Facility Security: Greater Outreach by DHS on Standards and Management Practices Could Benefit Federal Agencies

What GAO Found

Agencies draw upon a variety of information sources in developing and updating their physical security programs. The most widely used source, according to survey responses from 32 agencies, is the institutional knowledge or subject matter expertise in physical security that agencies' security staff have developed through their professional experience. The second most used source are standards issued by the Interagency Security Committee (ISC). The standards, which are developed based on leading security practices across the government, set forth a decision-making process to help ensure that agencies have effective physical security programs in place. However, according to survey responses, the extent of agencies' use of ISC standards varied--with some agencies using them in a limited way. Agency officials from the case-study agencies said that certain conditions at their agencies--such as the types of facilities in the agencies' portfolios and their existing physical security requirements--contribute to limited use of the standards. ISC officials said that the standards are designed to be used by all agencies regardless of the types of facilities or their existing security programs; the standards can be customized to the needs of individual facilities and do not require the use of specific countermeasures. ISC has an opportunity to clarify how the standards are intended to be used when it trains agencies on them; during quarterly meetings with member agencies, where ISC can share best practices on the use of the standards; or when ISC engages in other outreach on the standards. Clarifying how agencies can use the standards may result in their greater use. Greater use of the standards may maximize the effectiveness and efficiency of agencies' physical security programs.

Agencies use a range of management practices to oversee physical security activities. For example, 22 surveyed agencies reported that they have a manager at the agency-wide level responsible for monitoring and overseeing physical security at individual facilities. In addition, 22 surveyed agencies reported that they have some documented performance measures for physical security. Such performance measures can help agencies evaluate the effectiveness of their physical security programs and identify changes needed to better meet program objectives. Agencies' use of management practices such as having a physical security manager responsible for allocating resources and using performance measures to justify investment decisions could also contribute to more efficient allocation of physical security resources across an agency's portfolio of facilities. However, some agencies make limited use of such practices to allocate resources. For example, only 13 reported that they have a manager for allocating resources based on risk assessments. In contrast, a majority of agencies reported having managers for other aspects of physical security, including those related to oversight. Greater use of management practices for allocating resources is particularly relevant given that the surveyed agencies identified allocating resources as the greatest challenge. As the government's central forum for exchanging information and disseminating guidance on physical security, ISC is well positioned to develop and disseminate guidance about management practices that can help agencies allocate resources across a portfolio of facilities. However, ISC's key physical security standards do not currently address management practices for allocating resources across an agency's entire portfolio of facilities.

Why GAO Did This Study

GAO has designated federal real property management as a high-risk area due, in part, to the continued challenge of facility protection. Executive branch agencies are responsible for protecting about 370,000 non-military buildings and structures; the Federal Protective Service (FPS) protects over 9,000 of these. ISC--an interagency organization led by the Department of Homeland Security (DHS)--issues physical security standards for agencies' use in designing and updating physical security programs. GAO was asked to review physical security programs at executive branch agencies with facilities that FPS does not protect. This report examines (1) the sources that inform agencies' physical security programs and (2) the management practices agencies use to oversee physical security and allocate resources. GAO reviewed and analyzed survey responses from 32 agencies. GAO also interviewed officials and reviewed documents from 5 of these agencies, which were selected as case studies for more indepth analysis. The survey and results can be found at GAO-13-223SP.