Diplomatic Security:

Overseas Facilities May Face Greater Risks Due to Gaps in Security-Related Activities, Standards, and Policies

GAO-14-655: Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.

Multimedia:

Additional Materials:

Contact:

Michael J. Courts
(202) 512-8980
courtsm@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

To manage risks at its overseas work facilities, the Department of State (State) tracks information about each facility, assesses threat levels at posts, develops security standards to meet threats facing different types of facilities overseas, identifies vulnerabilities, and sets risk-based construction priorities. For example, State assesses six types of threats, such as terrorism, and assigns threat levels, which correspond to physical security standards at each overseas post. However, GAO found several inconsistencies in terminology used to categorize properties and within the property inventory database used to track them, raising questions about the reliability of the data. For example, GAO identified a facility categorized as a warehouse that included offices and therefore should have been subject to more stringent standards. Gaps in categorization and tracking of facilities could hamper the proper implementation of physical security standards.

Although State has established physical security standards for most types of overseas facilities, GAO identified some facility types for which standards were lacking or unclear, instances in which the standards were not updated in a timely manner, and inconsistencies within the standards. The following are examples:

  •  It is unclear what standards apply to some types of facilities.
  •  In some instances, updating standards took more than 8 years.
  •  One set of standards requires anti-ram perimeter walls at medium- and higher-threat posts; another required them only at higher-threat posts. 

Furthermore, GAO found that State lacks a process for reassessing standards against evolving threats and risks. GAO identified several posts that put security measures in place that exceed the standards because the standards did not adequately address emerging threats and risks. Without adequate and up-to-date standards, post officials rely on an ad hoc process to establish security measures rather than systematically drawing upon collective subject-matter expertise.

Although State takes steps to mitigate vulnerabilities to older, acquired, and temporary work facilities, its waivers and exceptions process has weaknesses. When posts cannot meet security standards for a given facility, the posts must submit requests for waivers and exceptions, which identify steps the post will take to mitigate vulnerabilities. However, GAO found neither posts nor headquarters systematically tracks the waivers and exceptions and that State has no process to re-evaluate waivers and exceptions when the threat or risk changes. Furthermore, posts do not always request required waivers and exceptions and do not always take required mitigation steps. With such deficiencies, State cannot be assured it has all the information needed to mitigate facility vulnerabilities and that mitigation measures have been implemented.

GAO found that State has not fully developed and implemented a risk management policy for overseas facilities. Furthermore, State's risk management activities do not operate as a continuous process or continually incorporate new information. State does not use all available information when establishing threat levels at posts, such as when posts find it necessary to implement measures that exceed security standards. State also lacks processes to re-evaluate the risk to interim and temporary facilities that have been in use longer than anticipated. Without a fully developed risk management policy, State may lack the information needed to make the best security decisions concerning personnel and facilities.

To manage risk to overseas work facilities, State conducts a range of ongoing activities, including the setting of security standards. However, GAO identified a number of problems with these activities. Moreover, GAO found that State lacked a fully developed risk management policy to coordinate these activities (see figure). 

State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

Graphic of State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

This is the public version of a Sensitive but Unclassified report by the same title.

Why GAO Did This Study

U.S. policy can call for U.S. personnel to be posted to high-threat, high-risk posts overseas. To maintain a presence in these locations, State has often relied on older, acquired (purchased or leased), and temporary work facilities that do not meet the same security standards as more recently constructed permanent facilities.

GAO was asked to review how State assures the security of these work facilities. GAO evaluated (1) how State manages risks at work facilities overseas; (2) the adequacy of State's physical security standards for these facilities; (3) State's processes to address vulnerabilities when older, acquired, and temporary overseas facilities do not meet physical security standards; and (4) the extent to which State's activities to manage risks to its overseas work facilities align with State's risk management policy and with risk management best practices. GAO reviewed U.S. laws and State's policies, procedures, and standards for risk management and physical security. GAO reviewed facilities at a judgmental sample of 10 higher-threat, higher-risk, geographically dispersed, overseas posts and interviewed officials from State and other agencies in Washington, D.C., and at 16 overseas posts, including the 10 posts at which GAO reviewed facilities.

What GAO Recommends

GAO is making 13 recommendations for State to address gaps in its security-related activities, standards, and policies. State generally agreed with GAO’s recommendations.

Specifically, GAO is recommending that the Secretary of State:

1. Define the conditions when a warehouse should be categorized as an office facility and meet appropriate security standards.

2. Harmonize the terminology State uses to categorize facilities in its security standards and property databases.

3. Establish a routine process for validating the accuracy of the data in State’s property database.

4. Establish a routine process for validating the accuracy of the data in State’s risk matrix.

5. Identify and eliminate inconsistencies between and within State’s physical security guidance.

6. Develop physical security standards for facilities not currently covered by existing standards.

7. Clarify existing flexibilities to ensure that security and life-safety updates to the security standards are updated through an expedited review process.

8. Develop a process to routinely review all security standards to determine if the standards adequately address evolving threats and risks.

9. Develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

10. Automate waivers and exceptions documentation, and ensure that headquarters and post officials have ready access to the documentation.

11. Routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.

12. Develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.

13. Develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

For more information, contact Michael J. Courts at (202) 512-8980 or courtsm@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct Office of Management Policy, Rightsizing, and Innovation (M/PRI), Bureau of Diplomatic Security (DS), and Bureau of Overseas Buildings Operations (OBO) to define the conditions when a warehouse should be categorized as an office facility and meet appropriate office physical security standards.

    Agency Affected: Department of State

  2. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct M/PRI, DS, and OBO to harmonize the terminology State uses to categorize facilities in State's physical security standards and property databases.

    Agency Affected: Department of State

  3. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct OBO to establish a routine process for validating the accuracy of the data in OBO's property database.

    Agency Affected: Department of State

  4. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct DS to establish a routine process for validating the accuracy of the data in DS's risk matrix.

    Agency Affected: Department of State

  5. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the Overseas Security Policy Board (OSPB) to develop physical security standards for facilities not currently covered by existing standards.

    Agency Affected: Department of State

  6. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to clarify existing flexibilities in the FAH to ensure that security and life-safety updates to the OSPB standards and Physical Security Handbook are updated through an expedited review process.

    Agency Affected: Department of State

  7. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks.

    Agency Affected: Department of State

  8. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

    Agency Affected: Department of State

  9. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to automate its documentation of waivers and exceptions, and ensure that DS officials in headquarters and at each post have ready access to post's waivers and exceptions documentation.

    Agency Affected: Department of State

  10. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.

    Agency Affected: Department of State

  11. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.

    Agency Affected: Department of State

  12. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To strengthen the effectiveness of the Department of State's risk management policies, the Secretary of State should develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

    Agency Affected: Department of State

  13. Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct the Under Secretary for Management to identify and eliminate inconsistencies between and within the Foreign Affairs Manual, Foreign Affairs Handbook (FAH), and other guidance concerning physical security.

    Agency Affected: Department of State

 

Explore the full database of GAO's Open Recommendations »

Sep 10, 2014

Sep 9, 2014

Aug 28, 2014

Jul 24, 2014

Jul 21, 2014

Jul 9, 2014

Jul 8, 2014

Looking for more? Browse all our products here