GAO-10-901, Homeland Security: Addressing Weaknesses with Facility Security Committees Would Enhance Protection of Federal Facilities


This is the accessible text file for GAO report number GAO-10-901 
entitled 'Homeland Security: Addressing Weaknesses with Facility 
Security Committees Would Enhance Protection of Federal Facilities' 
which was released on August 5, 2010. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 
GAO: 

August 2010: 

Homeland Security: 

Addressing Weaknesses with Facility Security Committees Would Enhance 
Protection of Federal Facilities: 

GAO-10-901: 

GAO Highlights: 

Highlights of GAO-10-901, a report to congressional requesters. 

Why GAO Did This Study: 

To accomplish its mission of protecting about 9,000 federal 
facilities, the Federal Protective Service (FPS) currently has a 
budget of about $1 billion, about 1,225 full-time employees, and about 
15,000 contract security guards. However, protecting federal 
facilities and their occupants from a potential terrorist attack or 
other acts of violence remains a daunting challenge for the Department 
of Homeland Security’s (DHS) Federal Protective Service. 

GAO has issued numerous reports on FPS’s efforts to protect the 
General Services Administration’s (GSA) facilities. This report (1) 
recaps the major challenges we reported that FPS faces in protecting 
federal facilities and discusses FPS’s efforts to address them and (2) 
identifies an additional challenge that FPS faces related to the 
facility security committees (FSC), which are responsible for 
addressing security issues at federal facilities. This report is based 
primarily on our previous work and recent FPS interviews. 

What GAO Found: 

Since 2007, we have reported that FPS faces significant challenges 
with protecting federal facilities, and in response FPS has recently 
started to take steps to address some of them. In 2008, we reported 
that FPS does not use a risk management approach that links threats 
and vulnerabilities to resource requirements. Without a risk 
management approach that identifies threats and vulnerabilities and 
the resources required to achieve FPS’s security goals, there is 
limited assurance that programs will be prioritized and resources will 
be allocated to address existing and potential security threats in an 
efficient and effective manner. FPS recently began implementing a new 
system referred to as the Risk Assessment Management Program (RAMP). 
This system is designed to be a central database for capturing and 
managing facility security information, including the risks posed to 
federal facilities and the countermeasures that are in place to 
mitigate risk. FPS expects that RAMP will enhance its approach to 
assessing risk, managing human capital, and measuring performance. Our 
July 2009 report on FPS’s contract guard program also identified a 
number of challenges that the agency faces in managing its contract 
guard program, including ensuring that the 15,000 guards that are 
responsible for helping to protect federal facilities have the 
required training and certification to be deployed at a federal 
facility. In response to our report, FPS took a number of immediate 
actions with respect to contract guard management. For example, FPS 
has increased the number of guard inspections it conducts at federal 
facilities in some metropolitan areas and revised its guard training. 
We have not reviewed whether these actions are sufficient to fulfill 
our recommendations. Another area of continuing concern is that FPS 
continues to operate without a human capital plan and does not have an 
accurate estimate of its current and future workforce needs. In our 
July 2009 report, we recommended that FPS develop a human capital plan 
to guide its current and future workforce planning efforts. While FPS 
agreed with this recommendation, it has not yet fully developed or 
implemented a human capital plan. 

As we reported in 2009, FPS’s ability to protect GSA facilities is 
further complicated by the FSC structure. Each FSC includes FPS, GSA, 
and a tenant agency representative and is responsible for addressing 
security issues at its respective facility and approving the funding 
and implementation of security countermeasures recommended by FPS. 
However, there are several weaknesses with the FSC. First, FSCs have 
operated since 1995 without procedures that outline how they should 
operate or make decisions, or that establish accountability. Second, 
the tenant agency representatives to the FSC generally do not have any 
security knowledge or experience but are expected to make security 
decisions for their respective agencies. Third, many of the FSC tenant 
agency representatives also do not have the authority to commit their 
respective organizations to fund security countermeasures. No actions 
have been taken on these issues since our 2009 report, and thus these 
weaknesses continue to result in ad hoc security and increased risk at 
some federal facilities. 

What GAO Recommends: 

GAO recommends that the Secretary of DHS direct the Director of FPS to 
work in consultation with other representatives of the FSC to develop 
and implement procedures that, among other things, outline the 
committees’ organization structure, operations, and accountability. 
DHS concurred with GAO’s recommendation. 

View [hyperlink, http://www.gao.gov/products/GAO-10-901] or key 
components. For more information, contact Mark Goldstein at (202) 512-
2834 or goldsteinm@gao.gov. 

[End of section] 

Contents: 

Letter: 

FPS Faces Challenges in Protecting Federal Facilities and Is Taking 
Some Actions to Address Them: 

Facility Security Committee Structure Hampers Protection of Federal 
Facilities: 

Conclusions: 

Recommendation for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Status of GAO Recommendations to the Federal Protective 
Service: 

Appendix II: Comments from the Department of Homeland Security: 

Appendix III: GAO Contacts and Staff Acknowledgments: 

Abbreviations: 

DHS: Department of Homeland Security: 

FPS: Federal Protective Service: 

FSA: facility security assessment: 

FSC: facility security committee: 

GSA: General Service Administration: 

ICE: Immigration and Customs Enforcement: 

ISC: Interagency Security Committee: 

NIPP: National Infrastructure Protection Plan: 

NPPD: National Protection and Programs Directorate: 

RAMP: Risk Assessment Management Program: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

August 5, 2010: 

Congressional Requesters: 

Protecting federal facilities and their occupants from a potential 
terrorist attack or other acts of violence remains a daunting 
challenge for the Department of Homeland Security's (DHS) Federal 
Protective Service (FPS). Since 2008, our work has shown that FPS has 
experienced significant operational, management, and funding 
challenges that have hampered its ability to protect the 9,000 federal 
facilities under the control and custody of the General Services 
Administration (GSA). We have made numerous recommendations to help 
FPS address these challenges, and while DHS agreed with our 
recommendations, the majority of them have not yet been fully 
implemented. See appendix I for a complete list of our recommendations 
and their current status. 

To assist Congress in its oversight of FPS, this report (1) recaps the 
major challenges we reported that FPS faces in protecting federal 
facilities and discusses actions FPS is taking to address them and (2) 
identifies an additional challenge FPS faces related to the facility 
security committees (FSC). Each FSC consists of representatives from 
each of the tenant agencies in the federal facility and is responsible 
for addressing security issues at their respective facility and 
approving the implementation of security countermeasures recommended 
by FPS. This report is based primarily on our previous work and recent 
interviews with FPS officials to obtain the current status of planned 
initiatives.[Footnote 1] We conducted our work from January 2010 
through July 2010 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a 
reasonable basis for our findings and conclusions based on our audit 
objectives. 

FPS Faces Challenges in Protecting Federal Facilities and Is Taking 
Some Actions to Address Them: 

FPS Has Begun to Develop a Risk Management Approach to Protecting 
Federal Facilities: 

In 2008, we reported that FPS does not use a comprehensive risk 
management approach that links threats and vulnerabilities to resource 
requirements.[Footnote 2] Without a risk management approach that 
identifies threats and vulnerabilities and the resources required to 
achieve FPS's security goals, there is only limited assurance that 
programs will be prioritized and resources will be allocated to 
address existing and potential security threats in an efficient and 
effective manner. FPS uses a facility-by-facility approach to risk 
management. Under this approach, FPS assumes that all facilities with 
the same security level have the same risk regardless of their 
location. For example, a level IV facility in a metropolitan area is 
generally treated the same as one in a rural area.[Footnote 3] We also 
reported in 2008 that FPS's approach does not include a process for 
examining comprehensive risk across the entire portfolio of GSA's 
facilities. Both our and DHS's risk management frameworks include 
processes for assessing comprehensive risk across assets in order to 
prioritize countermeasures based on the overall needs of the system. 
FPS's building-by-building approach, however, prevents it from 
comprehensively identifying and prioritizing vulnerabilities and 
making countermeasure recommendations at a strategic level.[Footnote 4] 

Over the years we have advocated the use of a risk management approach 
that links threats and vulnerabilities to resource requirements and 
allocation. A risk management approach entails a continuous process of 
managing risk through a series of actions, including setting strategic 
goals and objectives, assessing risk, allocating resources based on 
risk, evaluating alternatives, selecting initiatives to undertake, and 
implementing and monitoring those initiatives. Risk assessment, an 
important element of a risk management approach, helps decision makers 
identify and evaluate potential risks so that countermeasures can be 
designed and implemented to prevent or mitigate the effects of the 
risks. 

In response to our recommendations in this area, FPS began developing 
a new system referred to as the Risk Assessment Management Program 
(RAMP). This system is designed to be a central database for capturing 
and managing facility security information, including the risks posed 
to federal facilities and the countermeasures in place to mitigate 
risk. FPS also anticipates that RAMP will allow inspectors to obtain 
information from one electronic source, generate reports 
automatically, enable FPS to track selected countermeasures throughout 
their life cycle, address some concerns about the subjectivity 
inherent in facility security assessments (FSA), and reduce the amount 
of time inspectors and managers spend on administrative work.[Footnote 
5] FPS designed RAMP so that it will produce risk assessments that are 
compliant with Interagency Security Committee (ISC) standards, which, 
among other things, require risk assessment methodologies to be 
credible, reproducible, and defensible and for FSAs to be done every 3 
to 5 years.[Footnote 6] According to FPS, RAMP is also compatible with 
the risk management framework set forth by the National Infrastructure 
Protection Plan (NIPP), and consistent with the business processes 
outlined in the memorandum of agreement with GSA.[Footnote 7] 

According to FPS, RAMP will support all components of the FSA process, 
including gathering and reviewing building information; conducting and 
recording interviews; assessing threats, vulnerabilities, and 
consequences to develop a detailed risk profile; recommending 
appropriate countermeasures; and producing FSA reports. FPS also plans 
to use RAMP to track and analyze certain workforce data, contract 
guard program data, and other performance data, such as the types and 
definitions of incidents and incident response times. Currently, FPS 
is in the process of implementing the first phase of RAMP and plans to 
have it fully implemented by the end of 2011. We are reviewing the 
design and implementation of RAMP and will provide Congress with a 
final report next year. 

FPS Has Taken Some Steps to Improve Oversight of the Contract Guard 
Program: 

We reported in July 2009 and April 2010 that FPS faces challenges in 
ensuring that many of the 15,000 contract security guards that FPS 
relies on to help protect federal facilities have the required 
training and certification to be deployed at federal 
facilities.[Footnote 8] We also identified substantial security 
vulnerabilities related to FPS's guard program. Each time they tried, 
in April and May 2009, our investigators successfully passed 
undetected through security checkpoints monitored by FPS's guards, 
with the components for an improvised explosive device concealed on 
their persons at 10 level IV facilities in four major metropolitan 
areas. FPS also took a number of immediate actions to address concerns 
raised about contract guard management in our July 2009 contract guard 
report. For example, since July 2009, FPS has increased its 
penetration tests in some regions and the number of guard inspections 
it conducts at federal facilities in some metropolitan areas. FPS 
currently requires its inspectors to complete two guard inspections a 
week at level IV facilities. Prior to this new requirement, FPS did 
not have a national requirement for guard inspections, and each region 
we visited had requirements ranging from no inspections to five 
inspections per month per FPS inspector. FPS is also in the process of 
providing additional X-ray and magnetometer training in response to 
our July 2009 testimony. FPS anticipates that guards will be fully 
trained by the end of 2010. Under FPS's revised training program, 
inspectors must receive 30 hours of X-ray and magnetometer training 
and guards must receive 16 hours. Prior to this revision, guards 
needed 8 hours of training on X-ray and magnetometer machines. 
However, despite these changes, we remain concerned about FPS's 
oversight of the contract guard program and made recommendations for 
additional improvements in our April 2010 report. For example, we 
reported that despite FPS's recent actions, guards were continuing to 
neglect or inadequately perform their assigned responsibilities. We 
also remained concerned that FPS had not acted diligently in ensuring 
the terms of its guard contract and taken enforcement action when 
noncompliance occurred. Thus, we recommended, among other things, that 
FPS identify other approaches that would be cost-beneficial for 
protecting federal facilities. FPS agreed with this recommendation but 
has not yet implemented it. 

DHS Transferred FPS to NPPD: 

We have reported on several issues related to locating FPS within 
DHS's Immigration and Customs Enforcement (ICE). For example, we 
reported in 2008 that some of FPS's operational and funding challenges 
stemmed from it being part of ICE. In October 2009, to enable FPS to 
better focus on its primary facility protection mission, the Secretary 
of Homeland Security transferred FPS from ICE to the National 
Protection and Programs Directorate (NPPD). According to DHS, 
transferring FPS to NPPD will enhance oversight and efficiency while 
maximizing the department's overall effectiveness in protecting 
federal buildings across the country. We are reviewing the transition 
of FPS into NPPD and will provide Congress with a final report in 2011. 

Several Key Workforce Issues Remain Unresolved: 

FPS has yet to fully ensure that its recent move to an inspector-based 
workforce does not hinder its ability to protect federal facilities. 
In 2007, FPS essentially eliminated its police officer position and 
moved to an all-inspector-based workforce. FPS also decided to place 
more emphasis on physical security activities, such as completing 
FSAs, and less emphasis on law enforcement activities, such as 
proactive patrol. We reported in 2008 that these changes may have 
contributed to diminished security and increases in inspectors' 
workload. Specifically, we found that when FPS is not providing 
proactive patrol at some federal facilities, there is an increased 
potential for illegal entry and other criminal activity. For example, 
in one city we visited, a deceased individual had been found in a 
vacant GSA facility that was not regularly patrolled by FPS. 

Under its inspector-based workforce approach, FPS will rely more on 
local police departments to handle crime and protection issues at 
federal facilities. However, at about 400 federal facilities across 
the United States, the federal government has exclusive jurisdiction, 
and it is unclear if local police have the authority to respond to 
incidents inside those facilities. Additionally, FPS has not entered 
into any memorandums of agreement for increased law enforcement 
assistance at federal facilities. In most of the cities we visited, 
local law enforcement officials said they would not enter into any 
agreements with FPS that involve increased responsibility for 
protecting federal facilities because of liability concerns, existing 
shortages of staff, and the need to respond to crime in their cities 
that would make it difficult to divert resources from their primary 
mission. For example, local law enforcement officials from one 
location we visited said they are significantly understaffed and 
overburdened with their current mission and would not be able to take 
responsibility for protecting federal facilities. We believe that it 
is important that FPS ensure that its decision to move to an inspector-
based workforce does not hamper its ability to protect federal 
facilities. We recommended in 2008 that FPS clarify roles and 
responsibilities of local law enforcement agencies in responding to 
incidents at GSA facilities. While FPS agreed with this 
recommendation, FPS has decided not to pursue agreements with local 
law enforcement officials, in part because of reluctance on the part 
of local law enforcement officials to sign such agreements. In 
addition, FPS believes that the agreements are not necessary because 
96 percent of the properties in its inventory are listed as concurrent 
jurisdiction facilities where both federal and state governments have 
jurisdiction over the property. Nevertheless, we continue to believe 
that these agreements would, among other things, clarify roles and 
responsibilities of local law enforcement agencies when responding to 
crime or other incidents. 

While FPS has recently increased the size of its workforce as mandated 
by Congress, we reported in our 2009 report that FPS has operated 
without a human capital plan.[Footnote 9] We recommended that FPS 
develop a human capital plan to guide its current and future workforce 
planning efforts. We have identified human capital management as a 
high-risk issue throughout the federal government, including within 
DHS. Without a long-term strategy for managing its current and future 
workforce needs, including effective processes for hiring, training, 
and staff development, FPS will be challenged to align its personnel 
with its programmatic goals. FPS concurred with this recommendation 
and has drafted a workforce analysis plan but has not yet fully 
developed or implemented a human capital plan. 

Appropriate Funding Mechanism Has Not Been Determined: 

FPS's primary means of funding its operations--the basic security fee 
charged to some federal agencies--does not account for a building's 
level of risk, the level of service provided, or the cost of providing 
those services. We reported in 2008 that this issue raises questions 
about whether some federal agencies are being overcharged by 
FPS.[Footnote 10] FPS also does not have a detailed understanding of 
its operational costs, including accurate information about the cost 
of providing its security services at federal facilities with 
different risk levels. Without this type of information, FPS has 
difficulty justifying the rate of the basic security fee to its 
customers. We have found that by having accurate cost information, an 
organization can demonstrate its cost-effectiveness and productivity 
to stakeholders, link levels of performance with budget expenditures, 
provide baseline and trend data for stakeholders to compare 
performance, and provide a basis for focusing an organization's 
efforts and resources to improve its performance. In addition, FPS's 
fee-based funding system has not always generated sufficient revenue 
to cover its operational costs. In 2007 we reported that FPS's 
collections fell short of covering its projected operational costs, 
and the steps it took to address the projected shortfalls reduced 
staff morale, increased attrition rates, and diminished security at 
some GSA facilities. FPS has yet to evaluate whether its fee-based 
system or an alternative funding mechanism is most appropriate for 
funding the agency as we recommended in our 2008 report. FPS agreed 
with our recommendation and has taken some action, including the 
development and implementation of an Activity Based Cost framework. We 
are assessing FPS's efforts in this area as part of our ongoing review 
of FPS's fee-base structure and will provide Congress with a final 
report in 2011. 

FPS Faces Limitations in Assessing Its Performance: 

We have reported that FPS is limited in its ability to assess the 
effectiveness of its efforts to protect federal facilities.[Footnote 
11] To determine how well it is accomplishing its mission to protect 
federal facilities, FPS has identified some output measures. These 
measures include determining whether security countermeasures have 
been deployed and are fully operational, the amount of time it takes 
to respond to an incident, and the percentage of FSAs completed on 
time. While output measures are helpful, outcome measures are also 
important because they can provide FPS with broader information on 
program results, such as the extent to which its decision to move to 
an inspector-based workforce will enhance security at federal 
facilities or help identify the security gaps that remain at federal 
facilities and determine what action may be needed to address them. 

In addition, FPS does not have a reliable data management system that 
will allow it to accurately track these measures or other important 
measures such as the number of crimes and other incidents occurring at 
GSA facilities. Without such a system, it is difficult for FPS to 
evaluate and improve the effectiveness of its efforts to protect 
federal employees and facilities, allocate its limited resources, or 
make informed risk management decisions. For example, weaknesses in 
one of FPS's countermeasure tracking systems make it difficult to 
accurately track the implementation status of recommended 
countermeasures such as security cameras and X-ray machines. Without 
this ability, FPS has difficulty determining whether it has mitigated 
the risk of federal facilities to crime or a terrorist attack. FPS 
concurred with our recommendations and states that its efforts to 
address them will be completed in 2012 when its automated information 
systems are fully implemented. 

Facility Security Committee Structure Hampers Protection of Federal 
Facilities: 

FPS's ability to protect federal facilities under the control or 
custody of GSA is further complicated by the FSC structure. The 
Department of Justice's 1995 Vulnerability Assessment of Federal 
Facilities guidelines directed GSA to establish a FSC in each federal 
facility under its control. FSCs have experienced several issues that 
may have increased the risk at some federal facilities. For example, 
FSCs have operated since 1995 without guidelines, policies, or 
procedures that outline how they should operate, make decisions, or 
establish accountability. This results in ad hoc security that 
undermines effective protection of individual facilities as well as 
the entire facilities' portfolio. 

Each FSC consists of a representative from each of the tenant agencies 
in the facility and is responsible for addressing security issues at 
its respective facility and approving the implementation of security 
countermeasures recommended by FPS. After completing its FSAs, FPS 
makes recommendations to GSA and tenant agencies for building security 
countermeasures. For example, tenant agencies decide whether to fund 
countermeasures for security equipment, and FPS is responsible for 
acquiring, installing, and maintaining approved security equipment. 
However, we reported in November 2009 that the tenant agency 
representatives generally do not have any security knowledge or 
experience but are expected to make security decisions for their 
respective agencies. We also reported that some of the FSC tenant 
agency representatives also do not have the authority to commit their 
respective organizations to fund security countermeasures. Thus, when 
funding for security countermeasures is needed, each federal tenant 
agency representative that does not have funding authority must obtain 
approval from his or her headquarters office. According to some FSC 
members, in some instances funding for security countermeasures is not 
always available because the request for funding is generally made 
after the budget is formulated. In addition, while FPS, GSA, and 
tenant agencies are responsible for some aspects of protecting federal 
facilities, it is unclear who is the final arbiter or accountable for 
final decisions. 

We reported in November 2009 that the FSC structure may not contribute 
to effective protection of federal facilities for several reasons. 
[Footnote 12] 

* Some FSC members may not have the security expertise needed to make 
risk-based decisions. 

* They may find the associated costs prohibitive. 

* Tenant agencies may lack complete understanding of why recommended 
countermeasures are necessary because they do not receive an adequate 
amount of information from FPS. 

Moreover, we found some instances in 2008 and 2009 where the FSC 
structure contributed to increased risk at some federal facilities. 
For example, an FPS official in a major metropolitan area stated that 
over the last 4 years inspectors have recommended 24-hour coverage at 
one high-risk facility located in a high-crime area multiple times; 
however, the FSC was not able to obtain approval from all its members. 
In addition, several FPS inspectors stated that their regional 
managers have instructed them not to recommend security 
countermeasures in FSAs if FPS would be responsible for funding the 
measures because there is not sufficient funding in regional budgets 
to purchase and maintain the security equipment. Moreover, at a 
different location, members of a FSC told us that they met as needed, 
although even when they hold meetings, one of the main tenant agencies 
typically does not participate. GSA officials commented that this 
tenant adheres to its agency's building security protocols and does 
not necessarily follow GSA's tenant policies and procedures, which GSA 
thinks creates security risks for the entire building. 

ISC recently began to develop guidance for FSC operations, which may 
address some of these issues. The committee, however, has yet to 
announce an anticipated date for issuance of this guidance. 

Conclusions: 

In response to our many recommendations, FPS has a number of ongoing 
improvements that, once fully implemented, should enhance its ability 
to protect the over 1 million federal government employees and members 
of the public who visit federal facilities each year. In addition, 
FSCs have a significant role in ensuring the effective protection of 
federal facilities; however, they face a number of issues in carrying 
out their security responsibilities. For example, they have operated 
without any procedures since their creation in 1995, and efforts to 
develop guidance are incomplete. Without specific guidance or 
procedures, FSCs have operated in an ad hoc manner, and there is a 
lack of assurance that federal facilities under the control and 
custody of GSA are effectively protected by FPS. Moreover, no actions 
have been taken on these issues since we identified them in our 
November 2009 report. As such, these weaknesses continue to result in 
ad hoc security and increased risk at some federal facilities. 
Therefore, we are making a recommendation for the Secretary of DHS to 
address this matter. 

Recommendation for Executive Action: 

GAO recommends that the Secretary of DHS direct the Under Secretary of 
NPPD and the Director of FPS to work in consultation with GSA and ISC 
to develop and implement procedures that, among other things, outline 
the FSCs' organizational structure, operations, decision-making 
authority, and accountability. 

Agency Comments and Our Evaluation: 

We provided a draft of this report to DHS for review and comment. DHS 
concurred with the recommendation in this report. Regarding the status 
of our recommendations listed in appendix I, FPS commented that it is 
actively pursuing initiatives and implementing measures to address the 
nine recommendations that we reported as not implemented. We believe 
our characterization of FPS's efforts to address our recommendations 
reflects the data provided by FPS. We are also concerned that the 
steps FPS described in its documents are not comprehensive enough to 
address the recommendations that we reported as not implemented. For 
example, regarding our recommendation to identify other approaches and 
options that would be most beneficial and financially feasible for 
protecting federal facilities, FPS states that it most recently 
coordinated with DHS's Science and Technology Directorate to better 
define requirements for the next generation of security technology. 
However, we continue to believe that given the challenges FPS faces 
with managing its contract guard program, among other things, FPS 
needs to undertake a comprehensive review of how it protects federal 
facilities. FPS has not provided us with this type of analysis or 
information. We are also concerned about the reliability of the 
preliminary data FPS used to evaluate whether its fee-based system or 
an alternative funding mechanism is appropriate to fund the agency. We 
are currently reviewing the reliability of FPS's Activity Based 
Costing framework and will reassess FPS's efforts to address this 
recommendation at the end of our review. DHS's comments are presented 
in appendix II. DHS also provided technical clarifications, which we 
incorporated into the report as appropriate. 

We are sending copies of this report to appropriate congressional 
committees, the Secretary of Homeland Security, and other interested 
parties. In addition, the report will be available at no charge on 
GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any 
questions about this report, please contact me at (202) 512-2834 or 
goldsteinm@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. GAO staff who made major contributions to this report are 
listed in appendix III. 

Signed by: 

Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 

List of Requesters: 

The Honorable Joseph I. Lieberman: 
Chairman: 
The Honorable Susan M. Collins: 
Ranking Member: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Daniel K. Akaka: 
Chairman: 
The Honorable George V. Voinovich: 
Ranking Member: 
Subcommittee on Oversight of Government Management, the Federal 
Workforce and the District of Columbia: 
Committee on Homeland Security and Governmental Affairs: 
United States Senate: 

The Honorable Bennie G. Thompson: 
Chairman: 
The Honorable Peter T. King: 
Ranking Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable James L. Oberstar: 
Chairman: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

The Honorable Eleanor Holmes Norton: 
Chairwoman: 
Subcommittee on Economic Development, Public Buildings, and Emergency 
Management: 
Committee on Transportation and Infrastructure: 
House of Representatives: 

[End of section] 

Appendix I: Status of GAO Recommendations to the Federal Protective 
Service: 

Report number: GAO-10-341: 

Recommendation: 1; Identify other approaches and options that would be 
most beneficial and financially feasible for protecting federal 
facilities; 
Status: Not implemented. 

Recommendation: 2; Rigorously and consistently monitor guard 
contractors' and guards' performance and step up enforcement against 
contractors that are not complying with the terms of the contract; 
Status: In process. 

Recommendation: 3; Complete all contract performance evaluations in 
accordance with FPS and FAR requirements; 
Status: In process. 

Recommendation: 4; Issue a standardized record-keeping format to 
ensure that contract files have required documentation; 
Status: Not implemented. 

Recommendation: 5; Develop a mechanism to routinely monitor guards at 
federal facilities outside metropolitan areas; 
Status: In process. 

Recommendation: 6; Provide building-specific and scenario-based 
training and guidance to its contract guards; 
Status: In process. 

Recommendation: 7; Develop and implement a management tool for 
ensuring that reliable, comprehensive data on the contract guard 
program are available on a real-time basis; 
Status: In process. 

Recommendation: 8; Verify the accuracy of all guard certification and 
training data before entering them into the Risk Assessment Management 
Program (RAMP), and periodically test the accuracy and reliability of 
RAMP data to ensure that FPS management has the information needed to 
effectively oversee its guard program; 
Status: In process. 

Report number: GAO-10-142: 

Recommendation: 1; Provide the Secretary with regular updates, on a 
mutually agreed-to schedule, on the status of RAMP and the National 
Countermeasures Program, including the implementation status of 
deliverables, clear timelines for completion of tasks and milestones, 
and plans for addressing any implementation obstacles; 
Status: In process. 

Recommendation: 2; In conjunction with the National Countermeasures 
Program, develop a methodology and guidance for assessing and 
comparing the cost-effectiveness of technology alternatives; 
Status: Not implemented. 

Recommendation: 3; Reach consensus with GSA on what information 
contained in the facility security assessment is needed for GSA to 
fulfill its responsibilities related to the protection of federal 
buildings and occupants, and accordingly, establish internal controls 
to ensure that shared information is adequately safeguarded; 
guidance for employees to use in deciding what information to protect 
with sensitive but unclassified designations; 
provisions for training on making designations, controlling, and 
sharing such information with GSA and other entities; 
and a review process to evaluate how well this information sharing 
process is working, with results reported to the Secretary regularly 
on a mutually agreed-to schedule; 
Status: Not implemented. 

Report number: GAO-09-749: 

Report number: 1; 
Recommendation: 1; Improve how FPS headquarters collects data on its 
workforce's knowledge, skills, and abilities to help it better manage 
and understand current and future workforce needs; 
Status: In process. 

Recommendation: 2; Use these data in the development and 
implementation of a long-term strategic human capital plan that 
addresses key principles for effective strategic workforce planning, 
including establishing programs, policies, and practices that will 
enable the agency to recruit, develop, and retain a qualified 
workforce; 
Status: Not implemented. 

Recommendation: 3; Collect and maintain an accurate and comprehensive 
list of all facility-designated points of contact, as well as a system 
for regularly updating this list; 
Status: In process. 

Recommendation: 4; Develop and implement a program for education and 
outreach to all customers to ensure they are aware of the current 
roles, responsibilities, and services provided by FPS; 
Status: Not implemented. 

Report number: GAO-08-683: 

Recommendation: 1; Develop and implement a strategic approach to 
manage FPS's staffing resources that, among other things, determines 
the optimum number of employees needed to accomplish its facility 
protection mission and allocate these resources based on risk 
management principles and the agency's goals and performance measures; 
Status: In process. 

Recommendation: 2; Clarify roles and responsibilities of local law 
enforcement agencies in regard to responding to incidents at GSA 
facilities; 
Status: Not implemented. 

Recommendation: 3; Improve FPS's use of the fee-based system by 
developing a method to accurately account for the cost of providing 
security services to tenant agencies and ensuring that its fee 
structure takes into consideration the varying levels of risk and 
service provided at GSA facilities; 
Status: Not implemented. 

Recommendation: 4; Evaluate whether FPS's current use of a fee-based 
system or an alternative funding mechanism is the most appropriate 
manner to fund the agency; 
Status: Not implemented. 

Recommendation: 5; Develop and implement specific guidelines and 
standards for measuring its performance, including outcome measures to 
assess its performance and improve the accountability of FPS; 
Status: In process. 

Recommendation: 6; Improve how FPS categorizes, collects, and analyzes 
data to help it better manage and understand the results of its 
efforts to protect GSA facilities; 
Status: In process. 

Source: GAO. 

[End of table] 

[End of section] 

Appendix II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

July 27, 2010: 

Mr. Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Goldstein: 

Subject: Draft Report GA0-10-901, Homeland Security: Addressing 
Weaknesses with Facility Security Committees Would Enhance Protection 
of Federal Facilities (Job Code 543250): 

The National Protection and Programs Directorate (NPPD)/Federal 
Protective Service (FPS) appreciates the opportunity to respond to the 
above referenced draft report (technical comments have been provided 
under separate cover). As described in the draft report, there is work 
to be done, but we are pleased to note the report's positive 
acknowledgment of the recent actions taken to address previous 
recommendations, including development of the Risk Assessment and 
Management Program (RAMP), increased penetration testing, increased 
frequency of guard inspections, more focused guard training and, 
significantly, the transfer of FPS to NPPD from Immigration and 
Customs Enforcement. 

Recommendation: GAO recommends that the Secretary of the Department of 
Homeland Security (DHS) direct the Under Secretary of NPPD and the 
Director of FPS to work in consultation with the General Services 
Administration (GSA) and the Interagency Security Committee (ISC) to 
develop and implement procedures that, among other things, outlines 
the Federal Security Committees' (FSCs') organizational structure, 
operations, decision making authority, and accountability. No other 
recommendations are made. 

Response: NPPD concurs with the recommendation. FPS and GSA currently 
co-chair an ISC Facility Security' Committee working group that is 
charged with developing and presenting an ISC Standard titled Facility 
Security Committees. The standard, among other things, addresses FSC 
duties and procedures, organizational structure, decision making 
processes, and accountability. The working group anticipates that the 
standard will be submitted to the ISC membership by December 31, 2010. 

Draft Report Discussion: 

With respect to the draft report itself, while we are pleased that GAO 
acknowledged actions and progress made toward closing GAO 
recommendations, DHS would like to emphasize that FPS is actively 
pursuing, and has reported its progress on, the closure of all open 
recommendations. In a March 30, 2010, update to GAO, and in the FPS 
response to Draft Report GA0-10-341, Federal Protective Service's 
Contract Guard Program Requires More Oversight and Reassessment of Use 
of Contract Guards. FPS provided evidence to support closure of seven 
open recommendations and to demonstrate substantial progress that has 
been made toward closure of all remaining open recommendations. DHS 
offers the following evidence that FPS is actively pursuing 
initiatives and implementing measures to address recommendations for 
which GAO indicated in the draft report there has been no activity. 
The draft report shows (Appendix I) nine recommendations as "not 
implemented." As indicated and documented in the March 30, 2010, 
update and the response to the GA0-10-341 draft report, FPS considers 
all of the open recommendations listed in Appendix I as "in process." 

In April, GAO recommended in its Draft Report GAO-10-341 that "FPS 
identify other approaches that would be cost-beneficial for protecting 
federal facilities," but noted that FPS had not yet implemented the 
recommendation. On the contrary, FPS notified GAO of progress made 
toward meeting this recommendation in the response to that draft 
report. Specifically, FPS informed GAO that since its creation in 
1971, FPS has consistently examined past actions, best practices, and 
available resources and technology to determine the best available 
means to protect federal facilities. FPS added that largely due to 
resource constraints, FPS' approaches and options to protecting 
federal facilities have focused on providing more robust and 
analytical risk assessments, enhancing the training and oversight of 
protective security officers, and streamlining the implementation of 
countermeasures through the use of national contract vehicles. FPS 
also described its recently increased interaction with the research 
and development community, through the OHS Science and Technology 
Directorate, to better define requirements for the next generation of 
security technology. FPS explained that it is simultaneously testing 
new developments in countermeasures to assess their maximum 
effectiveness as part of the integrated set of countermeasures. 

GAO asserts that, "FPS has yet to evaluate whether its fee-based 
system or an alternative funding mechanism is most appropriate for 
funding the agency as we recommended in our 2008 report." However, in 
the March 30, 2010 update to GAO open recommendations, FPS reported 
that it had used preliminary data obtained from the recently deployed 
Activity Based Costing Framework (ABC) and risk-based workforce 
performance metrics to initiate an analysis of the current fee-based 
system and complete a study of alternative funding strategies that may 
better support the security and protection mission of the FPS within 
DHS. FPS' evaluation of the fee-based system currently used has 
concluded that fee collections have not been sufficient to cover 
projected operational costs in recent years, and the agency has faced 
shortfalls related to providing basic security services. 

Therefore, FPS conducted an Alternative Funding Model analysis with 
three primary objectives: (1) ensure that FPS security charges are 
appropriate, are aligned with operational costs, and do not result in 
further budgetary shortfalls; (2) possess sufficient flexibility to 
account for risks associated with specific buildings; and (3) clearly 
demonstrate the link between security charges to the customer agencies 
and underlying security costs. This analysis resulted in the 
identification and consideration of the following three alternatives, 
which are still being evaluated: (1) a direct FPS appropriation; (2) a 
more thorough review of the current fee-based system (four 
methodologies for assessing charges are proposed); and (3) the 
utilization of GSA services for billing and collection. 

GAO also refers to FPS' limited ability to assess the effectiveness of 
its efforts to protect federal facilities. It adds that FPS has 
identified some output measures to determine how well it is 
accomplishing its mission to protect federal facilities, but that FPS 
needs to develop outcome measures. Again. in the March 30, 2010, 
update, FPS responded to the GAO recommendation pertaining to 
performance measures by including sample outcome performance measures 
that have been implemented and are being monitored by FPS. Moreover, 
in the update, FPS reported that it has developed and is using 
guidelines, standards, and templates to ensure that performance, both 
output and outcome measures, possess the attributes recommended by 
GAO. FPS also explained that these measures are part of an agency-wide 
effort to establish a robust performance management program in 
response to GAO recommendations and in accordance with the guidelines 
of the Government Performance and Results Act, the Office of 
Management and Budget, and the DHS Office of Program Analysis and 
Evaluation. FPS concluded the update to this recommendation by adding 
that continuing through FY2012, implementation of automated 
information systems will continue to support efforts to fully address 
this GAO recommendation. Chief among these are the RAMP, Post Tracking 
System (PTS), and the Computer Aided Dispatch and Information System 
(CADIS). As these systems are brought on line, they are expected to 
provide detailed and robust information, previously unavailable, to 
assess FPS performance in providing integrated security and law 
enforcement services for the Federal community. 

NPPD/FPS remains committed to continuous improvement, and we will 
provide progress reports to you on efforts to address the previous 
recommendations referenced in this report. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/OIG Liaison Office: 

[End of section] 

Appendix III GAO Contacts and Staff Acknowledgments: 

GAO Contact: 

Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: 

Acknowledgments: 

In addition to the contact name above, Tammy Conquest, Assistant 
Director; Jennifer Clayborne; Delwen Jones; and Susan Michal-Smith 
made key contributions to this report. 

[End of section] 

Footnotes: 

[1] This report draws upon the following primary sources: GAO, 
Homeland Security: Federal Protective Service's Contract Guard Program 
Requires More Oversight and Reassessment of Use of Contract Guards, 
[hyperlink, http://www.gao.gov/products/GAO-10-341] (Washington, D.C.: 
Apr. 13, 2010); Homeland Security: Greater Attention to Key Practices 
Would Improve the Federal Protective Service's Approach to Facility 
Protection, [hyperlink, http://www.gao.gov/products/GAO-10-142] 
(Washington, D.C.: Oct. 23, 2009); Homeland Security: Preliminary 
Results Show Federal Protective Service's Ability to Protect Federal 
Facilities Is Hampered by Weaknesses in Its Contract Security Guard 
Program, [hyperlink, http://www.gao.gov/products/GAO-09-859T] 
(Washington, D.C.: July 8, 2009); Homeland Security: Federal 
Protective Service Should Improve Human Capital Planning and Better 
Communicate with Tenants, [hyperlink, 
http://www.gao.gov/products/GAO-09-749] (Washington, D.C.: July 30, 
2009); and Homeland Security: The Federal Protective Service Faces 
Several Challenges That Hamper Its Ability to Protect Federal 
Facilities, [hyperlink, http://www.gao.gov/products/GAO-08-683] 
(Washington, D.C.: June 11, 2008). 

[2] [hyperlink, http://www.gao.gov/products/GAO-08-683]. 

[3] On March, 10, 2008, the Interagency Security Committee issued new 
standards for determining the security level of federal facilities 
that supersede the standards developed in the Department of Justice's 
1995 Vulnerability Assessment Guidelines. These guidelines have five 
security levels. A level I facility is typically a small storefront- 
type operation such as a military recruiting office with 10 or fewer 
employees and a low volume of public contact. A level II facility has 
from 11 to 150 employees; a level III facility has from 151 to 450 
employees and a moderate to high volume of public contact; a level IV 
facility has over 450 employees, a high volume of public contact, and 
includes high-risk law enforcement and intelligence agencies. FPS does 
not have responsibility for a level V facility such as the White House 
or the Central Intelligence Agency. 

[4] [hyperlink, http://www.gao.gov/products/GAO-10-142]. 

[5] An FSA, formerly referred to as a building security assessment, is 
a type of security evaluation conducted by FPS to determine how 
susceptible a facility is to various forms of threats or attacks. FSAs 
included countermeasure recommendations to mitigate threats and reduce 
vulnerabilities. 

[6] Following the Oklahoma City bombing, Executive Order 12977 called 
for the creation of an Interagency Security Committee to address the 
quality and effectiveness of physical security requirements for 
federal facilities by developing and evaluating security standards. 
ISC has representation from all major federal departments and 
agencies. In 2003, the Chair of the ISC moved from GSA to DHS. 

[7] The NIPP was founded through the Homeland Security Presidential 
Directive-7 and sets forth national policy on how the plan's risk 
management framework and sector partnership model are to be 
implemented by sector-specific agencies. FPS is the agency responsible 
for the government facilities sector. 

[8] [hyperlink, http://www.gao.gov/products/GAO-09-859T] and 
[hyperlink, http://www.gao.gov/products/GAO-10-341]. 

[9] [hyperlink, http://www.gao.gov/products/GAO-09-749]. 

[10] [hyperlink, http://www.gao.gov/products/GAO-08-683]. 

[11] [hyperlink, http://www.gao.gov/products/GAO-08-863] and 
[hyperlink, http://www.gao.gov/products/GAO-10-236T]. 

[12] [hyperlink, http://www.gao.gov/products/GAO-10-236T]. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: