Federal Real Property Security:

Interagency Security Committee Should Implement A Lessons-Learned Process

GAO-12-901: Published: Sep 10, 2012. Publicly Released: Sep 10, 2012.

Additional Materials:

Contact:

Mark L. Goldstein
(202) 512-6670
goldsteinm@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Based on GAO’s previous work and the information obtained from other agencies, GAO identified eight individual practices that can be combined and considered steps within an overall lessons-learned process—that is, a systematic means for agencies to learn from an event and make decisions about when and how to use that knowledge to change behavior. Not all of the agencies with which GAO spoke used all of the practices, and the application of the practices varied among agencies. For example, to collect information about an incident—the first step of the process—the Bureau of Diplomatic Security within the Department of State collects incident reports, footage from security cameras, and interviews witnesses. To disseminate lessons learned—the fifth step—the Los Angeles Police Department produces a formal document after a critical incident that captures the lessons learned and disseminates the document to its units for use in planning, preparation, and coordination exercises.

The Interagency Security Committee (ISC), which is led by the Department of Homeland Security (DHS), currently does not have a systematic, comprehensive lessons-learned process for physical security, but the ISC does have a number of current initiatives that could support a more comprehensive lessons-learned effort. For example, ISC collects and analyzes information to update its physical security standards, captures and disseminates best practices to its members through its quarterly meetings, and archives information in the Homeland Security Information Network. ISC has initiated a working group to explore the idea of creating a systematic, governmentwide lessons-learned process. But the working group is at an early stage, and it is not clear if the new effort will include all of the lessons-learned practices that GAO identified. Not incorporating all eight practices could result in a less effective effort and fail to maximize the value of the lessons learned to ISC’s membership. ISC derives its authority from an executive order. However, it depends on its member agencies to take the initiative to share information and it is unclear that ISC’s current authority over its members is sufficient to implement a governmentwide lessons-learned process, which will rely on members to openly share information—including mistakes.

Law enforcement officials cited various challenges to establishing a governmentwide lessons-learned process, including the need to create a culture that encourages information sharing, address the concerns about safeguarding sensitive security information, disseminate information in a timely manner, and overcome resource constraints. Agencies GAO met with had found ways to mitigate these challenges using strategies consistent with a lessons-learned process.

Why GAO Did This Study

Attacks on federal facilities in the U.S. have highlighted the need to identify lessons learned from prior security incidents and apply that knowledge to security procedures governmentwide. Dozens of federal law enforcement agencies provide physical security services for domestic nonmilitary federal facilities. The ISC is responsible for developing governmentwide physical security standards and coordinating agencies to improve the protection of federal facilities. As requested, this report examines (1) the practices used to identify and apply lessons learned and how agencies have used these practices, (2) actions ISC has taken to identify and apply lessons learned from attacks on federal facilities, and (3) challenges to developing a governmentwide lessons-learned process and the strategies agencies have used to mitigate those challenges. GAO reviewed documents and interviewed officials from 35 security and law enforcement agencies with experience protecting selected tourist sites in cities in Greece, Israel, Italy, and the United States. GAO also interviewed officials from ISC and agencies known to apply lessons-learned practices.

What GAO Recommends

ISC should (1) incorporate the practices of a lessons-learned process as it develops its own process and (2) determine if its existing authority is sufficient to effectively implement a governmentwide lessons-learned process. DHS agreed with our findings and recommendations.

For more information, contact Mark L. Goldstein at (202) 512-2834 or GoldsteinM@gao.gov.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: To improve the federal government's ability to learn from and disseminate physical security lessons, the Secretary of Homeland Security should direct ISC to develop a lessons-learned process for physical security that will (1) leverage the lessons-learned practices it already employs and (2) incorporate the full range of lessons-learned practices identified in our report.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the federal government's ability to learn from and disseminate physical security lessons, the Secretary of Homeland Security should direct ISC to determine, as it develops a lessons-learned process, whether Executive Order 12977 provides sufficient authority to effectively support a systematic, governmentwide lessons-learned effort. If ISC determines that it does not have sufficient authority, it should then determine the best course of action to seek the needed authority.

    Agency Affected: Department of Homeland Security

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Jul 24, 2014

    Jul 16, 2014

    Jun 27, 2014

    Jun 24, 2014

    Jun 23, 2014

    Jun 18, 2014

    Jun 16, 2014

    Jun 11, 2014

    Looking for more? Browse all our products here