This is the accessible text file for GAO report number GAO-15-6 
entitled 'Federal Facility Cybersecurity: DHS and GSA Should Address 
Cyber Risk to Building and Access Control Systems' which was released 
on January 12, 2015. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as 
part of a longer term project to improve GAO products' accessibility. 
Every attempt has been made to maintain the structural and data 
integrity of the original printed product. Accessibility features, 
such as text descriptions of tables, consecutively numbered footnotes 
placed at the end of the file, and the text of agency comment letters, 
are provided but may not exactly duplicate the presentation or format 
of the printed version. The portable document format (PDF) file is an 
exact electronic replica of the printed version. We welcome your 
feedback. Please E-mail your comments regarding the contents or 
accessibility features of this document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

United States Government Accountability Office: 
GAO: 

Report to Congressional Requesters: 

December 2014: 

Federal Facility Cybersecurity: 

DHS and GSA Should Address Cyber Risk to Building and Access Control 
Systems: 

GAO-15-6: 

GAO Highlights: 

Highlights of GAO-15-6, a report to congressional requesters. 

Why GAO Did This Study: 

Federal facilities contain building and access control systems--
computers that monitor and control building operations such as 
elevators, electrical power, and heating, ventilation, and air 
conditioning--that are increasingly being connected to other 
information systems and the Internet. The increased connectivity 
heightens their vulnerability to cyber attacks, which could compromise 
security measures, hamper agencies' ability to carry out their 
missions, or cause physical harm to the facilities or their occupants. 

GAO's objective was to examine the extent to which DHS and other 
stakeholders are prepared to address cyber risk to building and access 
control systems in federal facilities. GAO reviewed DHS's and other 
stakeholders' authorities to protect federal facilities from cyber 
attacks; visited selected FPS-protected facilities to determine what 
stakeholders were doing to address cyber risks to these systems; and 
interviewed experts about the cyber vulnerability of building and 
access control systems and related issues. GAO also reviewed GSA's 
security assessment process and a sample of reports. 

What GAO Found: 

The Department of Homeland Security (DHS) has taken preliminary steps 
to begin to understand the cyber risk to building and access control 
systems in federal facilities. For example, in 2013, components of 
DHS's National Protection and Programs Directorate (NPPD) conducted a 
joint assessment of the physical security and cybersecurity of a 
federal facility. However, significant work remains. 

* Lack of a strategy: DHS lacks a strategy that: (1) defines the 
problem, (2) identifies the roles and responsibilities, (3) analyzes 
the resources needed, and (4) identifies a methodology for assessing 
this cyber risk. A strategy is a starting point in addressing this 
risk. The absence of a strategy that clearly defines the roles and 
responsibilities of key components within DHS has contributed to a 
lack of action within the Department. For example, no one within DHS 
is assessing or addressing cyber risk to building and access control 
systems, particularly at the nearly 9,000 federal facilities protected 
by the Federal Protective Service (FPS) as of October 2014. According 
to an NPPD official, DHS has not developed a strategy, in part, 
because cyber threats involving these systems are an emerging issue. 
By not developing a strategy document for assessing cyber risk to 
facility and security systems, DHS and, in particular, NPPD have not 
effectively articulated a vision for organizing and prioritizing 
efforts to address the cyber risk facing federal facilities that DHS 
is responsible for protecting. 

* Cyber threat not identified in report for federal agencies: The 
Interagency Security Committee (ISC), which is housed within DHS and 
is responsible for developing physical security standards for 
nonmilitary federal facilities, has not incorporated cyber threats to 
building and access control systems in its Design-Basis Threat report 
that identifies numerous undesirable events. An ISC official said that 
recent active shooter and workplace violence incidents have caused ISC 
to focus its efforts on policies in those areas first. Incorporating 
the cyber threat to building and access control systems in the 
Design-Basis Threat report will inform agencies about this threat so 
they can begin to assess its risk. This action also could prevent 
federal agencies from expending limited resources on methodologies 
that may result in duplication. 

GSA has not fully assessed the risk of building control systems to a 
cyber attack in a manner that is consistent with the Federal 
Information Security Management Act of 2002 (FISMA) or its 
implementation guidelines. Although GSA has assessed the security 
controls of these systems, the assessments do not fully assess the 
elements of risk (e.g., threat, vulnerability, and consequence). GSA 
also has not yet conducted security control assessments for many of 
its building control systems. GSA information technology officials 
said that GSA has conducted security assessments of the building 
control systems that are in about 500 of its 1,500 FPS-protected 
facilities and plans to complete the remainder in fiscal year 2015 or 
when systems are connected to the network or the Internet. Further, 
our review of 20 of the 110 security assessment reports that GSA 
prepared from 2010 to 2014 showed that they were not comprehensive 
or fully consistent with FISMA implementation guidelines. For example, 
5 of the 20 reports we reviewed showed that GSA assessed the building 
control device to determine if a user's identity and password were 
required for login but did not assess the system to determine if 
password complexity rules were enforced. This could potentially lead 
to weak or insecure passwords being used to secure building control 
systems. 

What GAO Recommends: 

GAO recommends that DHS (1) develop and implement a strategy to 
address cyber risk to building and access control systems and (2) 
direct ISC to revise its Design-Basis Threat report to include cyber 
threats to building and access control systems. GAO also recommends 
that GSA assess cyber risk of its building control systems fully 
reflecting FISMA and its guidelines. DHS and GSA agreed with the 
recommendations. 

View [hyperlink, http://www.gao.gov/products/GAO-15-6]. For more 
information, contact Mark L. Goldstein at (202) 512-2834 or 
goldsteinm@gao.gov or Gregory C. Wilshusen at (202) 512-6244 or 
wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Background: 

DHS and Other Stakeholders Are Taking Preliminary Steps to Address 
Cyber Risk to Building and Access Control Systems, but Significant 
Work Remains: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Sources of Cyber-Based Threats and Types of Exploits: 

Appendix III: Comments from the Department of Homeland Security: 

Appendix IV: Comments from the General Services Administration: 

Appendix V: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Selected Federal Laws and Policies Governing the Protection 
of Building and Access Control Systems: 

Table 2: Sources of Cyber-Based Threats: 

Table 3: Types of Exploits: 

Figures: 

Figure 1: DHS's NPPD Offices with Facility Security or Cybersecurity 
Responsibilities: 

Figure 2: Some Types of Building and Access Control Systems in a 
Federal Facility: 

Figure 3: Example of the Connectivity of a Heating, Ventilation, and 
Air-Conditioning System via the Internet: 

Abbreviations: 

DHS: Department of Homeland Security: 

GSA: General Services Administration: 

FISMA: Federal Information Security Management Act of 2002: 

FPS: Federal Protective Service: 

ICS-CERT: Industrial Control Systems Cyber Emergency Response Team: 

ISC: Interagency Security Committee: 

NCCIC: National Cybersecurity and Communications Integration Center: 

NIST: National Institute of Standards and Technology: 

NPPD: National Protection and Programs Directorate: 

PPD-21: Presidential Policy Directive 21: 

RMP: The Risk Management Process for Federal Facilities: 

US-CERT: U.S. Computer Emergency Readiness Team: 

[End of section] 

United States Government Accountability Office: 
GAO:
441 G St. N.W. 
Washington, DC 20548: 

December 12, 2014: 

The Honorable Michael McCaul: 
Chairman: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Patrick Meehan: 
Chairman: 
Subcommittee on Cybersecurity, Infrastructure Protection, and Security 
Technologies: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Jeff Duncan: 
Chairman: 
Subcommittee on Oversight and Management Efficiency: 
Committee on Homeland Security: 
House of Representatives: 

The Department of Homeland Security (DHS) is responsible for 
protecting federal facilities, including thousands of office 
buildings, laboratories, and warehouses, which are part of the 
nation's critical infrastructure. These facilities contain building 
and access control systems such as heating, ventilation, and air 
conditioning; electronic card readers; and closed-circuit camera 
systems that are increasingly being automated and connected to other 
information systems or networks and the Internet.[Footnote 1] As these 
systems are becoming more connected, their vulnerability to potential 
cyber attacks[Footnote 2] is also increasing. This was demonstrated by 
an incident in 2009, when a security guard at a Dallas-area hospital 
loaded a malicious program onto the hospital's computers, one of which 
controlled the heating, ventilation, and air-conditioning control 
system for two floors, which, according to court records, could have 
affected patients' medications and treatments. Security officials we 
interviewed also said that cyber attacks on systems in federal 
facilities could compromise security countermeasures, hamper agencies' 
ability to carry out their missions, or cause physical harm to the 
facilities and their occupants. 

Although DHS's Federal Protective Service (FPS) is responsible for the 
physical security of facilities under the custody and control of the 
General Services Administration (GSA), other entities may own and 
operate these building and access control systems. For example, GSA or 
private building owners may own and operate heating, ventilation, and 
air-conditioning systems, and federal tenant agencies may own access 
control systems and have responsibility for protecting them. However, 
the extent to which DHS and other stakeholders are prepared to assess 
and mitigate cyber risk--a measure of the extent to which an entity is 
threatened by a potential circumstance or event--to these systems is 
unclear. We have identified the protection of federal information 
systems as a government-wide high-risk area since 1997 and in 2003 
expanded this high-risk area to include the protection of systems 
supporting our nation's critical infrastructure, a designation that 
remains in place today.[Footnote 3] Moreover, concern about protecting 
federal facilities is one of the main reasons why we have designated 
federal real property management as a high risk area.[Footnote 4] 

This report focuses on building and access control systems used to 
operate or protect these facilities, and does not address cyber risk 
to other types of information systems or networks. You asked us to 
review FPS's efforts to protect federal facilities from these types of 
cyber attacks. This report examines the extent to which DHS and other 
stakeholders are prepared to address cyber risk to building and access 
control systems in FPS-protected facilities. 

To conduct our evaluation, we analyzed relevant homeland security and 
cybersecurity-related laws, policies, and guidance. We identified 
relevant federal stakeholders, for example, DHS and its various 
components, including the National Protection and Programs Directorate 
(NPPD), FPS, the Office of Infrastructure Protection, the Office of 
Cyber and Infrastructure Analysis, and the Office of Cybersecurity and 
Communications and its subcomponents: Federal Network Resilience and 
the National Cybersecurity and Communications Integration Center 
(NCCIC) and its subcomponents, the U.S. Computer Emergency Readiness 
Team (US-CERT) and the Industrial Control Systems Cyber Emergency 
Response Team (ICS-CERT). We also identified the Interagency Security 
Committee, GSA, and other federal agencies that are tenants in 
facilities protected by FPS. We interviewed each of these stakeholders 
or their relevant components to determine what steps they have taken 
to prevent cyber attacks on building and access control systems in FPS-
protected facilities. We identified and visited five FPS-protected 
facilities in the Washington, D.C., area to determine what FPS and 
other stakeholders are doing to assess and mitigate cyber risk to 
building and access control systems in these facilities. We selected 
these facilities to represent different types of ownership (three were 
government-owned and two were leased from private owners), different 
security levels,[Footnote 5] and uses. We chose to visit facilities in 
the Washington, D.C., area because of the large number of federal 
facilities that met these criteria. At each of the five facilities, we 
interviewed officials from FPS, GSA (or the facility's owner if 
leased), and tenant agencies about their roles and responsibilities 
for securing these systems. The findings from these site visits are 
not generalizable to all FPS-protected facilities. We also reviewed 
GSA's security assessment procedures and a sample of GSA's security 
assessment reports on building systems that were prepared between 2010 
and 2014, and discussed them with agency information technology 
officials. The findings from those reviews are not generalizable to 
all of GSA's assessment reports. 

In addition, we conducted a literature review and interviewed DHS 
officials and experts about the extent to which building and access 
control systems are vulnerable to cyber attacks and the possible 
consequences of such attacks. Ten experts with cybersecurity expertise 
were selected from academia and private industry. These experts were 
chosen through our research and based on interviews during previous 
cybersecurity reviews. Their views are not generalizable. A list of 
related GAO products on cybersecurity is provided at the end of this 
report. Appendix I provides more details about our scope and 
methodology. 

We conducted this performance audit from November 2013 through 
December 2014 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objective. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 

Background: 

DHS and Other Stakeholders Are Involved in Physical and Cybersecurity 
of Federal Facilities: 

The Homeland Security Act of 2002 requires DHS, among other things, to 
protect federal facilities as well as people on the property. Within 
DHS, the National Protection and Programs Directorate (NPPD) is 
responsible for leading the national effort to strengthen the security 
and resilience of the nation's physical and cyber-critical 
infrastructure against terrorist attacks, cyber events, natural 
disasters, or other catastrophic incidents. As part of this effort, an 
NPPD responsibility is to lead the effort to strengthen security and 
resilience of federal facilities and federal (nonmilitary) information 
systems and networks. Figure 1 shows several NPPD components 
responsible for issues related to protecting federal facilities or 
cybersecurity. 

Figure 1: DHS's NPPD Offices with Facility Security or Cybersecurity 
Responsibilities: 

[Refer to PDF for image: organization chart] 

Department of Homeland Security: 

Top level: 
National Protection and Programs Directorate: 

Second level: 
Federal Protective Service; 
Office of Infrastructure Protection: 
* Interagency Security Committee; 
Office of Cyber and Infrastructure Analysis; 
Office of Cybersecurity and Communications: 
* Federal Network Resilience; 
* National Cybersecurity and Communications Integration Center: 
- Industrial Control Systems Cyber Emergency Response Team; 
- U.S. Computer Emergency Readiness Team. 

Source: GAO analysis of DHS information. GAO-15-6. 

[End of figure] 

* FPS is responsible for protecting nearly 9,000 federal facilities 
[Footnote 6] from physical attacks. As part of its facility protection 
mission, FPS conducts facility security assessments and recommends 
countermeasures, and provides law enforcement services to its 
protected facilities.[Footnote 7] 

* The Office of Infrastructure Protection is responsible for leading 
efforts to strengthen critical infrastructure security and resilience 
against all hazards, which include both physical and cyber attacks. 

* The Office of Cyber and Infrastructure Analysis is responsible for, 
among other things, providing analytic support to DHS leadership, 
assessing and informing national critical infrastructure risk-
management strategies, and developing or enhancing capabilities to 
support crisis action by identifying and prioritizing infrastructure. 

* The Office of Cybersecurity and Communications is responsible for 
enhancing the security, resilience, and reliability of the nation's 
cyber and communications infrastructure. 

* Within the Office of Cybersecurity and Communications, Federal 
Network Resilience is to identify common cybersecurity requirements 
across the federal government, collaborate with agencies to identify 
solutions, implement policy and technical solutions, and monitor the 
effectiveness of implemented solutions. 

* Within the Office of Cybersecurity and Communications, the National 
Cybersecurity and Communications Integration Center (NCCIC) is 
responsible for operating an around-the-clock cyber situational 
awareness, incident response, and management center for the federal 
government, intelligence community, and law enforcement. Two NCCIC 
subcomponents--the U.S. Computer Emergency Readiness Team (US-CERT) 
and the Industrial Control Systems Cyber Emergency Response Team 
(ICS-CERT)--are responsible for carrying out the NCCIC's cyber 
incident reporting and response functions. 

- US-CERT is responsible for providing analysis and information about 
malicious activity threatening the nation's networks, and provides a 
cyber reporting and response function to federal information system 
operators. For federal entities, reporting federal information 
security incidents to US-CERT is mandatory under reporting guidance 
established in accordance with the Federal Information Security 
Management Act of 2002 (FISMA).[Footnote 8] 

- ICS-CERT provides similar reporting and response functions for 
operators of control systems inside and outside of the federal 
government. Control systems are computers that are used to monitor and 
control sensitive processes and physical functions. Building systems 
generally employ control systems in their operations. 

* The Interagency Security Committee (ISC), a DHS-chaired organization 
composed of 54 member agencies and housed within the Office of 
Infrastructure Protection, is responsible for establishing policies 
for security in and protection of buildings and facilities in the 
United States occupied by federal employees for nonmilitary activities. 

GSA manages real property for many civilian federal agencies and has a 
large portfolio of owned and leased properties that it rents to its 
federal agency customers. GSA officials indicated that in federally-
owned facilities, GSA is generally responsible for the building 
systems they contain. In privately-owned facilities, the private owner 
is generally responsible for the building systems. GSA officials also 
said that federal agencies that are tenants in facilities that are 
under the control and custody of GSA could also be responsible for 
certain systems if the tenant has custodial control of the system, 
such as an access control system for their space within a facility. 

Selected Laws and Policies Relating to Physical and Cybersecurity of 
Federal Facilities: 

Table 1 shows some of the laws and policies that apply to federal 
facility physical security and cybersecurity. 

Table 1: Selected Federal Laws and Policies Governing the Protection 
of Building and Access Control Systems: 

The Homeland Security Act of 2002:
Under section 1706 of the Homeland Security Act of 2002, DHS is 
required to: 
* protect the buildings, grounds, and property that are owned, 
occupied, or secured by the federal government, as well as the persons 
on the property; and 
* in performance of such duties, DHS officers and agents are authorized 
to, among other things: 
- enforce federal laws and regulations for the protection of persons 
and property; and 
- investigate offenses against these properties and persons. 

The Federal Information Security Management Act of 2002: 
FISMA requires, among other things, that: 
* each agency develop, document, and implement an information security 
program to include periodic assessments of risk, policies and 
procedures that are based on these risk assessments, security 
awareness training for its personnel, and periodic testing and 
evaluation of information security policies; 
* each agency prepare and maintain inventories of major information 
systems under their control and to develop procedures for detecting, 
reporting, and responding to security incidents; 
* the Department of Commerce's National Institute of Standards and 
Technology (NIST) develop minimum information-security standards and 
guidelines for information systems used or operated by an agency or by 
a contractor of an agency or other organization on behalf of an 
agency, other than national security systems; 
* the Office of Management and Budget ensure the operation of a 
central federal information-security incident center that compiles and 
analyzes information about incidents that threaten information 
security and informs operators of agency information systems about 
current and potential threats and vulnerabilities; and 
* senior agency officials provide information security for the 
information and information systems that support the operations and 
assets under their control. 

NIST Standards and Guidelines: 
In accordance with FISMA, NIST is responsible for providing 
information security standards and guidelines for non-national 
security information and information systems. Among other guidelines, 
NIST has published guidance for securing industrial control systems. 

Presidential Policy Directive 21: 
Presidential Policy Directive 21 (PPD-21), issued in February 2013, 
establishes the protection of critical infrastructure against both 
physical and cyber threats as national policy. More specifically, the 
directive: 
* requires DHS to provide strategic guidance to promote the security 
and resilience of the nation's critical infrastructure; 
* tasks agency and department heads with the identification, 
prioritization, assessment, remediation, and security of their 
internal critical infrastructure that supports primary mission 
essential functions; 
* tasks GSA, in consultation with DHS and the Department of Defense, 
to provide or support government-wide contracts for critical 
infrastructure systems and ensure that such contracts include audit 
rights; 
* identifies sector lead agencies for 16 critical infrastructure 
sectors, including DHS and GSA as co-leads for the government 
facilities sector; and 
* identifies roles and responsibilities of sector lead agencies, which 
include serving as the day-to-day interface for the protection of 
critical infrastructure, to carry out incident management within the 
sector and provide support or technical assistance in assessing 
vulnerabilities in the sector. 

Source: GAO analysis. GAO-15-6. 

[End of table] 

Federal Facilities Contain Various Types of Building and Access 
Control Systems: 

As shown in figure 2, some types of building and access control 
systems in federal facilities include: 

* closed circuit camera systems include cameras, televisions or 
monitors, and recording equipment, and provide video surveillance 
capabilities; 

* access control systems include card readers, control panels, access 
control servers, and infrastructure such as door actuators and 
communications lines, which restrict access to authorized persons only; 

* fire annunciation and suppression systems include fire alarms, 
emergency communication equipment, and water-based or non-water-based 
suppression systems, designed to prevent, extinguish, or control a 
fire or other life safety event; 

* heating, ventilation, and air conditioning systems include equipment 
for heating, cooling, moisture control, ventilation or air handling, 
and measurement and control, often managed through a building 
automation system[Footnote 9]; 

* power and lighting control systems include lighting devices and 
their controls, advanced-metering controls, power distribution 
systems, and emergency power or lighting systems, which are also often 
managed through a building automation system; and 

* elevator control systems include operating machinery, safety 
systems, and a control system or panel. 

Figure 2: Some Types of Building and Access Control Systems in a 
Federal Facility: 

[Refer to PDF for image: illustration] 

Systems depicted: 

Closed circuit camera systems; 
Access control systems (badges and door locks); 
Fire annunciation and suppression; 
Heating, ventilation, and air-conditioning control systems; 
Power/lighting control systems; 
Elevator control system. 

Source: GAO. GAO-15-6. 

[End of figure] 

To increase efficiency, centralized control of building and access 
control systems is increasingly achieved through automation systems. 
Building and access control systems, automation systems, and the 
devices within them, are now often configured with connections to the 
Internet. These Internet connections allow the systems to be accessed 
remotely, for example, to receive software patches and updates. Figure 
3 shows an example of a facility where a heating, ventilation, and air-
conditioning system is managed through a building automation system 
and operated over a control network. In this example, the information 
systems and networks used by this building's tenant are protected by a 
firewall--a common cybersecurity countermeasure--while the control 
network and its devices have direct Internet connectivity. 

Figure 3: Example of the Connectivity of a Heating, Ventilation, and 
Air-Conditioning System via the Internet: 

[Refer to PDF for image: illustration] 

Connectivity depicted: 

Internet: 

Remote monitoring and maintenance. 

Cyber threat sources. 

Firewall: 
Information systems and networks. 

Control network: 
Building automation system: 
Control device: Boiler unit; 
Control device: Chiller unit. 

Source: GAO. GAO-15-6. 

[End of figure] 
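The connectivity shown in figure 3 (tenant systems behind a firewall, the control network directly Internet-reachable) and the GSA assessment finding above (login required was checked, password complexity enforcement was not) can both be expressed as inventory checks. The following is an added example, not code from the GAO report or from any DHS or GSA assessment tool; the device records and field names are constructed for illustration.

```python
"""Added example, not part of the GAO report or of any agency tool.

It models two assessment gaps the report describes, over a constructed
inventory of building and access control devices:

  1. The connectivity in figure 3: tenant information systems sit behind a
     firewall while the control network (building automation system, boiler
     and chiller controllers) is directly Internet-reachable for remote
     monitoring and maintenance.
  2. The GSA finding that some assessments checked whether an identity and
     password were required for login but not whether password complexity
     rules were enforced.

Every device record and field name here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Device:
    name: str
    zone: str                      # "tenant" or "control" (the two networks in figure 3)
    behind_firewall: bool          # traffic to/from the device passes a firewall
    internet_reachable: bool       # device has a direct route to/from the Internet
    remote_maintenance: bool       # remote monitoring/maintenance path is enabled
    login_required: bool           # identity and password required to log in
    complexity_enforced: Optional[bool]  # None = the assessment did not check this


def exposure_findings(dev: Device) -> List[str]:
    """Connectivity findings in the spirit of figure 3."""
    findings = []
    if dev.internet_reachable and not dev.behind_firewall:
        where = "control-network" if dev.zone == "control" else "tenant"
        findings.append(f"{where} device directly Internet-reachable with no firewall")
    if dev.remote_maintenance and not dev.behind_firewall:
        findings.append("remote monitoring/maintenance path is not mediated by a firewall")
    return findings


def authentication_findings(dev: Device) -> List[str]:
    """Authentication findings; keeps 'not enforced' distinct from 'not
    assessed', the distinction the sampled GSA reports did not make."""
    if not dev.login_required:
        return ["no identity/password required for login"]
    if dev.complexity_enforced is None:
        return ["password complexity enforcement not assessed"]
    if not dev.complexity_enforced:
        return ["password complexity rules not enforced"]
    return []


def assess(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each device name to its findings (an empty list means none)."""
    return {d.name: exposure_findings(d) + authentication_findings(d) for d in inventory}


def unassessed_controls(inventory: List[Device]) -> List[str]:
    """Devices whose assessment left password complexity unexamined; these are
    gaps in the assessment itself, not confirmed weaknesses."""
    return [d.name for d in inventory
            if d.login_required and d.complexity_enforced is None]


# Constructed inventory mirroring figure 3: one tenant host, a building
# automation server and two control devices on the control network.
SAMPLE_INVENTORY = [
    Device("tenant-workstation", "tenant", behind_firewall=True, internet_reachable=True,
           remote_maintenance=False, login_required=True, complexity_enforced=True),
    Device("bas-server", "control", behind_firewall=False, internet_reachable=True,
           remote_maintenance=True, login_required=True, complexity_enforced=None),
    Device("boiler-controller", "control", behind_firewall=False, internet_reachable=True,
           remote_maintenance=False, login_required=True, complexity_enforced=False),
    Device("chiller-controller", "control", behind_firewall=False, internet_reachable=False,
           remote_maintenance=False, login_required=False, complexity_enforced=None),
]


if __name__ == "__main__":
    for name, findings in assess(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings) if findings else 'no findings'}")
    print("complexity not assessed:", unassessed_controls(SAMPLE_INVENTORY))
```

Run stand-alone it prints one line per device; the tenant workstation behind the firewall produces no findings, while the control-network devices are flagged for exposure and for the authentication checks that were either failed or never performed.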

Sources of Cyber Threats to Building and Access Control Systems: 

Cyber threats are any circumstance or event with the potential to 
adversely affect organizational operations (including mission, 
functions, image, or reputation), organizational assets, individuals, 
other organizations, or the nation through an information system via 
unauthorized access, destruction, disclosure, modification of 
information, or denial of service. Cyber threat sources include 
corrupt employees, criminal groups, hackers, and terrorists. These 
threat sources vary in terms of the capabilities of the actors, their 
willingness to act, and their motives, which can include monetary or 
political gain or mischief, among other things. Cyber threat sources 
may make use of various cyber techniques, or exploits, to adversely 
affect systems or networks. More detailed information on sources of 
cyber threats and types of exploits can be found in appendix II. 

Insider threats--which can include disgruntled employees, contractors, 
or other persons abusing their positions of trust--also represent a 
significant threat to building and access control systems, given their 
access to and knowledge of these systems. Because of this threat, even 
standalone systems (those with no external network connections) are 
at risk. 

Moreover, from fiscal year 2011 to fiscal year 2014, the number of 
cyber incidents reported to DHS involving industrial control systems, 
which include building and access control systems, increased from 140 
incidents to 243 incidents, an increase of 74 percent. The following 
examples illustrate that these systems are at risk: 

* In 2014, a federal agency reported a cyber incident at a wastewater 
treatment plant.[Footnote 10] 

* In 2013, the retailer Target experienced a breach in its payment 
card data, which the company believes occurred after intruders 
obtained a heating, ventilation, and air-conditioning system vendor's 
credentials to access the outermost portion of its network. 

* In 2010, a sophisticated computer attack known as Stuxnet was 
discovered that targeted control systems used to operate industrial 
processes in the energy, nuclear, and other critical sectors. 

* In 2009, a security guard at a Dallas-area hospital loaded a 
malicious program onto the hospital's computers, one of which 
controlled the heating, ventilation, and air-conditioning control 
system for two floors, which, according to court records, could have 
affected patients' medications and treatments. 

* In 2006, Los Angeles city employees hacked into computers 
controlling the city's traffic lights, an action that disrupted signal 
lights and caused substantial backups and delays. 

Cybersecurity experts that we interviewed also generally said that 
building and access control systems are vulnerable to cyber attacks. 
One expert, for example, noted that control systems were not designed 
with cybersecurity in mind. 

DHS and Other Stakeholders Are Taking Preliminary Steps to Address 
Cyber Risk to Building and Access Control Systems, but Significant 
Work Remains: 

DHS Does Not Have a Strategy to Address Cyber Risk to Building and 
Access Control Systems: 

DHS has taken preliminary steps to begin to understand the cyber risk 
to building and access control systems but has not developed a 
strategy. Section 1706 of the Homeland Security Act of 2002 authorizes 
DHS to protect federal facilities and PPD-21 requires it to provide 
strategic guidance to promote the security and resilience of the 
nation's critical infrastructure, which includes federal facilities, 
to cyber and physical threats. In addition, as we reported in 2013, 
implementing a comprehensive strategic approach to cybersecurity 
requires the development of a strategy to guide the activities that 
will support this approach.[Footnote 11] In guidance that we developed 
to assist agencies in implementing the Government Performance and 
Results Act of 1993,[Footnote 12] we stated that developing a strategic plan 
can help clarify organizational priorities and unify employees in the 
pursuit of shared goals. 

DHS, in particular NPPD, has taken preliminary steps to begin 
understanding the cyber risk to building and access control systems. 
For example, in 2013, NPPD components--including FPS, the Office of 
Infrastructure Protection, and ICS-CERT--conducted a joint assessment 
of the physical security and cybersecurity in a recently renovated GSA 
facility in the Washington, D.C., area.[Footnote 13] Also in 2013, FPS 
prepared a discussion paper for ISC identifying the types of building 
systems that could be assessed for cyber risk, including heating, 
ventilation, and air conditioning; access controls; closed-circuit 
video; fire annunciation panels; and security command and control 
centers. According to FPS's discussion paper, to identify cyber 
vulnerabilities, assessments should be used to determine if these 
systems are connected and remotely operated and what security controls 
are in place, such as firewalls. 

However, DHS has not developed a strategy that: 

* defines the problem, 

* identifies the roles and responsibilities, 

* analyzes the resources needed, and: 

* identifies a methodology for assessing cyber risk to building and 
access control systems. 

As we reported in 2013,[Footnote 14] a strategy is a starting point 
that defines the problem and risk intended to be addressed by 
organizations as well as plans for (1) tackling the problem and risk, 
(2) allocating and managing the appropriate resources, and (3) 
identifying different organizations' roles and responsibilities. In 
particular, the absence of a strategy that clearly defines the roles 
and responsibilities of key components within DHS has contributed to 
the lack of action within the Department. For example, no one within 
DHS is assessing or addressing cyber risk to building and access 
control systems particularly at the nearly 9,000 federal facilities 
protected by FPS. 

In addition, because DHS has not developed a strategy, several 
components within DHS have made different assertions about their roles 
and responsibilities. For example, FPS's Deputy Director for Policy 
and Programs said that FPS's authority includes cybersecurity. 
However, FPS is not assessing cyber risk because, according to this 
official, it does not have the expertise. Furthermore, although ICS-
CERT has developed a tool to assess cyber risk, it also is not 
assessing cyber risk to building and access control systems at federal 
facilities. Moreover, NPPD's Federal Network Resilience is to, among 
other things, identify common cybersecurity requirements across the 
federal government, but it also is not working on issues regarding the 
cyber risk of building and access control systems in the federal 
government. An official from the Office of the Under Secretary of NPPD 
acknowledged that NPPD has not yet determined roles and 
responsibilities, including what entity should conduct cyber risk 
assessments of FPS-protected facilities or what assessment tool should 
be used. This official said that the Department has not developed a 
strategy, in part, because cyber threats involving building and access 
control systems are an emerging issue. 

The lack of a strategy was also reflected in DHS's guidance to federal 
agencies on reporting computer security incidents. Before October 1, 
2014, DHS's guidance for federal agencies on reporting computer 
security incidents did not specify that information systems included 
industrial control systems. A DHS director said that the lack of clear 
guidance on reporting cyber incidents involving industrial control 
systems may have contributed to the lack of incident reporting by 
federal agencies. From fiscal year 2010 to August 2014, out of 851 
reported industrial control system incidents, DHS received only one 
from a federal agency, which did not involve a building or access 
control system.[Footnote 15] On October 1, 2014, DHS issued guidance 
clarifying that information systems include industrial control systems 
and that federal agencies should report all information security 
incidents to US-CERT. A DHS official said that the guidance was 
clarified in part because of questions that we raised during our 
review. 

By not developing a strategy for addressing cyber risk to building and 
access control systems, DHS and, in particular, NPPD, have not 
effectively articulated a vision for organizing and prioritizing 
efforts to address the cyber risk facing federal facilities that DHS 
is responsible for protecting. DHS also faces limitations in ensuring 
that its resources are allocated appropriately and not resulting in 
duplication. Furthermore, by not assessing the risk to these systems 
and taking steps to reduce that risk, federal facilities may be 
vulnerable to cyber attacks. Security officials at DHS and tenant 
agencies at FPS-protected facilities that we visited, as well as 
experts whom we interviewed, suggested various possible consequences 
of cyber attacks on these systems, including: 

* allowing people to gain unauthorized access to facilities; 

* damaging temperature-sensitive equipment, such as in data centers; 

* causing life-safety systems such as fire alarms or sprinklers to 
give false alarms or fail to alarm in the event of an emergency, 
malfunctions that could result in injury or a loss of life; 

* disabling facilities due to lack of power or other environmental 
needs; 

* providing access to information systems; 

* having to temporarily evacuate facilities; and: 

* damaging the government's credibility if it was unable to protect 
its employees. 

ISC Has Not Incorporated Cybersecurity in Its Design-Basis Threat 
Report: 

Housed within DHS, ISC, which was established to enhance the quality 
and effectiveness of physical security in federal facilities, is 
responsible for developing physical security standards for nonmilitary 
federal facilities. However, it has not incorporated cybersecurity in 
its Design-Basis Threat report, which establishes the characteristics 
of the threat environment to be used in conjunction with all ISC 
standards.[Footnote 16] The report, which identifies and describes 
numerous undesirable events under various scenarios and their 
probability of occurring as well as establishing a profile of the 
types, composition, and capabilities of adversaries, is applicable to 
all buildings and facilities in the United States occupied by federal 
employees for nonmilitary activities. Aside from certain intelligence-
related exceptions, Executive Order 12977 requires executive branch 
departments and agencies to cooperate and comply with ISC's policies 
and recommendations, including any standards that ISC sets. Its 
standards are developed based on leading security practices across the 
government and set forth a decision-making process to help ensure that 
agencies have effective physical security programs in place. 

According to ISC, the unpredictable nature of adversaries makes it 
difficult to determine what specific factors will make a facility an 
attractive target. However, ISC stated that because federal facilities 
include some highly symbolic federal and commercial office buildings, 
laboratories, and warehouses--some of which are used to store high-
risk items such as weapons and drugs--this causes them to be more 
likely targets for adversaries or terrorists who attempt to disable a 
building or access control system in order to carry out an attack. 
Moreover, as we have previously reported, threats to systems 
supporting critical infrastructure and federal information systems are 
evolving and growing.[Footnote 17] The Director of National 
Intelligence has warned of the increasing globalization of cyber 
attacks, including those carried out by foreign militaries or 
organized international crime. In January 2012, he testified before 
Congress that such threats pose a critical national and economic 
security concern. To further highlight the importance of the threat, 
on October 11, 2012, the Secretary of Defense stated that the 
collective result of attacks on our nation's critical infrastructure 
could be "a cyber Pearl Harbor, an attack that would cause physical 
destruction and the loss of life." An ISC official said that while ISC 
is concerned about cyber threats to federal facilities and is 
currently pursuing efforts to minimize them, it views this threat as 
one among a number of threats facing federal facilities. The official 
said that recent active shooter and workplace violence incidents have 
caused the membership to focus the committee's efforts on policies in 
those areas first. However, incorporating the cyber threat to building 
and access control systems in ISC's Design-Basis Threat report will 
inform agencies about this threat so they can begin to assess its 
risk. It also could prevent federal agencies from expending limited 
resources on methodologies that may result in duplication. 

Use of ISC standards is beneficial because they are intended to 
provide agencies with tools and approaches for consistently and cost-
effectively establishing a baseline level of protection at all 
facilities commensurate with identified risks at those facilities. 
Although it is important to tailor physical security to facilities so 
that the unique risks at individual facilities are addressed, a 
consistent approach to certain aspects of physical security is 
beneficial because it helps ensure that all facilities are covered by 
a baseline level of physical security commensurate with identified 
risks at those facilities. 

At three of the five FPS-protected facilities that we visited, we 
found that information technology officials varied in how they were 
securing the access control systems owned by their agencies. At one 
agency, the chief information security officer said that as part of 
securing an access control system that was connected to the agency's 
information network, his office conducts procedures to certify the 
security controls of the agency's information systems and to formally 
authorize and accept the risk associated with their operation. The 
official said the system is connected to the agency's information 
network to comply with Homeland Security Presidential Directive 12, 
which requires the establishment of a mandatory, government-wide 
standard for secure and reliable forms of identification for federal 
government employees and contractors. At another agency, officials 
said that its access control system was not connected to the agency's 
information network, but complied with FISMA requirements. Officials 
at a third facility said that its access control systems, which are 
not connected to the agency's information network, are part of its 
FISMA inventory. In addition, security officials at one of the 
facilities we visited said that they were not concerned with the 
cybersecurity of the security system that the agency owns because it 
is a standalone system. The officials said that they plan to upgrade 
the security system in the near future, an upgrade that they said 
would comply with information security standards and policies, would 
be installed on the agency's network, and not have remote capability 
from outside the network. 

An ISC official said that ISC is currently pursuing efforts to 
mitigate cyber threats. In 2013, ISC's Subcommittee on Convergence 
prepared a draft white paper, Securing Government Assets through 
Combined Traditional Security and Information Technology, on how 
security systems could be better protected through coordination 
between information technology and security officials. The draft white 
paper recommends that agency information and security officials 
develop memorandums of agreement and interagency service agreements 
defining roles and responsibilities for securing electronic security 
systems. The subcommittee chairman said that those recommendations 
directly apply to security systems such as access controls, cameras, 
and alarms and "loosely apply" to the other building systems. In 
September 2014, an ISC official said the Committee was incorporating 
comments from member agencies for final processing and that the white 
paper will be a report to help agencies achieve convergence between 
their physical security and information technology communities, and 
will not be a set of standards or guidance. 

GSA Has Not Fully Assessed Cyber Risk to Its Building Control Systems 
in Federal Facilities: 

FISMA requires federal agencies to periodically assess the cyber risk 
and magnitude of harm that could result from the unauthorized access, 
use, disclosure, disruption, modification, or destruction of 
information and information systems that support the operations and 
assets under their control. FISMA also requires the periodic testing 
and evaluation of the effectiveness of agency information security 
policies, procedures, and practices, including testing of management, 
operational, and technical controls of all major systems. To assist 
federal agencies with implementing FISMA requirements, NIST has issued 
standards and guidelines that are applicable to all non-national 
security information systems.[Footnote 18] One of those guides, 
NIST's Risk Management Framework, states that organizations should 
assess security controls using appropriate procedures to determine the 
extent to which the controls are implemented correctly, operating as 
intended, and producing the desired outcome with respect to meeting 
the security requirements of the system. 

Neither GSA nor DHS (as discussed above) is fully assessing the risk of 
a cyber attack on the building control systems in about 1,500 
FPS-protected facilities.[Footnote 19] Instead, GSA has conducted 
security control assessments of these systems. However, these 
assessments are designed to determine the effectiveness of the controls 
associated with a building control system and do not fully assess all 
elements of the risk (e.g., the threat, vulnerability, and consequence) 
of a cyber attack on the control system. 

Moreover, GSA has not conducted security control assessments for all 
of its systems that are in about 1,500 FPS-protected facilities. In 
November 2014, GSA information technology officials said that from 
2009 to 2014, the agency conducted 110 security assessments of the 
building control systems that are in about 500 of its 1,500 
facilities. GSA has not yet assessed the security of control systems 
with network or Internet connections in about 200 buildings. GSA 
officials stated that they plan to assess these systems during fiscal 
year 2015. According to these officials, GSA also plans to assess the 
security of standalone control systems in about 800 buildings when 
they are converted to network- and Internet-connected systems. 

Further, our review of 20 of GSA's 110 security assessment reports 
(between 2010 and 2014) shows that they were not comprehensive and not 
fully consistent with NIST guidelines. For example, in 5 of the 20 
reports we reviewed, GSA assessed the building control device to 
determine whether a user identity and password were required for login 
but did not assess whether the device enforced password complexity 
rules. A device that requires a password but does not enforce 
complexity rules can still be protected by a weak or default password. 

GSA also conducted its assessments of building control systems in a 
laboratory setting, which allowed it to test components and to identify 
weaknesses in their default configurations. However, GSA does not 
conduct further assessments after installation, when configuration 
settings may no longer reflect their default values. As a result, GSA 
has limited assurance that the configurations it assessed reflect the 
configurations implemented in the facility, which increases the 
risk that vulnerabilities in installed building control systems will 
not be detected. 
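The two assessment gaps described above (checking only that a password is required rather than that complexity rules are enforced, and assessing a default configuration in the lab without re-checking the installed device) can both be closed with a short, repeatable check. The following is an added illustration, not GAO's or GSA's assessment procedure: the simulated controller, its configuration keys, the complexity policy, the weak-password list and the sample configurations are all constructed assumptions for the example.

```python
"""Two checks a building control system security assessment should cover:
does the device actually enforce password complexity (not merely require a
password), and has the installed configuration drifted from the one
assessed in the lab.

Added example; not GAO's or GSA's assessment procedure. The simulated
device, its configuration keys, the complexity policy and the weak
password list are assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass

# Weak candidates an assessor submits to learn whether the device rejects them.
WEAK_CANDIDATES = ["1234", "password", "admin", "Password1"]

# Settings that should not appear on an installed device (assumed policy).
RISKY_SETTINGS = {"net.telnet": "true", "net.remote_mgmt_from_internet": "true"}


def meets_complexity(pw: str, min_len: int = 12) -> bool:
    """Assumed policy: at least min_len characters and three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3


@dataclass
class Device:
    """Simulated controller. A password is always required, so a check that
    stops at 'is a password required?' passes for every device; whether weak
    passwords are rejected depends on one configuration key."""
    name: str
    config: dict
    password: str = "admin"  # vendor default

    def set_password(self, new: str) -> bool:
        if not new:
            return False  # the 'password required' check always passes
        if self.config.get("auth.password_complexity") == "true" and not meets_complexity(new):
            return False
        self.password = new
        return True


def probe_complexity(dev: Device) -> list:
    """Weak candidates the device accepted; an empty list means complexity is
    enforced. The original password is restored afterwards."""
    saved = dev.password
    accepted = [pw for pw in WEAK_CANDIDATES if dev.set_password(pw)]
    dev.password = saved
    return accepted


def config_drift(baseline: dict, installed: dict) -> dict:
    """Keys whose installed value differs from the value assessed in the lab."""
    return {k: (baseline.get(k), installed.get(k))
            for k in sorted(baseline.keys() | installed.keys())
            if baseline.get(k) != installed.get(k)}


def assess(dev: Device, baseline: dict) -> list:
    """Findings for one installed device, as strings an assessor could report."""
    findings = []
    accepted = probe_complexity(dev)
    if accepted:
        findings.append(f"{dev.name}: password complexity not enforced; accepted {accepted}")
    for key, bad in RISKY_SETTINGS.items():
        if dev.config.get(key) == bad:
            findings.append(f"{dev.name}: {key}={bad}")
    for key, (lab, live) in config_drift(baseline, dev.config).items():
        findings.append(f"{dev.name}: {key} assessed as {lab!r}, installed as {live!r}")
    return findings


# Constructed sample: the configuration the lab assessment examined ...
LAB_BASELINE = {
    "auth.password_complexity": "true",
    "net.telnet": "false",
    "net.remote_mgmt_from_internet": "false",
}

# ... and what two installed controllers report after the integrator left.
INSTALLED = [
    Device("hvac-ctl-1", dict(LAB_BASELINE)),
    Device("hvac-ctl-2", {"auth.password_complexity": "false",
                          "net.telnet": "true",
                          "net.remote_mgmt_from_internet": "false"}),
]


def assess_all(devices=INSTALLED, baseline=LAB_BASELINE) -> dict:
    """Findings keyed by device name; an empty list means no findings."""
    return {d.name: assess(d, baseline) for d in devices}


if __name__ == "__main__":
    for name, findings in assess_all().items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The point of the probe is that a device can pass a "password required" check and still accept "1234"; only submitting weak candidates shows whether complexity is enforced. The drift comparison is what a post-installation assessment adds over the laboratory one: the second controller here would have passed the lab assessment of its defaults and still be installed with telnet enabled and complexity turned off.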

In November 2014, GSA's Chief Information Officer said that GSA is 
conducting its security assessments in this manner because the 
agency's approach to assessing cyber risk to these systems is 
evolving. Until GSA fully and effectively assesses the information 
security over all of its building control systems, it will have 
diminished assurance that the systems' security controls are 
effectively implemented and operating as intended. 

Conclusions: 

Because federal facilities are a part of the nation's critical 
infrastructure and include some highly symbolic federal and commercial 
office buildings, laboratories, and warehouses--some of which are used 
to store high risk items such as weapons and drugs--determining the 
extent to which building and access control systems within them are 
vulnerable to cyber attacks is critical to providing security. 
However, DHS faces challenges in determining the extent to which 
building and access control systems in federal facilities are 
vulnerable to cyber attacks because it lacks a strategy that defines 
the problem, identifies the roles and responsibilities for securing 
these systems, analyzes the resources needed to assess cyber risk to 
the systems, and a methodology for assessing cyber risk to building 
and access control systems. Moreover, without a strategy that 
addresses cyber risk to building and access control systems in federal 
facilities, key stakeholders, particularly within NPPD, do not have a 
clear understanding of their roles and responsibilities. And as a 
result, no one in DHS is assessing the cyber risk to building and 
access control systems at the almost 9,000 facilities protected by 
FPS. A strategy will help DHS to begin addressing this threat. 

Federal agencies that own building and access control systems may be 
hampered in addressing cyber risk of building and access control 
systems because ISC has not identified this threat in its Design-Basis 
Threat report to federal agencies. According to experts and security 
officials we interviewed, not addressing this threat could result in 
disruptions of agency operations or harm to occupants of federal 
facilities. In addition, because GSA owns building control systems in 
about 1,500 FPS-protected facilities that are part of the nation's 
critical infrastructure, it is vital that these systems are assessed 
in a manner that is fully consistent with FISMA and its implementation 
guidelines. 

Recommendations for Executive Action: 

First, we recommend that the Secretary of Homeland Security, in 
consultation with GSA, develop and implement a strategy to address 
cyber risk to building and access control systems that, among other 
things: 

* defines the problem; 

* identifies roles and responsibilities; 

* analyzes the resources needed; and: 

* identifies a methodology for assessing this cyber risk. 

Second, we recommend that the Secretary of Homeland Security direct 
ISC to incorporate the cyber threat to building and access control 
systems into ISC's list of undesirable events in its Design-Basis 
Threat report. 

Third, we recommend that the Administrator of the General Services 
Administration assess the building and access control systems that it 
owns in FPS-protected facilities in a manner that is fully consistent 
with FISMA and its implementation guidelines. 

Agency Comments: 

We provided copies of a draft of this report to DHS and GSA for their 
review and comment. DHS provided written comments, reprinted in 
appendix III, agreeing with the report's recommendations. DHS also 
provided technical comments, which we incorporated as appropriate. GSA 
provided written comments, reprinted in appendix IV, agreeing with the 
report's recommendations. 

As arranged with your office, unless you publicly announce its 
contents earlier, we plan no further distribution of this report until 
30 days from the date of this report. At that time, we will send 
copies of this report to the Secretary of Homeland Security, the 
Director of the Federal Protective Service, the Administrator of the 
General Services Administration, the Director of the Office of 
Management and Budget, and other interested parties. The report will 
also be available on the GAO website at no charge at [hyperlink, 
http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact Mark Goldstein at (202) 512-2834 or goldsteinm@gao.gov or 
Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made major 
contributions to this report are listed in appendix V. 

Signed by: 

Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendix I: Objective, Scope, and Methodology: 

Our objective was to review the extent to which the Department of 
Homeland Security (DHS) and other stakeholders are prepared to address 
cyber risks to systems in facilities protected by the Federal 
Protective Service (FPS). 

To perform this work, we reviewed DHS's and other stakeholders' 
authorities to protect federal facilities. We also reviewed DHS's risk 
assessment tools; the Interagency Security Committee's guidance and 
standards on securing federal facilities; and the National Institute 
of Standards and Technology's cybersecurity guidelines and standards. 
We also interviewed DHS and FPS headquarters officials about actions 
being taken and future plans to address cyber risk to systems. 

We visited five FPS-protected facilities in the Washington, D.C., area 
to determine what FPS and other stakeholders were doing to assess and 
mitigate cyber threats to systems. We determined that there were a 
sufficient number of facilities in the Washington, D.C., area to 
represent different types of ownership, different security levels, 
[Footnote 20] and uses. Three of the five facilities were government-
owned and two were leased from private owners. In addition, one was a 
multi-tenant facility where we interviewed four tenants and the 
facility security committee. We also selected facilities housing 
tenants with different missions, including an agency with research 
laboratories. At these facilities, we interviewed facility security 
and information security officials from the General Services 
Administration (GSA), tenant agencies, and facility owners if they 
were leased facilities. We also visited an FPS MegaCenter, which is 
responsible for monitoring alarms from and maintaining communications 
with field locations, to determine what steps were being taken to 
secure systems in that facility. The findings from these site visits 
are not generalizable to all FPS-protected facilities. 

We also reviewed GSA's security assessment procedures and a sample of 
GSA's security assessment reports on building systems, and discussed 
them with agency information technology officials. The findings from 
those reviews are not generalizable to all of GSA's assessment reports. 

We reviewed the report of the National Protection and Programs 
Directorate's (NPPD) pilot combined cyber and physical security 
assessment and reviewed and discussed the assessment methodologies 
used with officials in various NPPD components. Furthermore, we 
collected and analyzed data from the Industrial Control Systems Cyber 
Emergency Response Team (ICS-CERT) on cyber incident reports from 
fiscal year 2010 to fiscal year 2014, and discussed them with the 
Director of ICS-CERT. ICS-CERT also provided information about the 
steps that it took to ensure the completeness and reliability of these 
data, which we determined were sufficiently reliable for our purposes. 

To obtain information about the extent to which systems are vulnerable 
to cyber attacks and the possible consequences, we interviewed DHS 
officials and experts and reviewed literature and reports. We selected 
10 experts from academia and the private sector with relevant 
experience. These experts were selected through our research, a 
previous cybersecurity review, and referrals from other experts. The 
experts' views are not generalizable, but provided a range of 
perspectives on securing these systems. 

We conducted this performance audit from November 2013 through 
December 2014 in accordance with generally accepted government 
auditing standards. Those standards require that we plan and perform 
the audit to obtain sufficient, appropriate evidence to provide a 
reasonable basis for our findings and conclusions based on our audit 
objective. We believe that the evidence obtained provides a reasonable 
basis for our findings and conclusions based on our audit objective. 

[End of section] 

Appendix II: Sources of Cyber-Based Threats and Types of Exploits: 

Table 2: Sources of Cyber-Based Threats: 

Threat source: Bot-network operators; 
Description: Bot-net operators use a network of compromised, remotely 
controlled systems, referred to as a bot-net, to coordinate attacks 
and to distribute phishing schemes, spam, and malware attacks. The 
services of these networks are sometimes made available on underground 
markets (e.g., purchasing a denial-of-service attack or services to 
relay spam or phishing attacks). 

Threat source: Business competitors; 
Description: Companies that compete against or do business with a 
target company may seek to obtain sensitive information to improve 
their competitive advantage in various areas, such as pricing, 
manufacturing, product development, and contracting. 

Threat source: Criminal groups; 
Description: Organized criminal groups use spam, phishing, and 
spyware/malware to commit identity theft, online fraud, and computer 
extortion. 

Threat source: Hackers; 
Description: Hackers break into networks for the thrill of the 
challenge, bragging rights in the hacker community, revenge, stalking, 
monetary gain, and political activism, among other reasons. While 
gaining unauthorized access once required a fair amount of skill or 
computer knowledge, hackers can now download attack scripts and 
protocols from the Internet and launch them against victim sites. 
Thus, while attack tools have become more sophisticated, they have also 
become easier to use. 

Threat source: Insiders; 
Description: A disgruntled or corrupt organization insider is a source 
of computer crime. The insider may not need a great deal of knowledge 
about computer intrusions because his or her knowledge of a target 
system is sufficient to allow unrestricted access to cause damage to 
the system or to steal system data. The insider threat includes 
malicious current and former employees and contractors hired by the 
organization, as well as careless or poorly trained employees who may 
inadvertently introduce malware into systems. 

Threat source: Nations; 
Description: Nations use cyber tools as part of their information-
gathering and espionage activities. In addition, several nations are 
aggressively working to develop information warfare doctrines, 
programs, and capabilities. Such capabilities enable a single entity 
to have a significant and serious impact by disrupting the supply, 
communications, and economic infrastructures that support military 
power--impacts that could affect the daily lives of citizens across 
the country. In his January 2012 testimony, the Director of National 
Intelligence stated that, among state actors, China and Russia are of 
particular concern. 

Threat source: Phishers; 
Description: Individuals or small groups execute phishing schemes in 
an attempt to steal identities or information for monetary gain. A 
phisher may also use spam and spyware or malware to accomplish their 
objectives. 

Threat source: Spammers; 
Description: An individual or organization that distributes 
unsolicited e-mail with hidden or false information in order to sell 
products, conduct phishing schemes, distribute spyware or malware, or 
attack organizations (e.g., a denial of service). 

Threat source: Spyware or malware authors; 
Description: Individuals or organizations with malicious intent carry 
out attacks against users by producing and distributing spyware and 
malware. 

Threat source: Terrorists; 
Description: A terrorist seeks to destroy, incapacitate, or exploit 
critical infrastructures in order to threaten national security, cause 
mass casualties, weaken the economy, and damage public morale and 
confidence. The terrorist may use phishing schemes or spyware/malware 
in order to generate funds or gather sensitive information. 

Source: GAO analysis based on data from the Director of National 
Intelligence, Department of Justice, Central Intelligence Agency, 
National Institute of Standards and Technology, and the Software 
Engineering Institute's CERT® Coordination Center. GAO-15-6. 

[End of table] 

Table 3: Types of Exploits: 

Type of exploit: Denial of service; 
Description: An attack that prevents or impairs the authorized use of 
networks, systems, or applications by exhausting resources. 

Type of exploit: Distributed denial of service; 
Description: A variant of the denial-of-service attack that uses 
numerous hosts to perform the attack. 

Type of exploit: Phishing; 
Description: A digital form of social engineering that uses authentic-
looking, but fake, e-mails to request information from users or direct 
them to a fake website that requests information. 

Type of exploit: Trojan Horse; 
Description: A computer program that appears to have a useful 
function, but also has a hidden and potentially malicious function 
that evades security mechanisms by, for example, masquerading as a 
useful program that a user would likely execute. 

Type of exploit: Virus; 
Description: A computer program that can copy itself and infect a 
computer without the permission or knowledge of the user. A virus 
might corrupt or delete data on a computer, use an e-mail program to 
spread itself to other computers, or even erase everything on a hard 
disk. Unlike a computer worm, a virus requires human involvement 
(usually unwitting) to propagate. 

Type of exploit: Worms; 
Description: A self-replicating, self-propagating, self-contained 
program that uses network mechanisms to spread. Unlike a computer 
virus, a worm does not require human involvement to propagate. 

Type of exploit: Exploits affecting the information security supply 
chain; 
Description: The installation of hardware or software that contains 
malicious logic (like a logic bomb, Trojan Horse, or a virus) or an 
unintentional vulnerability (the result of an existing defect, such as 
a coding error) or that may be counterfeited. A supply chain threat 
can also come from a failure or disruption in the production of a 
critical product, or a reliance on a malicious or unqualified service 
provider for the performance of technical services. 

Source: GAO analysis of unclassified government and nongovernment data. 
GAO-15-6. 

[End of table] 

[End of section] 

Appendix III: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

November 7, 2014: 

Mark L. Goldstein: 
Director, Physical Infrastructure Issues: 
U.S. Government Accountability Office: 
441 G Street NW: 
Washington, DC 20548: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
441 G Street NW: 
Washington, DC 20548: 

Re: Draft Report GAO-15-6, "Federal Facility Security: DHS Should 
Address Cyber Risk to Building and Access Control Systems" 

Dear Messrs. Goldstein and Wilshusen: 

Thank you for the opportunity to review and comment on this draft 
report. The U.S. Department of Homeland Security (DHS) appreciates the 
U.S. Government Accountability Office's (GAO's) work in planning and 
conducting its review and issuing this report. 

The Department is pleased to note GAO's positive acknowledgment of the 
preliminary steps DHS has taken, led by the National Protection and 
Programs Directorate (NPPD), to begin to understand the cyber risk to 
building and access control systems. DHS is committed to collaborating 
with its public, private, and international partners to secure 
cyberspace and America's cyber assets to safeguard critical 
infrastructure systems from cyber threats and attacks. 

The draft report contained two recommendations for DHS with which the 
Department concurs. Specifically, GAO recommended that the Secretary 
of Homeland Security: 

Recommendation 1: In consultation with GSA, develop and implement a 
strategy to address cyber risk to building and access control systems 
that, among other things: 

* defines the problem;
* identifies the roles and responsibilities;
* analyzes the resources needed; and 
* identifies a methodology for assessing this cyber risk. 

Response: Concur. NPPD's Federal Protective Service and Office of 
Infrastructure Protection (IP) and Office of Cybersecurity and 
Communications will consult with GSA, the Interagency Security 
Committee (ISC) and other relevant federal agencies to develop a 
strategy for addressing cyber risk to building and access control 
systems. This strategy will utilize best practices and lessons learned 
from the private sector experiences of the National Cybersecurity
and Communications Integration Center's Industrial Control Systems 
Cyber Emergency Response Team (ICS-CERT). Estimated Completion Date 
(ECD): May 29, 2015. 

Recommendation 2: Direct ISC to incorporate the cyber threat to 
building and access control systems into ISC's list of undesirable 
events in its Design-Basis Threat report. 

Response: Concur. As cited in the report, "federal facilities are part 
of the nation's critical infrastructure (and) determining the extent 
to which building and access control systems within them are 
vulnerable to cyber-attacks is critical to providing security." The 
ISC, which is chaired by the DHS Assistant Secretary of Infrastructure 
Protection and is composed of Chief Security Officers and other senior 
executives from 54 Federal departments and agencies, is working with
NPPD's United States Computer Emergency Readiness Team and ICS-CERT to 
incorporate potential cyber risks to buildings and access control 
systems into the Design-Basis Threat Report and Countermeasures 
Appendix. 

Since protecting federal facilities is a government-wide 
responsibility, NPPD will work through the ISC to ensure that GSA, 
federal departments and agencies, and other partners proactively
identify and mitigate cybersecurity risks to federal buildings and 
access control systems. As a next step, the ISC will convene with GSA 
and other agencies to plan for initial review of cyber risks to 
building access control and will issue additional guidance to its 
federal partners on appropriate countermeasures in the next annual 
review of the Design-Basis Threat Report. ECD: October 30, 2015. 

Again, thank you for the opportunity to review and provide comment on 
this draft report. Technical comments were previously provided under 
separate cover. Please feel free to contact me if you have any 
questions. We look forward to working with you in the future. 

Sincerely, 

Signed by: 

Jim H. Crumpacker, CIA, CFE: 
Director: 
Departmental GAO-OIG Liaison Office: 

[End of section] 

Appendix IV: Comments from the General Services Administration: 

The Administrator: 
U.S. General Services Administration: 
1800 F Street, NW: 
Washington, DC 20405: 
Telephone: (202) 501-0800: 
Fax: (202) 219-1243: 

November 26, 2014: 

The Honorable Gene L. Dodaro: 
Comptroller General of the United States: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Dodaro: 

The U.S. General Services Administration (GSA) appreciates the 
opportunity to review and comment on the draft report, "Federal 
Facility Cybersecurity: DHS and GSA Should Address Cyber Risk to 
Building and Access Control Systems" (GAO-15-6). 

The U.S. Government Accountability Office (GAO) recommends that GSA 
assess cyber risk of its building control systems in a manner that 
fully reflects FISMA and its guidelines. 

GSA agrees with the findings and the recommendations and will take 
appropriate action to ensure its assessments of the cyber risks of its 
building control systems are conducted in a manner that fully reflects 
FISMA and implementing guidelines. In addition, GSA will partner with 
the Department of Homeland Security to develop and implement a 
framework for these cyber risks. 

If you have any additional questions or concerns, please feel free to 
contact me at (202) 501-0800, or Ms. Lisa A. Austin, Associate 
Administrator, Office of Congressional and Intergovernmental Affairs, 
at (202) 501-0563. 

Sincerely, 

Signed by: 

Dan Tangherlini: 
Administrator: 

[End of section] 

Appendix V: GAO Contact and Staff Acknowledgments: 

GAO Contacts: 

Mark L. Goldstein, (202) 512-2934 or goldsteinm@gao.gov: 

Gregory C. Wilshusen, (202) 512-6244 or wilshuseng@gao.gov: 

Staff Acknowledgments: 

In addition to the contacts named above, Tammy Conquest, Assistant 
Director; John de Ferrari, Assistant Director; Geoff Hamilton, Bob 
Homan, Thomas Johnson, Seth Malaguerra, and SaraAnn Moessbauer made 
key contributions to this report. 

[End of section] 

Related GAO Products: 

Maritime Critical Infrastructure Protection: DHS Needs to Better 
Address Port Cybersecurity. [hyperlink, 
http://www.gao.gov/products/GAO-14-459]. Washington, D.C.: June 5, 
2014. 

Information Security: Agencies Need to Improve Cyber Incident Response 
Practices. [hyperlink, http://www.gao.gov/products/GAO-14-354]. 
Washington, D.C.: April 30, 2014. 

Federal Information Security: Mixed Progress in Implementing Program 
Components; Improved Metrics Needed to Measure Effectiveness. 
[hyperlink, http://www.gao.gov/products/GAO-13-776]. Washington, D.C.: 
September 26, 2013. 

Cybersecurity: National Strategy, Roles, and Responsibilities Need to 
Be Better Defined and More Effectively Implemented. [hyperlink, 
http://www.gao.gov/products/GAO-13-187]. Washington, D.C.: February 
14, 2013. 

Cybersecurity: Threats Impacting the Nation. [hyperlink, 
http://www.gao.gov/products/GAO-12-666T]. April 24, 2012. 

Cybersecurity: Continued Attention Needed to Protect Our Nation's 
Critical Infrastructure. [hyperlink, 
http://www.gao.gov/products/GAO-11-865T]. Washington, D.C.: July 26, 
2011. 

Information Security: TVA Needs to Address Weaknesses in Control 
Systems and Networks. [hyperlink, 
http://www.gao.gov/products/GAO-08-526]. Washington, D.C.: May 21, 
2008. 

Critical Infrastructure Protection: Multiple Efforts to Secure Control 
Systems Are Under Way, but Challenges Remain. [hyperlink, 
http://www.gao.gov/products/GAO-07-1036]. Washington, D.C.: September 
10, 2007. 

[End of section] 

Footnotes: 

[1] According to the National Institute of Standards and Technology, 
an "information system" is a discrete set of information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of information. Information systems can 
include diverse entities ranging from high-end supercomputers, 
workstations, personal computers, cellular telephones, and 
personalized digital assistants to very specialized systems such as 
weapons systems, telecommunications systems, industrial/process 
control systems, and environmental control systems. 

[2] "Cyber attacks" are defined as attacks conducted via cyberspace 
for the purpose of disrupting, disabling, destroying, or maliciously 
controlling computer infrastructure, destroying the integrity of the 
data, or stealing controlled information. 

[3] GAO, High Risk Series: An Update, [hyperlink, 
http://www.gao.gov/products/GAO-13-283] (Washington, D.C.: February, 
2013). 

[4] [hyperlink, http://www.gao.gov/products/GAO-13-283]. 

[5] Facility security levels are assigned to all federal, nonmilitary 
facilities based on criteria such as mission criticality, symbolism, 
and facility size and population. Levels range from one (lowest) to 
five (highest). 

[6] As of October 2014. 

[7] To fund its operations and contract guard program, federal tenant 
agencies in GSA-controlled facilities provide funding to FPS. 

[8] Title III of the E-Government Act of 2002, Pub. L. No. 107-347, 
116 Stat. 2946 (codified, as amended, at 44 U.S.C. § 3541-3549). 

[9] Building automation systems, also known as energy management 
control systems, provide centralized control, through the use of 
software and hardware (e.g., computers, modems, sensors, controllers, 
and printers), to monitor and adjust building systems such as a 
building's cooling systems (e.g., temperature settings and schedules 
for running equipment). A building automation system is intended 
to optimize the integrated performance of the individual equipment 
components that make up the system. Data can be recorded so they can 
be analyzed. 

[10] Details regarding this incident are law-enforcement sensitive and 
cannot be publicly disclosed. 

[11] GAO, Cybersecurity: National Strategy, Roles, and 
Responsibilities Need to Be Better Defined and More Effectively 
Implemented, [hyperlink, http://www.gao.gov/products/GAO-13-187] 
(Washington, D.C.: Feb. 14, 2013). 

[12] Pub. L. No. 103-62, 107 Stat. 285 (1993). See also Government 
Performance and Results Act Modernization Act of 2010, Pub. L. No. 111-
352, 124 Stat. 3866 (2011). 

[13] Each component used its own facility assessment tool or 
methodology. FPS used its Modified Infrastructure Survey Tool (MIST), 
the Office of Infrastructure Protection used the Infrastructure Survey 
Tool, and ICS-CERT performed an Architecture/Design Review Cyber 
Security assessment and a Network Architecture Verification and 
Validation analysis. 

[14] [hyperlink, http://www.gao.gov/products/GAO-13-187]. 

[15] Details regarding this incident are law-enforcement sensitive and 
cannot be publicly disclosed. 

[16] The Design-Basis Threat report is an appendix to ISC's physical 
security standard, The Risk Management Process for Federal Facilities 
(RMP), with which federal executive branch agencies must comply. Among 
other things, the RMP includes standards for agencies' facility risk 
assessment methodologies. 

[17] [hyperlink, http://www.gao.gov/products/GAO-13-187]. 

[18] NIST, Managing Information Security Risk: Organization, Mission, 
and Information System View, NIST Special Publication 800-39 
(Gaithersburg, Md.: March 2011); Guide for Applying the Risk 
Management Framework to Federal Information Systems: A Security Life 
Cycle Approach, NIST Special Publication 800-37 Revision 1 
(Gaithersburg, Md.: February 2010); and Guide for Conducting Risk 
Assessments, NIST Special Publication 800-30 Revision 1 (Gaithersburg, 
Md.: September 2012). 

[19] These 1,500 facilities are ones that the federal government owns. 
GSA does not own the building systems in leased facilities, which are 
the majority of facilities in its portfolio. 

[20] Tenants determine facility security levels in accordance with 
ISC's Risk Management Process for Federal Facilities. Every 
nonmilitary facility owned or leased by the federal government is 
rated from one (lowest level) to five (highest level) based on these 
factors: facility size, facility population, mission criticality, 
symbolism, and threat to tenant agencies. We visited three level four 
facilities, one level three facility, and one level two facility. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation, and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the 
performance and accountability of the federal government for the 
American people. GAO examines the use of public funds; evaluates 
federal programs and policies; and provides analyses, recommendations, 
and other assistance to help Congress make informed oversight, policy, 
and funding decisions. GAO's commitment to good government is 
reflected in its core values of accountability, integrity, and 
reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's website [hyperlink, http://www.gao.gov]. Each 
weekday afternoon, GAO posts on its website newly released reports, 
testimony, and correspondence. To have GAO e-mail you a list of newly 
posted products, go to [hyperlink, http://www.gao.gov] and select 
"E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO's actual cost of 
production and distribution and depends on the number of pages in the 
publication and whether the publication is printed in color or black 
and white. Pricing and ordering information is posted on GAO's 
website, [hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or 
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card, 
MasterCard, Visa, check, or money order. Call for additional 
information. 

Connect with GAO: 

Connect with GAO on Facebook, Flickr, Twitter, and YouTube.
Subscribe to our RSS Feeds or E-mail Updates. Listen to our Podcasts.
Visit GAO on the web at [hyperlink, http://www.gao.gov]. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 
Website: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]; 
E-mail: fraudnet@gao.gov; 
Automated answering system: (800) 424-5454 or (202) 512-7470. 

Congressional Relations: 

Katherine Siggerud, Managing Director, siggerudk@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, DC 20548. 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, DC 20548. 

[End of document]