This is the accessible text file for GAO report number GAO-12-37 
entitled 'Maritime Security: Coast Guard Should Conduct Required 
Inspections of Offshore Energy Infrastructure' which was released on 
October 28, 2011. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 

Report to Congressional Requesters: 

October 2011: 

Maritime Security: 

Coast Guard Should Conduct Required Inspections of Offshore Energy 
Infrastructure: 

GAO-12-37: 

GAO Highlights: 

Highlights of GAO-12-37, a report to congressional requesters. 

Why GAO Did This Study: 

Congressional interest in the security of offshore energy 
infrastructure has increased because of the lives lost and the 
substantial damages that resulted from the Deepwater Horizon incident 
in April 2010. The U.S. Coast Guard--a component of the Department of 
Homeland Security (DHS)--is the lead federal agency for maritime 
security, including the security of offshore energy infrastructure. 
The Coast Guard oversees two main types of offshore energy 
infrastructure--facilities on the Outer Continental Shelf (OCS) and 
deepwater ports. GAO was asked to examine (1) Coast Guard actions to 
ensure the security of OCS facilities and what additional actions, if 
any, are needed; (2) Coast Guard actions to ensure the security of 
deepwater ports and what additional actions, if any, are needed; and 
(3) what limitations in oversight authority, if any, the Coast Guard 
faces in ensuring the security of offshore energy infrastructure. GAO 
reviewed Coast Guard documents, such as inspection records, and 
relevant laws and regulations and interviewed Coast Guard inspectors 
and officials, including those at Coast Guard headquarters and the two 
Coast Guard districts that oversee all OCS facilities and deepwater 
ports that are subject to security requirements. 

What GAO Found: 

The Coast Guard has taken actions to address the security of OCS 
facilities (that is, facilities regulated for security pursuant to 33 
C.F.R. part 106), but could improve its process for managing security 
inspections. For example, the Coast Guard developed a security plan 
for the Gulf of Mexico, in which all 57 OCS facilities are located, 
and it reviews security plans developed by the owners and operators of 
OCS facilities. It has also issued guidance, which states that Coast 
Guard personnel should conduct security inspections of OCS facilities 
annually, but has conducted about one-third of these inspections from 
2008 through 2010. Further, the Coast Guard does not have procedures 
in place to ensure that its field units conduct these inspections. 
Consequently, the Coast Guard may not be meeting one of its stated 
goals of reducing the risk and mitigating the potential results of an 
act that could threaten the security of personnel, the OCS facility, 
the environment, and the public. The Coast Guard also faces challenges 
in summarizing inspection results. Specifically, its database for 
storing inspection data has limitations that make it difficult to 
determine if security inspections were conducted. For example, there 
is no data field to identify OCS facilities, which makes it difficult 
to readily analyze whether required inspections were conducted. By 
addressing some of these challenges, Coast Guard managers could more 
easily use the data as a management tool to inform decision making. 

The Coast Guard has also taken actions to ensure the security of the 
four deepwater ports, but opportunities exist for improvement. The 
Coast Guard’s actions to ensure the security of deepwater ports are 
similar to actions it has taken to ensure the security of OCS 
facilities. For example, Coast Guard security plans address security 
at deepwater ports, and the Coast Guard also reviews security plans 
developed by the owners and operators of the deepwater ports. However, 
Coast Guard guidance for deepwater ports does not call for annual 
security inspections, and it has conducted only one security 
inspection at a deepwater port from 2008 through 2010. Coast Guard 
officials said that the Coast Guard plans to begin annual security 
inspections of deepwater ports in recognition of the risk of a 
transportation security incident. However, limitations in the Coast 
Guard’s inspection database and lack of guidance available to database 
users may complicate the Coast Guard’s management and oversight of 
inspections at deepwater ports. For example, the data field for 
deepwater ports has been incorrectly applied to other types of 
infrastructure and some deepwater ports are recorded under multiple 
names. Unless the Coast Guard addresses these database limitations and 
issues updated guidance to database users, it will be difficult for 
the Coast Guard to verify that the deepwater ports are complying with 
applicable maritime security requirements. 

The Coast Guard has limited authority regarding the security of mobile 
offshore drilling units (MODU) registered to foreign countries, such 
as the Deepwater Horizon. The Coast Guard is taking action, though, to 
gain a fuller understanding of the security risks associated with 
MODUs by conducting a study to help determine whether additional 
actions could better ensure the security of offshore energy 
infrastructure in the Gulf of Mexico, including MODUs. 

What GAO Recommends: 

GAO recommends that the Coast Guard develop policies or guidance to 
ensure that (1) annual security inspections are conducted at OCS 
facilities and (2) information entered into its database for both OCS 
facilities and deepwater ports is more useful for management. DHS and 
the Coast Guard concurred with these recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-12-37] or key 
components. For more information, contact Stephen L. Caldwell at (202) 
512-9610 or caldwells@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

Coast Guard Could Further Ensure the Security of OCS Facilities by 
Improving Its Process for Managing Security Inspections: 

Actions Are Needed to Further Ensure the Security of Deepwater Ports: 

Coast Guard Has Limited Authority over the Security of MODUs 
Registered to Foreign Countries: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Status of Action Items from National Level Exercise 2009: 

Appendix III: Comments from the Department of Homeland Security: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Security Inspections Required and Conducted of OCS 
Facilities, 2008 through 2010: 

Table 2: Security Inspections Required and Conducted of OCS 
Facilities, by Type, 2008 through 2010: 

Table 3: Status of Action Items Resulting from National Level Exercise 
2009: 

Figures: 

Figure 1: OCS Facility in the Gulf of Mexico: 

Figure 2: Types of OCS Facilities and Deepwater Ports and the 
Applicable Security Related Regulations: 

Figure 3: Coast Guard Security Requirements Applicable to MODUs 
Operating in U.S. Federal Waters: 

Figure 4: Aftermath of the Explosion of the Deepwater Horizon Drilling 
Unit in the Gulf of Mexico, April 2010: 

Abbreviations: 

BOEMRE: Bureau of Ocean Energy Management, Regulation and Enforcement: 

BSEE: Bureau of Safety and Environmental Enforcement: 

DHS: Department of Homeland Security: 

ISPS Code: International Ship and Port Facility Security Code: 

LNG: Liquefied Natural Gas: 

LOOP: Louisiana Offshore Oil Port: 

MARSEC Level: Maritime Security Level: 

MISLE: Marine Information for Safety and Law Enforcement: 

MODU: mobile offshore drilling unit: 

MTSA: Maritime Transportation Security Act of 2002: 

NLE: National Level Exercise: 

NVIC: Navigation and Vessel Inspection Circular: 

OCS: Outer Continental Shelf: 

SAFE Port Act: Security and Accountability For Every Port Act of 2006: 

TSA: Transportation Security Administration: 

TWIC: Transportation Worker Identification Credential: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

October 28, 2011: 

Congressional Requesters: 

The explosion of the Deepwater Horizon in April 2010 resulted in 11 
deaths, serious injuries, and the largest oil spill in the history of 
the United States. The spill resulted in widespread and substantial 
environmental consequences and had an adverse impact on workers and 
businesses, with an estimated cost to compensate for these damages 
totaling billions of dollars. While the explosion was not the result 
of a breakdown in security procedures or a terrorist attack, other 
countries have experienced attacks by terrorists or other criminals on 
offshore energy infrastructure--facilities that produce, transport, or 
receive oil and natural gas. For example, attacks on oil facilities in 
the Niger River Delta in Africa have occurred in the last several 
years. Further, in 2004, a terrorist attack on an offshore oil 
terminal in Iraq using speedboats packed with explosives killed two 
U.S. Navy sailors and a U.S. Coast Guardsman. Domestically, offshore 
energy infrastructure may be an attractive target to terrorists given 
the importance of oil and natural gas to the nation's economy and 
security. In May 2011, the Department of Homeland Security (DHS) 
issued a press statement that intelligence information showed that 
throughout 2010 there was continuing interest by members of al Qaeda 
in targeting oil tankers and commercial oil infrastructure at sea. In 
addition, congressional interest in potential attacks on offshore 
energy infrastructure has increased because of the economic and 
environmental damages that resulted from the Deepwater Horizon 
incident. 

The U.S. Coast Guard--a component of DHS--is the lead federal agency 
responsible for maritime security, including the security of offshore 
energy infrastructure. In this role, the Coast Guard seeks to mitigate 
many kinds of security challenges in the maritime environment. Doing 
so is a key part of its overall security mission and a starting point 
for identifying security gaps and taking actions to address them. 
Offshore energy infrastructure presents security challenges because 
some of this infrastructure is located many miles from shore. 

The Maritime Transportation Security Act (MTSA) of 2002--enacted in 
the aftermath of the terrorist attacks of September 11, 2001--
underscored the importance of deterring, preventing, or disrupting a 
terrorist attack on key infrastructure in and around the nation's 
ports and waterways.[Footnote 1] In accordance with MTSA, and its 
implementing regulations, the Coast Guard undertakes efforts to ensure 
maritime security by, among other things, reviewing and approving 
security plans produced by owners and operators of regulated vessels 
and facilities.[Footnote 2] The Security and Accountability For Every 
(SAFE) Port Act of 2006 subsequently amended provisions of MTSA to, 
among other things and subject to the availability of appropriations, 
require verification of the effectiveness of facility security plans 
at least twice a year.[Footnote 3] 

There are two main types of offshore energy infrastructure that the 
Coast Guard oversees for security. The first type of offshore energy 
infrastructure includes facilities that operate on the outer 
continental shelf (OCS) and are generally described as facilities 
temporarily or permanently attached to the subsoil or seabed of the 
OCS that engage in exploration, development, or production of oil, 
natural gas, or mineral resources.[Footnote 4] There are about 3,900 
such facilities, and if a facility of this type meets or exceeds any 
one of three thresholds for production or personnel--(1) producing 
greater than 100,000 barrels of oil a day, (2) producing more than 200 
million cubic feet of natural gas per day, or (3) hosting more than 
150 persons for 12 hours or more in each 24-hour period continuously 
for 30 days or more--it is subject to security requirements in 
accordance with 33 C.F.R. part 106.[Footnote 5] In this report, we 
discuss the 57 facilities regulated for security in accordance with 
part 106 because they met or exceeded these criteria at some point 
from 2008 through 2010. We refer to these facilities as "OCS 
facilities."[Footnote 6] The second type of offshore energy 
infrastructure is called a deepwater port. Deepwater ports fall under 
a different set of regulations than OCS facilities.[Footnote 7] 
Deepwater ports are fixed or floating manmade structures used or 
intended for use as a port or terminal for the transportation, 
storage, or handling of oil or natural gas to any state and include 
the transportation of oil or natural gas from the United States's 
OCS.[Footnote 8] There are currently four licensed deepwater 
ports[Footnote 9]--two in the Gulf of Mexico and two in Massachusetts 
Bay. Unlike OCS facilities, which are involved in the production of 
oil or natural gas, deepwater ports enable tankers to offload oil or 
liquefied natural gas for transport to land by underwater pipelines. 

In partnership with the Coast Guard, owners and operators of offshore 
energy infrastructure also play a key role in securing OCS facilities 
and deepwater ports. For example, working in conjunction with 
appropriate Coast Guard personnel, owners and operators are 
responsible for assessing risks and implementing security measures at 
their facilities. They may assess risks by identifying the 
vulnerabilities of their facilities to possible attack scenarios and, 
in so doing, they identify ways to mitigate vulnerabilities in and 
around their facilities. Owners and operators also have security 
officers that are responsible for carrying out appropriate security 
measures. 

Given the role that the Coast Guard plays in ensuring the security of 
OCS facilities and deepwater ports, we were asked to address the 
following three questions: 

* What has the Coast Guard done to ensure the security of OCS 
facilities, and what additional actions, if any, are needed? 

* What has the Coast Guard done to ensure the security of deepwater 
ports, and what additional actions, if any, are needed? 

* What limitations in oversight authority, if any, does the Coast 
Guard face in ensuring the security of offshore energy infrastructure? 

This report supplements our August 2011 testimony that focused on 
Coast Guard risk assessments of OCS facilities and deepwater ports. 
[Footnote 10] In this report, we focus on Coast Guard security 
inspections of OCS facilities and deepwater ports. 

To address all three objectives in this report, we interviewed 
officials in Coast Guard headquarters in Washington, D.C., and 
district offices in New Orleans, Louisiana, and Boston, Massachusetts, 
about offshore energy infrastructure security because officials in 
these offices are responsible for ensuring the security of OCS 
facilities or deepwater ports.[Footnote 11] In addition, we reviewed 
relevant laws, regulations, and Coast Guard guidelines for ensuring 
the security of OCS facilities and deepwater ports. We also reviewed 
our previous work on Coast Guard efforts to assess security plans and 
to conduct security inspections of shoreside maritime facilities. 
[Footnote 12] 

To address the first question, we visited the Coast Guard's field unit 
in Morgan City, Louisiana, because Coast Guard officials at this 
location are responsible for inspecting the most OCS facilities of any 
unit in the Coast Guard. We also interviewed Coast Guard marine 
inspectors by telephone at Coast Guard field units located in Mobile, 
Alabama; Morgan City, Louisiana; New Orleans, Louisiana; Corpus 
Christi, Texas; Galveston, Texas; and Port Arthur, Texas. We selected 
these offices because they constitute all Coast Guard offices 
responsible for conducting security inspections of OCS facilities. We 
also visited an OCS facility in the Gulf of Mexico to observe security 
measures that had been implemented and to interview the facility 
security officer. We visited this facility because the local Coast 
Guard marine inspectors and the facility's security officer were able 
to accommodate our visit without interrupting operations. We also 
interviewed representatives from two companies that together operate 
18 OCS facilities that are subject to annual security inspections. We 
selected these two companies because they own and operate the most OCS 
facilities in the Gulf of Mexico. We cannot generalize the results of 
our visit and interviews with these representatives to all owners and 
operators of OCS facilities; however, the information we obtained 
provided further insights into the Coast Guard's and owners' and 
operators' efforts to ensure the security of offshore energy 
infrastructure. 

In addition, we interviewed relevant officials and analyzed 
information and data on the National Level Exercise (NLE) 2009--an 
exercise that tested, among other things, the Coast Guard's 
capabilities for preventing a hypothetical terrorist attack on 
offshore energy facilities in the Gulf of Mexico. Regarding NLE 2009, 
we also reviewed data on "action items" resulting from the exercise to 
determine whether corrective actions had been implemented. We assessed 
the reliability of these data by interviewing Coast Guard officials 
who use the data and by reviewing relevant documentation, such as the 
after action report produced by the Coast Guard. We concluded that the 
data were sufficiently reliable for the purpose of assessing action 
items that have not been resolved. For those action items from NLE 
2009 that had not been addressed, we followed up with Coast Guard and 
DHS officials responsible for tracking such action items to verify the 
status of the action items. 

To further address the first question, we analyzed inspection data and 
reports for OCS facilities from 2008 through 2010 from the Coast 
Guard's Marine Information for Safety and Law Enforcement (MISLE) 
database--the database that the Coast Guard uses to, among other 
things, record its inspection results. We also analyzed security 
inspection data for 2011 (through June 24, 2011), but did not report 
on these data because most of the annual security inspections of OCS 
facilities are typically not conducted until the fall. We assessed the 
reliability of these data by interviewing Coast Guard officials who 
use the data and by reviewing relevant documentation. As discussed 
later in this report, we identified some problems with the data and 
worked with Coast Guard officials to address these problems. Appendix 
I has a more detailed discussion on our scope and methodology in 
analyzing the MISLE database. Based on the steps we took to assess 
data reliability, we found the data to be sufficiently reliable for 
the purpose of determining the extent to which the Coast Guard 
conducted security inspections of OCS facilities. We also interviewed 
officials from the Department of the Interior's Bureau of Safety and 
Environmental Enforcement (BSEE), formerly the Bureau of Ocean Energy 
Management, Regulation and Enforcement (BOEMRE), to determine what 
role, if any, BSEE plays in ensuring the security of OCS facilities. 
[Footnote 13] We also reviewed our Standards for Internal Control in 
the Federal Government[Footnote 14] and compared the standards for 
control activities with the Coast Guard's policies and procedures for 
conducting security inspections of OCS facilities and for recording 
inspection results in MISLE. 

To address the second question, we reviewed Coast Guard documents on 
the security of deepwater ports and interviewed owners and operators 
of deepwater ports to discuss their role in the security of their 
facilities. We also visited a deepwater port in the Gulf of Mexico 
called the Louisiana Offshore Oil Port (LOOP) to observe security 
measures that had been implemented and to interview the facility 
security officer. We visited the LOOP because it is the only 
operational deepwater port in the Gulf of Mexico. While we cannot 
generalize our findings from this visit to all deepwater ports, the 
information we obtained provided us with valuable insights about the 
role of facility security officers and Coast Guard efforts to ensure 
the security of such facilities. We also interviewed Coast Guard 
officials responsible for inspecting deepwater ports in Morgan City, 
Louisiana, and Boston, Massachusetts. We selected these locations 
because these are the only Coast Guard units in which there are 
federally regulated deepwater ports. We analyzed inspection data from 
2008 through 2010 for deepwater ports from the Coast Guard's MISLE 
database. We assessed the reliability of these data by interviewing 
Coast Guard officials who use the data and by reviewing relevant 
documentation to ensure its integrity. As discussed later in this 
report, we identified some problems with the data and worked with 
Coast Guard officials to address these problems. On the basis of the 
steps we took to assess data reliability, we found the data to be 
sufficiently reliable for the purpose of determining the extent to 
which the Coast Guard conducted security inspections of deepwater 
ports. We also reviewed Coast Guard policies and procedures for 
ensuring the security of deepwater ports. Further, we reviewed the 
Standards for Internal Control in the Federal Government[Footnote 15] 
and compared the standards for control activities with the Coast 
Guard's policies and procedures for recording inspection results in 
MISLE. 

To address the third question, we reviewed relevant international 
requirements, such as the International Maritime Organization's 
International Ship and Port Facility Security (ISPS) Code and U.S. 
regulations for ensuring the security of OCS facilities, which may 
include mobile offshore drilling units (MODU). We also reviewed 
reports on the Deepwater Horizon incident, including the Coast Guard's 
report[Footnote 16] from the joint investigation it conducted with 
BSEE's predecessor, BOEMRE,[Footnote 17] and a report from the 
National Commission on the BP Deepwater Horizon Oil Spill and Offshore 
Drilling.[Footnote 18] We also discussed international agreements and 
U.S. regulations that apply to OCS facilities and MODUs with Coast 
Guard officials. 

We conducted this performance audit from October 2010 through October 
2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

Background: 

OCS Facilities and Deepwater Ports Are Important and Vulnerable: 

The nation's economy and security are dependent, in part, on domestic 
offshore exploration and production of oil and natural gas. OCS 
facilities play a significant and growing role in domestic production. 
For example, oil production from offshore sources helped offset 
declines in land-based production in recent decades. The OCS is in an 
area of federal jurisdiction that contains an estimated 85 billion 
barrels of oil, more than all onshore resources and those in shallower 
state waters combined (see figure 1 for a photograph of an OCS 
facility in the Gulf of Mexico).[Footnote 19] In addition, the LOOP is 
responsible for transporting to shore about 10 percent of imported oil 
to the United States. 

Figure 1: OCS Facility in the Gulf of Mexico: 

[Refer to PDF for image: photograph] 

Source: GAO. 

[End of figure] 

Offshore production of oil and natural gas is critical in supporting 
businesses, the military, and individuals who rely on a steady supply 
of these resources. In addition, the leasing of offshore lands and the 
collection of royalties on the production of oil and natural gas 
results in billions of dollars in revenue for the federal government. 

Because of their importance to the economy and national security, OCS 
facilities and deepwater ports are possible targets for al Qaeda and 
other groups with malevolent intent. For example, in May 2011, DHS 
issued a press statement that intelligence information showed that 
throughout 2010 there was continuing interest by members of al Qaeda 
in targeting oil tankers and commercial oil infrastructure at sea. In 
addition, other countries have experienced attacks by terrorists or 
criminals. For example, in 2006, Nigerian militants attacked energy 
facilities and abducted foreign oil workers in the oil-rich Niger 
delta. These attacks have continued in recent years and, in August 
2011, the United Nations Security Council expressed concern about the 
attacks. Potential attack methods identified by the Coast Guard or 
owners and operators of offshore energy infrastructure include (1) 
crashing an aircraft into a facility; (2) using a submarine vessel, 
diver, or other means of attacking a facility underwater; (3) ramming 
a facility with a vessel; and (4) sabotage by an employee.[Footnote 20] 

OCS facilities and deepwater ports may be at risk for an attack 
because they are located in open waters and generally are many miles 
away from Coast Guard assets and personnel. For example, owners and 
operators of OCS facilities expressed concern about recreational and 
fishing boats and divers operating near or attempting to attach 
themselves to an OCS facility. Another risk is that many OCS 
facilities do not have personnel on board the facility who can detect 
or report unauthorized incursions. According to Coast Guard officials, 
OCS facilities and deepwater ports are generally not considered to be 
high-risk targets. Rather, Coast Guard officials also noted that OCS 
facilities and deepwater ports are lower risk targets because of their 
remote location and because an attack on them would not likely result in a 
significant disruption of maritime commerce. However, if an incident 
occurs, it would be difficult for the Coast Guard to respond quickly 
because deepwater ports and OCS facilities are generally isolated and 
located many miles from the closest Coast Guard unit. 

Characteristics of OCS Facilities and Deepwater Ports Vary: 

Of the roughly 3,900 offshore facilities on the OCS, from January 1, 
2008, through December 31, 2010, there were 57 facilities which, at 
some point during that period of time, met the production or personnel 
thresholds subjecting them to security requirements. OCS facilities 
generally consist of two different types of facilities: (1) fixed OCS 
facilities and (2) floating OCS facilities. For example, 41 of the OCS 
facilities are fixed OCS facilities that are permanently fixed to the 
sea floor. Of those, 34 are primarily involved in the transportation 
of large volumes of oil or natural gas and are called "transmission 
platforms."[Footnote 21] These facilities, unlike facilities that 
produce oil and natural gas, may not be staffed, but instead may have 
automated operations or could be operated remotely from shore. The 
remaining 16 facilities are floating OCS facilities, which are buoyant 
facilities that are securely moored to the seabed.[Footnote 22] An 
example of such a facility is a floating offshore installation, which 
is a floating structure that is moored to the seafloor in a 
semipermanent manner, to be kept at that location for the primary 
purpose of producing oil and natural gas from wells drilled into the 
sea floor.[Footnote 23] 

Further, we determined there were four deepwater ports in operation 
during the time period covered by our review. Deepwater ports can be 
one of two types: (1) oil deepwater ports and (2) liquefied natural 
gas (LNG) deepwater ports. The LOOP is an oil deepwater port that has 
two above the water fixed platforms in addition to buoys that float on 
the surface, while the remaining three deepwater ports involve an 
underwater buoy system that tankers use to offload LNG and have no 
above the water infrastructure.[Footnote 24] When LNG tankers are not 
using these ports, the ports are not visible above the water. Figure 2 
shows these facilities by type, number of each type from 2008 through 
2010, and the applicable security regulation. 

Figure 2: Types of OCS Facilities and Deepwater Ports and the 
Applicable Security Related Regulations: 

[Refer to PDF for image: illustrated table] 

Type of offshore energy infrastructure: Fixed OCS facility[A]: 
Illustration showing underwater infrastructure: 
Applicable security regulation: 33 C.F.R. part 106; 
Number from 2008 through 2010[D]: 41. 

Type of offshore energy infrastructure: Floating OCS facility[B]: 
Floating offshore installation; 
Illustration showing underwater infrastructure: 
Applicable security regulation: 33 C.F.R. part 106; 
Number from 2008 through 2010[D]: 15. 

Type of offshore energy infrastructure: Floating OCS facility[B]: 
Mobile offshore drilling unit[C]; 
Illustration showing underwater infrastructure: 
Applicable security regulation: 33 C.F.R. part 10; 
Number from 2008 through 2010[D]: 1. 

Type of offshore energy infrastructure: Oil deepwater port; 
Illustration showing underwater infrastructure: 
Applicable security regulation: C.F.R. § 150.15(x); 
Number from 2008 through 2010[D]: 1. 

Type of offshore energy infrastructure: LNG deepwater port; 
Illustration showing underwater infrastructure: 
Applicable security regulation: C.F.R. § 150.15(x); 
Number from 2008 through 2010[D]: 3. 

Sources: U.S. Coast Guard; BOEMRE; GDF Suez Energy North America; 
LOOP, LLC; and GAO. 

[A] A fixed OCS facility is a bottom-founded facility permanently 
attached to the seabed or subsoil of the OCS, including platforms, 
guyed towers and other structures. Fixed OCS facilities include (1) 
production platforms that produce oil and/or natural gas; and (2) 
transmission platforms, whose primary purpose is the pumping, 
maintenance, and/or inspection of transfer pipelines. 

[B] A floating OCS facility is a buoyant facility securely and 
substantially moored so that it cannot be moved without a special 
effort. This term includes tension leg platforms and permanently 
moored semisubmersibles or shipshape hulls, but does not include 
mobile offshore drilling units or other vessels. 

[C] A mobile offshore drilling unit (MODU) is a vessel, other than a 
public vessel of the United States, capable of engaging in drilling 
operations for exploration or exploitation of subsea resources. MODUs 
that are not self (or mechanically) propelled are regulated for 
security under 33 C.F.R. part 106 if they meet or exceed the relevant 
threshold criteria. For the purposes of this report, we refer to such 
MODUs subject to 33 C.F.R. part 106 as floating OCS facilities. 
Self-propelled MODUs are generally regulated for security as vessels 
pursuant to 33 C.F.R. part 104. We describe security regulations over 
MODUs in more detail later in figure 3. 

[D] The number of OCS facilities may change each year based on whether 
a facility continues to meet or exceed the production or personnel 
thresholds, as determined by the Coast Guard. For example, there were 
56 OCS facilities in 2008, 53 OCS facilities in 2009, and 51 OCS 
facilities in 2010. 

[End of figure] 

All OCS facilities, as defined in this report, are located in the Gulf 
of Mexico. Among the four deepwater ports, the LOOP and one LNG 
deepwater port are located in the Gulf of Mexico and the other two LNG 
ports are located offshore in Massachusetts Bay near Boston. During 
the course of our review, the operator of the LNG deepwater port in 
the Gulf of Mexico notified the Coast Guard that it intended to 
decommission the facility. As a result, the rest of this report's 
discussion of deepwater ports will focus on the remaining three 
deepwater ports. 

Multiple Stakeholders Have Responsibility for Security: 

Coast Guard Is the Lead Federal Agency: 

As the lead federal agency for maritime security, the Coast Guard has 
broad responsibilities for ensuring the security of OCS facilities and 
deepwater ports. For example, staff at Coast Guard headquarters 
oversee and develop policies and procedures for field staff to follow 
when conducting security inspections of offshore energy infrastructure 
and to assist affected owners and operators so that they can comply 
with maritime security regulations.[Footnote 25] Such policies and 
procedures offer guidance for (1) reviewing security plans produced by 
owners and operators of OCS facilities and (2) ensuring the security 
of OCS facilities. Among other things, Coast Guard marine inspectors 
in field units are to conduct security inspections of OCS facilities 
and deepwater ports by taking helicopter rides to facilities that can 
range up to 200 miles offshore. Once arriving, inspectors are to 
conduct on-site interviews with facility security officers and observe 
operations to verify whether required security measures are in place. 
As of August 2011, the Coast Guard had about 12 active marine 
inspectors who were qualified to conduct security inspections of OCS 
facilities. These inspectors work out of six field units near the Gulf 
of Mexico. After conducting security inspections of OCS facilities and 
deepwater ports, and in accordance with the guidance, inspectors are 
to record the results of these inspections in the MISLE database. 
Coast Guard marine inspectors are to record information such as any 
deficiencies that were identified and enforcement actions that were 
used to ensure compliance by the owners and operators. In addition to 
recording the results of offshore security inspections in MISLE, Coast 
Guard staff are to record other actions that are not related to 
offshore inspections, such as the results of search and rescue 
missions. 

Owners and Operators Partner with the Coast Guard: 

Owners and operators of OCS facilities and deepwater ports have a 
shared responsibility with the Coast Guard to ensure the security of 
their offshore facilities and ports. For example, owners and operators 
of OCS facilities must carry out measures intended to improve the 
security in and around their facilities.[Footnote 26] These measures 
include designating a company security officer and a facility security 
officer for each OCS facility the company operates. Company and 
facility security officers have responsibilities that include 
reporting security incidents to the National Response Center,[Footnote 
27] submitting facility security plans to the Coast Guard for 
approval, and ensuring their facilities comply with the security 
plans. Among other things, each facility security plan must address 
any vulnerabilities identified through a facility security assessment. 
[Footnote 28] Although not subject to the same security requirements 
as OCS facilities, owners and operators of deepwater ports must 
develop security plans comparable to those required for OCS facilities 
and that address, among other things, risk identification and 
procedures for detecting and deterring terrorist or subversive 
activity.[Footnote 29] 

Coast Guard Could Further Ensure the Security of OCS Facilities by 
Improving Its Process for Managing Security Inspections: 

Coast Guard Actions to Ensure Security: 

The Coast Guard has taken actions to ensure the security of OCS 
facilities in the Gulf of Mexico, within which all OCS facilities are 
presently located. For example, within a greater maritime security 
preparedness program, it established an Area Maritime Security 
Committee for the Gulf of Mexico in 2004. An Area Maritime Security 
Committee is responsible for, among other things, identifying critical 
infrastructure and operations, identifying risks, and providing advice 
to the Coast Guard for developing the Area Maritime Security Plan. The 
Gulf of Mexico Area Maritime Security Committee covers a broad area 
that crosses jurisdictional boundaries of multiple Coast Guard field 
units. Among other things, the Gulf of Mexico committee has 
representatives from stakeholders, such as federal law enforcement, 
state emergency responders, and owners and operators of OCS 
facilities. The committee has taken actions to enhance information 
sharing among stakeholders by holding annual meetings and offering 
training to OCS facility security officers on the command structure 
for responding to a transportation security incident. One of the 
functions of the committee is to contribute to the development of an 
Area Maritime Security Plan, which is discussed in more detail below. 

The Coast Guard, in consultation with the Gulf of Mexico Area Maritime 
Security Committee and relying on information in OCS facility 
security plans, has also developed an Area Maritime Security Plan 
specific to the offshore environment in the Gulf of Mexico.[Footnote 
30] One of the primary objectives of the plan is to provide a 
framework for communication and coordination among stakeholders and 
law enforcement officials and to identify and reduce vulnerabilities 
to security threats in and near the marine transportation system in 
the Gulf of Mexico. For example, the plan specifies security measures 
to be taken at OCS facilities under certain security conditions. 
Furthermore, the plan discusses the broader security environment, 
including security measures at facilities and vessels that are not 
currently regulated with respect to security under part 106, which 
includes fixed transmission platforms or MODUs that do not exceed the 
production or personnel thresholds in part 106, and provides that the 
Coast Guard may consider requiring additional security measures for 
such facilities. 

Additionally, the Coast Guard has conducted exercises and has taken 
corrective action, as appropriate, to strengthen its ability to 
prevent a terrorist attack on OCS facilities. In particular, in July 
2009, the Coast Guard participated in a National Level Exercise (NLE)--
a major exercise that involved multiple agencies, including DHS; the 
Department of Justice; the White House; and other federal, state, and 
local stakeholders--that tested the effectiveness of federal agencies 
in preventing a hypothetical attack on the nation's energy 
infrastructure, including OCS facilities.[Footnote 31] According to 
officials in the Coast Guard's Exercise Policy and Budget Division, 
the Coast Guard's role in this exercise was its most extensive 
involvement in an NLE to that date. To address the lessons learned 
from the exercise, the Coast Guard developed 99 remedial action items 
that were assigned to Coast Guard 
units.[Footnote 32] According to Coast Guard data, 88 of these 99 
action items have been resolved. For example, two field units that 
oversee the Gulf of Mexico clarified procedures for notifying relevant 
stakeholders of changes in risk levels.[Footnote 33] Additionally, the 
Office of the Director of National Intelligence[Footnote 34] has 
established a working group to examine the issue of information 
sharing with the private sector with the aim of finding a balance 
between sharing and securing sensitive information. Actions are being 
taken to address items that are not yet fully resolved. For more 
information about the status of action items from NLE 2009, see 
appendix II. 

All OCS facilities that meet the production and personnel thresholds 
to be regulated for security are required to operate in accordance 
with facility security plans that the Coast Guard has approved. Coast 
Guard officials have reviewed and approved security plans produced by 
owners and operators of all OCS facilities. A Coast Guard port 
security specialist uses a detailed checklist to review the facility 
security plans to ensure that the plans satisfactorily address 
regulatory requirements.[Footnote 35] For example, in reviewing a 
facility security plan, the port security specialist ensures that the 
plan includes provisions to provide security training to OCS facility 
personnel, including full-time and part-time contractors and temporary 
and permanent employees. Upon approval, a facility security plan 
remains valid for 5 years. Facility owners and operators must submit 
updated security plans to the Coast Guard at least every 5 years for 
approval, and regulations also require owners and operators to review 
their plans annually and submit any amendments to the Coast Guard for 
approval. The Coast Guard also undertakes to assess the effectiveness 
of such facility plans by, for example, conducting security 
inspections, as discussed in the next section.[Footnote 36] 

Procedures Are Needed to Ensure OCS Facility Inspections Are Conducted: 

Coast Guard OCS facility guidance[Footnote 37] provides that Coast 
Guard personnel are to conduct security inspections of OCS facilities 
annually, but our analysis of inspections data shows that the Coast 
Guard has not conducted such inspections for most of these OCS 
facilities.[Footnote 38] For example, the Coast Guard conducted about 
one-third of annual inspections of OCS facilities from 2008 through 
2010 (see table 1).[Footnote 39] In 2008 the Coast Guard inspected 7 
of 56 OCS facilities, which was 13 percent of the annual inspections. 
More recently, in 2010, the Coast Guard inspected 23 of 51 OCS 
facilities (45 percent) that the Coast Guard should have inspected. 

Table 1: Security Inspections Required and Conducted of OCS 
Facilities, 2008 through 2010: 

Coast Guard field unit: Corpus Christi; 
2008: 
Inspections required: 2; 
Inspections conducted: 1; 
2009: 
Inspections required: 2; 
Inspections conducted: 1; 
2010: 
Inspections required: 2; 
Inspections conducted: 1. 

Coast Guard field unit: Galveston; 
2008: 
Inspections required: 5; 
Inspections conducted: 2; 
2009: 
Inspections required: 4; 
Inspections conducted: 3; 
2010: 
Inspections required: 4; 
Inspections conducted: 4. 

Coast Guard field unit: Mobile; 
2008: 
Inspections required: 1; 
Inspections conducted: 0; 
2009: 
Inspections required: 1; 
Inspections conducted: 0; 
2010: 
Inspections required: 1; 
Inspections conducted: 0. 

Coast Guard field unit: Morgan City; 
2008: 
Inspections required: 31; 
Inspections conducted: 3; 
2009: 
Inspections required: 32; 
Inspections conducted: 7; 
2010: 
Inspections required: 31; 
Inspections conducted: 7. 

Coast Guard field unit: New Orleans; 
2008: 
Inspections required: 10; 
Inspections conducted: 1; 
2009: 
Inspections required: 7; 
Inspections conducted: 2; 
2010: 
Inspections required: 6; 
Inspections conducted: 5. 

Coast Guard field unit: Port Arthur; 
2008: 
Inspections required: 7; 
Inspections conducted: 0; 
2009: 
Inspections required: 7; 
Inspections conducted: 7; 
2010: 
Inspections required: 7; 
Inspections conducted: 6. 

Coast Guard field unit: Total (%); 
2008: 
Inspections required: 56; 
Inspections conducted: 7 (13%); 
2009: 
Inspections required: 53; 
Inspections conducted: 20 (38%); 
2010: 
Inspections required: 51; 
Inspections conducted: 23 (45%). 

Source: GAO analysis of data provided by the U.S. Coast Guard. 

Note: The number of OCS facilities fluctuates year-to-year based on 
whether a facility continues to meet or exceed the threshold criteria. 
For example, in 2009 there were 53 OCS facilities, but in 2010, 2 of 
the facilities became "deregulated." Once a facility (1) is below the 
production thresholds for a year or below the personnel threshold for 
30 days; (2) has informed the Coast Guard; and (3) has provided relevant 
documentation supporting that the facility is below the thresholds, 
the Coast Guard considers it no longer subject to 33 C.F.R. part 106 
requirements and the facility will no longer be subject to security 
inspections. 

[End of table] 

Our analysis of Coast Guard inspections data shows that the Coast 
Guard generally inspected a greater percentage of floating OCS 
facilities than fixed OCS facilities (see table 2). For example, from 
2008 through 2010, the Coast Guard conducted annual security 
inspections of 54 percent of floating OCS facilities, compared to 24 
percent of fixed OCS facilities. During our interviews with Coast 
Guard marine inspectors and their supervisors, we learned that some 
field units did not know that they were responsible for conducting 
security inspections of fixed OCS facilities, approximately one-third 
of which are not staffed because operations are automated. For 
example, marine inspectors in the Coast Guard field unit that oversees 
more than half of the OCS facilities stated that they had only 
recently learned that they were responsible for conducting security 
inspections of fixed OCS facilities. These marine inspectors stated 
that they thought that security inspections of the fixed OCS 
facilities within their area of responsibility were carried out by 
another field unit and that they had only been conducting annual 
security inspections of the floating OCS facilities. Further, other 
Coast Guard officials stated that it is easier to arrange for security 
inspections of floating OCS facilities because marine inspectors visit 
those facilities more frequently for other types of inspections, such 
as hull or safety inspections, whereas for fixed OCS facilities, the 
Coast Guard conducts an initial safety inspection when they are first 
installed and then is only required to visit the fixed OCS facilities 
once a year for annual security inspections.[Footnote 40] 

Table 2: Security Inspections Required and Conducted of OCS 
Facilities, by Type, 2008 through 2010: 

Type: Fixed OCS facility; 
Inspections required: 119; 
Inspections conducted: 28; 
Percentage: 24%. 

Type: Floating OCS facility; 
Inspections required: 41; 
Inspections conducted: 22; 
Percentage: 54%. 

Source: GAO analysis of data provided by the U.S. Coast Guard. 

[End of table] 

The Coast Guard does not have procedures in place to help ensure that 
its field units conduct security inspections of OCS facilities 
annually in accordance with its guidance. Standards for Internal 
Control in the Federal Government state that internal controls should 
include control activities, such as policies, procedures, and 
mechanisms that help ensure management directives are carried out. 
However, the Coast Guard does not have such control activities in 
place. For example, the Coast Guard's OCS facility guidance does not 
describe specific procedures for the way in which Coast Guard staff 
should track whether annual security inspections have been conducted. 
Further, Coast Guard district officials and most local field unit 
supervisors and marine inspectors we spoke with do not maintain any 
kind of tool, such as a spreadsheet or calendar, to remind them when 
annual security inspections of OCS facilities are due. Coast Guard 
officials from five of the six Coast Guard field units that conduct 
annual security inspections of OCS facilities told us that they do not 
maintain a spreadsheet or other management tool to track whether 
annual security inspections had been conducted. For example, at three 
of these locations, Coast Guard officials told us they rely on owners 
and operators to inform them when inspections were due rather than 
tracking themselves when annual inspections were due. As a result of 
the lack of procedures or control activities to manage the offshore 
security inspection program, the Coast Guard is not positioned to 
ensure OCS facility compliance with established maritime security 
requirements for most of the OCS facilities. Without conducting annual 
inspections of OCS facilities, the Coast Guard may not be meeting one 
of its stated goals of reducing the risk and mitigating the potential 
results of an act that could threaten the security of personnel, the 
OCS facility, the environment, and the public. 

During the course of our review, Coast Guard officials stated that 
they are planning to update the OCS facility guidance, policies, and 
procedures--which have not been updated since 2003--for implementing 
security requirements for OCS facilities. In September 2011, in 
response to our findings, Coast Guard officials indicated that they 
may issue a separate policy letter to Coast Guard marine inspectors to 
address these weaknesses, but they noted that they were still 
considering how to best address the problem to achieve a higher level 
of compliance. 

Inconsistent Documentation and Database Limitations: 

In addition to challenges in the Coast Guard's inspection efforts, 
inconsistent documentation of security inspections as well as 
limitations in the MISLE database--the database in which security 
inspection results are recorded--hinder the Coast Guard's ability to 
manage the offshore security inspection program or analyze inspection 
data needed for making management decisions about OCS facilities. 
During the course of our review, we found inconsistencies in how 
security inspection data were recorded in MISLE. For example, in most 
cases, marine inspectors select the "MTSA-related" inspection type to 
designate that an annual security inspection of an OCS facility was 
completed in accordance with 33 C.F.R. part 106. However, among the 50 
security inspections of OCS facilities that were conducted from 2008 
through 2010, marine inspectors did not select this inspection type 
for 5 records.[Footnote 41] Instead, the inspectors selected another 
inspection type (such as a safety inspection) and indicated in the 
narrative section that a security inspection was conducted. Without 
reviewing the narrative of each inspection report, Coast Guard 
management may not be able to determine if security inspections of OCS 
facilities were conducted.[Footnote 42] In July 2011, and in response 
in part to our review, the Coast Guard issued new MISLE guidance on 
documenting the annual security inspections of OCS facilities in MISLE 
and distributed this guidance to all of the relevant field units. 
Specifically, the guidance provides step-by-step instructions for 
entering information on annual security inspections into MISLE for 
both fixed and floating OCS facilities. If effectively implemented, 
this guidance should help to ensure that all future security 
inspections of OCS facilities are recorded consistently, which would 
enhance program management and oversight of these facilities. 

In addition to the inconsistencies with how inspections are recorded 
in MISLE, we also identified limitations with the MISLE database in 
the following three areas: 

* No OCS facility data field: There is no data field[Footnote 43] in 
the MISLE database to identify a facility as an OCS facility, which 
makes it difficult to readily analyze and summarize information on 
this type of facility.[Footnote 44] Coast Guard officials recognize 
that not having an OCS facility data field makes it difficult to 
readily summarize information and they created an alternative method 
using standardized language in another data field.[Footnote 45] 
However, this alternative method only applies to the fixed OCS 
facilities and there is no alternative method to identify floating OCS 
facilities in MISLE. Officials noted that it would be useful if there 
were a data field for both fixed and floating OCS facilities because 
this would allow the Coast Guard field units to generate a report each 
year that would help local officials see when security inspections are 
due for the OCS facilities within their area of responsibility. 

* Multiple entries for facilities: In the MISLE data we reviewed and 
analyzed, we found that 14 of the 57 OCS facilities were listed 
multiple times under slightly different facility names and, as such, 
had multiple entries in the database. According to Coast Guard 
officials, because of the MISLE database's limited search functions, 
staff wishing to enter the results of an inspection or other activity 
might not be able to find the OCS facility in MISLE because the 
information they entered was not an exact match to how the facility 
was recorded in MISLE. Consequently, the staff may assume that the 
facility is not in MISLE and create a new entry to record their 
results. For example, Coast Guard staff might not be able to find the 
"Green Canyon 55" facility in MISLE because the facility name was 
entered into MISLE initially as "GC 55." As a result, data records in 
MISLE are listed under several names and identification numbers, which 
makes it difficult to determine how many security inspections have been 
conducted of an OCS facility.[Footnote 46] Coast Guard marine 
inspectors stated this issue can make it difficult to (1) locate 
previous inspection records, which the marine inspectors review prior 
to conducting an inspection and (2) compile a history of a facility's 
inspections. 

* OCS facilities may be considered either "facilities" or "vessels" in 
MISLE: Infrastructure in the MISLE database is classified as either a 
"facility" or a "vessel," and information on these two types cannot be 
gathered simultaneously. While the fixed OCS facilities are considered 
"facilities" in the MISLE database, the floating OCS facilities are 
considered "vessels."[Footnote 47] This distinction exacerbates the 
potential for creating multiple entries in MISLE for the same OCS 
facility. For example, 13 of the 57 OCS facilities were listed in the 
MISLE database as both a "facility" and a "vessel" under different 
names and identification numbers. Further, officials at one location 
reported that they entered security inspection reports for the 
facilities within their area of responsibility into MISLE twice--once 
as a vessel and once as a facility. As a result, data analysts cannot 
gather information on both fixed and floating OCS facilities at the 
same time without first searching for and eliminating duplicate 
entries, which complicates data analyses.[Footnote 48] 
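
Added example (not part of the GAO report, and not Coast Guard or MISLE code): a Python sketch of the reconciliation an analyst would need before counting annual security inspections, given the three limitations above. The record layout, identifiers, and the "MC" abbreviation are constructed for illustration; only the "Green Canyon 55"/"GC 55" pair and the "MTSA-related" inspection type come from the report.

```python
import re
from collections import defaultdict

# Hypothetical abbreviation table; only GC = Green Canyon appears in the report.
AREA_ABBREVIATIONS = {"gc": "green canyon", "mc": "mississippi canyon"}

# Constructed sample records:
# (record_id, record_class, name, year, inspection_type, narrative)
RECORDS = [
    ("F-1001", "facility", "Green Canyon 55", 2008, "MTSA-related", ""),
    ("V-2001", "vessel", "GC 55", 2009, "Safety",
     "Annual security inspection conducted during hull exam."),
    # One 2010 visit entered twice, once as a facility and once as a vessel.
    ("F-1002", "facility", "GC-55", 2010, "MTSA-related", ""),
    ("V-2001", "vessel", "GC 55", 2010, "MTSA-related", ""),
    ("F-1003", "facility", "Mississippi Canyon 20", 2009, "Safety",
     "Routine safety inspection."),
    ("F-1004", "facility", "MC 20", 2010, "MTSA-related", ""),
]


def canonical_name(name):
    """Lower-case, drop punctuation, and expand known area abbreviations."""
    tokens = re.sub(r"[^a-z0-9]+", " ", name.lower()).split()
    return " ".join(AREA_ABBREVIATIONS.get(t, t) for t in tokens)


def classify(inspection_type, narrative):
    """Return how a record evidences a security inspection, or None."""
    if inspection_type == "MTSA-related":
        return "typed"
    # Narrative matches are weaker evidence and are surfaced for review.
    if re.search(r"\bsecurity inspection\b", narrative, re.IGNORECASE):
        return "narrative"
    return None


def duplicate_entries(records):
    """Facilities that appear under more than one record id."""
    ids, classes = defaultdict(set), defaultdict(set)
    for rec_id, rec_class, name, *_ in records:
        key = canonical_name(name)
        ids[key].add(rec_id)
        classes[key].add(rec_class)
    return {k: {"ids": sorted(v), "classes": sorted(classes[k])}
            for k, v in ids.items() if len(v) > 1}


def security_inspections(records):
    """Map (facility, year) to evidence kinds; a visit entered twice counts once."""
    seen = defaultdict(set)
    for _id, _class, name, year, itype, narrative in records:
        kind = classify(itype, narrative)
        if kind:
            seen[(canonical_name(name), year)].add(kind)
    return dict(seen)


def missing_inspections(records, years):
    """Facility-years with no recorded security inspection."""
    done = security_inspections(records)
    names = {canonical_name(r[2]) for r in records}
    return sorted((n, y) for n in names for y in years if (n, y) not in done)


def needs_review(records):
    """Facility-years supported only by narrative text, not inspection type."""
    return sorted(k for k, kinds in security_inspections(records).items()
                  if kinds == {"narrative"})


if __name__ == "__main__":
    print("duplicates:", duplicate_entries(RECORDS))
    print("missing:", missing_inspections(RECORDS, range(2008, 2011)))
    print("review:", needs_review(RECORDS))
```

Counting raw rows in this sample would report five security inspections; after reconciliation there are four facility-years inspected, one of which rests on narrative text alone.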

The Coast Guard could benefit from enhancing and facilitating the use 
of performance information to make improved management decisions. 
[Footnote 49] One way to enhance the use of performance information is 
to improve the usefulness of such information to better meet 
management's decision-making needs. We reported previously that to be 
useful, performance information must meet users' needs for 
completeness, accuracy, consistency, timeliness, validity, and ease of 
use.[Footnote 50] However, due to the MISLE database limitations noted 
above, it is difficult for Coast Guard managers to determine if annual 
security inspections have been conducted. Coast Guard officials 
indicated that they are taking action to address not having an OCS 
data field and that they plan to create such a data field for both 
fixed and floating OCS facilities when they release an updated version 
of MISLE in early 2013. However, while the Coast Guard is in the 
process of updating MISLE, it remains unclear whether problems with 
(1) multiple facility names and (2) considering OCS facilities both 
vessels and facilities will be addressed in the updated MISLE version. 
Further, the new MISLE guidance on documenting security inspections 
for OCS facilities in MISLE that was issued in July 2011 does not 
describe policies or procedures that would address the MISLE database 
limitations described above. Addressing such problems, either in the 
updated version of MISLE or through updated guidance that addresses 
these problems, could enhance the Coast Guard's ability to summarize 
data on OCS facilities and make informed decisions. 

Actions Are Needed to Further Ensure the Security of Deepwater Ports: 

Coast Guard Actions to Ensure Security: 

The Coast Guard has taken actions to ensure the security of deepwater 
ports that are similar to actions it has taken to ensure the security 
of OCS facilities. For example, the three deepwater ports are located 
in areas that are covered by Area Maritime Security Plans--the LOOP is 
mentioned in the Gulf of Mexico Area Maritime Security Plan, and the 
two LNG deepwater ports in Massachusetts Bay are mentioned in the 
Boston Area Maritime Security Plan.[Footnote 51] Further, the Coast 
Guard has conducted some exercises that address the security of the 
LOOP, which was an attack target in a 2008 exercise as well as in NLE 
2009.[Footnote 52] The Coast Guard has also reviewed and approved 
deepwater port operations manuals for the three deepwater ports that, 
among other things, must include deepwater port security plans that 
are comparable to the security plans required for OCS facilities 
pursuant to 33 C.F.R. part 106.[Footnote 53] In addition, the Coast 
Guard has taken additional actions to ensure the security of deepwater 
ports. For example, the Coast Guard has established security zones 
around the two LNG deepwater ports in Massachusetts Bay.[Footnote 54] 
In the context of a deepwater port, a security zone is a designated 
area for such time as deemed necessary to safeguard the port from 
destruction, loss, or injury from sabotage or other subversive acts. 
[Footnote 55] In particular, the establishment of a security zone 
prohibits a person or vessel from entering the designated area without 
permission and authorizes the Coast Guard to take appropriate 
enforcement actions against such unauthorized persons or vessels. 
[Footnote 56] Additionally, the Coast Guard has access to live video 
feeds from the two LNG deepwater ports in Massachusetts Bay.[Footnote 
57] 

Coast Guard Could Improve the Security of Deepwater Ports by 
Conducting Security Inspections: 

The Coast Guard has conducted only one security inspection of a 
deepwater port from 2008 through 2010. Following the LOOP's 2010 
annual self-inspection--an inspection conducted by owners and 
operators that generally assesses maintenance and repair issues--Coast 
Guard marine inspectors conducted a security inspection at the LOOP in 
November 2010 and found deficiencies.[Footnote 58] Specifically, Coast 
Guard marine inspectors determined that the facility security officer 
was not familiar with the facility security plan. Based on MISLE 
inspection records, this was the only security inspection conducted 
for a deepwater port from 2008 through 2010. However, according to 
Coast Guard officials, Coast Guard marine inspectors have observed 
security measures at the deepwater ports as part of their 
responsibilities for overseeing the vessels that connect to these 
ports. For example, as part of a vessel examination, the Coast Guard 
might observe whether physical security measures at the deepwater port 
prevent unauthorized access to the port and the vessel.[Footnote 59] 
Additionally, Coast Guard officers can ask questions of the vessel 
crew about security practices to ensure that the vessel is complying 
with either U.S. or international security requirements, as applicable. 

Because deepwater ports are subject to different regulations than OCS 
facilities, the Coast Guard has different sets of policies and 
procedures for these two types of facilities.[Footnote 60] Unlike its 
requirement for OCS facilities, the Coast Guard's deepwater port 
guidance does not call for annual security inspections.[Footnote 61] 
According to Coast Guard officials, deepwater ports were specifically 
excluded from the regulatory definition of OCS facilities because of 
the different statutory and regulatory regimes governing these two 
types of offshore energy infrastructure and because the security risk 
factors at deepwater ports may be different from those at OCS 
facilities.[Footnote 62] For example, deepwater ports are not 
connected, directly or via a pipeline network, to the source of oil or 
natural gas production. Therefore, the oil or natural gas that could 
be released as a result of an attack on a deepwater port would be 
limited to the volume contained in the tankers that connect to the 
deepwater port rather than the generally larger volumes contained in 
source wells that are connected to OCS facilities. As a result, 
according to Coast Guard officials, an attack on a deepwater port 
could have lesser consequences compared to an attack on an OCS 
facility that is directly connected to an oil or natural gas source. 

While current Coast Guard deepwater port guidance does not require 
annual security inspections of deepwater ports, the Coast Guard is 
mandated by statute to verify the effectiveness of facility security 
plans for those facilities that could be involved in a transportation 
security incident.[Footnote 63] While deepwater port operators are 
required to develop security plans as part of their operations 
manuals, which are to be approved by the Coast Guard, and the Coast 
Guard acknowledges that its mandate to verify the effectiveness of 
security plans applies to deepwater ports where an incident may meet 
the definition of a transportation security incident, the Coast Guard 
has not implemented procedures for conducting inspections to verify 
the effectiveness of the deepwater port security plans on an annual 
basis. Officials at Coast Guard headquarters, however, recognize that 
an incident at the LOOP or either of the two LNG deepwater ports in 
Massachusetts Bay could be considered a transportation security 
incident. 

We discussed the statutory requirement to assess the effectiveness of 
facility security plans and the general lack of security inspections 
at deepwater ports with Coast Guard officials who generally agreed 
with our observations. Based on this discussion, Coast Guard officials 
stated that by the end of 2011 they plan to (1) update applicable 
Coast Guard guidance to require annual security inspections of 
deepwater ports and (2) add new procedures for conducting such 
security inspections. In addition to this Coast Guard headquarters 
initiative, the Coast Guard field unit in Boston is planning to 
develop and implement a local security inspection program for the two 
LNG deepwater ports in Massachusetts Bay, and the Coast Guard field 
unit in Morgan City, Louisiana, plans to perform annual site safety 
and security inspections at the LOOP. 

As the Coast Guard moves forward with updating its deepwater port 
guidance, one challenge it faces is the inherent differences between 
the LOOP and the two LNG deepwater ports. These differences may 
necessitate approaching security inspections of these facilities in 
different ways. For example, the LOOP and the two LNG deepwater ports 
in Massachusetts Bay differ in terms of their potential consequences, 
economic importance, and physical structure. 

* Potential consequences of an incident may be greater for the LOOP 
than for the LNG deepwater ports: While the Coast Guard views the LOOP 
and the LNG deepwater ports as having the potential for a 
transportation security incident, an incident at the LOOP could have 
greater consequences than an incident at the LNG ports. In particular, 
an oil spill resulting from an attack on the LOOP could have greater 
environmental consequences than the release of LNG from an attack on 
one of the LNG deepwater ports because oil does not dissipate as 
quickly as LNG does, and it must be removed from the water. 
Additionally, there can be personnel stationed at the LOOP's offshore 
location; therefore, potential death and injury consequences could 
also be a consideration for the LOOP. In contrast, no staff are 
stationed at the LNG deepwater ports, except when a tanker is attached 
to the buoy and offloading LNG. Therefore, if an incident were to 
occur at an LNG deepwater port, such as an explosion, the potential 
for deaths or injuries could be limited to the crew aboard the LNG 
tanker. 

* The LOOP has greater importance to the economy than the LNG 
deepwater ports: The LOOP is the only crude oil port in the United 
States that can receive oil transfers from the largest crude oil 
tankers. Additionally, about half of the oil consumed in the United 
States is imported and the LOOP accounts for approximately 10 percent 
of U.S. crude oil imports. In contrast, most of the natural gas 
consumed in the United States is produced domestically, and the two 
LNG deepwater ports import a relatively low volume of LNG compared to 
onshore LNG port facilities. As a result, an attack on the LOOP could 
have greater economic impact than an attack on the LNG deepwater ports. 

* Due to the structural nature of the ports, security inspections of 
the LOOP may be more feasible than security inspections of the LNG 
deepwater ports: In addition to the buoys that connect to oil tankers, 
the LOOP has a fixed platform structure above the water surface, 
similar to some of the OCS facilities, and the Coast Guard plans to 
conduct on-site inspections of the LOOP. In contrast, the structural 
nature of the two LNG deepwater ports may make these ports difficult 
to inspect. Specifically, the LNG deepwater ports are submerged buoy 
systems, meaning that buoys are submerged whenever they are not 
connected to an LNG tanker, and these buoys are connected by pipeline 
to shoreside facilities. As a result, when an LNG tanker is not 
connected to the port's buoy, there is no visible infrastructure above 
the water to inspect. Coast Guard officials in the Boston field unit, 
which oversees these deepwater ports, said that they could conduct an 
onshore security inspection that could include a review of the 
deepwater port security plan with the facility security officer to 
discuss how security measures are being implemented. 

The differences between the LOOP and the two LNG deepwater ports 
described above could play a role in how the Coast Guard decides to 
conduct security inspections of these deepwater ports. For example, 
on-site inspections of the LOOP could be warranted because of its 
importance and the fact that a major part of the facility is above the 
water, while inspections of LNG deepwater ports could potentially be 
done, at least in part, at those ports' onshore facilities since these 
ports do not have infrastructure above the water, except when a tanker 
is offloading. As the Coast Guard updates its guidance for deepwater 
ports, the factors described above could be considered in determining 
how to carry out future security inspections of these deepwater ports. 

Database and Guidance Limitations Could Hinder Inspections: 

When the Coast Guard begins annual security inspections of deepwater 
ports, limitations in the MISLE database may complicate Coast Guard 
management and oversight of such facilities. Similar to the problems 
we found with MISLE regarding OCS facilities, we also noted the 
following weaknesses in MISLE specific to deepwater ports: 

* Deepwater port data field incorrectly used for other types of 
infrastructure: The MISLE database contains a data field for deepwater 
ports; however, this term is not defined in MISLE guidance and has 
been incorrectly applied to facilities that do not meet the definition 
of a deepwater port in applicable federal regulations.[Footnote 64] 
According to Coast Guard officials, staff sometimes select the 
deepwater port data field for shoreside ports that have deep drafts, 
which allow large ships to enter these ports. For example, the MISLE 
deepwater port data we reviewed identified 80 facilities as deepwater 
ports rather than just the 3 currently active and 1 soon to be 
decommissioned deepwater ports that meet the definition established by 
applicable federal regulations. Further, Coast Guard MISLE guidance 
does not define a deepwater port nor does it make reference to the 
applicable federal regulations or definitions. As a result, it is 
difficult to identify deepwater ports in MISLE for the purpose of 
summarizing data that may inform management decisions. 

* Multiple entries for deepwater ports: We also found that some of the 
deepwater ports in MISLE were listed multiple times under slightly 
different names. For example, the LOOP appeared in MISLE under four 
different names. This situation may have occurred in part because the 
Coast Guard's MISLE guidance does not provide naming conventions for 
how deepwater ports are to be entered into MISLE. The existence of 
multiple names for the same deepwater port and the limited search 
function of MISLE make it difficult for Coast Guard marine inspectors 
and managers to locate previous inspection records. 

Similar to what we found with MISLE regarding OCS facilities, 
limitations in the MISLE database, as well as no guidance on recording 
inspection results into MISLE, make it difficult for the Coast Guard 
to analyze security inspection results and other information on 
deepwater ports. As previously discussed, performance information must 
meet users' needs for completeness, accuracy, and consistency if it is 
to be useful. According to the Standards for Internal Control in the 
Federal Government, controls such as policies, procedures, and 
mechanisms help ensure management directives are carried out. One way 
to enforce management directives involves policies and procedures that 
ensure accurate and timely recording of transactions and events, such 
as security inspections. However, the Coast Guard's MISLE guidance 
does not describe procedures related to information on deepwater ports 
and it is difficult to use the information currently in the database 
as a management tool. Correcting MISLE limitations and developing 
guidance related to deepwater ports, including information on how 
deepwater ports are named in MISLE and how the results of security 
inspections are to be entered into MISLE, would allow the Coast Guard 
to better manage security inspections and verify that the deepwater 
ports are complying with applicable maritime security requirements. 

Coast Guard Has Limited Authority over the Security of MODUs 
Registered to Foreign Countries: 

While the Deepwater Horizon incident was not the result of a breakdown 
in security procedures or the result of a terrorist attack, the loss 
of the Deepwater Horizon and the resulting oil spill have raised 
concerns about U.S. oversight over MODUs that are registered to 
foreign countries.[Footnote 65] In this regard, various circumstances 
govern the extent to which the Coast Guard oversees the security of 
MODUs. In general, MODUs operating on the OCS implement security 
measures consistent with applicable security requirements--
specifically, they implement requirements in accordance with U.S. 
security regulations and the International Maritime Organization's 
ISPS Code.[Footnote 66] Depending on the particular characteristics 
and operations of the MODU--for example, its method of propulsion or 
its personnel levels--it may be subject to Coast Guard security 
regulations governing vessels (33 C.F.R. part 104) or OCS facilities 
(33 C.F.R. part 106). MODUs will fall under applicable Coast Guard 
regulations if (1) they are self-propelled--that is, they are capable 
of relocating themselves, as opposed to other types that require 
another vessel to tow them--in which case they are subject to the ISPS 
Code and 33 C.F.R. part 104, or (2) they meet production or personnel 
levels specified in 33 C.F.R. part 106. In the case of self-propelled, 
foreign-flagged MODUs, the Coast Guard will assess compliance with 
part 104 by reviewing a MODU's International Ship Security 
Certificate, which certifies compliance with the ISPS Code; in all 
other cases where MODUs are subject to Coast Guard security 
requirements, the Coast Guard assesses compliance with part 104 or 
part 106 through annual security inspections.[Footnote 67] Figure 3 
illustrates the types of MODUs, the applicable security requirements, 
and the means by which the Coast Guard assesses compliance. 

Figure 3: Coast Guard Security Requirements Applicable to MODUs 
Operating in U.S. Federal Waters: 

[Refer to PDF for image: illustration] 

Self-Propelled (ISPS Code Applicable): 

U.S.-flagged: 
33 C.F.R. part 104; 
The Coast Guard assesses compliance through annual security 
inspections[A]; 
1 MODU[B]. 

Foreign-flagged: 
33 C.F.R. part 104; 
The Coast Guard assesses compliance by verifying that the MODU has a 
valid International Ship Security Certificate, which reflects 
compliance with the ISPS Code; 
9 MODUs[B]. 

Not Self-Propelled (ISPS Code Not Applicable): 

U.S.-flagged: 

33 C.F.R. part 106 Applicable if threshold criteria are met; 
The Coast Guard assesses compliance through annual security 
inspections; 
0 MODUs[B]. 

33 C.F.R. part 106 Not Applicable if threshold criteria are not met; 
The Coast Guard does not assess compliance; 
5 MODUs[B]. 

Foreign-flagged: 

33 C.F.R. part 106 Applicable if threshold criteria are met; 
Coast Guard assesses compliance through annual security inspections; 
0 MODUs[B]. 

33 C.F.R. part 106 Not Applicable if threshold criteria are not met; 
The Coast Guard does not assess compliance; 
34 MODUs[B]. 

Source: GAO analysis of ISPS Code, 33 C.F.R. parts 104 and 106, and 
Coast Guard MISLE data, and U.S. Coast Guard. 

[A] A self-propelled, U.S.-flagged MODU must also comply with the ISPS 
Code and possess an International Ship Security Certificate if it is 
on an international voyage. 33 C.F.R. part 104 security regulations, 
which govern self-propelled, U.S.-flagged MODUs, are consistent with 
the ISPS Code. 

[B] There are no MODUs operating in U.S. federal waters that meet the 
threshold criteria of 33 C.F.R. part 106. The numbers for other 
categories of MODUs shown above--those that are subject to 33 C.F.R. 
part 104 and those that do not meet the threshold criteria of 33 
C.F.R. part 106--are the number of MODUs in each category that are, 
according to the Coast Guard, drilling in the Gulf of Mexico as of 
September 23, 2011. 

[End of figure] 

* Self-propelled MODUs: Among other things, the ISPS Code establishes 
an international framework, involving cooperation between contracting 
governments, government agencies, local administrations, and the 
shipping and port industries to detect and assess security threats and 
take preventive measures against security incidents affecting ships or 
port facilities in international trade, and to ensure confidence that 
adequate and proportionate maritime security measures are in place. 
MODUs that are self-propelled are considered vessels and are subject 
to the ISPS Code. In general, the country to which a vessel is 
registered (the flag state) enforces its own as well as applicable 
international requirements. Coast Guard regulations governing vessel 
security (33 C.F.R. part 104) are consistent with the requirements of 
the ISPS Code. For example, a MODU may be registered to a foreign flag 
state, such as the Marshall Islands or Panama, and if self-propelled, 
the Coast Guard is able to ensure compliance with applicable U.S. 
security requirements by ensuring the MODU possesses a current 
International Ship Security Certificate issued by the flag state. 
Whereas the Coast Guard may physically inspect a U.S.-flagged MODU to 
ensure compliance with applicable security requirements, the Coast 
Guard's oversight of foreign-flagged MODUs is more limited.[Footnote 68] 
For example, Coast Guard inspectors may board a self-propelled, 
foreign-flagged MODU to verify the issuance of an International Ship 
Security Certificate, observe security measures, and ask 
security-related questions of personnel; however, absent consent from the flag 
state, the inspectors generally do not have authority to review the 
MODU's vessel security plan. 

* MODUs that are not self-propelled: In contrast, MODUs that are not 
self-propelled--those that require another vessel to move them from 
one location to another--are not subject to the ISPS Code, and 
countries in whose jurisdiction drilling occurs may individually 
determine how they choose to regulate such MODUs. In U.S. federal 
waters, both U.S.-flagged and foreign-flagged MODUs that are not 
self-propelled may be subject to the security requirements of 33 C.F.R. 
part 106, which govern OCS facilities, if they meet the applicable 
production or personnel thresholds. While some non-self-propelled 
MODUs could meet the personnel thresholds that would make them subject 
to part 106, most such MODUs do not meet the applicable production or 
personnel thresholds.[Footnote 69] Since 2008, security regulations 
for OCS facilities have applied to one foreign-flagged MODU and no 
U.S.-flagged MODUs. Because most MODUs are not regulated for security 
under part 106, the owners and operators are not required to provide 
security plans to the Coast Guard and the Coast Guard does not conduct 
security inspections. 

The Coast Guard may not be fully aware of the security measures 
implemented by self-propelled, foreign-flagged MODUs because of its 
limited oversight of such MODUs. The Coast Guard and BOEMRE conducted 
a joint investigation into the Deepwater Horizon incident, and the 
Coast Guard's report from the investigation emphasized the need to 
strengthen the system of Coast Guard oversight of foreign-flagged 
MODUs. The Coast Guard's report from the joint investigation stated 
that the Coast Guard's regulatory scheme for overseeing the safety of 
foreign-flagged MODUs is insufficient because it defers heavily to the 
flag state to ensure safety. The report noted that deferring to a flag 
state could work if the flag state conducts inspections comparable to 
those conducted by the Coast Guard on U.S.-flagged MODUs; however, the 
report found deficiencies in the way that the flag state for the 
Deepwater Horizon exercised its oversight responsibilities. The 
investigation also found that Coast Guard examinations of 
foreign-flagged vessels, which include foreign-flagged, self-propelled MODUs, 
are less stringent than for U.S.-flagged vessels, and the report 
stated that had the Deepwater Horizon been a U.S.-flagged MODU, the 
Coast Guard likely would have become aware of some of the deficiencies 
onboard. The joint investigation team recommended, among other things, 
that the Commandant of the Coast Guard develop more comprehensive 
inspection standards for foreign-flagged MODUs operating on the OCS. 
The Commandant concurred with this recommendation and has chartered an 
Outer Continental Shelf Activities Matrix Team, which has been tasked 
with providing recommendations on the establishment and implementation 
of an enhanced oversight regime for foreign-flagged MODUs on the U.S. 
OCS. While the investigation focused on issues that were not related 
to security, such as safety, these findings may have implications for 
security oversight because the Coast Guard also relies on the flag 
state to carry out responsibilities for assessing compliance with 
security requirements. 

Further, in its report to the President, the National Commission on 
the BP Deepwater Horizon Oil Spill and Offshore Drilling reported that 
the risks involved with deepwater drilling are not yet completely 
addressed by reviews on where it is safe to drill, what could go 
wrong, or how to respond if something does go awry. While the report 
did not address the federal role in ensuring the security of offshore 
energy infrastructure, it did address risk management and challenges 
in responding to the consequences of an incident on a MODU operating 
in deepwater. In particular, the report noted that when a failure 
happens at such depths, regaining control is a formidable challenge. 
This potential for adverse consequences could be of greater concern as 
drilling technologies advance and more drilling occurs in deeper 
waters. For example, drilling in deeper water means that the Coast 
Guard or other response resources are generally going to be further 
away from the drilling sites. Figure 4 depicts the aftermath of the 
Deepwater Horizon explosion, which demonstrates the possible 
consequences of a successful terrorist attack or other security 
incident on offshore energy infrastructure. 

Figure 4: Aftermath of the Explosion of the Deepwater Horizon Drilling 
Unit in the Gulf of Mexico, April 2010: 

[Refer to PDF for image: photograph] 

Source: U.S. Coast Guard. 

[End of figure] 

According to Coast Guard officials, it is likely that MODUs operating 
in deepwater would be subject to security requirements because the 
industry is increasingly using dynamically positioned MODUs that are 
able to maintain position without being anchored to the seabed, and as 
such MODUs are self-propelled, they would be subject to the ISPS Code 
and 33 C.F.R. part 104.[Footnote 70] Additionally, the Coast Guard is 
aware of potential risks regarding MODUs and is conducting a study 
designed to help determine whether additional actions could better 
ensure the security of offshore energy infrastructure in the Gulf of 
Mexico, including MODUs. This study is expected to be completed in the 
fall of 2011. Gaining a fuller understanding of the security risks 
associated with MODUs could better inform Coast Guard decisions and 
potentially improve the security of these facilities. Further, the 
Coast Guard has implemented a new risk-based oversight policy for 
MODUs, including foreign-flagged MODUs, to address safety and 
environmental protection issues. This policy includes a targeting 
matrix to assist inspectors in determining whether a foreign-flagged 
MODU may require increased oversight, based on inspection history or 
other related factors, through more frequent examinations by the Coast 
Guard. Additionally, the policy calls on Coast Guard field units to 
conduct random, unannounced examinations of a portion of all MODUs in 
their areas of responsibility. Although this policy does not directly 
address security, increased oversight resulting from this new policy 
could help mitigate some of the ways in which a MODU might be at risk 
of a terrorist attack. 

Conclusions: 

The threat of terrorism and the significant damages resulting from the 
Deepwater Horizon incident point to the importance of the Coast Guard 
having robust policies and procedures in place to better ensure the 
security of OCS facilities and deepwater ports. Because the Coast 
Guard has not conducted annual security inspections of all OCS 
facilities in accordance with Coast Guard requirements, it could 
benefit from having procedures in place across its field units to 
ensure that such inspections are conducted. Because it is not 
complying with its established maritime security requirements, the 
Coast Guard may not be adequately meeting one of its stated goals of 
reducing the security risk and mitigating the potential results of an 
act that could threaten the security of personnel, the OCS facility, 
the environment, and the public. We also found limitations in the 
MISLE database which make it difficult for Coast Guard managers to 
determine if security inspections were conducted when reviewing the 
data, and current guidance does not describe policies and procedures 
that would fully address these limitations. By addressing some of 
these inconsistencies and other limitations, Coast Guard managers 
could more easily summarize data, identify issues related to OCS 
facilities, and use the data as a management tool to inform decision 
making. 

Finally, we also found weaknesses in the MISLE database related to 
deepwater ports, such as not defining a deepwater port in MISLE 
guidance and the use of multiple names for such ports in the MISLE 
database. These weaknesses could inhibit the Coast Guard's ability to 
analyze information on security inspections of such ports. Although 
the Coast Guard has conducted only one security inspection of a 
deepwater port from 2008 through 2010, Coast Guard officials have 
recognized the importance of conducting annual security inspections of 
deepwater ports and are planning to update guidance to require such 
inspections and to address the way in which such inspections are to be 
conducted. Correcting MISLE limitations and developing guidance 
related to how deepwater ports are to be inspected and how the results 
of security inspections are to be entered into MISLE could allow the 
Coast Guard to (1) ensure more consistency in how the results of 
inspections are recorded in MISLE, (2) better manage such security 
inspections, and (3) verify that the deepwater ports are complying 
with applicable maritime security requirements. 

Recommendations for Executive Action: 

To strengthen the Coast Guard's efforts to ensure the security of OCS 
facilities and deepwater ports, we recommend that the Commandant of 
the Coast Guard take the following three actions: 

* Develop policies and procedures to monitor and track annual security 
inspections for OCS facilities to better ensure that such inspections 
are consistently conducted. 

* Make improvements to the MISLE database or MISLE guidance to better 
ensure that all OCS facilities, both fixed and floating, are 
accurately and consistently identified and that the results of 
security inspections are consistently recorded to allow for better 
data analyses and management of the security inspections process. 

* Ensure that information on deepwater ports in MISLE can be used as a 
management tool for decision making. These actions should include (1) 
issuing guidance on how information on deepwater ports and their 
security inspections should be entered into MISLE; (2) defining 
deepwater ports in MISLE guidance; and (3) making any changes 
necessary in the database to ensure that deepwater ports regulated 
under 33 C.F.R. parts 148-150 can be identified within MISLE. 

Agency Comments and Our Evaluation: 

On October 7, 2011, we provided a draft of this report to DHS and the 
Coast Guard for comment. On October 24, 2011, DHS provided written 
comments on the draft report, which are reproduced in full in appendix 
III. DHS and the Coast Guard concurred with the findings and 
recommendations in the report, and DHS stated that the Coast Guard is 
taking actions to implement our recommendations. The Coast Guard also 
provided technical comments, which we incorporated, as appropriate. 

The Coast Guard concurred with our first recommendation that it 
develop policies and procedures to monitor and track annual security 
inspections for OCS facilities. Specifically, the Coast Guard stated 
that it is planning to update (1) its MISLE database to identify if a 
vessel or facility is regulated as an OCS facility under 33 C.F.R. 
part 106 and (2) its OCS facility policy guidance for field units to 
monitor and track annual security inspections for OCS facilities to 
better ensure that such inspections are consistently conducted. These 
actions should improve the Coast Guard's ability to ensure that such 
inspections are consistently conducted on an annual basis, thereby 
addressing the intent of our recommendation. 

The Coast Guard also concurred with our second recommendation to make 
improvements to the MISLE database or MISLE guidance to better ensure 
that all OCS facilities are accurately and consistently identified and 
that the results of security inspections are consistently recorded to 
allow for better data analyses and management of the security 
inspections process. Specifically, the Coast Guard stated that it 
developed guidance in 2011 to improve MISLE database quality. However, 
as we discuss in this report, the MISLE guidance issued in July 2011 
does not describe policies or procedures that would address the MISLE 
database limitations we identified. In particular, we noted that 
within MISLE (1) there is no data field to identify OCS facilities, 
(2) there are multiple entries for some facilities, and (3) OCS 
facilities may be considered either "facilities" or "vessels." While 
the update to the MISLE database mentioned in relation to our first 
recommendation should address the need to identify OCS facilities in 
MISLE, the Coast Guard would need to issue additional guidance or 
further update MISLE to resolve the other two database limitations to 
fully address the intent of our recommendation. 

Finally, the Coast Guard concurred with our third recommendation to 
ensure that information on deepwater ports in MISLE can be used as a 
management tool for decision making. The Coast Guard stated that it 
plans to modify MISLE to include facilities, such as deepwater ports, 
that do not fall under maritime security regulations in parts 101 to 
106 of Title 33, Code of Federal Regulations, which implement 
provisions of MTSA. However, according to the Coast Guard, this 
modification will take a few years to complete. If, in addition to the 
MISLE modification, the Coast Guard issues accompanying guidance for 
how information on deepwater ports and their security inspections are 
to be entered into MISLE, these actions should, collectively, address 
the intent of our recommendation. 

We are distributing this report to the Secretary of Homeland Security, 
the Commandant of the Coast Guard, and other relevant DHS officials. 
We are also sending copies of this report to interested congressional 
committees. In addition, the report will be available at no charge on 
the GAO website at [hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report or wish to 
discuss the matter further, please contact me at (202) 512-9610 or 
caldwells@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made key contributions to this report are listed 
in appendix IV. 

Signed by: 

Stephen L. Caldwell: 
Director, Homeland Security and Justice Issues: 

List of Requesters: 

The Honorable Jay D. Rockefeller IV:
Chairman:
Committee on Commerce, Science, and Transportation:
United States Senate: 

The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Fred Upton: 
Chairman:
The Honorable Henry A. Waxman:
Ranking Member:
Committee on Energy and Commerce: 
House of Representatives: 

The Honorable John L. Mica:
Chairman:
Committee on Transportation and Infrastructure:
House of Representatives: 

The Honorable Bennie G. Thompson:
Ranking Member:
Committee on Homeland Security:
House of Representatives: 

The Honorable Edward J. Markey:
Ranking Member:
Committee on Natural Resources:
House of Representatives: 

The Honorable Michael T. McCaul:
Chairman:
Subcommittee on Oversight, Investigations, and Management:
Committee on Homeland Security:
House of Representatives: 

[End of section] 

Appendix I: Scope and Methodology: 

This appendix describes in more detail our scope and methodology for 
analyzing the Coast Guard's Marine Information for Safety and Law 
Enforcement (MISLE) database. We used this database to address the 
objectives on what the Coast Guard has done to ensure the security of 
Outer Continental Shelf (OCS) facilities and deepwater ports, and what 
additional actions, if any, are needed. 

To determine the extent to which the Coast Guard conducted security 
inspections of OCS facilities, we analyzed security inspection data 
for OCS facilities recorded in the MISLE database for calendar years 
2008 through 2010. We requested and obtained all MISLE inspection 
records for this time period for inspections conducted by the six 
field units responsible for conducting security inspections on all of 
the OCS facilities: Mobile, Alabama; Morgan City, Louisiana; New 
Orleans, Louisiana; Corpus Christi, Texas; Galveston, Texas; and Port 
Arthur, Texas. The MISLE data were provided in two spreadsheets: (1) a 
facility inspections spreadsheet that included fixed OCS facilities, 
among others, and (2) a vessel inspections spreadsheet that included 
floating OCS facilities, among others. To assess the reliability of 
the MISLE data, we (1) performed electronic testing for errors in 
accuracy and completeness; (2) reviewed related documentation, such as 
MISLE user guides and data dictionaries; and (3) held meetings and 
exchanged correspondence with Coast Guard information systems 
officials and marine inspectors at the field units to discuss data 
entry, analysis procedures, and results. We analyzed the spreadsheets 
separately and, after taking the steps described below, manually 
merged them to summarize the results. We also obtained security 
inspection data for 2011 (through June 24, 2011), but did not report 
on this information because most annual security inspections of OCS 
facilities are typically not conducted until the fall. 

Because MISLE does not have a data field for OCS facilities, we 
obtained a separate list from the Coast Guard that identified the 57 
OCS facilities that had been regulated for security under 33 C.F.R. 
part 106 at any point from 2008 through 2010. We planned to use 
information contained in the list, including facility names, 
identification numbers, and the dates on which facilities were 
deregulated (that is, no longer subject to 33 C.F.R. part 106), to 
identify OCS facilities in the MISLE database. Prior to linking the 
Coast Guard list of OCS facilities to the MISLE data, we assessed the 
reliability of this list by interviewing Coast Guard officials 
responsible for maintaining the list, as well as marine inspectors at 
the field units who are to conduct security inspections of the OCS 
facilities. In addition, to assess the completeness of the Coast Guard 
list, we used MISLE data to look for indicators that additional 
facilities were regulated for security under 33 C.F.R. part 106 but 
were not included on the Coast Guard list. The indicators in the MISLE 
data that we considered included, for example, references made in the 
free-form, narrative portions of the MISLE data to "33 C.F.R. part 
106" and "OCS" because these terms would likely be used to describe an 
OCS facility. When we found discrepancies, we brought these to the 
Coast Guard's attention and worked with officials to correct them. 
After conducting these steps, we determined that the list was reliable 
for the purpose of identifying facilities that were regulated for 
security under 33 C.F.R. part 106 at some point from 2008 through 
2010, which we refer to as OCS facilities, and that there were 57 such 
facilities during that time period. 

During our interviews with Coast Guard officials and marine 
inspectors, we learned that the same OCS facility could be entered 
into MISLE multiple times under slightly different facility names and 
that there may be annual security inspection records for OCS 
facilities recorded under different facility names than those included 
in the Coast Guard list of OCS facilities. Failure to identify these 
facilities as the same facilities in the Coast Guard list could result 
in a possible undercount of annual security inspections at the 57 OCS 
facilities. To address this issue, we conducted searches for 
facilities in the MISLE database with matching, partially matching, or 
similar names and locations based on the Coast Guard list of 57 
facilities to flag possible matches for OCS facilities in MISLE. 
Through these efforts, we identified alternative facility names for 14 
of the OCS facilities on the Coast Guard list. For our analysis of the 
inspection records of the 57 OCS facilities, we combined the 
inspection records of the facilities identified in MISLE using the 
facility names provided by the Coast Guard with those of the 14 
additional facility names we subsequently identified. 

We also used the Coast Guard list of OCS facilities to determine the 
years for which the facilities were subject to the 33 C.F.R. part 106 
requirements. According to the Coast Guard, an OCS facility that meets 
applicable production or personnel thresholds becomes regulated for 
security once its facility security plan is approved. A facility stays 
on the regulated list until the Coast Guard receives documentation 
from the facility that it no longer meets the thresholds to be 
regulated for security. In particular, once a facility has been below 
the production thresholds for 1 year or below the personnel thresholds 
for 30 days, the facility can inform the Coast Guard and provide 
supporting documentation. Upon reviewing this documentation, the Coast 
Guard may determine that the facility is no longer subject to the 33 
C.F.R. part 106 requirements and it becomes "deregulated." For our 
analysis, based on the date of deregulation included in the Coast 
Guard list of OCS facilities, we only considered a facility to be 
subject to 33 C.F.R. part 106 for a particular year if it was 
regulated during the entire calendar year. For example, if a facility 
had its facility security plan approved prior to January 2008 and it 
was deregulated in October 2010, we considered that facility to be 
subject to security regulations in 2008 and 2009 only. We determined 
that there were 57 different facilities subject to 33 C.F.R. part 106 
at some point from 2008 through 2010. In 2008, there were 56 OCS 
facilities. In 2009, 1 OCS facility became operational and 4 
facilities were deregulated, for a total of 53 OCS facilities. In 
2010, 2 facilities were deregulated for a total of 51 OCS facilities. 

For our analysis of the MISLE inspection records of the 57 OCS 
facilities, we worked with Coast Guard officials to determine how 
marine inspectors documented annual security inspections of OCS 
facilities in MISLE because there was no guidance on documenting such 
inspections. This approach included identifying inspections in which 
marine inspectors selected a "MTSA-related" inspection type to 
designate that an annual security inspection was completed in 
accordance with 33 C.F.R. part 106, and we identified 52 security 
inspections from 2008 through 2010 in accordance with this approach. 
Further, at the advice of Coast Guard officials, we also searched the 
free-form, narrative portions of the MISLE data for indicators that a 
security inspection had been conducted. We used search terms such as 
"MTSA" and "security" in these searches and found 6 additional 
security inspections, for a total of 58 inspections. Prior to 
conducting our analysis of the data, we looked for duplicative 
security inspection records and errors and we removed 8 of these 
records, for a total of 50 annual security inspections. Specifically, 
5 inspection records were removed because the same security inspection 
had been recorded twice in the MISLE database, including 1 of the 6 
records that had been identified by reviewing the narrative. Of those 5 
inspection records, (1) 3 records had two inspections recorded on the 
same date under the same facility name and (2) 2 records had two 
inspections recorded on the same date under two different facility 
names for the same OCS facility. Further, 3 additional inspection 
records were removed because, based on the date of deregulation, the 
security inspection took place during a year that we determined the 
facility was not subject to regulation for security under 33 C.F.R. 
part 106. Therefore, out of the 50 annual security inspections we 
analyzed, 45 were identified in accordance with the Coast Guard's 
suggested approach and 5 were identified solely through reviewing the 
inspection narratives. 

We also analyzed MISLE data to determine the extent to which the Coast 
Guard had conducted security inspections of deepwater ports for 
calendar years 2008 through 2010. We requested and obtained all MISLE 
inspection records for 2008 through 2010 for deepwater ports as well 
as a MISLE-generated list of all facilities that were designated as 
deepwater ports in the database. To assess the reliability of the 
deepwater port data, we took similar steps with the data as those 
described above for OCS facilities. For example, we conducted searches 
in the MISLE database to identify deepwater ports with matching, 
partially matching, or similar names based on the names and locations 
of the deepwater ports. We also searched the narrative portions of the 
deepwater port inspection data for indicators that a security 
inspection had been conducted. Through these efforts, we identified 
one security inspection of a deepwater port from 2008 through 2010. 

After conducting the above steps, we determined that the MISLE data 
were sufficiently reliable to determine the extent to which the Coast 
Guard conducted security inspections at OCS facilities and deepwater 
ports from 2008 through 2010. Our report discusses MISLE data problems 
in more detail, along with the steps the Coast Guard is taking to 
address some of the issues, and additional steps we believe are still 
needed. 

We conducted this performance audit from October 2010 through October 
2011 in accordance with generally accepted government auditing 
standards. Those standards require that we plan and perform the audit 
to obtain sufficient, appropriate evidence to provide a reasonable 
basis for our findings and conclusions based on our audit objectives. 
We believe that the evidence obtained provides a reasonable basis for 
our findings and conclusions based on our audit objectives. 

[End of section] 

Appendix II: Status of Action Items from National Level Exercise 2009: 

This appendix provides additional information on action items 
developed in response to the National Level Exercise (NLE) 2009. In 
July 2009, the Coast Guard participated in NLE 2009, which focused on 
preventing a hypothetical attack on the nation's energy 
infrastructure, including offshore facilities in the Gulf of Mexico. 
In accordance with Coast Guard policy, the Coast Guard developed 111 
remedial action items to address lessons learned in response to the 
exercise. According to Coast Guard data, as of May 31, 2011, 99 of 
these 111 action items were assigned to Coast Guard units and 12 of 
them were assigned to the Department of Homeland Security (DHS). 
According to those data, 88 of the 111 action items have been resolved 
and 23 are unresolved. For example, according to the data, the Coast 
Guard and DHS have not yet established a process for engaging the 
private sector to address the observation from the exercise that 
information sharing with private sector stakeholders occurred at 
multiple levels without clear synchronization. Among the 23 unresolved 
action items, 9 are pending resolution, meaning that the Coast Guard 
has taken steps to address an action item and is conducting a review 
to determine whether the steps are sufficient to change the action 
item's status to "resolved." According to Coast Guard data, among the 
9 action items that are pending resolution, the latest anticipated 
resolution date is December 31, 2012. 

Table 3: Status of Action Items Resulting from National Level Exercise 
2009: 

Action office: DHS; 
Total: 12; 
Resolved action items: 0; 
Action items pending resolution: 0; 
Action items not resolved: 12. 

Action office: Coast Guard Commandant; 
Total: 34; 
Resolved action items: 26; 
Action items pending resolution: 6; 
Action items not resolved: 2. 

Action office: Atlantic Area Command; 
Total: 4; 
Resolved action items: 4; 
Action items pending resolution: 0; 
Action items not resolved: 0. 

Action office: District 8; 
Total: 24; 
Resolved action items: 21; 
Action items pending resolution: 3; 
Action items not resolved: 0. 

Action office: Sector Corpus Christi; 
Total: 11; 
Resolved action items: 11; 
Action items pending resolution: 0; 
Action items not resolved: 0. 

Action office: Sector Houston/Galveston; 
Total: 6; 
Resolved action items: 6; 
Action items pending resolution: 0; 
Action items not resolved: 0. 

Action office: Sector New Orleans; 
Total: 20; 
Resolved action items: 20; 
Action items pending resolution: 0; 
Action items not resolved: 0. 

Action office: Total; 
Total: 111; 
Resolved action items: 88; 
Action items pending resolution: 9; 
Action items not resolved: 14. 

Source: GAO analysis of Coast Guard data maintained in the Coast 
Guard's Remedial Action Management Program database. 

[End of table] 

There is little information available on the status of action items 
assigned to DHS because, according to an official at DHS's Office of 
Operations Coordination and Planning, at the time the Coast Guard 
assigned these action items, DHS did not have a clear process for 
tracking DHS-internal action items. However, according to this DHS 
official, DHS is in the process of changing the way it tracks such 
action items. In particular, the National Exercise Division within the 
Federal Emergency Management Agency is working to establish a DHS 
Exercise and Evaluation Program, which will include a process for the 
National Exercise Division to coordinate DHS internal action items. 

[End of section] 

Appendix III: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, D.C. 20525: 

October 24, 2011: 

Stephen L. Caldwell: 
Director, Homeland Security and Justice: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Re: Draft Report GAO-12-37, "Maritime Security: Coast Guard Should 
Conduct Required Inspections of Offshore Energy Infrastructure" 

Dear Mr. Caldwell: 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security appreciates the U.S. 
Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

The Department is pleased to note the report's acknowledgment that the 
United States Coast Guard has taken actions to address the security of 
Outer Continental Shelf (OCS) facilities and those of the deepwater 
ports. As the lead federal agency for maritime security, the Coast 
Guard remains committed to continuing its work with its interagency 
partners to meet the challenge of security in these facilities and 
ports for the safety of our Nation. 

The draft report contained three recommendations directed to the Coast 
Guard, with which the Department concurs. Specifically, GAO 
recommended that the Commandant of the Coast Guard: 

Recommendation 1: Develop policies and procedures to monitor and track 
annual security inspections for OCS facilities to better ensure that 
such inspections are consistently conducted. 

Response: Concur. In 2008, Coast Guard District Eight requested the 
Marine Information for Safety and Law Enforcement (MISLE) database to 
include features to identify if a vessel or facility was regulated as 
an OCS facility under the Maritime Transportation Security Act (MTSA, 
33 CFR 106). This feature has since been approved for addition to the 
MISLE database and will be incorporated into a future update of the 
database. Additionally, the Coast Guard is updating OCS facility 
policy guidance for field units and anticipates completion in calendar 
year (CY) 2012. 

Recommendation 2: Make improvements to the MISLE database or MISLE 
guidance to better ensure that all OCS facilities, both fixed and 
floating, are accurately and consistently identified and that the 
results of security inspections are consistently recorded to allow for 
better data analyses and management of the security inspections 
process. 

Response: Concur. The Coast Guard has developed a MISLE database 
process guide that has greatly improved database quality. This process 
guide was released in CY 2011.  

Recommendation 3: Ensure that information on deepwater ports in MISLE 
can be used as a management tool for decision-making. These actions 
should include (1) issuing guidance on how information on deepwater 
ports and their security inspections should be entered into MISLE; (2) 
defining deepwater ports in MISLE guidance; and (3) making any changes 
necessary in the database to ensure that deepwater ports regulated 
under 33 C.F.R. parts 148-150 can be identified within MISLE. 

Response: Concur. Deepwater ports have not traditionally been 
inspected under MTSA. However, in the permitting of deepwater ports, 
security plans are required to be developed. The modification of the 
MISLE database to include non-MTSA facilities is planned, but will 
require substantial lead time to complete. A request for a change to 
the database was approved in CY 2011.  

Again, thank you for the opportunity to review and comment on this 
draft report. Technical and sensitivity comments were provided under 
separate cover. We look forward to working with you on future Homeland 
Security issues.  

Sincerely, 

Signed by: 

Jim H. Crumpacker: 
Director: 
Departmental GAO-OIG Liaison Office: 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Stephen L. Caldwell, (202) 512-9610 or caldwells@gao.gov: 

Acknowledgments: 

Key contributors to this report were Christopher Conrad, Assistant 
Director; Neil Asaba, Analyst-in-Charge; Alana Finley; Colleen 
McEnearney; and Erin O'Brien. Chuck Bausell contributed economic 
expertise, Pamela Davidson assisted with design and methodology, 
Thomas Lombardi provided legal support, Joshua Ormond provided 
assistance with graphics, and Jessica Orr provided assistance in 
report preparation. 

[End of section] 

Related GAO Products: 

Maritime Security: Progress Made, but Further Actions Needed to Secure 
the Maritime Energy Supply. [hyperlink, 
http://www.gao.gov/products/GAO-11-883T]. Washington, D.C.: August 24, 
2011. 

Maritime Security: Updating U.S. Counterpiracy Action Plan Gains 
Urgency as Piracy Escalates off the Horn of Africa. [hyperlink, 
http://www.gao.gov/products/GAO-11-449T]. Washington, D.C.: March 15, 
2011. 

Maritime Security: Federal Agencies Have Taken Actions to Address 
Risks Posed By Seafarers, but Efforts Can Be Strengthened. [hyperlink, 
http://www.gao.gov/products/GAO-11-195]. Washington, D.C.: January 14, 
2011. 

Maritime Security: Ferry Security Measures Have Been Implemented, but 
Evaluating Existing Studies Could Further Enhance Security. 
[hyperlink, http://www.gao.gov/products/GAO-11-207]. Washington, D.C.: 
December 3, 2010. 

Maritime Security: Actions Needed to Assess and Update Plan And 
Enhance Collaboration among Partners Involved in Countering Piracy off 
the Horn of Africa. [hyperlink, 
http://www.gao.gov/products/GAO-10-856]. Washington, D.C.: September 
24, 2010. 

Maritime Security: DHS Progress and Challenges in Key Areas of Port 
Security. [hyperlink, http://www.gao.gov/products/GAO-10-940T]. 
Washington, D.C.: July 21, 2010. 

Maritime Security: Varied Actions Taken to Enhance Cruise Ship 
Security, but Some Concerns Remain. [hyperlink, 
http://www.gao.gov/products/GAO-10-400]. Washington, D.C.: April 9, 
2010. 

Maritime Security: Vessel Tracking Systems Provide Key Information, 
but the Need for Duplicate Data Should Be Reviewed. [hyperlink, 
http://www.gao.gov/products/GAO-09-337]. Washington, D.C.: March 17, 
2009. 

Maritime Security: National Strategy and Supporting Plans Were 
Generally Well-Developed and Are Being Implemented. [hyperlink, 
http://www.gao.gov/products/GAO-08-672]. Washington, D.C.: June 20, 
2008. 

Maritime Security: Coast Guard Inspections Identify and Correct 
Facility Deficiencies, but More Analysis Needed of Program's Staffing, 
Practices, and Data. [hyperlink, 
http://www.gao.gov/products/GAO-08-12]. Washington, D.C.: February 14, 
2008. 

Maritime Security: Federal Efforts Needed to Address Challenges in 
Preventing and Responding to Terrorist Attacks on Energy Commodity 
Tankers. [hyperlink, http://www.gao.gov/products/GAO-08-141]. 
Washington, D.C.: December 10, 2007. 

[End of section] 

Footnotes: 

[1] See Pub. L. No. 107-295, 116 Stat. 2064 (2002). 

[2] Maritime security regulations implementing provisions of MTSA 
relevant to this report are codified at parts 101 to 106 of title 33, 
Code of Federal Regulations. 

[3] See Pub. L. No. 109-347, § 103, 120 Stat. 1884, 1888 (2006) 
(codified at 46 U.S.C. § 70103(c)(4)(D)). 

[4] See 33 C.F.R. § 101.105. The OCS is a designation for all 
submerged lands extending seaward from generally 3 nautical miles off 
the coastline to at least 200 nautical miles, and of which the subsoil 
and seabed appertain to the U.S. and are subject to its jurisdiction 
and control. See 43 U.S.C. § 1331(a); 33 C.F.R. § 140.10. 

[5] See 33 C.F.R. § 106.105. Facilities meeting any of the threshold 
criteria are often referred to as MTSA-regulated facilities. 
Production means those activities which take place after the 
successful completion of any means for the removal of minerals, 
including, but not limited to, such removal, field operations, 
transfer of minerals to shore, operation monitoring, maintenance, and 
workover. See 33 C.F.R. § 140.10. According to the Coast Guard, the 
statement "transfer of minerals to shore" encompasses fixed 
facilities that operate as "transmission facilities." Production 
quantities shall be calculated as the sum of all sources of production 
from wells on the primary and any attending platform(s), including the 
throughput of other pipelines transferring product across the same 
platform(s). 

[6] For those facilities that do not meet production or personnel 
thresholds under 33 C.F.R. part 106, the Coast Guard may conduct other 
oversight functions, such as safety inspections. 

[7] See 33 C.F.R. pts. 148-150. 

[8] See 33 C.F.R. § 148.5. Although deepwater ports are generally not 
regulated for security in accordance with MTSA, owners and operators 
generally carry out similar measures to those carried out for OCS 
facilities by, among other things, developing security plans 
comparable to those implemented by OCS facilities pursuant to part 
106. See 33 C.F.R. § 150.15(x). 

[9] The term deepwater port is sometimes used to refer to shoreside 
ports that have deep drafts, which allow large ships to enter these 
ports. This report, however, uses "deepwater port" in accordance with 
its regulatory definition. See 33 C.F.R. § 148.5. 

[10] GAO, Maritime Security: Progress Made, but Further Actions Needed 
to Secure the Maritime Energy Supply, [hyperlink, 
http://www.gao.gov/products/GAO-11-883T] (Washington D.C.: Aug. 24, 
2011). In this testimony, we reported that the Coast Guard has taken 
actions to assess risks to such facilities, such as coordinating its 
risk assessment efforts with the intelligence community and with key 
stakeholders. We also reported that the Coast Guard faces challenges 
in data and scope that hinder its risk assessment efforts. For 
example, we reported that the Coast Guard did not assess the risks to 
12 of 50 OCS facilities in 2011 which, pursuant to Coast Guard risk 
assessment guidance, should have been assessed. The Coast Guard 
generally agreed with our findings and has taken action to conduct the 
required risk assessments. Further, we determined that the Coast 
Guard's current set of policies and procedures do not call for an 
updated list of OCS facilities to be provided to analysts to assess 
the risks to such facilities annually. Doing so is important in that 
the number of OCS facilities could change each year. Coast Guard 
officials acknowledged that their policies and procedures do not 
include this requirement and agreed with our recommendation to revise 
their policies and procedures to add this requirement. 

[11] Currently, the Eighth Coast Guard District in New Orleans, 
Louisiana, and the First Coast Guard District in Boston, 
Massachusetts, are the only two districts that have OCS facilities or 
deepwater ports operating in their respective areas of responsibility. 

[12] GAO, Maritime Security: Coast Guard Inspections Identify and 
Correct Facility Deficiencies, but More Analysis Needed of Program's 
Staffing, Practices, and Data, [hyperlink, 
http://www.gao.gov/products/GAO-08-12] (Washington D.C.: Feb. 14, 
2008). 

[13] BSEE is the federal agency responsible for enforcing safety, 
environment, and conservation compliance regarding offshore resources 
on the OCS. We are currently reviewing, among other things, the 
Department of the Interior's recent reorganization of its bureaus 
which oversee offshore oil and natural gas activities and recent 
policy changes to the way in which it reviews drilling permits and its 
offshore inspection program. We are doing this work at the request of 
the Chairman of the Subcommittee on Oversight, Committee on 
Environment and Public Works, U.S. Senate. We expect to issue this 
related report in winter 2012. 

[14] GAO, Standards for Internal Control in the Federal Government, 
[hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] 
(Washington, D.C.: November 1999). These standards, issued pursuant to 
the requirements of the Federal Managers' Financial Integrity Act of 
1982 (FMFIA), provide the overall framework for establishing and 
maintaining internal control in the federal government. Also pursuant 
to FMFIA, the Office of Management and Budget (OMB) issued Circular 
A-123, revised December 21, 2004, to provide the specific requirements 
for assessing the reporting on internal controls. Internal control 
standards and the definition of internal control in OMB Circular A-123 
are based on GAO's Standards for Internal Control in the Federal 
Government. 

[15] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. 

[16] U.S. Coast Guard, Report of Investigation into the Circumstances 
Surrounding the Explosion, Fire, Sinking and Loss of Eleven Crew 
Members Aboard the Mobile Offshore Drilling Unit Deepwater Horizon in 
the Gulf of Mexico April 20 - 22, 2010, Volume I (Washington, D.C.: 
September 2011). 

[17] On October 1, 2011, BOEMRE reorganized into two independent 
entities: the Bureau of Ocean Energy Management and BSEE. The Bureau 
of Ocean Energy Management is responsible for managing development of 
the nation's offshore resources in an environmentally and economically 
responsible way, and its activities include oversight of leasing, 
environmental studies, and economic analysis. BSEE is responsible for 
enforcing safety and environmental regulations. 

[18] National Commission on the BP Deepwater Horizon Oil Spill and 
Offshore Drilling, Deep Water: The Gulf Oil Disaster and the Future of 
Offshore Drilling (Washington D.C.: January 2011). 

[19] This estimate comes from the National Commission on the BP 
Deepwater Horizon Oil Spill and Offshore Drilling, Deep Water: The 
Gulf Oil Disaster and the Future of Offshore Drilling (Washington 
D.C.: January 2011). 

[20] One technique used by owners and operators to reduce the risk of 
sabotage is to check the background of their employees and other staff 
who board or work on offshore infrastructure. Among other things, they 
use Transportation Worker Identification Credentials (TWIC) that are 
issued by the Transportation Security Administration (TSA)--an agency 
within DHS with primary responsibility for transportation security. 
Owners and operators can require employees and other staff to submit 
to a background investigation by TSA as one means of ensuring 
security. We have previously reported on problems with TWIC, such as 
internal controls in the enrollment and background checking processes 
that are not designed to provide reasonable assurance that (1) only 
qualified individuals can acquire TWICs; (2) adjudicators follow a 
process with clear criteria for applying discretionary authority when 
applicants are found to have extensive criminal convictions; or (3) 
once issued a TWIC, TWIC-holders have maintained their eligibility. 
See GAO, Transportation Worker Identification Credential: Internal 
Control Weaknesses Need to Be Corrected to Help Achieve Security 
Objectives, [hyperlink, http://www.gao.gov/products/GAO-11-657] 
(Washington D.C.: May 10, 2011). 

[21] According to a Coast Guard official, some of these facilities may 
also be involved in producing oil, but their primary function is as a 
transmission facility. 

[22] A floating OCS facility is a buoyant OCS facility securely and 
substantially moored so that it cannot be moved without a special 
effort and includes tension leg platforms and permanently moored 
semisubmersibles or shipshape hulls, but does not include mobile 
offshore drilling units or other vessels. However, for the purposes of 
this report, we include non-self-propelled MODUs that meet relevant 
production or personnel thresholds in the category of floating OCS 
facilities because such MODUs are also regulated for security under 33 
C.F.R. part 106. 

[23] Floating offshore installations include, but are not limited to, 
tension leg platforms, semisubmersible floating production systems, 
and spar platforms. 

[24] According to the Coast Guard, on April 13, 2011, the LNG 
deepwater port in the Gulf of Mexico gave notice of its intent to be 
decommissioned in the near future. 

[25] See, e.g., Navigation and Vessel Inspection Circular (NVIC) 
05-03, Implementation Guidance for the Maritime Security Regulations 
Mandated by the Maritime Transportation Security Act of 2002 for Outer 
Continental Shelf Facilities (December 15, 2003) and NVIC 03-05, 
Guidance for Oversight of Post-Licensing Activities Associated with 
Development of Deepwater Ports (May 16, 2005). We refer to NVIC 05-03 
as "OCS facility guidance" and NVIC 03-05 as "deepwater port guidance." 

[26] See, e.g., 33 C.F.R. §§ 106.200-.280. Corporate security 
officials told us that they also apply security measures to offshore 
facilities that do not meet the thresholds for production or personnel 
under 33 C.F.R. part 106. 

[27] The primary function of the National Response Center is to serve 
as the sole national point of contact for reporting all oil, chemical, 
radiological, biological, and other discharges into the environment 
anywhere in the United States and its territories. In addition, the 
National Response Center serves as a conduit of information to and 
from law enforcement agencies. This includes reports of suspicious 
activity and actual security breaches. 

[28] See 33 C.F.R. §§ 106.300-.310 (addressing facility security 
assessments), 106.400-.415 (addressing facility security plans). 

[29] See 33 C.F.R. § 150.15(x). 

[30] According to the Coast Guard, the Gulf of Mexico Area Maritime 
Security Plan is one of 43 Area Maritime Security Plans that were 
developed in 2004. The Coast Guard completed a formal 5-year review 
and approval process for these plans in August 2009. According to the 
Coast Guard, during this process the plans were updated to implement 
additional requirements of the SAFE Port Act regarding the inclusion 
of salvage response plans. Coast Guard policy requires that each plan 
be reviewed on an annual basis, and these plans are to be tested 
annually within an Area Maritime Security Training and Exercise 
Program exercise. 

[31] Additional exercises include a 2006 exercise to assess and 
validate information and procedures in the Gulf of Mexico Area 
Maritime Security Plan and a 2008 exercise scenario that involved a 
terrorist seizure of one or more offshore oil platforms. 

[32] These remedial action items are corrective actions that the Coast 
Guard tracks and analyzes as part of a continuous corrective action 
program. 

[33] Maritime Security (MARSEC) Levels advise the maritime community 
and the public of the level of risk to the maritime elements of the 
national transportation system. The Coast Guard uses the three-tiered 
system of MARSEC Levels, which is designed to easily communicate to 
Coast Guard assets and its maritime industry partners preplanned 
responses for credible threats. MARSEC Levels are set to reflect the 
prevailing threat environment to the marine elements of the national 
transportation system, including ports, vessels, facilities, and 
critical assets and infrastructure located on or adjacent to waters 
subject to the jurisdiction of the United States. MARSEC Levels apply 
to vessels, Coast Guard-regulated facilities within the jurisdiction 
of the United States, and to Coast Guard operations. 

[34] The Director of National Intelligence serves as the head of the 
Intelligence Community, overseeing and directing the implementation of 
the National Intelligence Program and acting as the principal advisor 
to the President, the National Security Council, and the Homeland 
Security Council for intelligence matters related to the national 
security. The goal of the Office of the Director of National 
Intelligence is to effectively integrate foreign, military, and 
domestic intelligence in defense of the homeland and of United States 
interests abroad. 

[35] 33 C.F.R. § 106.405 lists the required components of a facility 
security plan, which are further described throughout part 106. 

[36] See, e.g., 46 U.S.C. § 70103(c)(4)(D). 

[37] We use the term OCS facility guidance to refer to the Coast 
Guard's NVIC 05-03, Implementation Guidance for the Maritime Security 
Regulations Mandated by the Maritime Transportation Security Act of 
2002 for Outer Continental Shelf Facilities (December 15, 2003). 

[38] The Coast Guard conducts annual security inspections for the 
purpose of ensuring compliance with applicable security requirements 
and verifying the effectiveness of facility security plans. Pursuant 
to 46 U.S.C. § 70103(c)(4)(D), as amended by the SAFE Port Act of 
2006, the Secretary of Homeland Security, subject to the availability 
of appropriations, must verify the effectiveness of facility security 
plans periodically, but not less than two times per year, at least one 
of which must be an inspection of the facility conducted without 
notice. Coast Guard officials stated that in many cases, unannounced 
inspections can be logistically challenging because of the 
arrangements that are needed to fly out to OCS facilities. The 2003 
OCS facility guidance (NVIC 05-03) provides for annual security 
inspections but does not specifically address the 2006 amendment to § 
70103(c)(4)(D). This report, however, focuses on Coast Guard efforts 
to conduct annual inspections of facilities regulated under 33 C.F.R. 
part 106 pursuant to its existing guidance. 

[39] We only present security inspection data from 2008 through 2010. 
We also analyzed security inspection data for 2011 (through June 24, 
2011), but did not report on this information because most of the 
annual security inspections on OCS facilities are typically not 
conducted until the fall. From January through June 2011, the Coast 
Guard conducted four inspections of the OCS facilities. 

[40] Per Coast Guard regulations, all fixed offshore facilities 
engaged in OCS activities are subject to inspection by BSEE, formerly 
the Minerals Management Service, on behalf of the Coast Guard. 
According to a mutually agreed upon arrangement between the two 
agencies, the Coast Guard will conduct the initial safety inspection 
on new fixed OCS facilities, after which BSEE handles subsequent 
safety inspections. However, for floating facilities the Coast Guard 
still carries out various inspections throughout the year, including 
hull inspections. 

[41] For more information on how we addressed and corrected data 
issues pertaining to the inconsistencies in how security inspections 
were recorded in MISLE, see appendix I. 

[42] Our prior work involving the MISLE database has also noted flaws 
that complicated the Coast Guard's ability to analyze inspection 
activities. For example, in February 2008 we reported that the Coast 
Guard was limited in its ability to accurately assess shoreside 
facility oversight activities because the MISLE database suffered from 
such problems as missing, duplicate, and inconsistent compliance 
activity data. We recommended that the Secretary of Homeland Security 
direct the Commandant of the Coast Guard to assess MISLE compliance 
data, including the completeness of the data, data entry, and 
consistency, and make any changes needed to more effectively use MISLE 
data. DHS agreed with this recommendation. In response to our findings 
in that report, the Coast Guard described steps taken to improve 
consistency and data entry time. In June 2011, DHS's Office of the 
Inspector General reviewed the Coast Guard's offshore vessel 
inspection program and similarly noted that improvements are needed to 
ensure the completeness and accuracy of vessel safety inspection data 
input into MISLE. See GAO, Maritime Security: Coast Guard Inspections 
Identify and Correct Facility Deficiencies, but More Analysis Needed 
of Program's Staffing, Practices, and Data, [hyperlink, 
http://www.gao.gov/products/GAO-08-12] (Washington, D.C.: Feb. 14, 
2008). 

[43] A data field is a location in a data set where the same 
information (such as facility name) is entered for each case. 

[44] For more information on how we identified OCS facilities in the 
MISLE data for our analysis, see appendix I. 

[45] Using the alternative method, officials select the data field for 
shore-based facilities regulated under 33 C.F.R. part 105 and note that
the fixed OCS facility is regulated under 33 C.F.R. part 106 in its 
facility description. According to officials, this method will help 
them to identify the OCS facilities regulated under 33 C.F.R. part 106 
until other changes are made to the MISLE database. 

[46] For more information on how we addressed and corrected data 
issues pertaining to multiple entries for the same OCS facility, see 
appendix I. 

[47] According to Coast Guard officials, floating OCS facilities are 
considered "vessels" in MISLE based on their structural components. 
For example, floating OCS facilities, like vessels, have hulls and 
require hull inspections. 

[48] For more information on how we addressed and corrected data 
issues pertaining to OCS facilities listed as both a fixed and 
floating OCS facility in MISLE, see appendix I. 

[49] We have identified such practices in prior work. See GAO, 
Managing for Results: Enhancing Agency Use of Performance Information 
for Management Decision Making, [hyperlink, 
http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 9, 
2005). 

[50] See GAO, Results-Oriented Government: GPRA Has Established a 
Solid Foundation for Achieving Greater Results, [hyperlink, 
http://www.gao.gov/products/GAO-04-38] (Washington, D.C.: Mar. 10, 
2004). 

[51] The most recent update to the Boston Area Maritime Security Plan 
occurred in March 2009, prior to one of the two LNG deepwater ports 
becoming operational. However, the anticipated time frame for the port 
becoming operational is mentioned in the plan. The ongoing and annual 
reviews and exercises of Area Maritime Security Plans support periodic 
plan refinements between the formal review and approvals, which occur 
on a 5-year cycle, to maintain currency. The next formal nationwide 
Area Maritime Security Plan review and approval cycle is scheduled to 
be completed in 2014. 

[52] According to the Coast Guard, Coast Guard exercises have not 
included the two LNG deepwater ports in the Massachusetts Bay because, 
due to the infrequency of shipments arriving at the deepwater port, 
other port facilities are considered to be higher risk. However, the 
deepwater port owners and operators have conducted exercises and 
drills as required by regulation. 

[53] See 33 C.F.R. § 150.5(x). 

[54] According to the Coast Guard, it does not have authority to 
establish permanent security zones around OCS facilities or deepwater 
ports located beyond the territorial sea, which extends 12 nautical 
miles from the coast. The two LNG deepwater ports in Massachusetts Bay 
are located within the territorial sea, but the LOOP is further away 
from the coast. 

[55] See 33 C.F.R. pt. 165, subpart D. 

[56] See 33 C.F.R. § 165.33. Violation of Coast Guard-established 
security zones may subject the offending party to civil or criminal 
penalties as appropriate. 

[57] The LOOP also has a private security patrol boat that monitors 
the area surrounding the deepwater port. 

[58] See 33 C.F.R. §§ 150.100 (providing that a marine inspector may 
conduct an inspection of a deepwater port, with or without advance 
notice, at any time the Officer in Charge of Marine Inspection deems 
necessary); 150.105 (providing that the owner or operator of each 
manned deepwater port must ensure compliance with applicable 
requirements through regular inspections conducted annually). 

[59] The Coast Guard conducts inspections of U.S.-flagged vessels and 
examinations of foreign-flagged vessels pursuant to 33 C.F.R. part 104 
to ensure compliance with applicable security requirements. See 33 
C.F.R. § 104.115. All of the vessels that deliver LNG to the deepwater 
ports in Massachusetts Bay are foreign-flagged. 

[60] Although deepwater ports are not considered to be
"MTSA-regulated" (that is, do not meet the regulatory criteria of 33
C.F.R. parts 101-106), Coast Guard officials explained that MTSA nonetheless
influenced the security requirements for deepwater ports. For example, 
deepwater ports must have a security plan comparable to security plans 
required under part 106 and must participate in the TWIC program. 

[61] We use the term deepwater port guidance to refer to the Coast 
Guard's NVIC 03-05, Guidance for Oversight of Post-Licensing 
Activities Associated with Development of Deepwater Ports (May 16, 
2005). There are two types of inspections that apply to deepwater 
ports: Coast Guard biennial inspections and owner/operator
self-inspections. Coast Guard guidance states that the Coast Guard should
conduct an initial inspection prior to a port's initial operation and 
biennially thereafter. However, the scope of the biennial inspections 
is left to the discretion of the responsible Coast Guard field unit. 
By regulation, the owner or operator of each staffed deepwater port 
must ensure that the port is annually inspected to determine whether 
the facility is in compliance with regulatory requirements. See 33 
C.F.R. § 150.105. However, according to the Coast Guard, the
self-inspections typically focus on maintenance and repair issues. The
LOOP, the only staffed deepwater port, has submitted self-inspection 
reports to the Coast Guard; however, none of its self-inspection 
reports from 2008 through 2010 specifically addressed security issues. 
Deepwater port inspection requirements are not security specific. 

[62] Whereas the Coast Guard promulgates regulations governing the
security of OCS facilities pursuant to MTSA, the Coast Guard promulgates
regulations governing deepwater ports pursuant to the Deepwater Port 
Act of 1974, Pub. L. No. 93-627, 88 Stat. 2126 (1975), as amended. See 
33 U.S.C. §§ 1501-24. 

[63] A transportation security incident is defined as a security 
incident resulting in a significant loss of life, environmental 
damage, transportation system disruption, or economic disruption in a 
particular area. See 33 C.F.R. § 101.105. Subject to the availability 
of appropriations, the Coast Guard has responsibility for periodically 
verifying the effectiveness of the security plan at each facility that 
may be involved in a transportation security incident, but not less 
than two times per year, at least one of which should be an inspection 
of the facility that is conducted without notice to the facility. See 
46 U.S.C. § 70103(c)(2)(A), (c)(4)(D). Although the Coast Guard does 
not consider deepwater ports to be OCS facilities for purposes of part 
106 security regulation, the Coast Guard recognizes that a deepwater 
port may nonetheless be involved in a transportation security incident. 

[64] 33 C.F.R. § 148.5 defines a deepwater port as a fixed or floating 
manmade structure located beyond state seaward boundaries that is used 
or intended for use as a port or terminal for the transportation, 
storage, or handling of oil or natural gas for transportation to any 
state and includes the transportation of oil or natural gas from the 
United States's OCS. 

[65] The Deepwater Horizon was registered to the Republic of the 
Marshall Islands. 

[66] The Coast Guard's security regulations--33 C.F.R. parts 101 
through 106--are consistent with the ISPS Code. The International 
Maritime Organization is the international body responsible for 
improving maritime safety. It primarily regulates maritime safety and 
security through the International Convention for the Safety of Life 
at Sea, 1974. 

[67] The Deepwater Horizon was self-propelled and foreign-flagged. 

[68] As a self-propelled, foreign-flagged MODU, the Deepwater Horizon 
was subject to the requirements of the ISPS Code. In July 2009, Coast 
Guard inspectors conducted a certificate of compliance examination on 
the Deepwater Horizon in which the inspectors reviewed all applicable 
licenses and other compliance documents, including those related to 
security; the inspectors found no deficiencies during this examination. 

[69] Currently, there are no MODUs subject to regulation under 33 
C.F.R. part 106. For a MODU to be regulated under 33 C.F.R. part 106, 
it must exceed any one of three thresholds for production or 
personnel--(1) producing greater than 100,000 barrels of oil a day; 
(2) producing more than 200 million cubic feet of natural gas per day; 
or (3) hosting more than 150 persons for 12 hours or more in each
24-hour period continuously for 30 days or more. MODUs are involved with
drilling rather than production, and therefore, they are only likely 
to be regulated under part 106 if they exceed the personnel threshold. 

[70] Deepwater is defined as water more than 1,000 feet deep. 

[End of section] 
