Federal Facility Security: Selected Agencies Should Improve Methods for Assessing and Monitoring Risk
Highlights
What GAO Found
None of the four agencies GAO reviewed—U.S. Customs and Border Protection (CBP), the Federal Aviation Administration (FAA), the Agricultural Research Service (ARS), and the Forest Service—used security assessment methodologies that fully aligned with the Interagency Security Committee's Risk Management Process for Federal Facilities standard (the ISC Standard). This standard requires that methodologies used to identify necessary facility countermeasures—such as fences and closed-circuit televisions—must:
1. Consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities.
2. Assess three factors (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk.
All four agencies used methodologies that included some ISC requirements when conducting assessments. CBP and FAA assessed vulnerabilities but not threats and consequences. ARS and the Forest Service assessed threats, vulnerabilities, and consequences, but did not use these factors to measure risk. In addition, the agencies considered many, but not all 33 undesirable events related to physical security as possible risks to their facilities. Agencies are taking steps to improve their methodologies. For example, ARS and the Forest Service now use a methodology that measures risk and plan to incorporate the methodology into policy. Although CBP and FAA have updated their methodologies, their policies do not require methodologies that fully align with the ISC standard. As a result, these agencies miss the opportunity for a more informed assessment of the risk to their facilities.
All four agencies reported facing management challenges in conducting physical security assessments or monitoring assessment results. Specifically, CBP, ARS, and the Forest Service have not met the ISC's required time frame of every 3 years for conducting assessments. For example, security specialists have not conducted the required reassessments of two ARS higher-level facilities and one Forest Service higher-level facility. While these three agencies have plans to address backlogs, CBP's plan does not balance conducting risk assessments with other competing security priorities, such as updating its policy manual, and ARS and the Forest Service lack a means to monitor completion of future assessments. Furthermore, CBP, ARS, and the Forest Service did not have the data or information systems to monitor assessment schedules or the status of countermeasures at facilities, and their policies did not specify such data requirements. For example, ARS and the Forest Service do not collect and analyze security-related data, such as countermeasures' implementation. FAA does not routinely monitor the performance of its physical security program. Without improved monitoring, agencies are not well equipped to prioritize their highest security needs, may leave facilities' vulnerabilities unaddressed, and may not take corrective actions to meet physical security program objectives. This is a public version of a sensitive report that GAO issued in August 2017. Information that the agencies under review deemed sensitive has been omitted.
Why GAO Did This Study
Protecting federal employees and facilities from security threats is of critical importance. Most federal agencies are generally responsible for their facilities and have physical security programs to do so.
GAO was asked to examine how federal agencies assess facilities' security risks. This report examines: (1) how selected agencies' assessment methodologies align with the ISC's risk management standard for identifying necessary countermeasures and (2) what management challenges, if any, selected agencies reported facing in conducting physical security assessments and monitoring the results.
GAO selected four agencies—CBP, FAA, ARS, and the Forest Service—based on their large number of facilities and compared each agency's assessment methodology to the ISC Standard; analyzed facility assessment schedules and results from 2010 through 2016; and interviewed security officials. GAO also visited 13 facilities from these four agencies, selected based on geographical dispersion and their high risk level.
Recommendations
GAO recommends: (1) that CBP and FAA update policies to require the use of methodologies fully aligned with the ISC Standard; (2) that CBP revise its plan to eliminate the assessments backlog; and (3) that all four agencies improve monitoring of their physical security programs. All four agencies agreed with the respective recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| United States Customs and Border Protection | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, with regard to the updated Security Policy and Procedures Handbook, include the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. One particular standard, called The Risk Management Process for Federal Facilities (ISC Standard), requires that methodologies used to identify necessary facility countermeasures, such as fences and closed-circuit televisions, must: (1) consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities, (2) assess three factors of risk (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk, and (3) document decisions that deviate from the ISC Standard. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) assessment methodology (based on its Security Policy and Procedures Handbook, dated August 13, 2009) did not fully align with the ISC Standard because it did not consider all of the undesirable events nor assess threat and consequence. At the time of GAO's review, CBP had started, but had not yet completed after 3 years, the update of the agency's handbook to align it with the ISC Standard. Delays in updating the handbook meant that CBP's policy would continue to not align with the ISC Standard. GAO reported that without an updated policy handbook that requires a methodology that assesses all undesirable events consistent with the ISC Standard, CBP cannot reasonably ensure that its facilities will have levels of protection commensurate to their risk. Therefore, GAO recommended that CBP include in its updated Security Policy and Procedures Handbook the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard. In 2020, GAO confirmed that CBP issued its updated Physical Security Policies and Procedures Handbook on January 7, 2020, which supersedes its 2009 handbook. The updated handbook is applicable to all CBP owned, leased, or occupied offices, facilities, ports of entry, and stations. The updated handbook also describes the ISC's risk management process for federal facilities requirement to assess all 33 undesirable events, consider all three factors of risk, and document deviations from the ISC Standard. The updated handbook describes this formal process in Chapter 5, entitled Risk-Informed Decision-Making. By updating the handbook to align with ISC requirements, CBP can have reasonable assurance that all required factors will be considered when conducting physical security assessments. This should result in recommendations that its facilities will have levels of protection commensurate to their risk. |
| United States Customs and Border Protection | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for higher-level facilities. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) Security Policy and Procedures Handbook, dated August 13, 2009, did not fully align with the ISC Risk... |
| United States Customs and Border Protection | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog. | The U.S. Customs and Border Protection (CBP), the nation's largest law enforcement agency, has the responsibility for securing the country's borders. It also has the responsibility for conducting physical security assessments at about 1,200 facilities, including approximately 215 federally owned and agency-controlled higher-level facilities with security levels III and IV. The Interagency Security Committee (ISC) Standard requires agencies to follow a risk-management process when conducting assessments for each of their facilities. Specifically, the ISC requires that agencies assess higher-level facilities at least once every 3 years, an interval requirement to identify and address... |
| Department of Transportation | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC gives agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of a sound risk-management methodology. Specifically, methodologies must consider all of the undesirable events identified in the ISC Standard as possible risks to federal facilities, and assess three factors of risk (threats, vulnerabilities, and consequences) for each of the... |
| Department of Transportation | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The standard, called the Risk Management Process for Federal Facilities, gives federal agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of sound risk management. Agencies' methodologies must consider all undesirable events identified in ISC standards as possible risks to federal facilities and assess three factors of risk (threats,... |
| Department of Transportation | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. ISC Standards also state that agencies should use physical security information to monitor their facilities so that they can make appropriate decisions for allocating resources. In October 2017, GAO found that FAA reported facing challenges in monitoring its physical security program because its policy... |
| Department of Agriculture | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs in the department's revised physical-security manual. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for facilities with a higher level of risk. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that agencies within the U.S. Department of Agriculture (USDA) were unable to demonstrate appropriate oversight of their physical security... |
| Department of Agriculture | To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years. | To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments of higher-level facilities at least once every 3 years, an interval requirement to identify and address evolving risks. In 2017, GAO reported that the United States Department of Agriculture's Agricultural Research Service (ARS) and the Forest Service had not met the ISC's 3-year interval requirement for security assessments. Specifically, since the ISC issued its standard in 2010, ARS and the Forest Service have... |