Federal Protective Service:

Actions Needed to Resolve Delays and Inadequate Oversight Issues with FPS's Risk Assessment and Management Program

GAO-11-705R: Published: Jul 15, 2011. Publicly Released: Aug 15, 2011.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-6670
GoldsteinM@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Federal Protective Service (FPS), which is within the Department of Homeland Security's (DHS) National Protection and Programs Directorate (NPPD), is responsible for protecting the more than 1 million federal employees and members of the public who work in and visit the over 9,000 federal facilities owned or leased by the General Services Administration (GSA) from a potential terrorist attack or other acts of violence. To accomplish its facility protection mission, FPS has about 1,200 full-time employees and approximately 13,200 contract security guards. FPS has an annual budget of about $1 billion and receives its funding from the revenues and collections of security fees charged to tenant agencies for protective services such as facility security assessments (FSA) and providing contract security guard services. Since 2008, we have issued numerous reports that address major challenges FPS faces in protecting federal facilities. For example, in 2009 and 2010 we reported that FPS had problems completing high-quality FSAs in a timely manner and did not provide adequate oversight of its contract guard program. In September 2007, FPS decided to address the challenges with its legacy security assessment and guard management systems with a new system. On August 1, 2008, DHS's Immigration and Customs Enforcement (ICE) competitively awarded and FPS funded a $21 million, 7-year contract to develop and maintain the Risk Assessment and Management Program (RAMP) system. RAMP is a web-enabled risk assessment and guard management system, and its initial implementation was scheduled for July 31, 2009. Among other things, RAMP is intended to: (2) provide FPS with the capability to assess risks at federal facilities based on threat, vulnerability, and consequence, and track countermeasures to mitigate those risks; and (2) improve the agency's ability to monitor and verify that its contract security guards are trained and certified to be deployed to federal facilities. In response to congressional request that we examine RAMP, this report addresses the following questions: (1) What is RAMP's current status, including whether it can be used as planned? (2) What are the factors that contributed to this status? (3) What are the actions FPS is taking to develop and implement RAMP?

RAMP is over budget, behind schedule, and cannot be used to complete FSAs and reliable guard inspections as intended. RAMP's contract award amount totals $57 million, almost three times more than the $21 million original development contract amount. As of June 2011, FPS has spent almost $35 million of the $57 million to develop RAMP. RAMP's costs increased in part because FPS changed the original system requirements and the contractor had to add additional resources to accommodate the changes. FPS also has experienced delays in developing and implementing RAMP, as it is almost 2 years behind its original July 2009 implementation date. FPS cannot use RAMP to complete FSAs because the agency did not verify the accuracy of the federal facility data it obtained from GSA or include an edit feature in RAMP that would allow inspectors to edit these data when necessary. FPS is also experiencing difficulty using RAMP to ensure that its approximately 13,200 contract guards have met training and certification requirements to be deployed at federal facilities because it does not have a process for verifying this information before it is entered into RAMP. RAMP also does not yet fully incorporate certain government security standards. For example, according to an FPS official, RAMP does not support the April 2010 ISC Physical Security Criteria for Federal Facilities because FPS did not have time to incorporate it in the June 2010 version of RAMP. FPS is planning to incorporate these standards in the next version of RAMP. Several factors have contributed to FPS being unable to use RAMP as planned. Most importantly, FPS and ICE did not adequately follow GAO's project management best practices in developing and implementing RAMP. FPS is taking some steps to address RAMP's problems. Most notably, FPS has preliminarily decided to discontinue its current RAMP development contract and is considering using a new contractor to finish developing RAMP. FPS is also working to incorporate ISC's Physical Security Criteria for Federal Facilities into RAMP before the next version is implemented. Given the technological changes that may have occurred since FPS began developing RAMP 4 years ago, there could be alternative systems that would better meet FPS's needs. However, FPS has not evaluated whether further developing RAMP is the most cost-beneficial approach compared to possible alternatives. In addition, FPS has not developed a plan to address the problems we found with RAMP, for example, ensuring the accuracy of federal facility and contract guard data. Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, we recommend that the Secretary of Homeland Security direct the Under Secretary of NPPD and the Director of FPS to take the following four actions: (1) evaluate whether it is cost-beneficial to finish developing RAMP or if other alternatives for completing FSAs and managing security guards would be more appropriate, (2) increase the use of project management best practices by managing requirements and conducting user acceptance testing for any future RAMP development efforts, (3) establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP, and (4) develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges. To improve contract administration, we recommend that the Secretary of Homeland Security direct the Directors of ICE and FPS to complete contract performance evaluations for the current RAMP contractor, and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the Federal Acquisition Regulation (FAR).

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: We reported in 2011 that the Federal Protective Service (FPS) experienced cost overruns and schedule delays with its Risk Assessment and Management Program (RAMP) contract. Specifically, we reported that FPS spent about $35 million and 4 years developing RAMP, essentially a web-enabled risk assessment and guard management system, but ultimately could not use it to complete facility security assessments or reliable guard inspections. Thus, we recommended that FPS evaluate whether it was cost beneficial to finish developing RAMP or if other alternatives for completing security assessments would be more appropriate. In May 2011, FPS determined that it was not cost beneficial to finish developing RAMP and considered other alternatives. FPS ultimately decided to develop an interim vulnerability assessment tool referred to as the Modified Infrastructure Survey Tool (MIST). In May 2012, FPS started training its personnel to use MIST and plans to use MIST to resume assessing security at federal facilities.

    Recommendation: Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to evaluate whether it is cost-beneficial to finish developing RAMP or if other alternatives for completing FSAs and managing security guards would be more appropriate.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: In 2011, GAO reported that the Federal Protective Service (FPS) faced a number of challenges with its Risk Assessment and Management Program (RAMP) that prevented it from conducting risk assessments of federal facilities and reliable guard inspections as intended. Specifically, GAO reported that FPS did not adequately follow project management best practices in developing and implementing RAMP. For example, FPS did not manage requirement changes or conduct user acceptance testing with its inspectors. Therefore, GAO recommended that FPS increase the use of project management best practices by managing requirement changes and conducting user acceptance testing for any future RAMP development efforts. In response, in May 2011, FPS determined that it was not cost beneficial to finish developing RAMP and considered other alternatives. In September 2011, FPS decided to develop an interim vulnerability assessment tool referred to as the Modified Infrastructure Survey Tool (MIST). In 2015, GAO confirmed that FPS developed MIST following project management best practices such as managing requirement changes and conducting user acceptance testing. FPS was using MIST to assess risk and conduct guard inspections at federal facilities. As a result, FPS has a better system for conducting vulnerability assessments of federal facilities.

    Recommendation: Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to increase the use of project management best practices by managing requirements and conducting user acceptance testing for any future RAMP development efforts.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: In 2011, GAO reported that FPS could not use RAMP to complete risk assessments of federal facilities because the agency did not verify the accuracy of the federal facility data it obtained from GSA or include an edit feature in RAMP that would allow inspectors to edit these data when necessary. FPS was also experiencing difficulty using RAMP to ensure that its approximately 13,200 contract guards have met training and certification requirements to be deployed at federal facilities because the agency does not have a process for verifying this information before it is entered into RAMP. Therefore, GAO recommended that FPS establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP (the system that FPS planned to use during our engagement). In 2015, GAO confirmed that FPS developed and implemented procedures to receive, review, and submit corrections to federal facility data sent from GSA's real property database for FPS to use to conduct facility vulnerability assessments. Regarding improving the accuracy of contract guard training and certification data, FPS developed and implemented procedures to verify the accuracy of that data before entering it into its interim contract guard database. As a result, FPS is better able to verify the accuracy of federal facility data as well as their contract guard training and certification data.

    Recommendation: Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to establish a process for verifying the accuracy of federal facility and guard training and certification data before entering them into RAMP.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: Given the challenges FPS faced thus far with developing RAMP, technological changes that may have occurred in the last 4 years, and to help guide and ensure the successful development and implementation of any risk assessment and contract guard management system, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to develop interim solutions for completing FSAs and guard inspections while addressing RAMP's challenges.

    Agency Affected: Department of Homeland Security

  5. Status: Closed - Implemented

    Comments: In 2011, GAO reported that FPS and the Department of Homeland Security's (DHS) Immigration and Custom Enforcement (ICE) did not always comply with DHS's acquisition policy and the FAR with the acquisition of FPS's Risk Assessment and Management Program (RAMP) system. Specifically FPS and ICE did not complete contractor performance evaluations for the contractor responsible for developing FPS's RAMP. These evaluations are one of the most important tools for ensuring that the contractor meets the terms of the contract. Therefore, GAO recommended that FPS and ICE complete contract performance evaluations for the RAMP contractor and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the FAR. In 2015, GAO confirmed that FPS and ICE had retroactively completed contract performance evaluations for the RAMP contractor and included them in the contract file. As a result, FPS has improved its acquisition process and is better able to explain the basis for key acquisition decisions.

    Recommendation: To improve contract administration, the Secretary of Homeland Security should direct the Directors of ICE and FPS to complete contract performance evaluations for the current RAMP contractor, and ensure that the evaluations and other required documents are maintained in the contract file in accordance with DHS's acquisition policy and the Federal Acquisition Regulation.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »

Aug 11, 2016

Jul 22, 2016

Jul 21, 2016

Jul 6, 2016

Jun 30, 2016

Jun 23, 2016

Jun 20, 2016

Looking for more? Browse all our products here