This is the accessible text file for GAO report number GAO-09-983 
entitled 'Homeland Security: Actions Needed to Improve Security 
Practices at National Icons and Parks' which was released on 
September 28, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Committee on Homeland Security, House of 
Representatives: 

United States Government Accountability Office: 
GAO: 

August 2009: 

Homeland Security: 

Actions Needed to Improve Security Practices at National Icons and 
Parks: 

GAO-09-983: 

GAO Highlights: 

Highlights of GAO-09-983, a report to the Chairman, Committee on 
Homeland Security, House of Representatives. 

Why GAO Did This Study: 

The September 11 terrorist attacks have heightened concerns about the 
security of the nationís icons and parks, which millions of people 
visit every year. The National Park Service (Park Service) within the 
Department of the Interior (Interior) is responsible for securing 
nearly 400 park units that include icons and other parks. In 2004, GAO 
identified a set of key protection practices that include: allocating 
resources using risk management, leveraging technology, information 
sharing and coordination, performance measurement and testing, and 
strategic management of human capital. As requested, GAO determined 
whether the Park Serviceís security efforts for national icons and 
parks reflected key practices. To meet this objective, GAO used its key 
practices as criteria, reviewed five icons and parks to gain firsthand 
knowledge, analyzed Interior documents, and interviewed Interior 
officials. 

What GAO Found: 

The Park Service has implemented a range of security improvements since 
the September 11 terrorist attacks and has worked to integrate security 
into its primary mission to preserve national icons and parks for the 
publicís enjoyment. For example, it has established a senior-level 
security manager position and taken steps to strengthen security at the 
icons, and is developing a risk management program for small parks. 
These efforts exhibit some aspects of the key protection practices, but 
GAO found limitations in each of the areas. 

The Park Service does not allocate resources using risk management 
servicewide or cost-effectively leverage technology. While the Park 
Service, with assistance from Interior, has conducted risk assessments 
and implemented countermeasures to enhance security at the icons, some 
critical vulnerabilities remain. Moreover, the Park Service has not 
advanced this risk management approach for icons to the rest of its 
national parks. Without a servicewide risk management approach, the 
Park Service lacks assurance that security efforts are focused where 
they are needed. Furthermore, while icons and parks may use a variety 
of security technologies and other countermeasures, they do not have 
guidance for evaluating the cost-effectiveness of these investments, 
thus limiting assurances of efficiency and cost-effectiveness. 

Additionally, the Park Service faces limitations with sharing and 
coordinating information internally and lacks a servicewide approach 
for routine performance measurement and testing. Although the Park 
Service collaborates with external organizations, it lacks comparable 
arrangements for internal security communications and, as a result, 
parks are not equipped to share information with one another on common 
security problems and solutions. Furthermore, the Park Service has not 
established security performance measures and lacks an analysis tool 
that could be used to evaluate program effectiveness and inform an 
overall risk management strategy. Thus, icons and parks have little 
information on the status and performance of security that they can use 
to manage daily activities or that Park Service management can use to 
manage security throughout the organization. 

Finally, strategic human capital management is an area of concern 
because of the Park Serviceís lack of clearly defined security roles 
and a security training curriculum. For example, staff that are 
assigned security duties are generally not required to meet 
qualifications or undergo specialized training. Absent a security 
training curriculum, there is less assurance that staff are well-
equipped to effectively identify and mitigate risks at national icons 
and parks. 

What GAO Recommends: 

GAO is making six recommendations to the Secretary of the Interior. 
These include instructing the Park Service to develop a more 
comprehensive risk management approach, guidance and standards for 
leveraging technology, strategies to improve communications and to 
clearly define staff roles, and programs related to performance 
measurement, testing, and training. Interior concurred with the reportí
s recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-09-983] or key 
components. For more information, contact Mark L. Goldstein at (202) 
512-2834 or goldsteinm@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

The Park Service Does Not Manage Risk Servicewide or Ensure the Best 
Return on Security Technology Investments: 

The Park Service Lacks a Servicewide Approach to Sharing Information 
Internally and Measuring Performance: 

Human Capital Management Lacks a Security Focus: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of the Interior: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: Examples of Technologies and Other Countermeasures that Icons 
and Parks Use to Enhance Security: 

Table 2: Examples of Information Sharing and Coordination at Park 
Service Regions, Icons, and Parks: 

Table 3: Examples of Security-related Tests, Exercises, and Drills: 

Table 4: Security Positions at Regions, and Examples of Activities: 

Table 5: Security Positions at Icons and Parks, and Examples of 
Activities: 

Table 6: Security Training Examples: 

Figures: 

Figure 1: Perimeter Fencing at the African Burial Ground: 

Figure 2: Performance Measures, Uses, and Results: 

Abbreviations: 

African Burial Ground: African Burial Ground National Monument: 

DHS: Department of Homeland Security: 

FAA: Federal Aviation Administration: 

FBI: Federal Bureau of Investigation: 

FLETC: Federal Law Enforcement Training Center: 

FPS: Federal Protective Service: 

Gateway Arch: Jefferson National Expansion Memorial: 

Gettysburg: Gettysburg National Military Park: 

Grand Canyon: Grand Canyon National Park: 

GSA: General Services Administration: 

HSPD-7: Homeland Security Presidential Directive 7: 

IG: Inspector General: 

Interior: Department of the Interior: 

ISC: Interagency Security Committee: 

JTTF: Joint Terrorism Task Force: 

OLES: Office of Law Enforcement and Security: 

Park Service: National Park Service: 

Park Police: U.S. Park Police: 

Statue of Liberty: Statue of Liberty National Monument: 

Smithsonian: Smithsonian Institution: 

TSA: Transportation Security Administration: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

August 28, 2009: 

The Honorable Bennie G. Thompson: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

Dear Mr. Chairman: 

The September 11 terrorist attacks have heightened concerns about the 
security of the nation's icons and parks, which millions of people 
visit every year. Attacks on these assets could have profound 
psychological and economic effects. The National Park Service (Park 
Service), within the Department of the Interior (Interior), is 
responsible for protecting close to 400 park units that include 5 units 
Interior has identified as national icons and other types of parks. 
[Footnote 1] While the Park Service has taken some steps to enhance 
security, especially at icons and parks along the southwest border, 
protecting these treasured assets can be a complex and contentious task 
for the agency, which must also ensure that the public has access to 
them. In 2002, the Secretary of the Interior established the Office of 
Law Enforcement and Security (OLES) to oversee Interior's security 
efforts and to ensure their consistent application across its bureaus 
and offices. OLES and the Park Service identified five national icons 
as critical assets as part of the government's homeland security 
initiatives. Additionally, the U.S. Park Police (Park Police) provides 
law enforcement and security services for icons and parks in 
Washington, D.C.; New York City; and San Francisco. 

We have reported on the challenges agencies face in protecting national 
icons. Such challenges include balancing security with public access, 
addressing jurisdictional issues and competing stakeholder interests, 
and leveraging limited resources.[Footnote 2] We have also identified a 
set of key protection practices--established from the collective 
practices of federal agencies and private sector entities--that can 
provide a framework for guiding agencies' efforts to protect physical 
assets, such as park properties and facilities, and address challenges. 
[Footnote 3] The key practices essentially form the foundation of a 
comprehensive, strategic approach to park protection. We have used 
these key practices as criteria to evaluate how the Department of 
Homeland Security (DHS)[Footnote 4] and the Smithsonian Institution 
[Footnote 5] (Smithsonian) secure their assets. Furthermore, the 
Interagency Security Committee[Footnote 6] (ISC), chaired by DHS, is 
using our key protection practices to guide its priorities and work 
activities. The following are the key practices we used for this 
review: 

* Allocation of resources using risk management: Identify threats, 
assess vulnerabilities, and determine critical assets to protect; use 
information on these and other elements to develop countermeasures; and 
prioritize the allocation of resources as conditions change. 

* Leveraging of technology: Select technologies to enhance asset 
security through methods like access control, detection, and 
surveillance systems. This involves not only using technology, but 
ensuring that there are positive returns on investment in the form of 
reduced vulnerabilities. 

* Information sharing and coordination: Establish means of coordinating 
and sharing security and threat information internally, within large 
organizations, and externally, with other government entities and the 
private sector. 

* Performance measurement and testing: Use metrics, such as 
implementation timelines, and active testing, such as unannounced on- 
site assessments, to ensure accountability for achieving program goals 
and improving security at facilities. 

* Strategic management of human capital: Manage human capital to 
maximize government performance and assure accountability in asset 
protection through, for example, recruitment of skilled staff, 
training, and retention. 

You requested that we determine whether the Park Service's approach to 
securing national icons and parks reflects key protection practices. In 
response, on June 19, 2009, we issued a sensitive but unclassified 
report. As that report contained information that was deemed to be 
either law enforcement sensitive or for official use only, this version 
of the report is intended to communicate our findings as related to 
each of the key protection practices that we reviewed and our 
recommendations while omitting sensitive information about icon and 
park security, including specific vulnerabilities, security breaches, 
and steps that Interior, Park Service, and Park Police have taken to 
address them. 

To meet the reporting objective, we used our key practices as a 
framework for assessing the Park Service's protection efforts. We 
interviewed Interior officials at the national, regional, and asset 
levels, including officials from the Office of the Inspector General 
(IG), OLES, Park Service, and Park Police. We reviewed five icons and 
parks to learn firsthand how the Park Service protects highly visible 
assets. We selected these assets because they have high public 
visitation, present other potential security considerations such as 
recent or planned facility construction, and are geographically 
diverse. We selected: 

* Two icons: the Statue of Liberty National Monument (Statue of 
Liberty) in New York City, and the Jefferson National Expansion 
Memorial (Gateway Arch) in St. Louis. 

* Three parks: the African Burial Ground National Monument (African 
Burial Ground) in New York, Gettysburg National Military Park 
(Gettysburg) in Pennsylvania, and Grand Canyon National Park (Grand 
Canyon) in Arizona.[Footnote 7] 

In doing our work, we also reviewed pertinent documents and policies, 
related directives, and prior and ongoing GAO studies. We conducted 
this performance audit from January 2008 through June 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objective. Appendix I contains a more 
detailed discussion of our scope and methodology. 

Results in Brief: 

The Park Service has implemented a range of security program 
improvements since the September 11 terrorist attacks. As an important 
steward of America's highly valued national icons and parks, the Park 
Service has worked to integrate security into its primary mission to 
preserve the natural and cultural resources and values of the national 
park system for the enjoyment, education, and inspiration of those who 
visit them. For example, it has established a senior-level security 
manager position and taken steps to strengthen security at the icons, 
and it is developing a risk management program for small parks. These 
efforts exhibit some aspects of key protection practices, but also have 
limitations. More specifically: 

* The Park Service does not have a systematic approach for allocating 
resources using risk management throughout its vast and diverse 
inventory of national icons and parks to address security issues. The 
Park Service, with assistance from Interior's OLES, has assessed risks 
and implemented security improvements at the five icons and some border 
parks, although we noted some cases in which recommended security 
measures were not implemented at icons and vulnerabilities remain. At 
other parks, however, risk assessments are done on an ad-hoc basis and 
the Park Service has not conducted a servicewide assessment of 
vulnerabilities. Instead, officials at individual parks use their 
discretion to request risk assessments from the Park Service or obtain 
them from other sources. For example, officials at the Grand Canyon-- 
with more than 4 million visitors annually--independently obtained a 
risk assessment from an outside counterterrorism organization, but the 
chief ranger was concerned that it was not thorough and that 
vulnerabilities remain. Without a servicewide risk management approach, 
the Park Service lacks assurance that security efforts are adequate and 
focused where they are needed. Furthermore, without risk assessment 
tools and other security guidance, some Park Service officials at 
regional offices are developing their own approaches to risk management 
without leveraging best practices and lessons learned throughout the 
Park Service. 

* The Park Service does not have guidance or standards that officials 
at individual icons and parks can use to leverage technology by 
evaluating the cost-effectiveness of security countermeasures. As a 
result, there is limited assurance that technology investments produce 
the greatest security benefits. Without guidance and standards, 
officials at icons and parks may rely on other methods such as trial 
and error to identify systems and equipment that best suit their needs. 
For example, officials at the Statue of Liberty were planning to lease 
magnetometers and X-ray machines to screen visitors, while officials at 
the Gateway Arch intend to continue purchasing the same equipment. 
Officials at both icons were making these decisions based on preference 
without assessing which approach was more cost-effective. These 
alternative methods may lead to inefficient resource allocation since 
icon and park officials have competing resource demands and regular 
developments in technology necessitate upgrades. Officials from the two 
icons and one of the regions said that guidance for investing in 
technology would be helpful. 

* The Park Service has information sharing and coordination 
arrangements with external organizations at the national, regional, 
icon, and park levels. However, the Park Service lacks comparable 
arrangements for internal security communications, and as a result, 
officials at icons and parks are not equipped to share information with 
one another on common security problems and solutions. For example, 
there is no servicewide Web portal for sharing security information 
internally, an approach other organizations have established. Thus, 
while officials at the Gateway Arch said they have collaborated with 
other federal agencies--such as the Transportation Security 
Administration (TSA) to form a federal screeners group to share best 
practices and learn about new technologies--the Park Service is limited 
in its ability to leverage these lessons learned throughout the 
organization--an activity that a shared Web portal could enable. In the 
absence of a servicewide security Web portal, some regional offices are 
developing their own Web sites, but functionality, content, and usage 
vary from region to region. 

* The Park Service does not have a servicewide approach for routine 
performance measurement and testing of its security efforts. The Park 
Service has not established security performance measures and lacks an 
analysis tool that it could use to track performance measures such as 
the number of risk assessments conducted, change in the total number of 
security-related incidents, identified security staff, and security 
training courses provided and attended. Without an overarching 
performance measurement and testing framework, officials at each 
region, icon, and park take their own approach to identifying security 
performance measures and tests. However, this ad hoc approach provides 
little assurance that performance measures and tests are effective and 
adequate, and that lessons learned can be identified and leveraged 
throughout the Park Service. Moreover, officials at regions, icons, and 
parks use their own tracking tools to record and report security 
incidents limiting the extent to which such information can be 
consolidated, analyzed, and leveraged to enhance security throughout 
the park system. Because of the limited activity in this area, icon and 
park personnel have little information on the status and performance of 
security methods that they can use to manage day-to-day activities or 
that Park Service management can use to manage security efforts 
throughout the organization. 

* Strategic human capital management is an area of concern because of 
the Park Service's lack of clearly defined security roles and a 
security training curriculum. Although the Park Service requires 
regions to assign security responsibilities to law enforcement staff, 
and icon and park superintendents designate physical security 
coordinators, these staff do not have to meet any qualifications, 
demonstrate expertise, or undergo any specialized training, and 
oversight of their activities is limited. For example, at the time of 
our review, neither the Park Service nor the Park Police employed a 
full-time security manager at the Statue of Liberty, despite such 
recommendations from the Interior IG and OLES. Moreover, park officials 
have not designated a physical security coordinator, and instead, have 
distributed those duties among several Park Police managers. While 
officials from regions, icons, and parks told us that they coordinate 
and participate in a variety of security training sessions, there is no 
overarching Park Service-specific training program or curriculum. 
Instead, security training is decentralized and thus there is little 
assurance that Park Service employees have the knowledge, skills, and 
awareness needed to contribute to overall park security. 

In order to better oversee and more efficiently manage the protection 
of the vast and diverse inventory of national icons and parks, we are 
recommending that the Secretary of the Interior take six actions. 
Specifically, the Secretary should instruct the Director of the 
National Park Service, in consultation with OLES, to develop and 
implement: (1) a more comprehensive, routine risk management approach 
for security; (2) guidance and standards for leveraging security 
technology; (3) an internal communications strategy for security to 
address communications gaps, including a timeline for the development 
of a servicewide Web portal for security; (4) a servicewide performance 
management and testing program that includes specific measures and an 
evaluation component; (5) a strategy for more clearly defining security 
roles and responsibilities within the Park Service; and (6) a 
servicewide security training program and related curriculum. We 
provided a draft of this report to Interior for official review and 
comment. Interior agreed with our assessment that actions are needed to 
improve security practices at national icons and parks, and agreed with 
the report's recommendations. Interior also provided additional 
information--including general comments from the Park Police--which is 
discussed near the end of this letter. Interior's official comments are 
contained in appendix II. Additionally, the Park Police provided 
technical comments that we incorporated, where appropriate. 

Background: 

Interior is responsible for the safety and security of more than 67,000 
employees, 280,000 volunteers, 1 million daily visitors, and 500 
million acres of public lands that include national icons and parks. 
After September 11, the Secretary of the Interior took steps to address 
serious organizational and management problems in the law enforcement 
and security components of the department. Of particular concern, 
according to the Interior IG, was the lack of coordination among these 
components and the absence of a meaningful single point of contact that 
the Secretary and senior managers could depend upon for reliable 
information and advice.[Footnote 8] The Secretary approved a Deputy 
Assistant Secretary for Law Enforcement and Security in July 2002, and 
established OLES to oversee the department's law enforcement and 
security efforts and ensure their consistent application across 
Interior's bureaus and offices. Specific to icon protection, in 2003, 
Homeland Security Presidential Directive 7 (HSPD-7) designated Interior 
as the sector-specific agency for the National Monuments and Icons 
critical infrastructure sector, and Interior selected OLES to carry out 
sector responsibilities.[Footnote 9] To fulfill its duties, OLES 
officials developed a national monuments and icons sector-specific plan 
in which they defined national icons as: (1) monuments, physical 
structures, or objects; (2) recognized both nationally and 
internationally as representing the nation's heritage, traditions, and/ 
or values or are recognized for their national, cultural, religious, 
historical, or political significance; and (3) serve the primary 
purpose of memorializing or representing significant aspects of our 
nation's heritage, traditions, or values and serve as points of 
interest for visitors and educational activities.[Footnote 10] In 
accordance with its assigned duties, OLES officials also developed a 
uniform risk assessment and ranking methodology to quantify risk, 
identify needed security enhancements, and measure risk-reduction 
benefits at icons. OLES officials used this methodology to assess risks 
at the icons during 2004 and 2006. OLES has also issued sector annual 
reports and established a sector government coordinating council. 

The Park Service's mission is the unimpaired preservation of the 
natural and cultural resources and values of the national park system. 
The Park Service is responsible for managing the national icons and the 
national park system. In 2008, the Park Service welcomed almost 275 
million visitors to its nearly 400 national park units throughout the 
United States, American Samoa, Guam, Puerto Rico, and the Virgin 
Islands. Within the Visitor and Resource Protection division of the 
Park Service, the Law Enforcement, Security, and Emergency Services 
branch provides policy formulation, oversight, support services, 
guidance, and leadership to assist park managers and law enforcement 
staff in accomplishing the Park Service's visitor protection goals and 
objectives. This branch is led by a chief and has one position 
dedicated to security and intelligence management. Park superintendents 
and rangers manage and provide security and law enforcement services at 
icons and parks throughout the United States in conjunction with their 
other duties. These other duties include the management of public use, 
dissemination of scientific and historical information, and protection 
and management of natural and cultural resources. The Park Police, 
which is a Park Service component, provides law enforcement and 
security services for national icons and parks in Washington, D.C.; New 
York City; and San Francisco. The Park Police has also staffed law 
enforcement specialists in four of seven Park Service regions including 
the National Capital, Northeast, Intermountain, and Pacific West 
regions.[Footnote 11] 

We have identified a set of six key protection practices from the 
collective practices of federal agencies to provide a framework for 
guiding agencies' protection efforts and addressing challenges. 
[Footnote 12] The following are the key practices we used for this 
review: 

* Allocation of resources using risk management: Identify threats, 
assess vulnerabilities, and determine critical assets to protect; use 
information on these and other elements to develop countermeasures; and 
prioritize the allocation of resources as conditions change. 

* Leveraging of technology: Select technologies to enhance asset 
security through methods like access control, detection, and 
surveillance systems. This involves not only using technology, but 
ensuring that there are positive returns on investment in the form of 
reduced vulnerabilities. 

* Information sharing and coordination: Establish means of coordinating 
and sharing security and threat information internally, within large 
organizations, and externally, with other government entities and the 
private sector. 

* Performance measurement and testing: Use metrics, such as 
implementation timelines, and active testing, such as unannounced on- 
site assessments, to ensure accountability for achieving program goals 
and improving security at facilities. 

* Strategic management of human capital: Manage human capital to 
maximize government performance and assure accountability in asset 
protection through, for example, recruitment of skilled staff, 
training, and retention. 

We have used the key practices to evaluate the efforts of the 
Smithsonian to protect its assets,[Footnote 13] DHS to protect its 
facilities,[Footnote 14] and federal agencies to protect icons and 
facilities on the National Mall.[Footnote 15] For example, in 2007, we 
found that while the Smithsonian follows key practices to protect its 
assets, it faces challenges related to ensuring that museum and 
facility directors are aware of information on security and funding 
constraints. Similarly, in 2005, we found that federal 
agencies[Footnote 16] on the National Mall--the Park Service, 
Smithsonian, National Gallery of Art, Department of Agriculture, and 
U.S. Botanic Garden--were using five of the six key practices to 
implement security enhancements. Also, in 2007, we reported that DHS 
had taken actions intended to improve the security of its facilities, 
but its efforts fell short in certain key areas, such as DHS components 
not fully implementing risk management. 

Moreover, the ISC--a body that addresses the quality and effectiveness 
of security requirements for federal facilities through developing and 
evaluating security standards for federal facilities--is using our key 
protection practices as key management practices to guide its 
priorities and work activities. For example, ISC established 
subcommittees for technology best practices and training, and working 
groups in the areas of performance measures and strategic human capital 
management. ISC also issued performance measurement guidance in 2009. 
[Footnote 17] 

The Park Service Does Not Manage Risk Servicewide or Ensure the Best 
Return on Security Technology Investments: 

While the Park Service, with the assistance of OLES, has assessed risks 
at the icons and southwest border parks, it has not adopted a 
servicewide approach to risk management, including policies, guidance, 
and tools to support risk assessments at the remaining parks. 
Furthermore, although icon and park officials have acquired a variety 
of technologies to enhance security, they do not have guidance to 
evaluate the cost-effectiveness of proposed or actual countermeasures. 

The Park Service Has Focused Risk Management Efforts on Icons and 
Border Parks but Vulnerabilities Remain: 

We have reported that most risk management approaches generally involve 
identifying the assets that are most critical to protect in terms of 
mission and significance, identifying potential threats, assessing 
vulnerabilities, and evaluating mitigation alternatives for their 
likely effect on risk and their cost.[Footnote 18] The Park Service and 
OLES generally employed such an approach in identifying five icons as 
critical assets to protect, assessing risks, and implementing 
countermeasures. Specifically, OLES conducted its first round of icon 
risk assessments during 2004, through which it identified 
vulnerabilities that the icons shared. Officials at the icons worked on 
implementing the assessments' recommendations; therefore OLES's 2006 
icon risk assessments and 2007 compliance reviews noted significant 
security improvements, including new surveillance and monitoring 
equipment, some barriers installed to protect against vehicle 
explosions, and enhanced visitor screening stations and procedures. 

In addition to prioritizing icon security, during 2008 the Secretary of 
the Interior directed the Park Service to focus on border park security 
through its "Safe Borderlands" initiative, and as a result, the Park 
Service has also taken steps to balance security and public access at 
southwest border parks. About 41 percent of the land along the U.S. 
southwest border is under the control and custody of Interior's land 
management bureaus, including five parks that are under the Park 
Service. These border parks face security challenges related to drug 
smuggling and other unlawful activities in the area, which have also 
caused significant environmental damage. The Safe Borderlands 
initiative aims to strengthen Interior's--including the Park Service's-
-law enforcement capabilities, improve its radio communications, and 
lessen the environmental impact of illegal activities. The Park Service 
and other Interior bureaus have assessed risks and increased staffing 
along the southwest border, and have installed security features, such 
as vehicle barricades and sensors at certain border locations, in an 
effort to prevent illegal aliens and drug smugglers from entering. 
According to Park Service officials from the Intermountain Region, all 
border parks in their region have ground sensors to detect illegal 
traffic and some have alarm systems. 

Despite the significant improvements made in icon security, we noted 
some cases in which recommended security countermeasures were not 
implemented and vulnerabilities remain.[Footnote 19] Park officials at 
the Statue of Liberty told us that the icon security plan had not been 
updated since its creation in 2002; however, later in our review, Park 
Police officials told us they updated this plan during 2008.[Footnote 
20] Park officials at the Gateway Arch have also made notable security 
improvements, such as moving the dispatch center away from the arch. 
However, vulnerabilities still exist at the park, and security breaches 
have occurred. Officials from both icons told us that, while they 
identify and prioritize security needs, security projects compete with 
other operational needs, and these officials must prioritize and 
balance competing interests as best they can. 

The Park Service Lacks a Systematic Approach for Allocating Resources 
Using Risk Management: 

Park Service officials at the national, regional, icon, and park levels 
told us that security awareness has increased throughout the 
organization, largely because of Interior's initiative to assess 
security risks at the icons, and the resources the Park Service has 
allocated to address these concerns; yet the Park Service has not 
formally applied risk management principles for the rest of its 
national parks inventory. We have reported that allocating resources 
using risk management is a systematic and analytical process to 
consider the likelihood that a threat will endanger an asset-- 
structure, individual, or function--and identify, evaluate, select, and 
implement actions that reduce the risk or mitigate the consequences of 
an event.[Footnote 21] However, the Park Service does not require that 
other parks undergo risk assessments and therefore there has been no 
comprehensive servicewide assessment, prioritization, and mitigation of 
vulnerabilities. Instead, Park Service officials use their discretion 
to request risk assessments from the Park Service or another entity, 
and as a result, risk assessments can vary in their scope and 
methodology from park to park. Even if Park Service officials obtain 
risk assessments, they may not use them to guide park operations, or 
they may find it challenging to interpret and implement recommended 
actions because they are unfamiliar with the risk assessment process. 
Of the three parks we reviewed, only the African Burial Ground had 
received a comprehensive risk assessment because it is in a high- 
security federal facility that is under the control and custody of the 
General Services Administration (GSA) and is protected by the Federal 
Protective Service (FPS).[Footnote 22] The risk assessments of the 
other two parks were limited in scope. 

* The African Burial Ground is adjacent to a high security multitenant 
federal building in New York City and the visitor center is inside the 
building. Therefore, the Park Service authorized FPS to provide law 
enforcement and security services--such as conducting security 
assessments and recommending countermeasures through a memorandum of 
understanding. Furthermore, because the Park Service is a tenant in a 
GSA building, it receives certain protection services from GSA. For 
example, FPS, GSA, and the Park Service collaborated to identify 
perimeter fencing for GSA to install around the monument that 
maintained park aesthetics and provided protection based on FPS and GSA 
security standards (see figure 1). Also, according to the Northeast 
regional chief ranger, the former regional physical security specialist 
completed a risk assessment of the park in 2006. In accordance with the 
memorandum, FPS will continue to address security vulnerabilities at 
the African Burial Ground, such as visitor screening, in collaboration 
with the park. 

Figure 1: Perimeter Fencing at the African Burial Ground: 

[Refer to PDF for image: photograph] 

Source: GAO. 

[End of figure] 

* In 2008, the Gettysburg Foundation--a private, nonprofit educational 
organization working with the Park Service at Gettysburg--hired a 
security consulting firm to complete a risk assessment specifically for 
the new visitor center and museum that it constructed on its land 
within the park. The assessment included recommendations for protecting 
artifacts, infrastructure, visitors, and staff, and the Gettysburg 
Foundation implemented some of the countermeasures. For example, the 
Gettysburg Foundation purchased surveillance cameras, and Park Service 
rangers monitor them. The Park Service is responsible for protecting 
visitors and providing a safe environment for visitors and staff. 
Moreover, the risk assessment was only for the visitor center and 
museum, not the park as a whole. According to the chief ranger, the 
park faces security challenges from the numerous roads leading into it 
and its open borders. 

* In 2006, Park Service officials at the Grand Canyon--with more than 4 
million visitors annually--requested a risk assessment through their 
participation in the Arizona Joint Terrorism Task Force (JTTF). 
[Footnote 23] The Arizona Counter Terrorism Information Center 
fulfilled the request and identified points of vulnerability and 
potential security improvements at the park. The center's assessment 
cited concerns with the location of the dispatch center and wiring 
system, and Park Service officials are taking steps to mitigate these 
risks, such as moving the dispatch center to a more secure location and 
upgrading the wiring. Additionally, Park Service officials enhanced 
security for the fee collection booths by having surveillance cameras 
installed. However, even though the assessment contained actionable 
items, the chief ranger told us it lacked details that would have made 
it more helpful. The chief ranger considered assigning a Park Service 
staff person to the center to learn more about the risk assessment 
methodology, but the time commitment was prohibitive. 

In addition to lacking a systematic approach for assessing risk 
throughout its inventory, the Park Service lacks guidance and tools 
that officials at icons and parks can use to develop risk management 
strategies. The Park Service's 40-chapter law enforcement manual, which 
was updated in 2008, focuses primarily on law enforcement policies and 
responsibilities. One chapter on physical security[Footnote 24] broadly 
outlines the duties of the physical security coordinator and delineates 
closed-circuit television policy, but does not include other guidance 
such as risk assessment procedures and how to use technology to enhance 
security. Park Service officials we spoke with had mixed views on the 
manual. Officials from three of the four regions we spoke with said the 
manual lacks comprehensive physical security information and guidance, 
while officials from the fourth region considered the manual to be 
useful. While officials at the Gateway Arch and Gettysburg told us that 
they used the manual and found it useful for physical security, 
officials at the Statue of Liberty and the Grand Canyon said they did 
not use the manual to guide park security operations. The 
superintendent at the African Burial Ground told us that other Park 
Service staff advising the park refer to the manual. Park Police 
officials told us that they do not use the Park Service's law 
enforcement manual. Instead, they rely on the Park Police law 
enforcement manual for security guidance at locations where the Park 
Police are responsible for physical security, such as the Statue of 
Liberty. 

The Park Service also relies on Interior's physical security manual 
which sets forth the policies designed to safeguard Interior personnel 
and facilities, including buildings, grounds, and other property. OLES 
developed the manual using the Department of Justice's facility 
security level standards and minimum security countermeasure standards. 
[Footnote 25] OLES officials told us that they adopted ISC's updated 
facility security level standards,[Footnote 26] and notified bureau 
security managers of changes. The Park Service's Acting Chief of the 
Law Enforcement, Security, and Emergency Services division and the 
Security and Intelligence Program Manager told us that they are 
developing a process for updating icons' and parks' individual facility 
security levels based on the revised standards. However, the department-
level physical security manual is focused on general facility 
protection and officials from the regions, icons, and parks told us it 
would be more useful if it were tailored to park-specific security 
issues. For example, officials from two of the regions we spoke with 
found the manual unhelpful, though officials from the other two regions 
considered the manual the main driver for security policy. Park Service 
officials at the icons and parks we spoke with had mixed reviews as 
well. For example, officials at the Gateway Arch and Gettysburg told us 
that they used the manual and found it useful--much as they did the 
Park Service's law enforcement manual--while officials at the Statue of 
Liberty and the Grand Canyon said they did not use the manual to guide 
park security operations. 

While officials at icons and parks are required to develop and 
implement physical security plans and conduct physical security 
surveys, there is no standardized approach, tools, or guidance for 
carrying out these responsibilities. In the absence of a standardized 
approach, some Park Service officials from the regions are developing 
their own risk assessment tools and guidance for parks to use. Although 
officials from the regions are taking actions that could help parks 
allocate resources using risk management in accordance with the key 
practice, these initiatives are being developed independently without a 
servicewide strategy. 

* The Intermountain regional office has provided parks with a physical 
security plan template and workbook with guidance on how to assess risk 
and identify appropriate countermeasures. 

* The Midwest regional office is updating a small parks assessment 
program that it originally created during 2002 by developing a physical 
security assessment checklist for Park Service rangers to identify 
deficiencies at parks. 

* The Northeast regional office plans to create a team made up of 
rangers and cultural staff that they can send to parks to work with 
staff to assess security and develop strategies to mitigate 
vulnerabilities. 

At the national level, the Park Service recognizes that parks should 
have tools available to help them assess risks and that physical 
security plans and assessments should be standardized. Therefore, the 
Park Service is developing a physical security handbook to standardize 
physical assessment processes servicewide. Park Service officials are 
using a U.S. Geological Survey physical security handbook and 
Interior's physical security manual to develop the Park Service's 
physical security handbook. The Park Service is also developing a small 
park assessment program based on the Midwest Region's program, which it 
intends to test in one region before implementing it servicewide. 
However, the Park Service has not considered the other regions' 
approaches and is therefore missing an opportunity to leverage best 
practices and lessons learned, and create buy-in for a new security 
program. For example, the Acting Chief of the Law Enforcement, 
Security, and Emergency Services division and the Security and 
Intelligence Program Manager were unfamiliar with the Intermountain 
Region's physical security template and workbook, explaining that 
officials at each regional office take their own approach to physical 
security. 

Lacking a systematic approach for assessing risk throughout the Park 
Service's inventory of icons and parks has negative effects. First and 
foremost, the Park Service lacks assurance that decisions about 
security are based on an assessment of potential threats and 
countermeasures. Although highly visible icons are the most plausible 
terrorist targets, it is not unreasonable to presume that parks with 
high visitor volumes or other national parks, monuments, memorials, and 
facilities that have symbolic value may also be targets. Second, risk 
management practices provide the foundation for a comprehensive 
protection program. Hence, efforts in the other key practice areas-- 
leveraging technology, information sharing and coordination, 
performance measurement and testing, and human capital management--are 
diminished if they are not part of a risk management approach which can 
be the vehicle for using these practices. Lastly, as previously 
discussed, individual efforts by officials at regions, icons, and parks 
to develop risk management tools and security approaches in the absence 
of overarching guidance are not conducive to sharing lessons learned 
and leveraging efficiencies. 

The Park Service Does Not Have Guidance or Standards That Would Assist 
Icons and Parks in Leveraging Technology: 

Officials at icons and parks use a variety of technologies and other 
countermeasures--such as video and surveillance monitoring equipment, 
visitor screening equipment, vehicle barriers, and door locks--to 
enhance security operations (see table 1). We have reported that by 
efficiently using technology to supplement and reinforce other security 
measures, agencies can more effectively address vulnerabilities 
identified through the risk management process with appropriate 
countermeasures.[Footnote 27] 

Table 1: Examples of Technologies and Other Countermeasures that Icons 
and Parks Use to Enhance Security: 

Icon or park: African Burial Ground; 
Technologies and other countermeasures: The park worked with FPS and 
GSA to identify and install perimeter fencing that would balance 
security with the aesthetics of the monument. 

Icon or park: Gateway Arch; 
Technologies and other countermeasures: The park installed bollards for 
perimeter protection, some of which can be controlled at the entry 
points by entering a code into a keypad, or remotely by the dispatch 
center. The park is modernizing its dispatch center which will 
incorporate radio-over-Internet-protocol technology and software-driven 
security equipment, ensuring continued operations should the dispatch 
center be damaged during an emergency. 

Icon or park: Gettysburg; 
Technologies and other countermeasures: The Gettysburg Foundation 
implemented keyless lock technology for the park's new visitor center, 
and the Park Service programs electronic key cards for each employee, 
thus limiting access to an employee's area of responsibility. The 
Gettysburg Foundation implemented video surveillance equipment, such as 
closed-circuit television and motion detectors, and the Park Service 
operates it. 

Icon or park: Grand Canyon; 
Technologies and other countermeasures: The park purchased and 
installed video and surveillance equipment, such as digital video 
recording technology and closed-circuit television, to secure fee 
collection booths at park entrances. 

Icon or park: Statue of Liberty; 
Technologies and other countermeasures: The park installed temporary 
visitor screening stations at Battery Park in New York City and Liberty 
State Park in New Jersey. Visitors and their belongings must go through 
magnetometer and X-ray screening before boarding the ferries to Liberty 
Island. The park also installed a secondary screening station at 
Liberty Island for visitors who want to go to the observation deck 
level of the statue. In addition to magnetometers and X-ray machines, 
this station has radiation and explosives detection devices. 

Sources: GAO site visits and analysis of Park Service data. 

[End of table] 

Additionally, officials at icons we reviewed are partnering with other 
agencies to test and obtain security technologies. By pooling resources 
and sharing equipment, officials at icons are leveraging expertise and 
cost-effectively enhancing their security. As we have reported, 
technology implementation costs can be high, and the type of technology 
used should be carefully analyzed to ensure its effectiveness and 
efficiency.[Footnote 28] For example, at the Statue of Liberty, the 
U.S. Air Force used the park as a testing ground for emerging 
technologies, and the arrangement allowed the Park Service to keep the 
equipment. For example, according to Park Service officials, the U.S. 
Air Force has tested wireless cameras, weather stations, and chemical, 
radiological, biological, nuclear, and explosives detection systems on 
Liberty Island. Park Service and Park Police officials told us that the 
weather stations are particularly useful to them since the Federal 
Aviation Administration (FAA) requires weather data for fining aircraft 
that violate airspace rules near the Statue of Liberty. According to 
the Park Police, this partnership has been extended into 2010. 

Despite icon and park officials' use of various technologies and other 
countermeasures to enhance security, the Park Service has not developed 
guidance on how to evaluate the cost-effectiveness of proposed or 
actual security investments. We have recognized that having an approach 
that allows for cost-effectively leveraging technology to supplement 
and reinforce other measures would represent an advanced security 
approach in this area.[Footnote 29] Without such guidance, icon and 
park officials rely on other methods to identify systems and equipment 
that best suit their needs. This, however, is an inefficient way to 
enhance security, particularly in light of icon and park officials' 
competing resource demands and regular developments in technology that 
necessitate upgrades. For example, officials from two Park Service 
regions told us that parks contact them for assistance in identifying 
security equipment. Officials at the icons we reviewed cited instances 
of using a trial and error approach to identify cost-effective and 
suitable technologies. For example, officials at both the Statue of 
Liberty and the Gateway Arch use magnetometers and X-ray machines to 
screen visitors and their belongings. After several years of purchasing 
security equipment, Park Police officials at the Statue of Liberty have 
realized that they can acquire new and more effective space-saving 
visitor screening equipment faster through leasing agreements. Park 
Police officials told us that they intend to lease equipment in the 
future to stay current with emerging technologies and ensure equipment 
is maintained. Moreover, in its 2007 compliance review, OLES 
recommended that park officials lease equipment because such an 
approach would allow for quicker and less costly upgrades as new 
technology is developed. In contrast, Park Service officials at the 
Gateway Arch plan to continue purchasing this equipment. Officials at 
both icons have made these decisions based on preference without formal 
cost-benefit analysis. Officials from the Midwest Regional Office, 
Statue of Liberty, and Gateway Arch suggested that the Park Service 
could better assist icon and park officials in making informed 
decisions about security technologies and other countermeasures. 

The Park Service Lacks a Servicewide Approach to Sharing Information 
Internally and Measuring Performance: 

The Park Service has information sharing and coordination arrangements 
with external organizations at the national, regional, icon, and park 
levels, but lacks comparable arrangements for internal security 
communications that would allow icon and park officials to share 
information with one another on common security problems and solutions. 
In addition, officials at the regions, icons, and parks have discretion 
to implement security performance measures and testing, but the Park 
Service lacks a servicewide approach for measuring and testing the 
results of its security efforts. As a result, little consolidated 
performance information is available for icon and park officials to use 
in managing their day-to-day activities or for Park Service management 
to use in managing security efforts throughout the organization. 

The Park Service Shares Information and Coordinates with External 
Organizations, but Internal Coordination Is Limited: 

At the national, regional, icon, and park levels, the Park Service has 
made progress in sharing information and coordinating with other law 
enforcement, security, and emergency management entities. We have 
reported that information sharing and coordination among organizations 
is crucial to producing comprehensive and practical approaches and 
solutions to addressing terrorist threats directed at federal assets. 
[Footnote 30] By having a process in place to obtain and share 
information on potential threats to federal assets, agencies can better 
understand the risks they face and more effectively determine what 
preventive measures should be implemented.[Footnote 31] At the national 
level, the Park Service's Security and Intelligence Program Manager 
analyzes intelligence from various sources including the Federal Bureau 
of Investigation (FBI), DHS, and Interior, and disseminates this 
information to officials at regions, icons, and parks. This manager 
also attends department-level quarterly meetings of Interior's Security 
Advisory Council.[Footnote 32] According to OLES officials, meeting 
attendees are encouraged to disseminate information discussed at the 
meetings to pertinent staff within their respective bureaus and 
offices. 

By collaborating with area law enforcement, security, and emergency 
management entities, officials at regions, icons, and parks receive 
threat information and leverage security expertise (see table 2). For 
example, officials at the Gateway Arch said they are collaborating with 
area federal agencies such as TSA, the Federal Air Marshal Service, and 
FBI to form a federal screeners working group to share best practices 
and learn about new technologies. 

Table 2: Examples of Information Sharing and Coordination at Park 
Service Regions, Icons, and Parks: 

Region: Intermountain; 
Collaborates with DHS on border park protection and has a memorandum of 
understanding for the two entities to establish radio-sharing 
responsibilities; 
Coordinates with the Bureau of Reclamation to secure dams; 
Receives intelligence information from the area JTTF. 

Region: Midwest; 
Participates on the Nebraska Anti-Terrorism Advisory Council; 
Attends regular meeting of area chiefs of police, sheriffs, and other 
law enforcement officials; 
Coordinates with law enforcement officials in the vicinity of Mount 
Rushmore National Memorial. 

Region: Northeast; 
Collaborated with the Smithsonian Institution on a risk assessment of a 
Smithsonian asset; 
Collaborated with FBI, the J. Paul Getty Trust, and the Smithsonian 
Institution to develop a 3-day museum security awareness conference. 

Pacific West; 
Receives intelligence information from area JTTFs. 

Icon or park: African Burial Ground; 
Coordinates with the New York Police Department for park events; 
Maintains a memorandum of understanding with DHS, which outlines FPS's 
security responsibilities for the park. 

Icon or park: Gateway Arch; 
Forming a federal screeners working group with area agencies such as 
TSA, the Federal Air Marshal Service, and FBI to share best practices 
and learn about new technologies; 
Provides a backup terminal for the Department of Justice 
Interoperability Project which is intended to unify various radio 
communications to enhance agencies' emergency response; 
Member of the Illinois State Terrorism Intelligence Center. 

Icon or park: Gettysburg; 
Pays for a seat on the local dispatch center, which provides 24-hour 
access and linkage to the state emergency center. 

Icon or park: Grand Canyon; 
Coordinates with FBI to dispense annual training for the park, and in 
turn the park provides space for FBI to conduct training for FBI and 
other agencies; 
Coordinates with the U.S. Marshals Service for warrant services and 
prisoner transport. 

Icon or park: Statue of Liberty; 
Connected to FAA's Domestic Events Network, allowing dispatch center 
staff to track nearby aircraft; 
Coordinates with FBI and the U.S. Coast Guard for maritime security; 
Has a Park Police detective assigned to the New York City JTTF. 

Source: GAO analysis of Park Service data. 

[End of table] 

While collaboration with partner agencies has expanded, the Park 
Service has not fully leveraged information sharing and coordination 
mechanisms that could strengthen the ability of officials at regions, 
icons, and parks to share threat information and identify common 
security problems and solutions. We have reported that sharing 
information on threats and incidents that others have experienced can 
help an organization identify trends better, understand the risks it 
faces, and determine what countermeasures it should implement.[Footnote 
33] Specifically, an information sharing practice that we have found to 
be an important success factor in protecting critical infrastructure is 
holding regularly scheduled meetings during which participants can 
share security management practices, discuss emerging technologies, and 
create committees to perform specific tasks such as policy setting. 
[Footnote 34] However, the Park Service's use of regularly scheduled 
security meetings is limited, and security discussions typically occur 
on an as-needed basis. The Park Service's Law Enforcement, Security, 
and Emergency Services branch holds a monthly conference call with 
regional chief rangers, which covers a variety of topics and is not 
solely focused on security. Regional officials we spoke with said they 
meet with icon and park officials to discuss security issues on an as-
needed basis. Icon and park officials can contact Park Service regional 
law enforcement or even the Park Service's Intelligence and Security 
Program Manager for security assistance as needed. 

Icon and park officials could access needed information anytime through 
a Park Service security Web portal, but this tool does not exist 
servicewide and is instead under development. We have reported that 
secure Web portals are another important success factor in protecting 
critical infrastructure and can ensure effective and timely 
communication among an organization's members.[Footnote 35] Web portals 
can be used to (1) disseminate all types of information, including 
alerts, advisories, reports, and other analysis; (2) provide methods 
for members to ask each other about particular incidents, 
vulnerabilities, or potential solutions; and (3) share sensitive 
information.[Footnote 36] For example, GSA's security division is 
developing a Web portal to track incidents, share threat information, 
post security policies and other related documents, and enable virtual 
security discussions. The Park Service recognizes a need to improve its 
use of technology to disseminate security information through 
mechanisms such as a Web site and Web conferencing, thereby enhancing 
its application of the information sharing and coordination key 
practice. However, the Park Service's security Web portal is still 
under development without a timetable for completion. According to OLES 
officials, Interior's Office of Emergency Management maintains a secure 
Web site known as SAFETALK, where sensitive information and policies 
can be exchanged and stored. However, only authorized individuals are 
allowed to access the portal, and over the course of our review, no 
Park Service or Park Police officials we spoke to at the national, 
regional, icon, or park levels cited this Web site as a primary 
security information source. Without its own Web portal, the Park 
Service is limited in its ability to disseminate key icon and park- 
specific security information and guidance to icons and parks 
efficiently and raise security awareness overall. 

In the absence of a servicewide secure Web portal, some Park Service 
regional offices have developed law enforcement and security Web sites, 
but the functionality, content, and usage of these sites vary from 
region to region. For example, while officials from the Intermountain 
regional office said that they regularly update their Web site with 
security resources, officials from the Midwest and Pacific West regions 
said their law enforcement and security Web sites were used 
infrequently and not to their fullest extent. The Midwest regional 
chief ranger told us that officials from the region's icons and parks 
make limited use of the regional Web site, instead preferring to 
contact someone in the regional office for assistance or to obtain 
policy documents. Officials from the Midwest and Pacific West regions 
acknowledged that more could be done to enhance the content of their 
Web sites and promote greater usage. For example, the Pacific West 
regional chief ranger cited the inability of parks to communicate with 
one another as a limitation on the usefulness of the regional Web site 
as a tool for protecting visitors and resources. The Web site offers 
one-way communication from the region to the field, but the region is 
trying to increase the site's functionality and usage by adding 
discussion threads and message boards, and displaying successful park 
security strategies and plans. Also, the Northeast regional chief 
ranger told us the office is considering creating a Web site to post 
security-related lessons learned and security assessment templates. 

The Park Service Lacks a Servicewide Approach for Routine Performance 
Measurement and Testing: 

The Park Service--at the national level--has no standardized 
performance measures, evaluation mechanisms, or a testing program for 
security servicewide. We have reported that successful performance 
measures should (1) be linked to an agency's mission and goals; (2) be 
clearly stated; (3) have quantifiable targets or other measurable 
values; (4) be reasonably free of significant bias or manipulation that 
would distort the accurate assessment of performance; (5) provide a 
reliable way to assess progress; (6) sufficiently cover a program's 
core activities; (7) have limited overlap with other measures; (8) have 
balance, or not emphasize one or two priorities at the expense of 
others; and (9) address governmentwide priorities.[Footnote 37] Linking 
goals to a security program can be used to hold agencies and program 
offices accountable for achieving those goals. Furthermore, we reported 
that such alignment increases the usefulness of performance information 
to decision makers.[Footnote 38] 

Although the Park Service requires icon and park officials to report 
security incidents, it has no centralized reporting and analysis 
mechanism, thus these Park Service units have created their own 
incident-tracking tools. The Park Service began developing an incident 
reporting and analysis tool in 2003, but Interior decided to transfer 
the project to OLES and leverage it for the whole department. 
Interior's intent is that all bureaus--including the Park Service--will 
use the Incident Management Analysis and Reporting System for a variety 
of security performance measurement and management activities, such as 
reporting incidents, identifying training and resource needs, 
justifying resource requests and expenditures, measuring program 
performance, and tracking training. These functions coincide with some 
of the uses and results of performance measurement that we have 
recognized, such as assessing the change in the total number of 
security incidents to evaluate program effectiveness and inform the 
overall risk management approach, as shown in figure 2.[Footnote 39] 
However, Interior expects that this tool will not be available until 
2011 or 2012, therefore, until the new system is implemented, the Park 
Service will continue to be limited in its ability to identify common 
threats and incidents--information which it could use to evaluate risk 
management strategies and countermeasures, identify problems, and 
develop solutions. 

Figure 2: Performance Measures, Uses, and Results: 

[Refer to PDF for image: illustration] 

Performance measure examples: 
* Risk assessments conducted; 
* Compliance with security policies; 
* Change in total number of security incidents; 
* Change in risk rating resulting from countermeasures deployed. 

Selected uses: 
* Ensure adequate protection; 
* Inform risk management; 
* Allocate security resources; 
* Hold employees accountable for security goals and objectives; 
* Evaluate program effectiveness. 

Potential results: 
* Improvement in physical security; 
* Physical security investments that justify costs; 
* Reduction in facilitiesí vulnerability to acts of terrorism and other 
forms of violence; 
* Prioritization of funding within and across agencies. 

Source: GAO. 

[End of figure] 

Regional officials may perform two to three park law enforcement 
operational evaluations annually by selecting parks for evaluation or 
responding to a park's request for an evaluation. These assessments 
have a small security component, but are not security evaluations. For 
example, the Midwest regional chief ranger examines the security of 
park fee collections and the types of locks on windows and doors of 
park facilities, according to this official. Officials from some of the 
icons and parks we reviewed recognized a need for standardized 
performance measures and testing. For example, Park Police officials at 
the Statue of Liberty told us they would like a standardized testing 
and evaluation program for security technologies, instead of solely 
relying on informal testing efforts such as the Park Police's 
collaboration with TSA to test visitor screening equipment. Similarly, 
Park Service officials from the Gateway Arch expressed an interest in 
coordinated reviews of the park's security that would incorporate 
markers for achievement. Because performance is measured and tested 
occasionally and inconsistently, officials from icons and parks have 
limited opportunities for sharing lessons learned or using performance 
data to manage security from a broader perspective. 

We have reported that performance measurement can help achieve broad 
program goals and improve security at the individual asset level. 
[Footnote 40] Without effective performance measurement data, decision 
makers may have insufficient information to evaluate whether their 
investments have improved security or reduced vulnerabilities to 
threats such as terrorism or crime. We have also reported that active 
testing, using methods such as on-site security assessments, can 
provide data on the effectiveness of efforts to reduce vulnerabilities. 
[Footnote 41] Because the Park Service's performance management and 
testing capability is limited, the agency has little information on the 
status and performance of security activities at the icons and parks it 
can use to manage day-to-day activities or that Park Service management 
can use to strategize security efforts throughout the organization. 
Absent a formal performance measurement system and testing program, 
officials at icons and parks individually identify security program 
components to test, such as focusing on equipment and procedural 
knowledge. We have reported that testing methods include conducting 
inspections to ensure that adequate levels of protection are employed, 
testing the effectiveness of security measures such as structural 
enhancements and physical barriers, and assessing preparedness through 
training exercises and drills.[Footnote 42] We found some examples of 
tests, exercises, and drills that park officials use to assess security 
performance at icons and parks (see table 3). For example, officials at 
the Grand Canyon said that they analyze law enforcement and security 
incidents to shape patrol strategies, and officials at the Statue of 
Liberty told us they hold emergency exercises with the New York Police 
Department and FBI. 

Table 3: Examples of Security-related Tests, Exercises, and Drills: 

Icon or park: African Burial Ground; 
Tests, exercises, and drills: FPS tests employee and visitor screening 
equipment. The park participates in biannual fire drills and annual 
shelter-in-place drills that GSA conducts for the facility. 

Icon or park: Gateway Arch; 
Tests, exercises, and drills: The park tests guards' operation of X-ray 
equipment for visitor screening daily. The park tests the arch's 
emergency power and fire alarm system annually. The park participated 
in continuity of operations and pandemic flu tabletop exercises and 
evaluations. 

Icon or park: Gettysburg; 
Tests, exercises, and drills: The chief ranger checked the 
effectiveness of the park's evacuation training by informally testing 
park staff on evacuation procedure recall. 

Icon or park: Grand Canyon; 
Tests, exercises, and drills: The park tests its evacuation plan 
biannually--one tabletop exercise and one drill of a component of the 
evacuation plan. 

Icon or park: Statue of Liberty; 
Tests, exercises, and drills: The guard service contractor has an 
internal audit program with four assigned program evaluators for the 
park to test security guards' performance. The park conducts several 
emergency exercises with the New York Police Department and FBI. The 
park participates in tabletop exercises with the New York and New 
Jersey Port Authority and the U.S. Coast Guard. 

Source: GAO analysis of Park Service data. 

[End of table] 

Human Capital Management Lacks a Security Focus: 

The Park Service assigns security duties to selected regional staff and 
requires that icon and park superintendents designate physical security 
coordinators, but it does not require these staff to have physical 
security experience or expertise, and it does not provide them with 
specialized security training. As a result, there is little assurance 
that staff are equipped to effectively identify and mitigate risks at 
icons and parks. 

Security Roles Are Not Well Defined and Training Is Limited: 

The Park Service has security staff at the national, regional, icon, 
and park levels that have a variety of security and other duties. We 
have reported that the strategic management of human capital is a key 
practice that can maximize the government's performance and ensure the 
accountability of its security-related efforts.[Footnote 43] At the 
national level, the Park Service has established a Security and 
Intelligence Program Manager position within its Law Enforcement, 
Security, and Emergency Services division. This position was created in 
2003, in response to a 2002 Interior IG recommendation that Interior 
bureaus install full-time security managers.[Footnote 44] We have also 
recognized the importance of having a chief security officer position 
and the security industry maintains that such a position is essential 
in organizations with large numbers of mission-critical assets. 
[Footnote 45] Moreover, a security trade organization--ASIS 
International[Footnote 46]--has developed chief security officer 
guidance for organizations to use in developing a security leadership 
position that would establish a comprehensive, integrated security risk 
strategy.[Footnote 47] 

The Acting Chief of the Law Enforcement, Security, and Emergency 
Services division and the Security and Intelligence Program Manager 
told us that the Park Service has structured the manager position to 
disseminate and coordinate information among Park Service units, 
instead of establishing a managerial position that oversees and directs 
security activities at regions, icons, and parks. The Security and 
Intelligence Program Manager performs a variety of duties, such as 
liaising with DHS to improve security within the southwest border 
parks, coordinating with OLES to develop semiannual security workshops, 
conducting risk assessments when parks request them, and gathering, 
analyzing, and disseminating intelligence information. This official 
also oversees some of the national initiatives we have previously 
described, such as the small parks assessment program and the security 
Web portal. According to the Security and Intelligence Program Manager, 
as the Park Service has become more aware of this resource, the 
manager's activities have increased, especially in the area of physical 
security. 

At the regional level, security responsibilities are assigned to law 
enforcement staff that also have other duties in the areas of law 
enforcement and emergency management. Of the four regional offices we 
reviewed, only the Northeast Regional Office, had a full-time position 
dedicated to security. From 2002 to 2007, the regional office employed 
a physical security and intelligence specialist who performed a variety 
of activities such as conducting risk assessments, establishing 
technology-sharing relationships with other federal agencies, and 
analyzing and disseminating intelligence throughout the agency. This 
position was vacated in 2007, but the regional chief ranger is trying 
to staff this position again and is revising the position description 
to focus on physical security. Park Police law enforcement specialists 
are staffed to the National Capital, Northeast, Intermountain, and 
Pacific West regional offices and can provide security assistance. 
Regional Park Service and Park Police staff who have security 
responsibilities are available to help icons and parks that request 
their services. These staff may conduct risk assessments or help 
identify security technologies or other countermeasures, as shown in 
table 4. 

Table 4: Security Positions at Regions, and Examples of Activities: 

Region: Intermountain; 
Activities: The regional chief ranger and two Park Police captains have 
security duties. The Park Police captain advises parks on security 
equipment costs and quality. The region has promoted the practice of 
parks upgrading and implementing alarms and cameras which they report 
has reduced vandalism. 

Region: Midwest; 
Activities: The regional chief ranger and assistant chief ranger have 
security duties, and the office uses the physical security specialist 
from the Gateway Arch to conduct risk assessments at parks throughout 
the region. The assistant chief ranger manages fee collections security 
programs, supports security programs in parks that do not have rangers 
on staff, and advises park superintendents on security matters. 

Region: Northeast; 
Activities: The regional chief ranger and assistant chief ranger have 
security duties. The region employed a physical security specialist 
from 2002 until 2007, and is trying to fill the vacancy. This 
specialist established contacts and coordinated with external agencies 
to acquire security intelligence and training; conducted park risk 
assessments; and provided training in explosive devices and checkpoint 
security for rangers at icons and urban parks. A Park Police captain 
currently assigned to the region has a background in icon protection 
and has been involved with protection efforts at the Statue of Liberty. 

Region: Pacific West; 
Activities: The region relies on the Park Police at the San Francisco 
Field Office for security expertise. A Park Police sergeant assists 
with security assessments throughout the region and at times may visit 
a park to conduct a comprehensive review of the facilities. 

Source: GAO analysis of Park Service data. 

[End of table] 

The Park Service requires icon and park superintendents to designate 
physical security coordinators and expects them to develop and 
implement park physical security plans and conduct physical security 
surveys of all structures. Park Service officials told us that, 
typically, physical security coordinators are park rangers or 
maintenance managers, who have other duties and responsibilities in 
addition to security. Moreover, because of the small size of some 
parks, one person may serve as the physical security coordinator for 
several parks. For example, the Intermountain Regional Chief Ranger 
told us that the region has 41 physical security coordinators 
positioned at about 56 of its 78 parks. We found that physical security 
coordinators perform a variety of duties, such as overseeing dispatch 
center operations and reviewing video surveillance images, as shown in 
table 5. Additionally, Park Service law enforcement rangers and Park 
Police staff at icons and parks have some security responsibilities in 
addition to law enforcement duties. 

Table 5: Security Positions at Icons and Parks, and Examples of 
Activities: 

Icon or park: African Burial Ground; 
Activities: The Northeast Regional Park Police captain will fulfill the 
role of the physical security coordinator until fiscal year 2010, when 
the park is fully staffed. The former Northeast region physical 
security specialist participated in visitor center design discussions 
and coordinated FPS involvement, review, and approval of security 
systems. 

Icon or park: Gateway Arch; 
Activities: The physical security specialist is the designated physical 
security coordinator and has responsibility for the operations, 
planning, and supervision of the dispatch center and operation of 
physical security checkpoints. The assistant chief ranger maintains 
oversight of the physical security and anti-terrorism branch of the 
ranger activities division. 

Icon or park: Grand Canyon; 
Activities: A law enforcement ranger is the physical security 
coordinator. The physical security coordinator supervises the fee 
collections law enforcement group. 

Icon or park: Statue of Liberty; 
Activities: A Park Police lieutenant is the physical security 
coordinator. The former Northeast region physical security specialist 
and Park Police officials have overseen technology enhancements and 
maintained equipment. 

Source: GAO analysis of Park Service data. 

[End of table] 

Despite the range of security duties assigned to regional staff, 
physical security coordinators, law enforcement rangers, and Park 
Police staff, the Park Service does not provide them with specialized 
training. Moreover, senior Park Service officials told us that they do 
not have an inventory of all the physical security coordinators 
servicewide, and they do not track their duties. We have noted that the 
effectiveness of a risk management approach depends on the involvement 
of experienced and professional security personnel and that the chances 
of omitting major steps in the risk management process increase if 
personnel are not well trained in applying risk management.[Footnote 
48] Without training for security staff, or evaluations of their 
security activities, there is little assurance that risks are 
identified and mitigated and that staff are held accountable for 
results. 

Though the Park Service lacks a physical security training program, it 
has partnered with OLES to organize security workshops at icons and 
other critical assets such as the Hoover Dam (see table 6). Park 
Service and Park Police staff are invited to attend, but attendance is 
contingent upon time and resource availability. For example, staff from 
the icons we reviewed and the regions we interviewed had attended some 
of these workshops, but no staff from the African Burial Ground, 
Gettysburg, or the Grand Canyon had attended. Officials at regions, 
icons, and parks may also develop security training internally or in 
collaboration with external agencies. We have reported that (1) 
training exercises are useful in assessing preparedness,(2) effective 
security entails having well-trained staff that follow and enforce 
policies and procedures, and (3) good training and practice are 
essential to successfully implementing policies by ensuring that 
personnel exercise good judgment in following security procedures. 
[Footnote 49] 

Table 6: Security Training Examples: 

Office: National; 
Types of training: The Park Service national office organizes security 
workshops in collaboration with OLES and other Interior bureaus. The 
workshops have been held at the Statue of Liberty in 2005, Hoover Dam 
in 2006, the Gateway Arch in 2007, and the Kennedy Space Center in 
2009. In September 2009, the Park Police will host a critical 
infrastructure and key resource protection training program for the 
Park Police and some Park Service and Interior staff. 

Office: Region: Intermountain; 
Types of training: In 2005, the region hosted a chief ranger conference 
that focused on physical security. Participants received training in 
developing physical security plans, guidance for conducting security 
surveys, and a checklist to assess risks and countermeasures. 

Office: Region: Midwest; 
Types of training: Every 18 months, the region hosts a chief ranger 
conference in the Black Hills area of South Dakota. At the 2008 
conference, an FBI official presented a session on icon and critical 
infrastructure and key resource protection. 

Office: Region: Northeast; 
Types of training: In 2008, the region hosted a museum and security 
conference, which focused on protecting cultural property, resources, 
and collections. 

Office: Region: Pacific West; 
Types of training: The region created an Operational Leadership 
Program, which targets safety and accident prevention. The program has 
started to gain national recognition and is the primary focus of the 
Park Service National Leadership Council. The region is training 100 
facilitators for the program. 

Office: Icon or park: African Burial Ground; 
Types of training: The northeast region and FPS provide physical 
security training. 

Office: Icon or park: Gateway Arch; 
Types of training: The physical security specialist has undertaken a 
number of training activities including creating and dispensing a 
security awareness presentation to orient new staff, inviting a U.S. 
Postal Service inspector to dispense mail screening training for 
employees directly involved in handling mail, and regularly sending 
security awareness tips via e-mail to park staff. 

Office: Icon or park: Gettysburg; 
Types of training: The park's museum services supervisor served as a 
keynote speaker at the Northeast region's museum and security awareness 
training in September 2008. The supervisor addressed how park and 
museum staff can work together to ensure security of collections. 

Office: Icon or park: Grand Canyon; 
Types of training: FBI provides a training course annually for the 
park. Past FBI training has covered topics such as evidence recovery, 
behavioral profiling, and violent crimes. 

Office: Icon or park: Statue of Liberty; 
Types of training: Security awareness training is provided to Park 
Police personnel through roll call and in-service training. Depending 
on available space, the Park Police may open up training to some Park 
Service employees and partners such as concessions providers. 

Source: GAO analysis of Park Service data. 

[End of table] 

Additionally, Park Service rangers can try to enroll in two physical 
security courses that are offered at the Federal Law Enforcement 
Training Center (FLETC)[Footnote 50]--the physical security training 
program and the critical infrastructure protection training program. 
However, according to Park Service officials, space in the courses is 
limited--the Park Service receives one or two slots per class--the 
courses are offered on a limited basis, training and travel are subject 
to resource constraints, and the training is not specific to icons and 
parks. For example, the physical security specialist at the Gateway 
Arch tried to enroll in the physical security course for more than 18 
months before gaining admission and completing the course in 2008. 
According to Park Service officials, this specialist may also be able 
to attend the critical infrastructure training. No park staff from the 
Statue of Liberty have completed the physical security course since 
2001.[Footnote 51] Moreover, Park Service officials told us that no 
staff from the African Burial Ground, Gettysburg, or Grand Canyon have 
completed either of the two FLETC training courses. The Grand Canyon 
chief ranger tried to enroll the physical security coordinator in the 
physical security training course, but the application for enrollment 
was not accepted; as a result, the park lacks staff with experience and 
formal training in physical security. 

While various security training opportunities arise throughout the Park 
Service, training is inconsistent and lacks cohesion, and there is 
little assurance that Park Service employees have the knowledge, 
skills, and awareness needed to contribute to overall park security. 
With limited security expertise, the Park Service will face challenges 
in implementing the other key practices. The lack of physical security 
expertise affects icon and park officials' ability to develop 
strategies for identifying their security vulnerabilities and 
determining how to mitigate them effectively and efficiently with 
limited resources. Such strategies would ensure that the Park Service 
has the expertise and resources at the national and regional levels to 
oversee the implementation of security advancements and practices. 
Moreover, physical security expertise allows icon and park officials to 
determine what countermeasures fit their specific needs and how well 
these countermeasures enhance their security performance. Finally, 
because all icon and park staff have a role in security, increasing 
overall security awareness enhances the security of the park. 

Human Capital Challenges Are a Particular Concern at Icons: 

We noted earlier that officials at icons have made improvements in 
security since 2001; however, the Interior IG and OLES have concerns 
about icon security that are related to human capital issues, including 
security expertise and the management of security operations. We have 
reported that it is widely recognized that there is a need for 
competent professionals who can effectively manage complex security 
programs that are designed to reduce threats to people and assets. 
[Footnote 52] Clearly defining roles and responsibilities and ensuring 
that security personnel are adequately trained are central aspects of 
this key practice. In its 2008 assessment of the Park Police, the IG 
recommended that the Park Service hire a qualified senior-level 
certified security professional to oversee Park Service security 
operations at all icons, including those that are managed by the Park 
Police, but the Park Service does not believe such action is necessary. 
[Footnote 53] Senior Park Service officials told us that the agency 
works closely with the Park Police, especially in areas with shared 
responsibility. However, the Park Service relies on its Security and 
Intelligence Program Manager to oversee icon security for icons that do 
not have a Park Police presence--the Gateway Arch, Independence 
National Historic Park, and Mount Rushmore National Memorial. The Park 
Service relies on the Park Police for security program management at 
the national mall icons and the Statue of Liberty. As a result, the 
Park Service has no comprehensive program with centralized senior-level 
oversight of icon security. This is an inefficient approach, since the 
five icons--while distinct--have a need to manage similar issues 
including guard services, surveillance and screening equipment, vehicle 
and pedestrian barriers, access to intelligence information, staff 
trained in security awareness, and security performance measurement and 
testing procedures. 

Moreover, until recently, the Park Service Security and Intelligence 
Program Manager lacked specialized physical security expertise. Trained 
as a law enforcement special agent, this official was not certified in 
physical security until 2008. According to OLES officials, the Park 
Service security manager meets the minimum security training 
requirements for senior-level security managers that OLES established 
in 2009.[Footnote 54] The Interior IG also recognized that this manager 
has been through extensive physical security training.[Footnote 55] 
Although the Park Police created an Homeland Security Division in 
October 2008 and established a security manager position in accordance 
with the IG's 2002 recommendation,[Footnote 56] the IG reported in 2009 
that the appointee to this position--a Deputy Chief--had no background 
in physical security and had only been through a basic 2 week critical 
infrastructure protection course at FLETC.[Footnote 57] According to 
the Park Police, the Deputy Chief is qualified for the position having 
(1) attended a 2 week DHS program on critical infrastructure and key 
resource protection in August 2008, (2) worked on icon protection 
issues for 4 years, (3) designed security upgrades at the Washington 
Monument, and, (4) over the course of 25 years, worked on security 
system alarm issues in Washington, D.C. and San Francisco. Furthermore, 
the Park Police told us that the Deputy Chief received a certification 
after completing DHS's Critical Infrastructure and Key Resources 
Protection course. OLES officials also told us that the Deputy Chief 
has met the department's minimum training requirements. 

The Interior IG and OLES officials are also concerned about the Park 
Service's management of security operations at individual icons. In its 
2003 icon protection report, the IG suggested that icons with the most 
significant threat potential should have trained and certified security 
managers on-site,[Footnote 58] and in 2008, recommended that the Park 
Service install trained and certified security professionals at each 
icon park to work under the direction of the security manager the IG 
had recommended for all of the icons.[Footnote 59] In its 2006 icon 
risk assessment and 2007 icon compliance reviews, OLES recommended that 
Independence National Historic Park and the Statue of Liberty hire 
security managers. While officials at these two icons have identified 
hiring security managers as a priority, they had yet to fill the 
positions at the time of our review. While park officials at the Statue 
of Liberty have identified hiring a security manager as a top priority, 
they have not determined whether the Park Service or the Park Police 
will fund the position.[Footnote 60] In 2007, the Park Police hired a 
security manager for the National Capital Region. The Deputy Chief of 
the Icon Protection Division told us that the Park Police intends to 
hire a technical assistant for this manager who can, for example, 
repair security equipment. 

Of the five icons, only the Gateway Arch has a full-time physical 
security specialist--a need the park identified on its own and filled 
with a qualified professional. Park officials at the Gateway Arch 
created and staffed this position during 2006 and had to give up one 
law enforcement position to do so. The park's assistant chief rangers, 
who are law enforcement officers, told us they believe the tradeoff was 
justified and the specialist's efforts may increase awareness among 
staff. The physical security specialist has undertaken a number of 
initiatives, such as conducting a risk assessment of the facility where 
park officials wanted to locate its dispatch center, testing security 
alarms in the visitor center, sending park employees security awareness 
e-mails, and forming partnerships with area federal departments and 
agencies such as DHS, the Department of Justice, and the U.S. Postal 
Service to enhance surveillance capabilities, acquire interoperable 
communications technology, and assess mail handling. Moreover, the 
Midwest Region has leveraged the specialist's expertise to help the 
region develop a risk assessment tool for its small parks security 
program. OLES officials told us that of the five icons, the Gateway 
Arch had the highest security policy compliance rating in 2007, and 
although they did not attribute this rating to the physical security 
specialist's work, it is worthwhile to note that the Gateway Arch is 
the only icon that has a full-time position dedicated solely to 
physical security. 

Conclusions: 

In addition to its primary mission to preserve the natural and cultural 
resources and values of the national park system for the enjoyment, 
education, and inspiration of those who visit them, the Park Service 
has a critical role related to security at national icons and parks and 
has taken important steps to improve the security of nearly 400 
national icons and parks. However, concerns persist that terrorists may 
attack the United States by targeting national icons such as the Statue 
of Liberty and the Gateway Arch, and by harming those who visit places 
emblematic of our nation's natural beauty and heritage, such as the 
Grand Canyon and Gettysburg. More emphasis on the key practices would 
provide greater assurance that Park Service assets are well protected 
and that Park Service resources are being used efficiently to improve 
protection. Critical to advancing the Park Service's security efforts, 
a more comprehensive risk management approach and related guidance-- 
which are currently lacking--would provide management with up-to-date 
information on threats and trends in security gaps and would allow 
management to target resources to address the greatest threats and 
vulnerabilities. Standards and guidance for technology investment, if 
developed, would provide better assurance that the Park Service's 
return on investment is maximized. In addition, a strategy for 
improving internal communication by, for example, expeditiously 
developing a security Web portal, could lead to more efficient 
information sharing and coordination. Implementing a more systematic 
performance measurement and testing program would inform risk 
management efforts and allow management to better gauge security 
performance. Finally, paying greater attention to the human capital 
component of security--by clearly defining security roles and 
responsibilities using risk management and establishing a security 
training program--would give Park Service staff the tools and awareness 
needed to protect the Park Service's assets and the people who visit 
them. 

Recommendations for Executive Action: 

In order to better oversee and more efficiently manage the protection 
of the vast and diverse inventory of national icons and parks, in the 
restricted version of this report, we recommended that the Secretary of 
the Interior take six actions. Specifically, the Secretary should 
instruct the Director of the National Park Service, in consultation 
with OLES, to develop and implement: 

1. a more comprehensive, routine risk management approach for security 
that encompasses the Park Service's vast inventory of icons and parks, 
including developing guidance, standards, and procedures for conducting 
risk assessments at the icon and park level and for using the results 
to inform resource allocation decisions at the national, regional, 
icon, and park levels; 

2. guidance and standards for leveraging security technology, including 
how to assess the costs and benefits of countermeasure alternatives 
while taking into account risk management results; 

3. an internal communications strategy for security to address 
coordination gaps, including a timeline for the development of a 
servicewide Web portal for security; 

4. a servicewide performance management and testing program that 
includes specific measures and an evaluation component, which can be 
used to inform broader risk management decision-making and to assess 
security performance; 

5. a strategy for more clearly defining security roles and 
responsibilities within the Park Service, which should, among other 
things, ensure that the Park Service is well equipped at the national 
and regional levels to oversee security improvements; and: 

6. a servicewide security training program and related curriculum to 
provide staff with the knowledge, skills, and awareness needed to 
improve Park Service security practices. 

Agency Comments and Our Evaluation: 

We provided a draft of the restricted version of this report to 
Interior for official review and comment. Interior agreed with our 
assessment that actions are needed to improve security practices at 
national icons and parks and agreed with the report's recommendations. 
Regarding the first recommendation to develop a more comprehensive, 
routine risk management approach for security, Interior cited the 
recent creation of a Homeland Security Division within the Park Police, 
stated that parks and regions have been working to develop a more 
comprehensive approach to security, and agreed to bring all of these 
efforts together in a more comprehensive, servicewide program. For the 
second recommendation to develop guidance and standards to leverage 
security technology, Interior cited some examples of the partnerships 
it has with other federal agencies and acknowledged that guidance and 
standards for leveraging technology, coupled with an effective 
communications strategy, would add to the effectiveness and efficiency 
of its security program for icons and parks. With respect to the third 
recommendation, Interior stated that a more formal internal 
communications strategy would enhance the effectiveness of its security 
program for icons and parks and noted that such a strategy should 
acknowledge the critical importance of the communication networks icons 
and parks establish at the asset level. For the fourth recommendation 
to develop and implement a servicewide performance management and 
testing program, Interior stated that while its current approach has 
been effective in some situations, applying a servicewide approach 
would benefit all icons and parks in the system. Regarding the fifth 
recommendation to develop and implement a strategy for more clearly 
defining security roles and responsibilities within the Park Service, 
Interior stated that it would continue to look for ways to leverage the 
expertise and experience of physical security staff and to clearly 
define their roles and responsibilities. 

Finally, for the sixth recommendation to develop and implement a 
servicewide security training program and related curriculum, Interior 
stated that a servicewide security training program and increased 
access to contemporary training on appropriate security subjects would 
be helpful and noted that it currently sends staff with security 
responsibilities to a variety of training programs within and outside 
of Interior, including the physical security training program offered 
through FLETC. While these other security courses may be helpful, as we 
reported, not all Park Service personnel that have security 
responsibilities are able to attend these training classes due to the 
space limitations of the entities offering these courses and resource 
constraints on the part of individual icons and parks. Furthermore, as 
we reported, the Park Service does not have a special training 
curriculum for its designated physical security coordinators. 
Therefore, it is important that the Park Service develop its own park- 
specific training program so that staff that have security 
responsibilities delegated to them can effectively carry out those 
duties and better ensure that icons and parks, and the people who visit 
and work at them, are well-protected. Interior's official comments are 
contained in appendix II. 

Interior also provided general and technical comments from the Park 
Police and we incorporated the technical comments where appropriate. In 
its general comments, the Park Police noted some of the security 
improvements it has made since September 11 for the icons under its 
purview in New York City and Washington, D.C. Specifically, the Park 
Police cited enhancements made to physical barriers, surveillance 
systems, visitor screening, and contract guard services. The Park 
Police also stated that in October 2008, it underwent its largest 
internal reorganization in 40 years and created a Homeland Security 
Division and added more officers and patrols to enhance icon protection 
efforts. Finally, with respect to information sharing and coordination, 
the Park Police stated that it has assigned three intelligence officers 
to enhance icon protection in Washington, D.C. and detectives to the 
JTTFs in New York City; Washington, D.C.; and San Francisco. Moreover, 
the Park Police has assigned a major to the Park Service's national 
office to liaise with the Park Service to protect all icons. 

As agreed with your office, unless you publicly announce the contents 
of this report, we plan no further distribution until 30 days from the 
report date. At that time, we will send copies of this report to the 
Secretary of the Interior and appropriate congressional committees. In 
addition, the report will be available at no charge on GAO's Web site 
at [hyperlink, http://www.gao.gov]. 

If you have any questions about this report, please contact me at (202) 
512-2834 or goldsteinm@gao.gov. Contact points for our Offices of 
Congressional Relations and Public Affairs may be found on the last 
page of this report. GAO staff who made major contributions to this 
report are listed in appendix III. 

Sincerely yours, 

Signed by: 

Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 

[End of section] 

Appendix I: Objectives, Scope, and Methodology: 

Our objective was to determine whether the National Park Service's 
(Park Service) approach to security for national icons and parks 
reflects key protection practices. Through previous work, we identified 
a set of key protection practices from the collective practices of 
federal agencies and private sector entities that can provide a 
framework for guiding agencies' protection efforts and addressing 
challenges.[Footnote 61] The key practices essentially form the 
foundation of a comprehensive approach to asset protection and can be 
used to assess the management of security programs. We used our key 
protection practices as criteria to evaluate the Park Service's 
approach to security. Of the six key practices, we used the following 
as criteria: 

* Allocating resources using risk management. 

* Leveraging technology. 

* Information sharing and coordination. 

* Performance measurement and testing. 

* Strategic management of human capital. 

We did not consider the sixth key practice, aligning assets to mission, 
which focuses on realigning the federal real property inventory to 
better reflect agencies' missions. 

To examine the Park Service's application of key practices at the park 
level, we selected five icons and parks basing our selection on factors 
that included geographical diversity, high public visitation, and other 
potential security considerations such as recent or planned facility 
construction. To minimize duplication of effort, we considered our own 
and the Department of the Interior's (Interior) Office of the Inspector 
General's (IG) recent and ongoing work. For example, we did not select 
the national mall icons--the Washington Monument National Memorial, the 
Thomas Jefferson National Memorial, and the Lincoln National Memorial--
because the IG examined their security in 2008.[Footnote 62] We 
selected: 

* Two icons--the Statue of Liberty National Monument (Statue of 
Liberty) in New York City and the Jefferson National Expansion Memorial 
in St. Louis. 

* Three parks--the African Burial Ground National Monument in New York 
City, Gettysburg National Military Park in Pennsylvania, and Grand 
Canyon (Grand Canyon) National Park in Arizona. 

Collectively, the sites we selected illustrate a range of park 
protection practices applied by the Park Service. At each site, we 
interviewed Park Service officials with primary responsibility for 
security implementation, operation, and management. We also interviewed 
U.S. Park Police (Park Police) officials from the Statue of Liberty. We 
toured each site and observed the physical environment and the 
principal security elements to gain firsthand knowledge of the 
protection practices used at all the sites except the Grand Canyon 
where we used videoconferencing to interview Park Service officials. We 
reviewed and analyzed documents, when available, that contained site- 
specific information on security plans, policies, procedures, budgets, 
and staffing. Because we observed the Park Service's efforts to protect 
icons and parks at a limited number of sites, our observations of 
security issues at individual sites cannot be generalized to all the 
icons and parks that the Park Service is responsible for securing. To 
supplement these site visits, we interviewed Park Service regional 
chief rangers and other security officials from the three regions where 
we had selected icons and parks--the Northeast, Midwest, and 
Intermountain regions. We also interviewed the regional chief ranger 
from the Pacific West region because the Park Service once identified 
the Golden Gate Bridge as an icon and we wanted that region's 
perspective on icon and park protection. At the national level, we 
interviewed officials from the IG, Office of Law Enforcement and 
Security, Park Service, and Park Police. Furthermore, we collected 
supporting documentation including law enforcement and security 
manuals; IG reports on law enforcement, security, and icon protection; 
icon risk assessments and compliance reviews; and security plans, 
policies, procedures, budgets, and staffing information when available. 

We conducted this performance audit from January 2008 to June 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objective. 

[End of section] 

Appendix II: Comments from the Department of the Interior: 

United States Department of the Interior
Office Of The Secretary: 
Washington, D.C. 20240: 

June 12, 2009: 

Mr. Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 
U.S. Government Accountability Office: 
441 G Street, N.W. 
Washington, D.C. 20548: 

Dear Mr. Goldstein: 

Thank you for providing the Department of the Interior (DO[) the 
opportunity to review and comment on the U.S. Government Accountability 
Office Draft report entitled, "Homeland Security Actions Needed to 
Improve Security Practices at National Icons and Parks," (GAO-09-605). 

The National Park Service (NPS) and the Department of the Interior have 
reviewed the draft report and appreciate the diligent work of the team 
in helping us further improve the security program for icons and parks 
in the National Park System. We will continue to examine policy and 
procedures and make adjustments as necessary to protect critical 
infrastructure under our jurisdiction. 

We believe the GAO has produced an informative summation of the complex 
issues associated with risk management. Following are our comments on 
the six actions recommended in the draft report. 

1) A more comprehensive, routine risk management approach for security: 

We concur that a more comprehensive approach to security would be 
beneficial to the Park Service. In our efforts to this end to date, the 
USPP has recently reorganized and created a Homeland Security Division. 
The many parks throughout the system and several regional offices not 
under the specific direction of the USPP have been and are continuing 
to develop a more comprehensive approach to security. We will continue 
to work toward bringing all of these efforts together in a more 
comprehensive, service-wide, program. 

2) Guidance and standards for leveraging security technology: 

We concur that increased guidance and standards for leveraging 
technology would be valuable to our program. 

We currently enjoy technology assistance, information and advice from 
many partners, including FLETC, OLES, DHS, TSA-TSL Labs and many more. 
We have just recently learned that the USPP program with the USAF has 
been funded for another year. Guidance and standards for leveraging 
technology, coupled with an effective communications strategy (see (3) 
below) will help our security program become more effective and 
efficient. 

3) An internal communications strategy for security to address 
communications gaps, including a time line for the development of a 
Park Service-wide Web portal for security: 

We concur that a more formal internal communications strategy for 
security concerns would be useful in helping to make our security 
program more effective. Currently, our senior-level Security and 
Intelligence program managers have regular contact with Icon Parks, non-
Icon parks and regional office staff. Parks themselves, throughout the 
country, enjoy both internal and external contacts, with their 
respective regional office staff, Washington Office staff as well as 
many local, regional and state law enforcement and security contacts. 
These latter contacts, which are less apparent to central office staff, 
are key to success in many of our rural and isolated park settings.
Overlaying a more formal communications strategy over the top of these 
many aforementioned contacts could assist in addressing communications 
gaps that may exist in the organization. It would be important for us, 
in crafting said strategy, to not imply that the ground-level contacts 
made by parks, throughout the system, are not critical to the success 
of park-level security programs. 

4) A Park Service-wide performance management and testing program that 
includes specific measures and an evaluation component: 

We concur that exploring the option of an appropriate and effective 
performance management and testing program for security would be 
beneficial. Although imperfect, the "ad-hoc" approach, as described in 
the report, has been effective in pockets throughout the system. 
Reviews and assessment of Icon Park and non-Icon Park security programs 
take place periodically. A Park Service-wide approach, however, would 
likely yield more positive and all inclusive results, thereby 
benefiting all parks in the system. 

5) A strategy for more clearly defining security roles and 
responsibilities within the Park Service: 

We concur that a strategy for defining security roles and 
responsibilities within the Park Service would be advantageous for a 
bureau-wide security program. Our two senior-level Security and 
Intelligence program managers for the NPS and the USPP are recognized 
and in-place today. These two positions are joined by several other key 
officials designated, including Captains and Lieutenants at the four 
Icon parks managed by the USPP. Additionally, parks and regions have 
their own designated Physical Security Coordinators in place today. We 
will continue to look for ways to leverage the expertise and experience 
of current physical security staff and to clearly define their roles 
and responsibilities. 

6) A Park Service-wide security training program and related 
curriculum: 

We concur that Park Service-wide security training and increased access 
to contemporary training on appropriate security subjects will continue 
to be helpful to our program. However, we would like to note that we 
currently send staff with security responsibilities to a variety of 
excellent training programs including local, regional, state and 
federally sponsored options. DHS has excellent training that we have, 
and continue to take advantage of. We regularly use the Basic Physical 
Security Training Program at the Federal Law Enforcement Training 
Center as base-line training. This course is recognized nationally as 
an excellent introduction to the world of Physical Security. Further, 
we work closely with the DOI. OLES for further formal and contemporary 
security training programs that include exposure to real-world 
security. 

In September of 2009, the USPP will be hosting the new FLETC. 80-hour 
Critical Infrastructure and Key Resources Protection training to 
Washington DC whereupon all key officials from the USPP, NPS. 01-ES and 
others will have the opportunity to attend. 

Thank you for the opportunity to comment on this informative report. We 
have and will continue to place a high priority on Security throughout 
the National Park System. We will also continue to interweave security 
concerns in all aspects of risk management of our parks and Icons.
We request that the vulnerabilities in park security programs stated in 
this report not be released to the public as we feel it could endanger 
visitors, employees, residents and facilities. 

Enclosed are specific itemized comments from the USPP, some of which 
have been previously addressed. We hope these comments will assist you 
in preparing the final report. 

If you have any questions, or need additional information, contact 
Acting Deputy Chief Kevin Hay, at 202-619-7085, or Chief, Division of 
Law Enforcement, Security, and Emergency Services, Lane Baker, at 202-
513-7084. 

Sincerely, 

Signed by: 

Pamela K. Haze: 
Deputy Assistant Secretary for Budget and Business Management: 

Enclosure: 

Hand written additional note: 
"Thank you for your help." 

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: 

Staff Acknowledgments: 

In addition to the contact named above, David Sausville, Assistant 
Director; Denise McCabe, Analyst-in-Charge; Anne Dilger; Elizabeth 
Eisenstadt; Brandon Haller; Robin Nye; Joshua Ormond; Susan Michal- 
Smith; and Adam Yu made key contributions to this report. 

[End of section] 

Footnotes: 

[1] The national park system is made up of close to 400 park units 
which include 5 national icons and 14 other types of parks such as 
monuments, national battlefields, and national parks. The park units 
that Interior considers to be national icons are: (1) the Statue of 
Liberty National Monument in New York City; (2) Independence National 
Historical Park in Philadelphia; (3) the Jefferson National Expansion 
Memorial in St. Louis; (4) Mount Rushmore National Memorial in South 
Dakota; and (5) the national mall icons--the Washington Monument 
National Memorial, the Thomas Jefferson National Memorial, and the 
Lincoln National Memorial in Washington, D.C. 

[2] GAO, Homeland Security: Actions Needed to Better Protect National 
Icons and Federal Office Buildings from Terrorism, [hyperlink, 
http://www.gao.gov/products/GAO-05-790] (Washington, D.C.: June 24, 
2005). 

[3] GAO, Homeland Security: Further Actions Needed to Coordinate 
Federal Agencies' Facility Protection Efforts and Promote Key 
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] 
(Washington, D.C.: Nov. 30, 2004). We excluded one key practice--
aligning assets to mission--from this review. This key practice 
underscores the need to realign the federal real property inventory so 
that it can better reflect agencies' missions. 

[4] GAO, Federal Real Property: DHS Has Made Progress, but Additional 
Actions Are Needed to Address Real Property Management and Security 
Challenges, [hyperlink, http://www.gao.gov/products/GAO-07-658] 
(Washington, D.C.: June 22, 2007). 

[5] GAO, Smithsonian Institution: Funding Challenges Affect Facilities' 
Conditions and Security, Endangering Collections, [hyperlink, 
http://www.gao.gov/products/GAO-07-1127] (Washington, D.C.: Sept. 28, 
2007). 

[6] ISC was established by Executive Order 12977 in 1995 after the 
bombing of the Alfred P. Murrah Federal Building in Oklahoma City. 

[7] With the exception of the Grand Canyon--where we used 
videoconferencing to interview Park Service officials--we visited each 
of these sites. 

[8] U.S. Department of the Interior, Office of Inspector General, 
Disquieting State of Disorder: An Assessment of Department of the 
Interior Law Enforcement, Report 2002-I-0014 (Washington, D.C., January 
2002). 

[9] HSPD-7 identified 17 critical infrastructure sectors and designated 
federal entities, called sector-specific agencies, to be responsible 
for coordinating asset protection within their sector throughout all 
levels of government and the private sector. In June 2008, an 18th 
sector was added--Critical Manufacturing. 

[10] Department of Homeland Security and Department of the Interior, 
National Monuments and Icons Sector-Specific Plan (Washington, D.C., 
May 2007). 

[11] The other three Park Service regions include the Southeast, 
Midwest, and Alaska regions. 

[12] [hyperlink, http://www.gao.gov/products/GAO-05-49]. We excluded 
one key practice--aligning assets to mission--from this review. This 
key practice underscores the need to realign the federal real property 
inventory so that it can better reflect agencies' missions. 

[13] [hyperlink, http://www.gao.gov/products/GAO-07-1127]. 

[14] [hyperlink, http://www.gao.gov/products/GAO-07-658]. 

[15] GAO, National Mall: Steps Identified by Stakeholders Facilitate 
Design and Approval of Security Enhancements, [hyperlink, 
http://www.gao.gov/products/GAO-05-518] (Washington, D.C.: June 14, 
2005). 

[16] For the purposes of this report, we are referring to all of these 
entities as federal agencies. 

[17] ISC, Use of Physical Security Performance Measures, (Washington, 
D.C., June 16, 2009). 

[18] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[19] This review did not include an assessment of security 
vulnerabilities at border parks. 

[20] According to the Park Police, it also updated icon protection 
plans for the national mall icons during 2008. 

[21] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[22] FPS provides law enforcement and related security services to 
about 9,000 facilities under the control and custody of GSA. 

[23] JTTFs are chaired by the Federal Bureau of Investigation (FBI) and 
are composed of various federal, state, and local agencies. JTTFs aim 
to prevent, pre-empt, deter, and investigate terrorism and related 
activities affecting the United States and to apprehend terrorists. 

[24] Physical security is defined as physical or protective measures 
designed to safeguard personnel, facilities, national borders, and 
critical infrastructure and to prevent unauthorized access to material 
and documents, and to safeguard them against terrorism, espionage, 
sabotage, damage, weapons of mass destruction, and theft. 

[25] One day after the 1995 bombing of the Alfred P. Murrah Federal 
Building in Oklahoma City, the President directed the Department of 
Justice to assess the vulnerability of federal office buildings. In 
June 1995, DOJ issued a report entitled Vulnerability Assessment of 
Federal Facilities and the President directed that security at each 
federal facility be upgraded to the minimum security standards 
recommended by the study. 

[26] The Interagency Security Committee, Facility Security Level 
Determinations for Federal Facilities (Washington, D.C., Mar. 10, 
2008). 

[27] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[28] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[29] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[30] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[31] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[32] According to OLES officials, the Security Advisory Council meets 
quarterly to discuss emerging protection technology and security best 
practices, as well as recent security trends and policies. The council 
also reviews proposed changes to department security policy for 
sufficiency and impact. 

[33] GAO, Information Sharing: Practices That Can Benefit Critical 
Infrastructure Protection, [hyperlink, 
http://www.gao.gov/products/GAO-02-24] (Washington, D.C.: Oct. 15, 
2001). 

[34] [hyperlink, http://www.gao.gov/products/GAO-02-24]. 

[35] [hyperlink, http://www.gao.gov/products/GAO-02-24]. 

[36] [hyperlink, http://www.gao.gov/products/GAO-02-24]. 

[37] GAO, Tax Administration: IRS Needs to Further Refine Its Tax 
Filing Season Performance Measures, [hyperlink, 
http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22, 
2002). 

[38] GAO, Managing for Results: Enhancing Agency Use of Performance 
Information for Management Decision Making, [hyperlink, 
http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 9, 
2005). 

[39] GAO, Homeland Security: Guidance and Standards Are Needed for 
Measuring the Effectiveness of Agencies' Facility Protection Efforts, 
[hyperlink, http://www.gao.gov/products/GAO-06-612] (Washington, D.C.: 
May 31, 2006). 

[40] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[41] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[42] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[43] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[44] Interior IG Report 2002-I-0014. 

[45] [hyperlink, http://www.gao.gov/products/GAO-05-790]. 

[46] According to its Web site, ASIS International--an organization 
that reports to have more than 37,000 security industry members--is the 
pre-eminent international organization for professionals responsible 
for security, including managers and directors of security. 

[47] ASIS International, Chief Security Officer Guideline 2008. 

[48] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[49] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[50] FLETC serves as an interagency law enforcement training 
organization for more than 80 federal agencies and provides basic and 
advanced law enforcement training. The Park Service has assigned a 
superintendent to the FLETC campus in Glynco, Georgia to develop and 
manage basic and advanced training for Park Service law enforcement and 
line management, and to develop policy and guidelines for servicewide 
training and certification. 

[51] In its technical comments on a draft of this report, the Park 
Police stated that a USPP captain and a lieutenant from the Statue of 
Liberty attended a similar physical security course provided by the New 
York Police Department and that other officials in the New York Field 
Office have attended the police department's risk assessment course. 
Moreover, Park Police stated that dozens of its officers have taken the 
physical security course offered at FLETC. 

[52] [hyperlink, http://www.gao.gov/products/GAO-05-49]. 

[53] U.S. Department of the Interior, Office of the Inspector General, 
Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007 
(Washington, D.C., February 2008). 

[54] In March 2009, OLES issued a memorandum outlining minimum training 
requirements for bureau and office-level security managers and 
officers. 

[55] U.S. Department of the Interior, Office of the Inspector General, 
3rd Progress Report on the Implementation of the Secretary's Directives 
for Law Enforcement Reform, PI-AT-MOA-0001-2008 (Washington, D.C., 
February 2009). 

[56] Interior IG Report 2002-I-0014. 

[57] Interior IG Report PI-AT-MOA-0001-2008. 

[58] U.S. Department of the Interior, Office of the Inspector General, 
Review of National Icon Park Security, Report 2003-I-0063 (Washington, 
D.C., August 2003). 

[59] Interior IG Report PI-EV-NPS-0001-2007. 

[60] In its technical comments on a draft of this report, the Park 
Police stated that a lieutenant has been serving as the security 
manager at the Statue of Liberty. 

[61] GAO, Homeland Security: Further Actions Needed to Coordinate 
Federal Agencies' Facility Protection Efforts and Promote Key 
Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] 
(Washington, D.C.: Nov. 30, 2004). 

[62] U.S. Department of the Interior, Office of the Inspector General, 
Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007 
(Washington, D.C., February 2008). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAOís actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAOís Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: