Federal Facility Security:
Additional Actions Needed to Help Agencies Comply with Risk Assessment Methodology Standards
GAO-14-86: Published: Mar 5, 2014. Publicly Released: Apr 7, 2014.
What GAO Found
Three of the nine selected agencies' risk assessment methodologies that GAO reviewed—the Department of Energy (DOE), the Department of Justice (DOJ), and the Department of State (State)—fully align with the Interagency Security Committee's (ISC) risk assessment standards, but six do not—the Department of the Interior (DOI), the Department of Veterans Affairs (VA), the Federal Protective Service (FPS), the Federal Emergency Management Agency (FEMA), the Nuclear Regulatory Commission (NRC), and the Office of Personnel Management (OPM). As a result, these six agencies may not have a complete understanding of the risks facing approximately 52,000 federal facilities and may be less able to allocate security resources cost-effectively at the individual facility level or across the agencies' facility portfolios. ISC's The Risk Management Process for Federal Facilities (RMP) standard requires that agencies' facility risk assessment methodologies (1) consider all of the undesirable events identified in the RMP as possible risks to federal facilities, and (2) assess the threat, consequences, and vulnerability to specific undesirable events. Six of the nine agencies' methodologies GAO reviewed do not align with ISC's standards because the methodologies do not (1) consider all of the undesirable events in the RMP or (2) assess threat, consequences, or vulnerability to specific undesirable events. For example, five agencies (DOI, VA, FEMA, FPS, and NRC) do not assess the threat, consequences, or vulnerability to specific undesirable events, as ISC requires. The reasons varied; for example, VA said that its methodology was in place before ISC issued its standards. Officials from that agency told us they were working to update their methodology.
ISC has issued a series of physical security standards and guidance to assist member agencies with developing their risk assessment methodologies, but does not know the extent to which its 53 member agencies comply with its standards, including its risk assessment standards, because it does not monitor agencies' compliance. ISC does not monitor compliance or have an approach to do so that incorporates outreach to agencies regarding their compliance status. Officials stated that they would like to monitor agencies' compliance, but limited resources and other priorities, such as developing standards and guidance, have prevented them from doing so. However, ISC has the authority to create a working group from its member agencies to help it perform its duties. In the absence of ISC's monitoring, agencies' risk assessment methodologies may not align with ISC's standards. In addition, although ISC issued risk assessment guidance in August 2013, this guidance is limited. For example, the guidance does not describe how to incorporate threat, consequence, or vulnerability assessments of specific undesirable events into a risk assessment methodology. Not having appropriate guidance is inconsistent with federal internal-control standards designed to promote effectiveness and efficiency.
Why GAO Did This Study
The 2012 shooting at the Anderson Federal Building in Long Beach, California, demonstrates that federal facilities and their employees as well as the public who visit federal buildings continue to be the targets of violence. The Federal Protective Service and about 30 other federal agencies are responsible for protecting civilian federal facilities and their occupants from potential threats, in part, by assessing risks to their facilities. ISC—an interagency organization led by the Department of Homeland Security—issues standards for facility protection.
GAO was asked to examine how federal agencies assess risk to their facilities. This report assesses (1) the extent to which selected ISC member agencies' facility risk assessment methodologies align with ISC's risk assessment standards, and (2) how ISC assists member agencies in developing risk assessment methodologies and monitors compliance with these standards. GAO selected 9 of 53 ISC member agencies based on their missions and number of facilities. GAO compared each selected agency's risk assessment methodology to ISC's risk assessment standards. ISC is required to enhance security in and protection of federal facilities government-wide; recommendations GAO makes are to ISC and not its member agencies.
What GAO Recommends
GAO recommends that ISC take action to assess member agencies' compliance and provide additional risk assessment methodology guidance. DHS concurred with GAO's recommendations.
For more information, contact Mark L. Goldstein at (202) 512-2834 or email@example.com.
Recommendations for Executive Action
Comments: In November 2016, the Interagency Security Committee (ISC) told us that it had completed a strategic plan for conducting outreach to agencies and established a working group to develop a standard for ensuring compliance with ISC security standards. ISC is also developing a mechanism that would allow federal agencies to self-report their compliance with the standards and would also allow ISC to track and monitor compliance by agencies. ISC said it plans to finalize agency guidance for using this self-reporting mechanism in 2017. We will continue to monitor ISC's efforts to implement this recommendation.
Recommendation: To help ensure that federal agencies are developing and using appropriate risk assessment methodologies, the Secretary of Homeland Security should direct the ISC to conduct outreach to identify which member agencies have not developed risk assessment methodologies that align with ISC standards and develop a mechanism to monitor and ensure compliance of all its member agencies.
Agency Affected: Department of Homeland Security
Comments: In November 2016, ISC told us it had drafted changes to its Risk Management Process standard to address our recommendation, with anticipated release in mid-2017. ISC also said it made changes to its Design Basis Threat document, issued in January 2016, but our review did not identify any substantial changes that addressed our recommendation. We will continue to monitor ISC's efforts to implement this recommendation.
Recommendation: To help ensure that federal agencies are developing and using appropriate risk assessment methodologies, the Secretary of Homeland Security should direct the ISC to supplement the risk assessment guidance contained in The Risk Management Process for Federal Facilities with: (1) information on how to incorporate threat, consequence, and vulnerability assessments of specific undesirable events into a risk assessment methodology and (2) examples of risk assessment methodologies that ISC determines comply with its standards.
Agency Affected: Department of Homeland Security