Federal Facility Security: Selected Agencies Should Improve Methods for Assessing and Monitoring Risk
Highlights
What GAO Found
None of the four agencies GAO reviewed—U.S. Customs and Border Protection (CBP), the Federal Aviation Administration (FAA), the Agricultural Research Service (ARS), and the Forest Service—used security assessment methodologies that fully aligned with the Interagency Security Committee's Risk Management Process for Federal Facilities standard (the ISC Standard). This standard requires that methodologies used to identify necessary facility countermeasures—such as fences and closed-circuit televisions—must:
1. Consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities.
2. Assess three factors—threats, vulnerabilities, and consequences—for each of these events and use these three factors to measure risk.
All four agencies used methodologies that included some ISC requirements when conducting assessments. CBP and FAA assessed vulnerabilities but not threats and consequences. ARS and the Forest Service assessed threats, vulnerabilities, and consequences, but did not use these factors to measure risk. In addition, the agencies considered many, but not all 33 undesirable events related to physical security as possible risks to their facilities. Agencies are taking steps to improve their methodologies. For example, ARS and the Forest Service now use a methodology that measures risk and plan to incorporate the methodology into policy. Although CBP and FAA have updated their methodologies, their policies do not require methodologies that fully align with the ISC standard. As a result, these agencies miss the opportunity for a more informed assessment of the risk to their facilities.
All four agencies reported facing management challenges in conducting physical security assessments or monitoring assessment results. Specifically, CBP, ARS, and the Forest Service have not met the ISC's required time frame of every 3 years for conducting assessments. For example, security specialists have not conducted required reassessments of two ARS and one Forest Service higher-level facilities. While these three agencies have plans to address backlogs, CBP's plan does not balance conducting risk assessments with other competing security priorities, such as updating its policy manual, and ARS and the Forest Service lack a means to monitor completion of future assessments. Furthermore, CBP, ARS, and the Forest Service did not have the data or information systems to monitor assessment schedules or the status of countermeasures at facilities, and their policies did not specify such data requirements. For example, ARS and the Forest Service do not collect and analyze security-related data, such as countermeasures' implementation. FAA does not routinely monitor the performance of its physical security program. Without improved monitoring, agencies are not well equipped to prioritize their highest security needs, may leave facilities' vulnerabilities unaddressed, and may not take corrective actions to meet physical security program objectives. This is a public version of a sensitive report that GAO issued in August 2017. Information that the agencies under review deemed sensitive has been omitted.
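The three requirements the findings above turn on (considering every required undesirable event, combining threat, vulnerability and consequence into a per-event risk measure, and monitoring whether higher-level facilities are reassessed within 3 years) are shown below as an added Python illustration. It is not code from the GAO report, the ISC, or any of the agencies reviewed: the 1-5 rating scale, the multiplicative scoring model, the four-event stand-in for the ISC's 33 undesirable events, and every facility, date and rating are constructed assumptions.

```python
"""Added illustration (not GAO, ISC or agency code) of a facility risk register.

It does three things the findings say a sound methodology and its monitoring
must do: (1) check that every required undesirable event was considered,
(2) combine threat, vulnerability and consequence into a risk measure per
event, and (3) flag higher-level facilities overdue for their 3-year
reassessment. The 1-5 scale, the multiplicative model and all sample data
are constructed assumptions; the ISC's own scoring is not on the page.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-in for the ISC Standard's 33 undesirable events: only
# arson and vandalism are named on the page, the other two are placeholders.
REQUIRED_EVENTS = frozenset(
    {"arson", "vandalism", "undesirable_event_03", "undesirable_event_04"}
)
REASSESS_INTERVAL_YEARS = 3  # ISC interval for higher-level facilities


@dataclass(frozen=True)
class EventRating:
    """Assumed 1-5 ratings for one undesirable event at one facility."""
    threat: int
    vulnerability: int
    consequence: int

    def risk(self) -> int:
        # Assumed model: multiply the factors so a high value in any one of
        # them cannot be hidden by low values in the other two.
        for value in (self.threat, self.vulnerability, self.consequence):
            if not 1 <= value <= 5:
                raise ValueError("ratings must be on the 1-5 scale")
        return self.threat * self.vulnerability * self.consequence


@dataclass
class Assessment:
    facility: str
    security_level: str                 # "III" / "IV" count as higher-level
    assessed_on: date
    ratings: dict[str, EventRating] = field(default_factory=dict)


def missing_events(assessment: Assessment) -> set[str]:
    """Required undesirable events the assessment did not consider."""
    return set(REQUIRED_EVENTS) - set(assessment.ratings)


def ranked_risks(assessment: Assessment) -> list[tuple[str, int]]:
    """(event, risk) pairs, highest risk first, to prioritise countermeasures."""
    pairs = [(event, rating.risk()) for event, rating in assessment.ratings.items()]
    return sorted(pairs, key=lambda pair: (-pair[1], pair[0]))


def next_due(assessed_on: date) -> date:
    """Reassessment due date; 29 Feb rolls back to 28 Feb in non-leap years."""
    year = assessed_on.year + REASSESS_INTERVAL_YEARS
    try:
        return assessed_on.replace(year=year)
    except ValueError:
        return assessed_on.replace(year=year, day=28)


def schedule_report(assessments, today: date) -> list[dict]:
    """One row per facility: due date, overdue flag, coverage gaps, top risk."""
    rows = []
    for a in assessments:
        due = next_due(a.assessed_on)
        ranked = ranked_risks(a)
        rows.append({
            "facility": a.facility,
            "level": a.security_level,
            "due": due,
            "overdue": today > due,
            "missing_events": sorted(missing_events(a)),
            "top_risk": ranked[0] if ranked else None,
        })
    return rows


# Constructed sample data and reference date (not real agency facilities).
SAMPLE_ASSESSMENTS = [
    Assessment("Facility A", "IV", date(2014, 6, 1), {
        "arson": EventRating(3, 4, 5),
        "vandalism": EventRating(4, 2, 2),
        "undesirable_event_03": EventRating(2, 3, 3),
        "undesirable_event_04": EventRating(1, 1, 4),
    }),
    Assessment("Facility B", "III", date(2016, 9, 15), {
        "arson": EventRating(2, 2, 3),
        "vandalism": EventRating(3, 3, 1),
        "undesirable_event_03": EventRating(1, 2, 2),
    }),
]
REFERENCE_DATE = date(2017, 8, 15)

if __name__ == "__main__":
    for row in schedule_report(SAMPLE_ASSESSMENTS, REFERENCE_DATE):
        print(row)
```

Run as written, the report shows the two failure modes the findings describe: Facility A was rated on every event but is past its 3-year reassessment date, while Facility B is within its interval but never considered one required event, so its risk ranking is incomplete. A register kept this way gives a security office the two data items the page says CBP, ARS and the Forest Service lacked (the assessment schedule and the per-facility results) without any agency-specific tooling.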
Why GAO Did This Study
Protecting federal employees and facilities from security threats is of critical importance. Most federal agencies are generally responsible for their facilities and have physical security programs to do so.
GAO was asked to examine how federal agencies assess facilities' security risks. This report examines: (1) how selected agencies' assessment methodologies align with the ISC's risk management standard for identifying necessary countermeasures and (2) what management challenges, if any, selected agencies reported facing in conducting physical security assessments and monitoring the results.
GAO selected four agencies—CBP, FAA, ARS, and the Forest Service—based on their large number of facilities and compared each agency's assessment methodology to the ISC Standard; analyzed facility assessment schedules and results from 2010 through 2016; and interviewed security officials. GAO also visited 13 facilities from these four agencies, selected based on geographical dispersion and their high risk level.
Recommendations
GAO recommends: (1) that CBP and FAA update policies to require the use of methodologies fully aligned with the ISC Standard; (2) that CBP revise its plan to eliminate the assessments backlog; and (3) that all four agencies improve monitoring of their physical security programs. All four agencies agreed with the respective recommendations.
Recommendations for Executive Action
Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, with regard to the updated Security Policy and Procedures Handbook, include the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. One particular standard, called The Risk Management Process for Federal Facilities (ISC Standard), requires that methodologies used to identify necessary facility countermeasures, such as fences and closed-circuit televisions, must: (1) consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities, (2) assess three factors of risk (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk, and (3) document decisions that deviate from the ISC Standard. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) assessment methodology (based on its Security Policy and Procedures Handbook, dated August 13, 2009) did not fully align with the ISC Standard because it did not consider all of the undesirable events nor assess threat and consequence. At the time of GAO's review, CBP had started, but after 3 years had not yet completed, the update of the agency's handbook to align it with the ISC Standard. Delays in updating the handbook meant that CBP's policy would continue not to align with the ISC Standard. GAO reported that without an updated policy handbook that requires a methodology that assesses all undesirable events consistent with the ISC Standard, CBP cannot reasonably ensure that its facilities will have levels of protection commensurate to their risk. Therefore, GAO recommended that CBP include in its updated Security Policy and Procedures Handbook the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.
In 2020, GAO confirmed that CBP issued its updated Physical Security Policies and Procedures Handbook on January 7, 2020, which supersedes its 2009 handbook. The updated handbook is applicable to all CBP owned, leased, or occupied offices, facilities, ports of entry, and stations. The updated handbook also describes the ISC's risk management process for federal facilities requirement to assess all 33 undesirable events, consider all three factors of risk, and document deviations from the ISC Standard. The updated handbook describes this formal process in Chapter 5, entitled Risk-Informed Decision-Making. By updating the handbook to align with ISC requirements, CBP can have reasonable assurance that all required factors will be considered when conducting physical security assessments. This should result in recommendations that its facilities will have levels of protection commensurate to their risk.

Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for higher-level facilities. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) Security Policy and Procedures Handbook, dated August 13, 2009, did not fully align with the ISC Risk Management Process for Federal Facilities (the ISC Standard) because CBP had not yet updated the handbook. At the time of GAO's review, CBP had started, but after 3 years had not yet completed, the agency's effort to update its handbook to align with the ISC Standard. GAO found that CBP officials reported facing challenges in monitoring the agency's physical security program because its handbook did not specify data collection or monitoring requirements, as required by Standards for Internal Control. Specifically, the handbook did not include requirements for data collection and analysis for monitoring physical-security program activities. Absent these requirements, CBP facility managers and security officials did not enter assessment results, such as the countermeasures recommended for facilities, in the agency's real property database. Consequently, they did not have comprehensive data to manage their security program, assess overall performance, and take any necessary corrective actions. Without including data collection and analysis requirements in its updated handbook, CBP may have been unable to monitor the performance of its physical security program.
Therefore, GAO recommended that CBP's updated Security Policy and Procedures Handbook include data collection and analysis requirements for monitoring the performance of CBP's physical security program. In 2020, GAO confirmed that CBP issued an updated Physical Security Policies and Procedures Handbook to include collection, analysis, and reporting of relevant performance-related data that facilitate decision-making to improve performance and accountability of physical security program measures. GAO also confirmed that CBP officials are collecting and analyzing information on the results of assessments by facility to help monitor the performance of its security program. By including data collection and analysis in its updated handbook, CBP is in a better position to have the information it needs to monitor the performance of its physical security program.

Agency affected: United States Customs and Border Protection
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog.
Status: The U.S. Customs and Border Protection (CBP), the nation's largest law enforcement agency, has the responsibility for securing the country's borders. It also has the responsibility for conducting physical security assessments at about 1,200 facilities, including approximately 215 federally owned and agency-controlled higher-level facilities with security levels III and IV. The Interagency Security Committee (ISC) Standard requires agencies to follow a risk-management process when conducting assessments for each of their facilities. Specifically, the ISC requires that agencies assess higher-level facilities at least once every 3 years, an interval requirement intended to identify and address evolving risks. In 2018, GAO reported that CBP data on assessments from August 2010 to September 2016 showed that the agency had not assessed a significant number of its higher-level facilities. CBP security officials attributed the backlog to (1) having too few security specialists assigned to assess about 1,200 facilities and (2) the specialists working on competing priorities. At the time of GAO's review, CBP security officials said that they had developed a plan to eliminate the backlog by the end of fiscal year 2018 by prioritizing the completion of assessments. GAO reported that, without balancing assessments with competing priorities, CBP's time frames for completing the assessments by the end of fiscal year 2018 might not have been feasible and might also have resulted in the agency's not addressing other important physical security responsibilities. While the plan was comprehensive, the schedule did not seem feasible due to the assumptions used to develop the plan. Therefore, GAO recommended that CBP revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog.
In 2018, GAO confirmed that CBP had eliminated the backlog of security assessments at higher-level facilities by making revisions to its plan. Specifically, CBP (1) lowered the security level of 39 federally owned and agency-controlled facilities, based on the ISC Standard and the respective facility assessments, which freed resources to prioritize the assessments of higher-level facilities and support other priorities, and which extended the time for reassessing these facilities by 2 years; (2) assessed several facilities at a fast pace (15 facilities within 2 weeks) that were small in size and had few personnel, which allowed the agency to conduct on-site assessments within one day or less; (3) used the Federal Protective Service to assess some of the 1,200 facilities under the control of the General Services Administration, which provided relief from having to assess non-CBP owned facilities; and (4) conducted assessments of higher-level facilities that had not been previously assessed. By eliminating its backlog of security assessments, CBP has the information it needs to reduce the vulnerabilities and security risks to its facilities.

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC gives agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of a sound risk-management methodology. Specifically, methodologies must consider all of the undesirable events identified in the ISC Standard as possible risks to federal facilities, and assess three factors of risk (threats, vulnerabilities, and consequences) for each of the events. In October 2017, GAO reported that the Federal Aviation Administration's (FAA's) methodology did not fully align with the ISC Standard because it did not consider all 33 undesirable events (e.g., arson and vandalism) nor did it assess all three factors of risk (threat, vulnerability, and consequence). To address the resulting methodological gaps, FAA hired a contractor to design, develop, test, and validate an improved risk-assessment methodology. Subsequently, FAA improved its methodology in January 2017 to assess the threats, vulnerabilities, and consequences for 30 of the 33 undesirable events identified in the November 2016 revision to the ISC Standard. In April 2017, FAA officials told GAO of their plan for implementing this methodology and provided tentative milestone dates to conduct further testing, training, and analysis before deciding to use the improved methodology, which they expected to complete by January 2018. However, their plan lacked the necessary information to ensure successful implementation, such as detail on how many facilities they would test and how they would use the results of testing, training, and analysis to implement the improved methodology within 9 months.
Without a detailed implementation plan to assess the methodology's impact on its security program, FAA cannot reasonably ensure that its facilities have the proper countermeasures. Therefore, GAO recommended that the FAA develop a plan that provides sufficient details on the activities needed and time frames when FAA will implement an improved methodology. In 2022, GAO confirmed that FAA developed such a plan. According to supporting documentation, FAA's plan included development of a risk-based methodology to assess all three factors of risk, an update to its facility security policy, initial testing, and deployment of the risk-assessment methodology to allow appropriate staff to become familiar with the system. Documentation showed that FAA trained staff on the risk-assessment software tool that complies with the ISC Standard by September 2019, and by June 2021 showed completion, modification, and integration of a risk assessment tool that had been used by other federal agencies and approved by the ISC. FAA expects to fully implement its plan by October 2022, subject to the agency's personnel policies. Having developed the plan, FAA has better assurance that its facilities will have the proper countermeasures.

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The standards, called the Risk Management Process for Federal Facilities, give federal agencies some flexibility to design their own security-assessment methodologies for identifying necessary countermeasures as long as the chosen methodology adheres to fundamental principles of sound risk management. Agencies' methodologies must consider all undesirable events identified in ISC standards as possible risks to federal facilities and assess three factors of risk (threats, vulnerabilities, and consequences) for each of the events. The standards also recommend countermeasures to mitigate threats and require executive departments and agencies to document decisions that deviate from the standards. In October 2017, GAO reported that FAA's facility security policy employed a risk-assessment methodology not fully aligned with ISC's standards because it did not consider all 33 ISC-identified undesirable events nor did it assess all three factors of risk (threat, vulnerability, and consequence). FAA also did not always document why it deviated from recommended countermeasures. To address the resulting methodological gaps, FAA hired a contractor to design, develop, test, and validate an improved risk-assessment methodology. Subsequently, FAA improved its methodology in January 2017 to assess the threats, vulnerabilities, and consequences for 30 of the 33 undesirable events identified in the November 2016 revision to the ISC standards. However, the improved methodology did not address undesirable events for which ISC issued countermeasures in May 2017.
With changes that were ongoing to its security program, FAA had an opportunity to fully align its improved methodology with the ISC standards by including all 33 undesirable events and to update its policy requiring the use of such a methodology. Therefore, GAO recommended that FAA update its policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. In September 2023, FAA updated its facility security policy. The policy requires a methodology that fully aligns with the ISC standards. Specifically, the updated policy states that FAA's Office of Infrastructure Protection is to evaluate the threats of all ISC-identified undesirable events occurring at its facilities and the consequences to the mission that could result from those events. In addition to assessing threats and consequences, the updated policy requires an assessment of countermeasures to determine the degree to which they reduce facilities' vulnerabilities. With respect to documenting all deviations from the standard countermeasures, the updated policy states that risk assessment reports document the existing deviations from the necessary level of protection that affect the facility's risk, indicate why the level of protection could not be achieved, and provide an explanation of the strategies in place to eliminate or mitigate the deviations, and thereby achieve the risk level associated with the necessary level of protection. By updating its policy and methodology to align with ISC standards, FAA can have reasonable assurance that all required risk factors will be considered when assessing the physical security risks to its facilities.

Agency affected: Department of Transportation
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. ISC Standards also state that agencies should use physical security information to monitor their facilities so that they can make appropriate decisions for allocating resources. In October 2017, GAO found that FAA reported facing challenges in monitoring its physical security program because its policy did not specify monitoring requirements, as required by Standards for Internal Control. Specifically, FAA policy did not require ongoing monitoring of physical security information, such as the status of implementing recommended countermeasures. As a result, FAA officials did not proactively use physical security information to assess the overall performance of its physical security program, take corrective actions before an incident occurs, and make informed resource decisions. Without a policy requiring ongoing monitoring of information (an internal control activity), FAA was possibly unable to assess the overall performance of its security program and take necessary corrective actions. Therefore, GAO recommended that FAA update its policy to include ongoing monitoring of physical security information. In September 2023, FAA updated its facility security policy. The updated policy states that, through facility security information, the FAA associate administrator is to monitor FAA's facility security management program to ensure FAA entities develop and implement comprehensive security policies and procedures for their facilities.
That associate administrator is to ensure that appropriate resources are obtained and budgets planned as needed for the execution and management of the facility security program. Facility managers are also required to monitor facility security information and correct any deviations from the necessary level of protection that are within the scope of the facility manager's authority. Once a corrective action is complete on a recommendation or finding, facility managers will notify their security managers to validate and close the item within the facility security reporting system database. Security managers verify that the required actions have been satisfactorily implemented. Closing findings and recommendations further mitigates identified risks. Supporting managers will review physical security information and update the status of open findings at assigned facilities at least semi-annually. By updating its policy to include ongoing monitoring of physical security information, FAA is better positioned to assess the overall performance of its security program and take necessary corrective actions.

Agency affected: Department of Agriculture
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs in the department's revised physical-security manual.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments at least once every 3 years for facilities with a higher level of risk. Standards for Internal Control state that agencies should use quality information on an ongoing basis as a means to monitor program activities and take corrective action, as necessary. In 2017, GAO reported that agencies within the U.S. Department of Agriculture (USDA) were unable to demonstrate appropriate oversight of their physical security programs because the department did not have a policy for collecting and managing agency-wide information. At the time of GAO's review, the department was drafting a departmental regulation to address this matter, but had not yet completed the effort to address data-reporting requirements for monitoring the performance of the physical security program. Without USDA including data collection and analysis requirements in its regulation, its agencies may not have been able to monitor the performance of their physical security programs. Therefore, GAO recommended that the Secretary of Agriculture include data collection and analysis requirements for monitoring the performance of agencies' physical security programs in the department's revised physical-security manual. In January 2022, GAO confirmed that USDA issued a revised departmental regulation, dated December 9, 2021, that includes data collection and analysis requirements to monitor the status of a facility's security.
Specifically, the regulation assigned the Office of Safety, Security, and Protection the responsibility to develop and maintain an electronic physical security assessment database and repository that identifies and monitors all USDA facilities with their corresponding facility security level, assessment due date, and completion date. The database also serves as storage for corresponding physical security assessments, risk mitigation plans, and other supporting documentation. Should physical security issues arise at USDA facilities, the staff is to inform the Director of Safety, Security, and Protection. By including data collection and analysis requirements in its revised departmental regulation, which met the intent of GAO's recommendation, USDA is in a better position to have the information it needs to monitor the performance of its physical security program and protect its facilities.

Agency affected: Department of Agriculture
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.
Status: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. The ISC requires that agencies conduct physical security assessments of higher-level facilities at least once every 3 years, an interval requirement intended to identify and address evolving risks. In 2017, GAO reported that the United States Department of Agriculture's Agricultural Research Service (ARS) and the Forest Service had not met the ISC's 3-year interval requirement for security assessments. Specifically, since the ISC issued its standard in 2010, ARS and the Forest Service have assessed their higher-level facilities at least once. However, these agencies have not reassessed all of their higher-level facilities within the 3-year interval requirement. For example, security specialists had not conducted required reassessments of two ARS and one Forest Service higher-level facilities, which GAO visited. GAO also found that ARS and the Forest Service had not implemented a long-term schedule with key milestones and lacked a means to monitor completion of assessments of higher-level facilities at least once every 3 years. Consequently, these agencies could not reasonably ensure that they had full knowledge of the risks to their facilities. Therefore, GAO recommended that the Administrator of the Agricultural Research Service and the Chief of the Forest Service implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years. In 2021, GAO confirmed that ARS implemented a long-term assessment schedule with key milestones and developed the means to monitor the schedule. Specifically, the agency implemented a web-based system for officials in service areas across the country to monitor security assessment schedules.
The system contains a list of facilities by security level, shows the date of the last assessment and the due date of the next assessment, and serves as a repository for security assessment reports. The system also contains a security assessment calendar to help officials monitor when reassessments of facilities are needed. In 2021, GAO also confirmed that the Forest Service developed and implemented a plan to conduct and monitor security assessments with key milestones on almost 1,200 facilities agency-wide, including those facilities requiring assessments at least once every 3 years. According to Forest Service documentation, the plan provides a framework and process for agency-wide facility security assessments, and as a result, the Forest Service plans to monitor the program and expects to reach compliance with ISC standards within 5 years. In addition, Forest Service officials told GAO that they have implemented the physical security plan and are reporting the status of assessments to an ISC database. To help ensure reassessments are done at least once every 3 years, the Forest Service holds quarterly progress reviews involving security officials in headquarters and regions and provides progress reports to USDA headquarters, the Office of the Chief of the Forest Service, and regional offices. With these key aspects of a security program in place (the ability to complete assessments on time and the information to perform monitoring), ARS and the Forest Service are in a better position to obtain full knowledge of security risks and take steps to protect their facilities.