GAO-12-342SP: Homeland security/Law enforcement: 18. Federal Facility Risk Assessments


Agencies are making duplicate payments for facility risk assessments by completing their own assessments, while also paying the Department of Homeland Security for assessments that the department is not performing.

Why This Area Is Important

Since the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, Oklahoma, and the September 11, 2001, terrorist attacks, the federal government has made significant changes in its approach to protecting federal facilities and the more than 1 million employees and members of the public that work in and visit these facilities annually. However, federal facilities continue to be vulnerable to terrorist attacks and other acts of violence, as evidenced by the 2010 attacks on the Internal Revenue Service (IRS) building in Austin, Texas, and the federal courthouse in Las Vegas, Nevada, which resulted in loss of life. These attacks highlight the importance of protecting federal facilities by, among other things, conducting timely and comprehensive risk assessments, which can help decision makers identify and evaluate potential threats so that countermeasures can be implemented to help prevent or mitigate the facilities’ vulnerabilities to those threats.

The Department of Homeland Security’s (DHS) Federal Protective Service (FPS) is the primary federal agency responsible for providing physical security and law enforcement services—including conducting risk assessments—for the approximately 9,000 federal facilities owned or leased by the General Services Administration (GSA).[1] Risk assessments for federal facilities, which FPS refers to as facility security assessments, are to be completed every 3 to 5 years according to DHS’s Interagency Security Committee (ISC) standards.[2] FPS’s assessments are to include a full examination of the facility, including a review of access points to the facility and the security of the facility’s perimeter, such as closed circuit television monitoring and lighting. Its risk assessment process entails gathering and reviewing facility information; conducting and recording interviews with tenant agencies; assessing the threats, vulnerabilities, and consequences associated with a facility; and recommending appropriate countermeasures in accordance with ISC standards to mitigate vulnerabilities to tenant agencies.



[1]GAO is referring to facilities that are under GSA’s control and custody as GSA-owned or leased facilities.

[2]The ISC, composed of representatives from 50 federal agencies and departments, was established under Executive Order 12977 to enhance the quality and effectiveness of security and protection of buildings and facilities in the United States occupied by federal employees for nonmilitary activities.

What GAO Found

GAO has found that there is duplication in the federal government’s approach to assessing risks at some of the 9,000 federal facilities managed by GSA. As GAO reported in June 2008 and as it has recently found, multiple federal agencies are expending additional resources to assess their own facilities, even though, according to an FPS official, FPS received $236 million from federal agencies for risk assessments and other security services in fiscal year 2011. For example, an official from IRS said that IRS completed risk assessments based on concerns about risks unique to its mission for approximately 65 facilities that it also paid FPS to assess. Additionally, an official from the Federal Emergency Management Agency (FEMA) stated that FEMA has assessed its own facilities for several years because of dissatisfaction with the security levels FPS has assigned to its facilities, and Environmental Protection Agency (EPA) officials said that EPA has conducted its own assessments based on concerns with the quality and thoroughness of FPS’s assessments.[1] EPA officials also said that the agency’s assessments are conducted by teams of contractors and EPA employees, cost an estimated $6,000, and can take a few days to a week to complete. An official from the U.S. Army Corps of Engineers told GAO that it duplicates FPS’s assessments at some of its regional facilities because the agency follows U.S. Army force protection regulations, rather than the security requirements followed by FPS.

According to an FPS official, FPS planned to use its Risk Assessment and Management Program (RAMP) to complete assessments of about 700 federal facilities in fiscal year 2010 and 2,500 facilities in fiscal year 2011. However, since November 2009, according to an FPS official, the agency has only completed four risk assessments using RAMP, which does not provide adequate assurance that FPS is utilizing an effective risk management approach to help protect federal facilities and may contribute to more agencies completing their own assessments. RAMP was intended to provide FPS with the capability to assess risks at federal facilities based on threat, vulnerability, and consequence; and track countermeasures to mitigate those risks. As GAO reported in July 2011, FPS experienced cost overruns, schedule delays, and operational issues with developing RAMP and as a result the agency could not use it to complete risk assessments. Without risk assessments that identify threats and vulnerabilities and the resources required to achieve security goals, FPS has only limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner. GAO recommended in July 2011 that FPS develop interim solutions for completing risk assessments while addressing RAMP’s challenges. FPS agreed with this recommendation and is in the process of developing an interim assessment tool.

As noted above, FPS charged federal agencies $236 million in basic security fees for risk assessments and security services in fiscal year 2011, although FPS has completed few risk assessments using RAMP.[2] As GAO reported in May 2011, FPS does not know how much of the basic security fee is used for completing risk assessments of federal facilities. Nonetheless, FPS increased the basic security fee from $.66 in fiscal year 2011 to $.74 per square foot in fiscal year 2012. GAO recommended in May 2011 that FPS make information on the estimated costs of key activities, as well as the basis for these cost estimates, readily available to affected parties to improve the transparency of the process for setting and using the fees.



[1]FPS is responsible for coordinating with tenant agencies to determine a facility’s security level, which ranges from I (lowest risk level) to V (highest risk level).

[2]In addition to risk assessments, the $236 million in basic security fees funds security services including ongoing review of facility countermeasures to ensure they are functioning as designed; assistance with emergency planning and exercises; response to criminal incidents and reports of suspicious activity; patrol of facilities to deter and detect criminal activity; and awareness training to inform tenants how to prevent and react to events in the facility.

Actions Needed

GAO has found that multiple federal agencies are incurring additional costs by completing their own assessments while paying FPS to complete risk assessments for the same facilities. However, DHS has not taken any actions to address the duplication, and it is not clear whether FPS’s planned risk assessment tool will help minimize duplication. Achieving the financial and other benefits that may result from reducing the duplication and increased costs that occur in assessing risks at federal facilities will require additional effort on the part of DHS and other key stakeholders.

GAO recommended in July 2011 that the Secretary of DHS

  • direct the Director of FPS to develop interim solutions for completing risk assessments while addressing RAMP’s challenges.

GAO recommended in May 2011 that the Director of FPS

  • make information about the estimated costs of key activities and the basis for these estimates available to affected parties to improve transparency.

In addition, DHS should

  • work with federal agencies to determine their reasons for duplicating the activities included in FPS’s risk assessments and identify measures to reduce this duplication.

How GAO Conducted Its Work

The information contained in this analysis is based on findings from the products listed in the related GAO products section and additional work GAO conducted to be published as a separate product in 2012. To update that information and identify continuing issues related to duplication and overlap in risk assessments for federal facilities, GAO interviewed officials from FPS, EPA, FEMA, GSA, Immigration and Customs Enforcement, IRS, U.S. Army Corps of Engineers, and the Department of Veterans Affairs.

Agency Comments & GAO Contact

GAO provided a draft of this report section to DHS for review and comment. DHS agreed with GAO’s previous two recommendations and has begun action on both. DHS did not provide comments on GAO’s newly identified action needed. DHS also provided technical comments, which were incorporated as appropriate. In its response, DHS stated that although FPS has only completed four risk assessments using RAMP, the agency is collecting data, through site visits, interviews of facility occupants, and evaluation of countermeasures, which will be used to generate risk assessments when its interim assessment tool is implemented in spring 2012. As part of its routine audit work, GAO will track agency action to address these recommendations and report to Congress.

For additional information about this area, contact Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov and Susan J. Irving at (202) 512-6806 or irvings@gao.gov.