Federal Facilities: Improved Oversight Needed for Security Recommendations

GAO-23-105649 Published: May 08, 2023. Publicly Released: May 08, 2023.
Fast Facts

The Department of Homeland Security is responsible for security at federal buildings and facilities.

We previously reported that federal agencies don't implement many of DHS's Federal Protective Service recommendations for security improvements. When we followed up with agency representatives, they cited cost or feasibility concerns.

DHS requires federal agencies to self-report some information about security recommendations. But because DHS does not verify this information, it can't be sure that facilities are protected. We recommended ways to strengthen this oversight.

Photo: Exterior of the U.S. Courthouse in Mobile, Alabama, one of the many federal buildings DHS protects.

Highlights

What GAO Found

The Federal Protective Service (FPS) conducts security assessments and recommends countermeasures—such as security cameras—to address vulnerabilities at federal facilities. FPS maintains a database with information on its assessments and on agencies' decisions to approve or reject these recommendations. As GAO reported in 2022, FPS data indicate that agencies did not respond to over half of FPS's recommendations in fiscal years 2017 through 2021 (GAO-22-106177).

In the discussion groups GAO held with facilities' representatives, participants cited several reasons why agencies might not act on FPS recommendations. Reasons included the cost or feasibility of implementing recommended countermeasures.

Figure: Security Cameras as an Example of a Facility Countermeasure

The Interagency Security Committee (ISC), established by Executive Order 12977, is required to oversee the implementation of appropriate countermeasures in certain federal facilities, among other responsibilities. The Department of Homeland Security (DHS) chairs this organization, which is composed of 66 federal agencies. The ISC requires non-military executive branch agencies to self-report some information on the degree to which they comply with ISC's federal security standards. For example, these agencies report on the extent to which they documented their acceptance of risk for countermeasures they did not implement. However, GAO found that ISC's oversight does not verify that these agencies have:

  • implemented FPS-recommended countermeasures, or
  • documented the acceptance of risk for those countermeasures they do not implement at their facilities.

Without an oversight mechanism to verify if these federal facilities are implementing the appropriate countermeasures or accepting the risk of not doing so, the federal government lacks reasonable assurance that such facilities are secure.

Why GAO Did This Study

FPS protects over 9,000 federal facilities with over 1.4 million employees and visitors. As part of its services, FPS conducts facility security assessments and recommends countermeasures to help address vulnerabilities at federal facilities. FPS conducts these assessments based on ISC security standards. Agencies are responsible for acting on these countermeasures.

GAO was asked to review the implementation of countermeasures recommended by FPS. This report (1) identifies information that FPS maintains on its assessments and recommendations, (2) identifies factors that affect agencies' decisions to act on these recommendations, and (3) examines how ISC assesses compliance with its security standards and countermeasures.

GAO reviewed FPS guidance on the information collected from its assessments, and how that information is entered into its database. In addition, GAO held discussion groups with officials representing 27 selected facilities where FPS conducted security assessments between 2017 and 2021, as well as FPS and ISC officials. GAO also reviewed ISC documentation and guidance.

Recommendations

GAO is making two recommendations to DHS to improve its oversight by (1) assessing countermeasure implementation and (2) identifying the acceptance of risk at facilities where recommended countermeasures are not implemented. DHS concurred with GAO's recommendations.

Recommendations for Executive Action

Recommendation 1
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to assess the implementation of FPS's recommended countermeasures.
Status: Open

DHS concurred with our recommendation. Previously, we reported that DHS's Interagency Security Committee (ISC) began using an annual questionnaire in 2019 to assess federal agencies' compliance with its policies and standards. In May 2024, ISC officials told us that they are updating the annual questionnaire to include questions on implementation of FPS-recommended countermeasures. ISC officials told us that they plan to finalize the updated questionnaire in 2024. We will continue to monitor these efforts.

Recommendation 2
Agency affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to identify the recommendations for which agencies did not implement the recommended countermeasure and did not document the acceptance of the risk.
Status: Closed – Implemented

The Federal Protective Service (FPS) is responsible for protecting 9,000 federal facilities with over 1.4 million employees and visitors. As part of its services, FPS conducts facility security assessments and recommends countermeasures to help address vulnerabilities at federal facilities. The Interagency Security Committee (ISC) is responsible for developing facility security standards and overseeing federal agency implementation of recommended countermeasures at federal facilities. ISC security standards require, among other things, that federal agencies accept the risk of recommended countermeasures they do not implement and document the acceptance of that risk.

In 2023, GAO reported that the ISC's oversight mechanisms did not verify the implementation of appropriate countermeasures at federal facilities through its annual organizational or facility compliance reporting. In addition, ISC's verification process did not verify the acceptance of risk for countermeasures that are not implemented in federal facilities. Specifically, the ISC relies on an annual self-reported questionnaire to agencies to conduct oversight. However, the questionnaire did not include questions on the extent to which departments and agencies implemented FPS-recommended countermeasures at facilities and did not verify that federal facilities documented the acceptance of the risk of not implementing countermeasures. ISC officials told GAO that they were developing a pilot to verify agencies' self-reported compliance with ISC standards at facilities but had not completed the pilot at the time of GAO's report. Without an oversight mechanism to verify if departments and agencies are implementing the appropriate countermeasures recommended by FPS or accepting the risk of not doing so, the federal government does not have reasonable assurance that its facilities are secure.

Therefore, GAO recommended that the ISC improve its oversight of security measures by modifying its compliance and verification process to identify the recommendations for which agencies did not implement the recommended countermeasure and did not document the acceptance of the risk. In November 2023, the ISC updated its standard operating procedures for its compliance and verification process to, among other things, identify the documentation of the acceptance of risk at facilities where recommended countermeasures are not implemented by agencies. Specifically, the procedures state that ISC will evaluate the accuracy of the agency responses in ISC's annual questionnaire, including the extent to which recommended countermeasures are not implemented at agencies' facilities. ISC officials told us that they review FPS data, agency documentation, or agency data systems to identify the recommended countermeasures not implemented by agencies prior to the ISC verification reviews. The ISC procedures then state that for recommended countermeasures not implemented, ISC will review documentation submitted by agencies to verify that agencies documented the acceptance of risk.

In May 2024, ISC completed its pilot to verify selected facilities' compliance with ISC security standards using these new procedures. ISC found that facilities are largely not compliant in documenting risk when not implementing the necessary countermeasures and has made recommendations to agencies on improving the documentation and communication of risk acceptance. The ISC will continue its compliance and verification reviews for over 100 facilities in 2024. As a result of these actions, the federal government has a greater level of assurance that its facilities are meeting ISC's security standards to protect the more than 1.4 million federal employees and members of the public who visit these facilities each year.

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Agency evaluations, Compliance oversight, Critical infrastructure protection, Cybersecurity, Database management systems, Facility security, Federal agencies, Federal employees, Federal facilities, Homeland security, Risk assessment, Risk management, Security assessments, Security risks, Security vulnerabilities, Strategic planning