New Federal Standards Hold Promise, But Could Be Strengthened to Better Protect Leased Space
GAO-10-873: Published: Sep 22, 2010. Publicly Released: Sep 22, 2010.
The federal government's reliance on leased space underscores the need to physically secure this space and help safeguard employees, visitors, and government assets. In April 2010 the Interagency Security Committee (ISC), comprised of 47 federal agencies and departments and chaired by the Department of Homeland Security (DHS), issued Physical Security Criteria for Federal Facilities (the 2010 standards) which supersede previous ISC standards. In response to Congress' direction to review ISC standards for leased space, this report (1) identifies challenges that exist in protecting leased space and (2) examines how the 2010 standards address these challenges. To conduct this work, GAO analyzed agency documents and interviewed federal officials from ISC, four federal departments selected as case studies based on their large square footage of leased space, and the Federal Protective Service (FPS). GAO also consulted prior work on federal real property and physical security, including key practices in facility protection.
Limited information about risks and the inability to control common areas and public access pose challenges to protecting leased space. Leasing officials do not always have the information needed to employ a risk management approach for allocating resources--a key practice in facility protection. Early risk assessments--those conducted before a lease is executed--can provide leasing officials with valuable information; however, FPS, which is the General Service Administration's (GSA) physical security provider, generally does not perform these assessments for leased space under 10,000 square feet--which constitutes a majority of GSA's leases. Under its memorandum of agreement (MOA) with GSA, FPS is not expected to perform these assessments and does not have the resources to do so. Another challenge in protecting leased space is tenant agencies' lack of control over common areas (such as elevator lobbies, loading docks, and the building's perimeter) which hampers their ability to mitigate risk from public access to leased space. In leased space, lessors, not tenant agencies, typically control physical security in common areas. To implement measures to counter risks in common areas, tenant agencies must typically negotiate with and obtain consent from lessors, who may be unwilling to implement countermeasures because of the potential burden or undue effect on other, nonfederal tenants. For example, tenant agencies in a high-risk, multitenant leased facility we visited have been unable to negotiate changes to the common space, including the installation of X-ray machines and magnetometers, because the lessor believed that the proposed countermeasures would inconvenience other tenants and the public. The 2010 standards show potential for addressing some challenges with leased space. These standards align with some key practices in facility protection because they prescribe a decision making process to determine, mitigate, and accept risks using a risk management approach. Further, by requiring that decision making be tracked and documented, the standards facilitate performance measurement that could help enable agency officials to determine if the most critical risks are being prioritized and mitigated. With its emphasis on the uniform use of early risk assessments, the 2010 standards provide a baseline requirement for agencies to consider as they develop protocols and allocate resources for protecting leased space. For example, GSA and FPS must now consider this requirement, which represents an expansion of the services currently expected of FPS, as they renegotiate their MOA. In contrast, a shortfall within the 2010 standards is that they offer little means for addressing tenant agencies' lack of control over common areas and public access. While the 2010 standards outline specific countermeasures for addressing public access, they lack in-depth discussion and guidance--such as best practices--that could provide a framework for working with lessors to implement these countermeasures. Given the critical role that lessors play, such guidance is warranted. As the government's central forum for exchanging information on facility protection, ISC is well positioned to develop and share this guidance. GAO recommends that DHS instruct ISC to establish a working group or other mechanism to determine guidance for working with lessors, and to incorporate this guidance into a future ISC standard or other product, as appropriate. DHS concurred with the report's recommendation.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In 2010, we reported that Interagency Security Committee (ISC) issued Physical Security Criteria for Federal Facilities (the 2010 standards). We assessed the 2010 standards and found that they held promise for positioning the federal government to begin comprehensively assessing risks with its requirement for documenting building-specific security decision making. However, the standards' lack of discussion on working with lessors is notable, given the significant role these entities have in implementing countermeasures that could mitigate risks from public access, particularly in common areas, such as lobbies and loading docks. Guidance to tenant agencies, leasing officials, and security officials on how to work with lessors, such as best practices, would give helpful direction as these entities work together to secure common areas and protect leased space. We recommended that the Department of Homeland Security instruct ISC to establish a working group or other mechanism to determine guidance for working with lessors. In 2014, we confirmed that ISC had established this working group and it had drafted such guidance. As the government's central forum for exchanging information on facility protection, ISC has effectively used its position to lead the develop of guidance on facility protection.
Recommendation: To enhance the value of ISC standards for addressing challenges with protecting leased space, the Secretary of Homeland Security should instruct the Executive Director of the ISC, in consultation, where appropriate, with ISC member agencies to establish an ISC working group or other mechanism to determine guidance for working with lessors, which may include best practices to secure common areas and public access.
Agency Affected: Department of Homeland Security
Comments: On July 19, 2012, ISC emailed GAO a draft copy of best practices for working with lessors. This met our recommendation that the Secretary of Homeland Security instruct the Executive Director of the ISC, in consultation, where appropriate, with ISC member agencies to (1) establish an ISC working group or other mechanism to determine guidance for working with lessors, which may include best practices to secure common areas and public access, and (2) subsequently incorporate these findings into a future ISC standard or other product, as appropriate.
Recommendation: To enhance the value of ISC standards for addressing challenges with protecting leased space, the Secretary of Homeland Security should instruct the Executive Director of the ISC, in consultation, where appropriate, with ISC member agencies to subsequently incorporate these findings into a future ISC standard or other product, as appropriate.
Agency Affected: Department of Homeland Security