less than 10,000 square feet: FPS is not expected to conduct early risk assessments: 69%; Percentage of GSA-acquired leases greater than or equal to 10,000 square feet: FPS is expected to perform early risk assessments: 31%. Source: GAO analysis of GSA fiscal year 2009 data. Note: The total number of leases used for this analysis is 10,480. This excludes leases that GSA acquired on behalf of DOD, Army, Air Force, and Navy and leases that did not have an assigned square footage. [End of figure] As we have previously reported, FPS faces funding and workforce challenges, which may limit the resources available to conduct early risk assessments on spaces under 10,000 square feet. Further, FPS may lack incentive for prioritizing early risk assessments on smaller spaces, given that it receives payment on a square footage basis only after a lease has been signed. Currently, the cost of early risk assessments is distributed across all tenant agencies. We are examining FPS's fee structure as part of our ongoing work in the federal building security area. According to FPS officials, FPS generally does not have enough time to complete early risk assessments on spaces less than 10,000 square feet, in part because GSA has requested early risk assessments too late or too close to the time when a site selection must be made. [Footnote 24] A GSA official involved with physical security stated that even when GSA gives FPS proper lead time, early risk assessments are still sometimes not conducted by FPS. For example, in October 2009, GSA requested FPS conduct an early risk assessment for a leased space under 10,000 square feet within 8 months. One week prior to the June 2010 deadline, GSA was still unsure if an FPS inspector had been assigned and if a risk assessment had been or would be conducted. Because FPS did not keep centralized records of the number of early risk assessments requested by GSA or completed by FPS in fiscal year 2009, we were unable to analyze how often early risk assessments are requested and the percentage of requested assessments that FPS completes.[Footnote 25] Leasing and security officials from our case study agencies agreed they are best able to negotiate necessary countermeasures before a lease is executed. Because of the immediate costs associated with relocating, after a tenant agency moves in, it may be forced to stay in its current leased space, having to accept unmitigated risk (if countermeasures cannot be negotiated) or expend additional time and resources to put countermeasures in place (and negotiate supplemental lease agreements) once a lease has been signed. For example, a DEA leasing official stated that relocation is often not a viable solution given costs, on average, of between $10 and $12 million to find and move an office to a new space. Furthermore, at one of our site visits, DEA officials have been working to install a costly fence--a DEA physical security requirement for this location that was originally planned as part of the built-to-suit facility, but canceled because of a lack of funds. According to DEA officials, now that DEA has acquired funding for the fence, they have been negotiating for more than a year with GSA and the lessor to receive supplemental lease agreements, lessor's design approval, and resolve issues over the maintenance and operation of the fence. According to DEA officials, fence construction is expected to commence in January 2011. Tenant Agencies' Lack of Control Over Common Areas in Leased Space Can Hamper Their Ability to Mitigate Risks: Balancing public access with physical security and implementing security measures in common areas of federally leased space are major challenges. The public visits both owned and leased federal facilities for government services, as well as for other business transactions. In leased space, the number and range of people accessing these buildings can be large and diverse, and building access is generally less restricted than in owned space. Fewer access restrictions and increased public access heighten the risk of violence, theft, and other harm to federal employees and the public. In leased space, it can be more difficult to mitigate risks associated with public access because tenant agencies typically do not control common areas, which are usually the lessor's responsibility, particularly in multitenant buildings. Common areas, as shown in figure 3, can include elevator lobbies, building corridors, restrooms, stairwells, loading docks, the building perimeter, and other areas. [Footnote 26] Figure 3: General Depiction of Leased Space and Common Areas: [Refer to PDF for image: illustration] The illustration is a floor plan, depicting the following: Common areas: Building entrance; Unrestricted lobby; Elevators; Corridor; Public bathrooms; Loading dock; Building perimeter (including roof). Leased space: Commercial business; Federal agency. Source: GAO. [End of figure] FSAs can identify countermeasures to address risks with public access, but FSA recommendations can be difficult to implement because tenant agencies must negotiate all changes with the lessor. Lessors may resist heightened levels of security in common areas--such as restricted public access--because of the potential adverse effect on other tenants in the building. For example, a multitenant facility security level IV building we visited, housing the United States Forest Service among other federal agencies, experienced difficulty installing X-ray machines and magnetometers in the main lobby. The lessor deemed these proposed countermeasures inconvenient and disruptive for some other tenants, including two commercial businesses located on the ground floor--a daycare center and a sundries shop--and for the public. Because the livelihood of these businesses depends on pedestrian traffic and because federal tenant agencies did not lease the lobby, per se, the lessor resisted having additional security countermeasures in place that would restrict public access. While some tenant agency officials at our site visits stated that lessors were responsive to security needs in common areas, other tenant agency officials we spoke with said that negotiating security enhancements to common areas with lessors is a problem that can lead to a lack of assurance that security risks and vulnerabilities are being mitigated.[Footnote 27] A regional GSA official involved with physical security stated that because GSA and tenant agencies do not control common areas in buildings where they lease space, it can be challenging to secure loading docks, hallways, and corridors.[Footnote 28] Another regional GSA official involved with physical security stated that tenant agencies do what they can by implementing countermeasures in their own leased space rather than in common areas, for example, by regulating access at the entrances to leased space rather than at the building entrances. At one site, a FBI official indicated that by relocating to a new leased space, FBI, as the sole tenant, would be able to better control common areas and public access. Overall, the negative effects of these challenges are significant because GSA, FPS, and tenant agencies can be poorly positioned to implement the practices that we have identified as key to protecting the physical security of leased spaces. Tenant agencies that are unable to identify and address vulnerabilities may choose space poorly, misallocate resources, and be limited in their ability to implement effective countermeasures. Furthermore, when tenant agencies are unable to allocate resources according to identified vulnerabilities, they may also be unable to employ the other key practices in facility protection. For example, tenant agencies may not be able to leverage technology to implement the most appropriate countermeasures if it requires a presence in common areas that are not under the control of the federal tenant. The 2010 Standards Show Potential for Addressing Some Challenges with Leased Space: The 2010 Standards' Focus on Decision Making and Documentation Aligns with Some Key Facility Protection Practices: In April 2010, ISC issued the Physical Security Criteria for Federal Facilities, also known as the 2010 standards.[Footnote 29] These standards define a decision-making process for determining the security measures required at a facility. According to the standards, it is critical that departments and agencies recognize and integrate the process as part of the real property acquisition process (i.e., leasing process) in order to be most effective. The 2010 standards provide in-depth descriptions of the roles of security officials who conduct and provide early risk assessments,[Footnote 30] the tenant agency, and the leasing agency (e.g., GSA) and also define each entity's respective responsibilities for implementing the standards' decision-making process. For example, the 2010 standards state that: * Tenant agencies are the decision maker as to whether to fully mitigate or accept risk. Tenant agencies must either pay for the recommended security measures and reduce the risk, or accept the risk and live with the potential consequences.[Footnote 31] * Leasing officials will determine how additional countermeasures will be implemented or consider expanding the delineated area, in conjunction with the tenant agency, during the leasing acquisition process. * Security officials are responsible for identifying and analyzing threats and vulnerabilities, and recommending appropriate countermeasures. Once a credible and documented risk assessment has been presented to and accepted by the tenant agency, the security official is not liable for any future decision to accept risk. The 2010 standards align with some key practices in facility protection because these standards focus on allocating resources using a risk management approach and measuring performance. As previously discussed, having information on risks and vulnerabilities allows tenant agencies to maximize the impact of limited resources and assure that the most critical risks are being prioritized and mitigated. Likewise, performance measurement, via tracking and documentation of decision making, can help agencies to determine the effectiveness of security programs and establish accountability at the individual facility level. By allocating resources using a risk management approach and measuring performance, tenant agencies and the federal government will be better positioned to comprehensively and strategically mitigate risk across the entire portfolio of real property. Allocating resources using a risk management approach is a central tenet of the 2010 standards. The 2010 standards prescribe a decision- making process to determine the risk posed to a facility (level of risk), the commensurate scope of security (level of protection) needed, and the acceptance of risk when countermeasures will not be implemented or implemented immediately. Like the 2004 standards, the 2010 standards outline a minimum set of physical security countermeasures for a facility based on the space's designated facility security level. The 2010 standards allow for this level of protection to be customized to address site specific conditions in order to achieve an acceptable level of risk. The 2004 standards allowed for some countermeasures to be unmet due to facility limitations, building owner acceptance, lease conditions, and the availability of adequate funds, but required a plan for moving to security compliant space in the future in such instances. According to the 2004 standards, these exemptions allowed agencies to obtain the best security solution available when no compliant space was available. According to the ISC Executive Director, the 2004 standards were, in effect, lower standards because of the operational considerations given to leased space.[Footnote 32] The Executive Director said that the 2010 standards correct this weakness by focusing on decision making that can lead to an acceptable level of protection and risk through a variety of means, rather than a standard that simply prescribes a fixed set of countermeasures that can then be circumvented by exemptions as in the 2004 standards. Additionally, the 2010 standards emphasize documentation of the decision-making process--a cornerstone for performance measurement. The 2004 standards required agencies to provide written justification for exceeding the standard and documentation of the limiting conditions that necessitated agencies to go below the standard. The 2010 standards more explicitly state that "the project documentation must clearly reflect the reason why the necessary level of protection cannot be achieved. It is extremely important that the rationale for accepting risk be well documented, including alternate strategies that are considered or implemented, and opportunities in the future to implement the necessary level of protection." More specifically, the 2010 standards state that any decision to reject implementation of countermeasures outright or defer implementation due to cost (or other factors) must be documented, including the acceptance of risk in such circumstances and that tenant agencies should retain documents pertinent to these decisions, such as risk assessments. The ISC Executive Director stated that after the standards are fully implemented, the federal government will be able to accurately describe the state of federal real property and physical security. For each facility, there will be documentation--a "final building report"-- containing information on physical security decision making, including the costs of implementing countermeasures. Each agency will be able to assess their entire portfolio of real property by aggregating these final building reports to determine the overall status and cost of physical security. These reports will be able to demonstrate the federal government's level of protection against potential threats, according to the executive director. We agree that if the standards succeed in moving agencies to track and document such information at a building level, then tenant agency, leasing, and security officials will be better able to determine if the most critical risks are being prioritized and mitigated across an entire real property portfolio and to determine the gaps and efficacy of agency-level security programs. [Footnote 33] ISC Standards Could Spur Agencies to Allocate the Resources Necessary for Early Risk Assessment: Early risk assessments are key initial steps in the decision-making process prescribed by the 2010 standards. The standards contain a direct call for risk assessments to be conducted and used early in the leasing process. The standards prescribe the following: * Prospective tenant agencies will receive information regarding whether the level of protection can be achieved in a delineated area. * Security officials will conduct risk assessments and determine facility security levels early to determine required countermeasures that leasing officials should include within SFOs. * Security officials will evaluate the proposed security plans of potential lessors responding to the SFOs and update the risk assessment on offers in the competitive range to identify threats and vulnerabilities for the specific properties and recommend any additional security measures to tenant agencies and leasing officials. The 2004 standards outlined more broadly that the initial facility security level should be determined by a security official based on a risk assessment and that those potential lessors who are unwilling or unable to meet the standard be considered unresponsive to the SFO. The 2010 standards also make no distinction or exemptions to the requirement for early risk assessments of leased space, based on a space's square footage or any other wholesale factor.[Footnote 34] Like the 2004 standards, the 2010 standards apply to all buildings and facilities in the United States occupied by federal employees for nonmilitary activities. Further, according to the 2010 standards, each executive agency and department shall comply with the policies and recommendations prescribed by the standards. Given this, the 2010 standards' language on early risk assessments, as previously discussed, should encourage agencies to perform and use these assessments in leased space--including spaces under 10,000 square feet. Specifically, language within the standards directing agencies to uniformly perform and use early risk assessments as part of the prescribed decision-making process is useful, because it provides a baseline for agencies to consider as they develop protocols and allocate resources for protecting leased space. Since leased space for nonmilitary activities acquired by GSA is subject to ISC standards, and FPS provides security services for GSA- acquired leased space, it is up to both agencies to figure out how to meet the 2010 standards in light of available resources. However, as previously discussed, FPS already faces resource and other challenges in conducting these early risk assessments. Given these current challenges, it will likely be difficult for FPS to meet the 2010 standards, which would necessitate an expansion of the services FPS is expected to perform under the current MOA. In October 2009, we reported that FPS and GSA recognized that the MOA renegotiation can serve as an opportunity to discuss service issues and develop mutual solutions.[Footnote 35] Both FPS and GSA officials reported that the delivery of early risk assessments was being reviewed as part of the MOA. As part of the MOA renegotiations, GSA's Regional Security Network developed a flowchart to expressly show the need for FPS services, such as early risk assessments. According to FPS officials, one of the goals of the MOA is to clarify how early and from whom GSA officials ought to request these risk assessments from FPS. Other agencies will also have to consider how they will meet the 2010 standards' requirement for early risk assessments. VA and USDA have efforts underway to further standardize their leasing guidance which represent opportunities for doing just this. According to VA officials, VA will review and update its leasing and security manuals to reflect the 2010 standards and is currently assessing what other additional revisions to these manuals may be warranted. VA can now incorporate the 2010 standards' baseline decision-making process for its leasing and security officials, which would help support the use of early risk assessments. USDA is also modifying a department-level leasing handbook to incorporate the 2010 standards, since leasing officials can play a significant role in physical security in the leasing process, particularly given the limited number of security officials within USDA. Additionally, USDA is considering realigning its few security officials to report to a department-level office (rather than be organized under each agency) in order to maximize available resources for performing such things as risk assessments. According to officials from agencies within VA and USDA, department- level direction is a valuable resource that leasing officials rely on for determining what activities must be undertaken during the leasing process. ISC Standards Lack Guidance for Working with Lessors: A shortfall within the 2010 standards is that they do not fully address the challenge of not controlling common areas and public access in leased space. Though the standards speak to tenant agencies, leasing officials, and security officials about their various roles and responsibilities in implementing the standard, the 2010 standards lack in-depth discussion for these entities about how to work with lessors to implement countermeasures. The 2010 standards outline specific countermeasures for addressing public access as part of protecting a facility's entrance and interior security, such as signage, guards, and physical barriers. Similar to the 2004 standards, the 2010 standards acknowledge that the ability to implement security countermeasures is dependent on lessors. Nevertheless, like the 2004 standards, there is little discussion on ways for tenant agencies, leasing officials, and security officials to work with or otherwise leverage lessors, which in our view is a significant omission given that implementing countermeasures can depend largely on lessors' cooperation. Given the critical role that lessors play, guidance for tenant agencies, leasing officials, and security officials--such as best practices--from ISC could be helpful for agencies as they attempt to meet the baseline level of protection prescribed within the 2010 standards for protecting leased space. Best practices comprise the collective practices, processes, and systems of leading organizations, including federal agencies and the private sector. Best practices can provide agencies, though diverse and complex, with a framework for meeting similar mission goals, such as facility protection. Guidance on working with lessors could suggest such practices as the inclusion of clauses within SFOs and lease agreements that obligate lessors to a level of protection in common areas as defined in ISC standards (i.e., deemed necessary by tenant agencies, in conjunction with security officials, as the result of FSAs conducted after a lease is executed). Currently, GSA standard leasing templates contain language stipulating that lessors must provide a level of security that reasonably prevents unauthorized entry during nonduty hours and deters loitering or disruptive acts in and around leased space. Prior to the execution of the lease, leasing officials and tenant agencies could also negotiate or stipulate a cost-sharing structure with lessors in the event that future countermeasures are needed. For example, GSA standard leasing templates already reserve that right of the government to temporarily increase security in the building under lease, at its own expense and with its own personnel during heightened security conditions due to emergency situations. A best practice could be that such existing language regarding common areas and the implementation of security countermeasures be articulated and linked to ISC standards more definitively within SFO and leasing agreements. This could provide tenant agencies, leasing officials, and security officials the leverage necessary for compelling lessors to allow or cooperatively implement security countermeasures in common areas in order to mitigate risks from public access. As the government's central forum for exchanging information and guidance on facility protection, ISC is well positioned to develop and share best practices. ISC has the capacity to create a working group or other mechanism to address this gap in its 2010 standards. ISC has previously developed best practices in physical security issues, and one of its five standing subcommittees is focused on developing best practices related to technology.[Footnote 36] Officials from our case study agencies reported that their agencies use ISC guidance and standards in developing policies and protocols for physical security and leasing. Moreover, we have reported that previous ISC standards have been viewed as useful in communicating increased physical security needs to private owners and involving them directly in the process of security program development for their buildings. Conclusions: Federal agencies continue to rely on leased space to meet various missions, but the limited use of early risk assessments and a lack of control over common areas present challenges to protecting this space. Though all risks can never be completely predicted or eliminated, it is imperative to address these challenges because they leave GSA, FPS, and tenant agencies poorly positioned to implement key practices in facility protection, such as allocating resources using a risk management approach, leveraging technology, and measuring performance. As the government-wide standard for protecting nonmilitary federal facilities, the 2010 standards are aligned with some of these practices, providing direction on the roles of various entities and their responsibilities in achieving minimum levels of protection and acceptable levels of risk. Specifically, the 2010 standards hold promise for positioning the federal government to begin comprehensively assessing risks with its requirement for documenting building-specific security decision making. The 2010 standards' prescription that risk assessments be used early in all new lease acquisitions is significant because it could provide the impetus for agencies to examine and allocate the resources needed for implementing early risk assessments, in particular for leases under 10,000 square feet. In contrast, the standards' lack of discussion on working with lessors is notable, given the significant role these entities have in implementing countermeasures that could mitigate risks from public access, particularly in common areas, such as lobbies and loading docks. Guidance to tenant agencies, leasing officials, and security officials on how to work with lessors, such as best practices, would give helpful direction as these entities work together to secure common areas and protect leased space. Recommendation for Executive Action: To enhance the value of ISC standards for addressing challenges with protecting leased space, we recommend that the Secretary of Homeland Security instruct the Executive Director of the ISC, in consultation, where appropriate, with ISC member agencies to: (1) establish an ISC working group or other mechanism to determine guidance for working with lessors, which may include best practices to secure common areas and public access, and: (2) subsequently incorporate these findings into a future ISC standard or other product, as appropriate. Agency Comments and Our Evaluation: We provided a draft of this report to DHS, GSA, VA, USDA, and DOJ for review and comment. DHS concurred with our recommendation and GSA, VA, USDA, and DOJ provided technical comments, which we incorporated as appropriate. DHS's comments are contained in Appendix I. We will send copies of this report to the Secretary of Homeland Security, FPS Director of DHS, the Administrator of GSA, the Secretary of VA, the Secretary of Agriculture, the Attorney General, and appropriate congressional committees. In addition, the report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you have any questions about this report, please contact me at (202) 512-2834 or goldsteinm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix II. Signed by: Mark L. Goldstein: Director: Physical Infrastructure: [End of section] Appendix I: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: August 30, 2010: Mr. Mark L. Goldstein: Director, Physical Infrastructure Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Goldstein: Subject: Draft Report GA0-10-873, Building Security: New Federal Standards Hold Promise, But Could he Strengthened to Better Protect Leased Space (Job Code 543237): Thank you for the opportunity to review and comment on the above- referenced draft report. DHS recognizes the work GAO did to analyze agency documents, consult prior work on Federal real property and physical security, and interview various Federal officials. We appreciate your team's professionalism in conducting this review and willingness to discuss various aspects of the Interagency Security Committee (ISC) Compendium of Standards. Provided below are our responses to the recommendations made in the report. Recommendation 1: Establish an ISC working group or other mechanism to determine guidance for working with lessors, which may include best practices to secure common areas and public access. Response: Concur. The 1SC will address this recommendation at the September 17, 2010, meeting, The Future of Federal Protection: the Interagency Security Committee Security Summit. Recommendation 2: Subsequently incorporate these findings into a future ISC standard or other product, as appropriate. Response: Concur. The ISC will address this recommendation at the September 17, 2010, meeting, The Future of Federal Protection: the Interagency Security Committee Security Summit. We appreciate the opportunity to comment on this draft report, and we look forward to working with you on future homeland security issues. Sincerely, Signed by: Jerald E. Levine: Director: Departmental GAO-OIG Liaison Office: [End of section] Appendix II: GAO Contact and Staff Acknowledgments: GAO Contact: Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: Staff Acknowledgments: In addition to the contact named above, David E. Sausville, Assistant Director; Delwen Jones; Susan Michal-Smith; Sara Ann Moessbauer; Meghan Squires; Kyle Stetler; and Friendly Vang-Johnson made key contributions to this report. [End of section] Footnotes: [1] This amount includes space that GSA leased on behalf of the Department of Defense (DOD), Army, Air Force, and Navy. For the purposes of this report, we defined "domestic" or "domestically held" leased space as being in the United States and U.S. territories. [2] Federal agencies can also be assigned space within assets already owned by GSA, for which FPS also provides physical security services. For the purposes of this report, our use of the term "GSA-acquired" with regard to leased space excludes space in GSA-owned buildings and refers only to space leased by GSA in facilities owned by nonfederal lessors. [3] Following the 1995 Oklahoma City bombing, Executive Order 12977 called for the creation of an interagency security committee to address the quality and effectiveness of physical security requirements for federal facilities by developing and evaluating security standards. DHS, Interagency Security Committee Security Standards for Leased Space, (Washington, D.C., September 2004). [4] DHS, Physical Security Criteria for Federal Facilities; An Interagency Security Committee Standard. (Washington, D.C., April 2010). [5] GAO, Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] (Washington D.C.: Nov. 30, 2004). [6] H.R. Rep. No. 110-207, at 62-63 (2007). [7] For the purposes of this report, "security officials" include FPS law enforcement security officers (who are also called inspectors), GSA physical security specialists, and/or tenant agencies' in-house physical security specialists. [8] Predominant use is the main type of activity for which a facility is used, such as laboratory, barracks, office, warehouse, etc. Each leased space is defined by one predominant use. [9] In 1995, DOJ issued the DOJ Vulnerability Assessment of Federal Facilities, which set criteria for categorizing federal office facilities into five security levels (i.e., facility security levels, ranging from level I which is the lowest risk level to level V which is the highest risk level). As discussed later in this report, in 2008, ISC issued the Facility Security Level Determinations for Federal Facilities which superseded the DOJ standards for setting facility security levels. We excluded level V facilities, which are the highest risk level facilities, from our analysis because there are very few such facilities in leased space. [10] For the purposes of this report, a "sole tenant facility" is defined as a facility that is leased solely by the federal government and a "multitenant facility" is a facility in which some space is leased by federal government agencies and other space is leased by nonfederal tenants. [11] 40 U.S.C. § 585. [12] This amount includes space that GSA leased on behalf of the DOD, Army, Air Force, and Navy. [13] Federal agencies must rely on GSA to lease space on their behalf unless they have their own independent real estate leasing authority or have received delegated authority from GSA, as discussed in footnote 14. For example, VA has independent leasing authority to acquire space for medical facilities under 38 U.S.C. § 8103. [14] Under 40 U.S.C. § 121 the GSA Administrator is authorized to delegate its authority under the act which would include its real estate leasing authority. This authority allows agencies to perform all functions necessary to acquire leased space, including procurement and administering, managing, and enforcing the leases. For example, according to USDA officials, USDA uses delegated leasing authority as summarized within the GSA Federal Management Regulation Bulletin 2008 B-1. [15] These figures were obtained from the Office of Management and Budget which uses this data in order to compile the Federal Real Property Profile as directed under Executive Order 13327. These figures exclude GSA-acquired leases. [16] In addition to the delegated leasing authority as previously discussed, agencies are also allowed to request delegations of security authority under 41 CFR 102-72.95, which authorizes the assistant regional GSA administrator to grant this delegation so long as "the requesting agency demonstrates a compelling need for the delegated authority and the delegation is not inconsistent with the authorities of any other law enforcement agency." We have previously reported that since FPS's transfer to DHS, GSA has deferred to DHS for security delegations. See GAO, General Services Administration: Improvements Needed in Managing Delegated Authority of Real Property Activities, [hyperlink, http://www.gao.gov/products/GAO-07-1000] (Washington, D.C.: Sept. 5, 2007). Under 41 CFR 102-81.10, federal agencies on federal property under the charge and control of GSA that have been delegated security authority from DHS, must provide for the security and protection of the real estate they occupy, including the protection of persons within the property. [17] According to DHS, this fee is currently estimated to remain the same through fiscal year 2010 and 2011. [18] According to the Facility Security Level Determinations for Federal Facilities, a facility security level determination is made on the basis of a facility's mission criticality, symbolism, population, size, and threats to the tenant agency. Additionally, "the facility security level may be raised or lowered one level at the discretion of the deciding authority based on intangible factors" such as the duration of occupancy or the proximity to a highly attractive neighboring facility. ISC, Facility Security Level Determinations for Federal Facilities, an Interagency Security Committee Standard, (Washington, D.C., Mar. 10, 2008). [19] For the purposes of this report, we refer to all risk assessments that occur before a lease is signed, for example risk assessments conducted during or in association with the market survey or prelease assessment, as "early risk assessments." [20] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [21] For the purposes of this report, "leasing officials" include both tenant agencies' in-house leasing officials as well as GSA leasing officials, unless specifically stated otherwise. [22] According to some GSA officials, including physical security requirements within SFOs may result in fewer numbers of lessors participating in the solicitation process and dampen competition. Nevertheless, we believe that by identifying and including such requirements early in the leasing process, tenant agencies would receive bids that more appropriately respond to their security needs. [23] According to the 2008 Facility Security Level Determinations for Federal Facilities, facility size is a factor used to determine a facility's security level. Facility size and other factors--including mission criticality, symbolism, facility population, threat to tenant population and facility size--are examined and a point value assigned. The sum of all points for all factors determines a facility's preliminary security level. Higher square footages correspond with higher points which correspond with higher facility security levels. While spaces less than 10,000 square feet may represent low risk using this point system, these spaces constitute a larger portion of GSA's leased space portfolio. [24] FPS is in the process of implementing previous GAO recommendations related to enhancing its allocation of resources. As previously reported, FPS has been continuously shifting staffing level goals and experienced delays in training all newly hired law enforcement security officers. Such challenges, if unaddressed, could limit the resources available for FPS to conduct early risk assessments on spaces less than 10,000 square feet in the future. To facilitate effective strategic management of FPS' workforce, we previously recommended that FPS develop a long-term strategic human capital plan that addresses key principles for effective strategic workforce planning. See GAO, Homeland Security: Federal Protective Service Should Improve Human Capital Planning and Better Communicate with Tenants, [hyperlink, http://www.gao.gov/products/GAO-09-749] (Washington, D.C.: July 30, 2009). A long-term strategic human capital plan would allow FPS to manage its current and future workforce needs, aligning its personnel to meet programmatic goals and helping FPS to better serve its customers. [25] The absence of this data may impact FPS's ability to develop its human capital plan. A strategic human capital plan relies on performance measurement data to identify, manage, and allocate resources to meet workload demands. [26] We use the term "common areas" to refer to publicly accessible locations or interior public spaces, such as elevator lobbies, building corridors, restrooms, stairwells, loading docks, and the building perimeter. In contrast, interior areas are defined as space inside a building that is controlled or occupied by the government. [27] In comparison, in federally owned space, the federal government is generally better able to mitigate such threats because it has control over common areas. [28] Other GSA officials reported that GSA controls common areas in some facilities where they lease space, if these areas are included within the lease agreement. These GSA officials also stated that GSA may petition DOJ under 40 U.S.C. § 3113 to condemn a common area in order to obtain control of the area, though it has rarely done so. GSA's standard SFO template indicates that GSA will have the right to employ certain public access screening measures, if GSA occupies 90 percent or more of the building's space. [29] The 2010 standards will be used for a validation period of 24 months. According to the ISC Executive Director, the 2010 standards will be subject to validation studies, which may result in the standards being revised in 2012. A report based on the 2-year trial period will be included in the final version of the 2010 standards. During this trial period, ISC members will begin implementing the 2010 standards and propose to ISC any needed changes. In the first 6 months of the trial period, DHS, ISC, and volunteers from ISC working groups will be testing implementation of the standards at facilities within the National Capital Region. Based on these tests, the group will create a template that will then be distributed to all member agencies. Member agencies will have 1 year to implement the standards, and collect data using this template from a sample of their facilities. They will then provide the template data to ISC. [30] The 2010 standards refer to the entity that performs risk assessments as the "security organization," which it defines as "the government agency or an internal agency component responsible for physical security for the specific facility." For the purposes of this report, we refer to these entities as security officials. [31] We have previously reported tenant agencies may be ill equipped for decision making around countermeasures because of the limited physical security expertise of their officials and information-sharing challenges. See GAO, Homeland Security: The Federal Protective Service Faces Several Challenges That Hamper Its Ability to Protect Federal Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683] (Washington, D.C.: June 11, 2008) and GAO, Homeland Security: Greater Attention to Key Practices Would Improve the Federal Protective Service's Approach to Facility Protection, GAO-10-142 (Washington, D.C.: Oct. 23, 2009). ISC recently began to develop guidance for tenant agencies to address such issues, as part of its standard on facility security committees, which are comprised of representatives from each tenant agency in federal facilities and exist in some leased space. [32] The 2010 standards were developed following ISC's determination that one approach should be followed in applying security standards and that security requirements should be driven by the security needs of the federal tenants occupying the space rather than the characterization of the space as leased or owned. As previously discussed, the 2004 standards had been developed in response to the perceived need for security standards that could be applied specifically to leased space. [33] However, in 2004 we reported that ISC's actions to ensure compliance and oversee implementation of its physical security standards had been limited. In June 2010, ISC officials confirmed to us that this remains the case. According to ISC officials, it is neither feasible nor desirable for ISC to "police" the implementation of its standards. [34] The Director of the Central Intelligence Agency may provide an exemption if he or she determines that compliance would jeopardize sources and methods. [35] GSA and FPS's review of the MOA is ongoing and there is no deadline for its completion. [36] DHS ISC, ISC Best Practices for Safe Mail Handling. (Washington, D.C., 2007). Available at: [hyperlink, http://www.dhs.gov/xlibrary/assets/isc_safe_mail_handling-2007.pdf]. ISC maintains 5 standing subcommittees: Steering Subcommittee, Standards Subcommittee, Technology Best Practices Subcommittee, Convergence Subcommittee, and Training Subcommittee. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: