Federal Facility Security: Selected Agencies Should Improve Methods for Assessing and Monitoring Risk

GAO-18-72 Published: Oct 26, 2017. Publicly Released: Oct 26, 2017.

Highlights

What GAO Found

None of the four agencies GAO reviewed—U.S. Customs and Border Protection (CBP), the Federal Aviation Administration (FAA), the Agricultural Research Service (ARS), and the Forest Service—used security assessment methodologies that fully aligned with the Interagency Security Committee's Risk Management Process for Federal Facilities standard (the ISC Standard). This standard requires that methodologies used to identify necessary facility countermeasures—such as fences and closed-circuit televisions—must:

  1. Consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities.
  2. Assess three factors (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk.

All four agencies used methodologies that included some ISC requirements when conducting assessments. CBP and FAA assessed vulnerabilities but not threats and consequences. ARS and the Forest Service assessed threats, vulnerabilities, and consequences, but did not use these factors to measure risk. In addition, the agencies considered many, but not all, of the 33 undesirable events related to physical security as possible risks to their facilities. Agencies are taking steps to improve their methodologies. For example, ARS and the Forest Service now use a methodology that measures risk and plan to incorporate the methodology into policy. Although CBP and FAA have updated their methodologies, their policies do not require methodologies that fully align with the ISC Standard. As a result, these agencies miss the opportunity for a more informed assessment of the risk to their facilities.

All four agencies reported facing management challenges in conducting physical security assessments or monitoring assessment results. Specifically, CBP, ARS, and the Forest Service have not met the ISC's required time frame of every 3 years for conducting assessments. For example, security specialists have not conducted required reassessments of two ARS facilities and one Forest Service facility at higher security levels. While these three agencies have plans to address backlogs, CBP's plan does not balance conducting risk assessments with other competing security priorities, such as updating its policy manual, and ARS and the Forest Service lack a means to monitor completion of future assessments. Furthermore, CBP, ARS, and the Forest Service did not have the data or information systems to monitor assessment schedules or the status of countermeasures at facilities, and their policies did not specify such data requirements. For example, ARS and the Forest Service do not collect and analyze security-related data, such as whether countermeasures have been implemented. FAA does not routinely monitor the performance of its physical security program. Without improved monitoring, agencies are not well equipped to prioritize their highest security needs, may leave facilities' vulnerabilities unaddressed, and may not take corrective actions to meet physical security program objectives. This is a public version of a sensitive report that GAO issued in August 2017. Information that the agencies under review deemed sensitive has been omitted.
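The two findings above, methodologies that skip events or factors and higher-level facilities that go more than 3 years without reassessment, are exactly what an agency's own assessment register should be able to flag. The following is an added example of such a check; it is not code from GAO, the ISC, or any of the agencies reviewed. Everything beyond the report's own facts is a constructed assumption: the event names other than arson and vandalism (the ISC Standard lists 33 events, only four are modeled), the facility inventory and dates, the 1-5 scoring scale, and the use of the product of threat, vulnerability and consequence as the risk measure (the report says the three factors must be used to measure risk but does not say how the ISC combines them).

```python
"""Added example: check a facility assessment register against two ISC
requirements: every undesirable event scored on all three risk factors,
and higher-level facilities reassessed at least once every 3 years.
Illustrative code only; event names beyond arson and vandalism, the
inventory, the 1-5 scale and risk = T x V x C are constructed assumptions."""
from dataclasses import dataclass
from datetime import date

# Events every assessment must consider. Arson and vandalism are named in the
# report; the other two are constructed placeholders for the ISC's 33 events.
REQUIRED_EVENTS = ("arson", "vandalism", "unauthorized_entry", "theft")
FACTORS = ("threat", "vulnerability", "consequence")
# The report describes CBP's higher-level facilities as security levels III
# and IV; those levels are treated here as subject to the 3-year interval.
HIGHER_LEVELS = {"III", "IV"}
REASSESSMENT_YEARS = 3


@dataclass
class Assessment:
    facility: str
    assessed_on: date
    scores: dict  # event -> {factor -> score on a constructed 1-5 scale}


def methodology_gaps(scores: dict) -> list:
    """Events skipped or scored on fewer than all three factors (empty = complete)."""
    gaps = []
    for event in REQUIRED_EVENTS:
        factors = scores.get(event)
        if factors is None:
            gaps.append(f"{event}: not considered")
            continue
        missing = [f for f in FACTORS if f not in factors]
        if missing:
            gaps.append(f"{event}: missing {', '.join(missing)}")
    return gaps


def risk_scores(scores: dict) -> dict:
    """Per-event risk measure. Events missing a factor get no score, so a
    vulnerability-only assessment (the CBP/FAA pattern) yields nothing to rank."""
    return {
        event: f["threat"] * f["vulnerability"] * f["consequence"]
        for event, f in scores.items()
        if all(k in f for k in FACTORS)
    }


def next_due(assessed_on: date) -> date:
    """Date by which the next assessment must be completed."""
    try:
        return assessed_on.replace(year=assessed_on.year + REASSESSMENT_YEARS)
    except ValueError:  # Feb 29 with no leap day in the target year
        return assessed_on.replace(year=assessed_on.year + REASSESSMENT_YEARS, day=28)


def overdue_facilities(inventory: dict, assessments: list, today: date) -> dict:
    """Higher-level facilities whose reassessment is overdue, with the reason.
    Facilities with no assessment on record are reported too; a register built
    only from completed assessments would silently omit them."""
    latest = {}
    for a in assessments:
        if a.facility not in latest or a.assessed_on > latest[a.facility]:
            latest[a.facility] = a.assessed_on
    overdue = {}
    for facility, level in inventory.items():
        if level not in HIGHER_LEVELS:
            continue
        if facility not in latest:
            overdue[facility] = "never assessed"
        elif today > next_due(latest[facility]):
            overdue[facility] = f"last assessed {latest[facility]}, due {next_due(latest[facility])}"
    return overdue


# Constructed sample data (not from the report).
INVENTORY = {"Lab A": "IV", "Field Office B": "III", "Storage C": "II", "Lab D": "IV"}
COMPLETE_SCORES = {
    "arson": {"threat": 2, "vulnerability": 3, "consequence": 4},
    "vandalism": {"threat": 4, "vulnerability": 2, "consequence": 2},
    "unauthorized_entry": {"threat": 3, "vulnerability": 2, "consequence": 5},
    "theft": {"threat": 3, "vulnerability": 3, "consequence": 2},
}
# Mirrors the CBP/FAA finding: vulnerabilities assessed, threats and
# consequences not, and one required event not considered at all.
VULNERABILITY_ONLY_SCORES = {
    "arson": {"vulnerability": 3},
    "vandalism": {"vulnerability": 4},
    "unauthorized_entry": {"vulnerability": 2},
}
ASSESSMENTS = [
    Assessment("Lab A", date(2012, 5, 1), COMPLETE_SCORES),
    Assessment("Lab A", date(2015, 6, 1), COMPLETE_SCORES),
    Assessment("Field Office B", date(2013, 3, 15), VULNERABILITY_ONLY_SCORES),
    Assessment("Storage C", date(2011, 1, 10), COMPLETE_SCORES),
]

if __name__ == "__main__":
    for a in ASSESSMENTS:
        print(a.facility, a.assessed_on, "gaps:", methodology_gaps(a.scores) or "none",
              "risk:", risk_scores(a.scores))
    print("overdue:", overdue_facilities(INVENTORY, ASSESSMENTS, date(2016, 12, 31)))
```

Two design points carry over to a real program. The overdue check is driven by the facility inventory, not by the assessment records, because a facility that has never been assessed leaves no record to be late; and an event with a missing factor produces no risk score at all rather than a partial one, so a vulnerability-only methodology visibly fails to produce the ranking the ISC Standard expects rather than producing a misleading number.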

Why GAO Did This Study

Protecting federal employees and facilities from security threats is of critical importance. Most federal agencies are responsible for the security of their own facilities and have physical security programs for that purpose.

GAO was asked to examine how federal agencies assess facilities' security risks. This report examines: (1) how selected agencies' assessment methodologies align with the ISC's risk management standard for identifying necessary countermeasures and (2) what management challenges, if any, selected agencies reported facing in conducting physical security assessments and monitoring the results.

GAO selected four agencies—CBP, FAA, ARS, and the Forest Service—based on their large number of facilities and compared each agency's assessment methodology to the ISC Standard; analyzed facility assessment schedules and results from 2010 through 2016; and interviewed security officials. GAO also visited 13 facilities from these four agencies, selected based on geographical dispersion and their high risk level.

Recommendations

GAO recommends: (1) that CBP and FAA update policies to require the use of methodologies fully aligned with the ISC Standard; (2) that CBP revise its plan to eliminate the assessments backlog; and (3) that all four agencies improve monitoring of their physical security programs. All four agencies agreed with the respective recommendations.

Recommendations for Executive Action

Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, in the updated Security Policy and Procedures Handbook, include the ISC Risk Management Process for Federal Facilities requirements to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. One particular standard, The Risk Management Process for Federal Facilities (ISC Standard), requires that methodologies used to identify necessary facility countermeasures (such as fences and closed-circuit televisions) must: (1) consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities, and (2) assess three factors of risk (threats, vulnerabilities, and consequences) for each of these events and use these three...

Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, in the updated Security Policy and Procedures Handbook, include data collection and analysis requirements for monitoring the performance of CBP's physical security program.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for higher-level facilities. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) Security Policy and Procedures Handbook, dated August 13, 2009, did not fully align with the ISC Risk...

Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should revise the assumptions used in the plan to address the backlog so that it balances assessments with competing priorities, such as updating the policy manual and reviewing new construction designs, and develops a feasible time frame for completing the assessment backlog.
Status: Closed – Implemented
Status note: The U.S. Customs and Border Protection (CBP), the nation's largest law enforcement agency, has the responsibility for securing the country's borders. It also has the responsibility for conducting physical security assessments at about 1,200 facilities, including approximately 215 federally owned and agency-controlled higher-level facilities with security levels III and IV. The Interagency Security Committee (ISC) Standard requires agencies to follow a risk-management process when conducting assessments for each of their facilities. Specifically, the ISC requires that agencies assess higher-level facilities at least once every 3 years, an interval requirement to identify and address...

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient detail on the activities needed, and their time frames, to meet the date by which FAA will implement an improved methodology.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC gives agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of a sound risk-management methodology. Specifically, methodologies must consider all of the undesirable events identified in the ISC Standard as possible risks to federal facilities, and assess three factors of risk (threats, vulnerabilities, and consequences) for each of the...

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities by assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The standard, called the Risk Management Process for Federal Facilities, gives federal agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of sound risk management. Agencies' methodologies must consider all undesirable events identified in ISC standards as possible risks to federal facilities and assess three factors of risk (threats,...

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. ISC standards also state that agencies should use physical security information to monitor their facilities so that they can make appropriate decisions for allocating resources. In October 2017, GAO found that FAA reported facing challenges in monitoring its physical security program because its policy...

Agency affected: Department of Agriculture
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs in the department's revised physical-security manual.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for facilities with a higher level of risk. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that agencies within the U.S. Department of Agriculture (USDA) were unable to demonstrate appropriate oversight of their physical security...

Agency affected: Department of Agriculture
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.
Status: Closed – Implemented
Status note: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments of higher-level facilities at least once every 3 years, an interval requirement to identify and address evolving risks. In 2017, GAO reported that the United States Department of Agriculture's Agricultural Research Service (ARS) and the Forest Service had not met the ISC's 3-year interval requirement for security assessments. Specifically, since the ISC issued its standard in 2010, ARS and the Forest Service have...

Topics

Facility security, Federal facilities, Internal controls, Monitoring, Physical security, Prioritizing, Risk assessment, Risk management, Security assessments, Security threats, Security vulnerabilities