This is the accessible text file for GAO report number GAO-09-983 entitled 'Homeland Security: Actions Needed to Improve Security Practices at National Icons and Parks' which was released on September 28, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Homeland Security, House of Representatives: United States Government Accountability Office: GAO: August 2009: Homeland Security: Actions Needed to Improve Security Practices at National Icons and Parks: GAO-09-983: GAO Highlights: Highlights of GAO-09-983, a report to the Chairman, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: The September 11 terrorist attacks have heightened concerns about the security of the nation’s icons and parks, which millions of people visit every year. The National Park Service (Park Service) within the Department of the Interior (Interior) is responsible for securing nearly 400 park units that include icons and other parks. In 2004, GAO identified a set of key protection practices that include: allocating resources using risk management, leveraging technology, information sharing and coordination, performance measurement and testing, and strategic management of human capital. As requested, GAO determined whether the Park Service’s security efforts for national icons and parks reflected key practices. To meet this objective, GAO used its key practices as criteria, reviewed five icons and parks to gain firsthand knowledge, analyzed Interior documents, and interviewed Interior officials. What GAO Found: The Park Service has implemented a range of security improvements since the September 11 terrorist attacks and has worked to integrate security into its primary mission to preserve national icons and parks for the public’s enjoyment. For example, it has established a senior-level security manager position and taken steps to strengthen security at the icons, and is developing a risk management program for small parks. These efforts exhibit some aspects of the key protection practices, but GAO found limitations in each of the areas. The Park Service does not allocate resources using risk management servicewide or cost-effectively leverage technology. While the Park Service, with assistance from Interior, has conducted risk assessments and implemented countermeasures to enhance security at the icons, some critical vulnerabilities remain. Moreover, the Park Service has not advanced this risk management approach for icons to the rest of its national parks. Without a servicewide risk management approach, the Park Service lacks assurance that security efforts are focused where they are needed. Furthermore, while icons and parks may use a variety of security technologies and other countermeasures, they do not have guidance for evaluating the cost-effectiveness of these investments, thus limiting assurances of efficiency and cost-effectiveness. Additionally, the Park Service faces limitations with sharing and coordinating information internally and lacks a servicewide approach for routine performance measurement and testing. Although the Park Service collaborates with external organizations, it lacks comparable arrangements for internal security communications and, as a result, parks are not equipped to share information with one another on common security problems and solutions. Furthermore, the Park Service has not established security performance measures and lacks an analysis tool that could be used to evaluate program effectiveness and inform an overall risk management strategy. Thus, icons and parks have little information on the status and performance of security that they can use to manage daily activities or that Park Service management can use to manage security throughout the organization. Finally, strategic human capital management is an area of concern because of the Park Service’s lack of clearly defined security roles and a security training curriculum. For example, staff that are assigned security duties are generally not required to meet qualifications or undergo specialized training. Absent a security training curriculum, there is less assurance that staff are well- equipped to effectively identify and mitigate risks at national icons and parks. What GAO Recommends: GAO is making six recommendations to the Secretary of the Interior. These include instructing the Park Service to develop a more comprehensive risk management approach, guidance and standards for leveraging technology, strategies to improve communications and to clearly define staff roles, and programs related to performance measurement, testing, and training. Interior concurred with the report’ s recommendations. View [hyperlink, http://www.gao.gov/products/GAO-09-983] or key components. For more information, contact Mark L. Goldstein at (202) 512-2834 or goldsteinm@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: The Park Service Does Not Manage Risk Servicewide or Ensure the Best Return on Security Technology Investments: The Park Service Lacks a Servicewide Approach to Sharing Information Internally and Measuring Performance: Human Capital Management Lacks a Security Focus: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope, and Methodology: Appendix II: Comments from the Department of the Interior: Appendix III: GAO Contact and Staff Acknowledgments: Tables: Table 1: Examples of Technologies and Other Countermeasures that Icons and Parks Use to Enhance Security: Table 2: Examples of Information Sharing and Coordination at Park Service Regions, Icons, and Parks: Table 3: Examples of Security-related Tests, Exercises, and Drills: Table 4: Security Positions at Regions, and Examples of Activities: Table 5: Security Positions at Icons and Parks, and Examples of Activities: Table 6: Security Training Examples: Figures: Figure 1: Perimeter Fencing at the African Burial Ground: Figure 2: Performance Measures, Uses, and Results: Abbreviations: African Burial Ground: African Burial Ground National Monument: DHS: Department of Homeland Security: FAA: Federal Aviation Administration: FBI: Federal Bureau of Investigation: FLETC: Federal Law Enforcement Training Center: FPS: Federal Protective Service: Gateway Arch: Jefferson National Expansion Memorial: Gettysburg: Gettysburg National Military Park: Grand Canyon: Grand Canyon National Park: GSA: General Services Administration: HSPD-7: Homeland Security Presidential Directive 7: IG: Inspector General: Interior: Department of the Interior: ISC: Interagency Security Committee: JTTF: Joint Terrorism Task Force: OLES: Office of Law Enforcement and Security: Park Service: National Park Service: Park Police: U.S. Park Police: Statue of Liberty: Statue of Liberty National Monument: Smithsonian: Smithsonian Institution: TSA: Transportation Security Administration: [End of section] United States Government Accountability Office: Washington, DC 20548: August 28, 2009: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: Dear Mr. Chairman: The September 11 terrorist attacks have heightened concerns about the security of the nation's icons and parks, which millions of people visit every year. Attacks on these assets could have profound psychological and economic effects. The National Park Service (Park Service), within the Department of the Interior (Interior), is responsible for protecting close to 400 park units that include 5 units Interior has identified as national icons and other types of parks. [Footnote 1] While the Park Service has taken some steps to enhance security, especially at icons and parks along the southwest border, protecting these treasured assets can be a complex and contentious task for the agency, which must also ensure that the public has access to them. In 2002, the Secretary of the Interior established the Office of Law Enforcement and Security (OLES) to oversee Interior's security efforts and to ensure their consistent application across its bureaus and offices. OLES and the Park Service identified five national icons as critical assets as part of the government's homeland security initiatives. Additionally, the U.S. Park Police (Park Police) provides law enforcement and security services for icons and parks in Washington, D.C.; New York City; and San Francisco. We have reported on the challenges agencies face in protecting national icons. Such challenges include balancing security with public access, addressing jurisdictional issues and competing stakeholder interests, and leveraging limited resources.[Footnote 2] We have also identified a set of key protection practices--established from the collective practices of federal agencies and private sector entities--that can provide a framework for guiding agencies' efforts to protect physical assets, such as park properties and facilities, and address challenges. [Footnote 3] The key practices essentially form the foundation of a comprehensive, strategic approach to park protection. We have used these key practices as criteria to evaluate how the Department of Homeland Security (DHS)[Footnote 4] and the Smithsonian Institution [Footnote 5] (Smithsonian) secure their assets. Furthermore, the Interagency Security Committee[Footnote 6] (ISC), chaired by DHS, is using our key protection practices to guide its priorities and work activities. The following are the key practices we used for this review: * Allocation of resources using risk management: Identify threats, assess vulnerabilities, and determine critical assets to protect; use information on these and other elements to develop countermeasures; and prioritize the allocation of resources as conditions change. * Leveraging of technology: Select technologies to enhance asset security through methods like access control, detection, and surveillance systems. This involves not only using technology, but ensuring that there are positive returns on investment in the form of reduced vulnerabilities. * Information sharing and coordination: Establish means of coordinating and sharing security and threat information internally, within large organizations, and externally, with other government entities and the private sector. * Performance measurement and testing: Use metrics, such as implementation timelines, and active testing, such as unannounced on- site assessments, to ensure accountability for achieving program goals and improving security at facilities. * Strategic management of human capital: Manage human capital to maximize government performance and assure accountability in asset protection through, for example, recruitment of skilled staff, training, and retention. You requested that we determine whether the Park Service's approach to securing national icons and parks reflects key protection practices. In response, on June 19, 2009, we issued a sensitive but unclassified report. As that report contained information that was deemed to be either law enforcement sensitive or for official use only, this version of the report is intended to communicate our findings as related to each of the key protection practices that we reviewed and our recommendations while omitting sensitive information about icon and park security, including specific vulnerabilities, security breaches, and steps that Interior, Park Service, and Park Police have taken to address them. To meet the reporting objective, we used our key practices as a framework for assessing the Park Service's protection efforts. We interviewed Interior officials at the national, regional, and asset levels, including officials from the Office of the Inspector General (IG), OLES, Park Service, and Park Police. We reviewed five icons and parks to learn firsthand how the Park Service protects highly visible assets. We selected these assets because they have high public visitation, present other potential security considerations such as recent or planned facility construction, and are geographically diverse. We selected: * Two icons: the Statue of Liberty National Monument (Statue of Liberty) in New York City, and the Jefferson National Expansion Memorial (Gateway Arch) in St. Louis. * Three parks: the African Burial Ground National Monument (African Burial Ground) in New York, Gettysburg National Military Park (Gettysburg) in Pennsylvania, and Grand Canyon National Park (Grand Canyon) in Arizona.[Footnote 7] In doing our work, we also reviewed pertinent documents and policies, related directives, and prior and ongoing GAO studies. We conducted this performance audit from January 2008 through June 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Appendix I contains a more detailed discussion of our scope and methodology. Results in Brief: The Park Service has implemented a range of security program improvements since the September 11 terrorist attacks. As an important steward of America's highly valued national icons and parks, the Park Service has worked to integrate security into its primary mission to preserve the natural and cultural resources and values of the national park system for the enjoyment, education, and inspiration of those who visit them. For example, it has established a senior-level security manager position and taken steps to strengthen security at the icons, and it is developing a risk management program for small parks. These efforts exhibit some aspects of key protection practices, but also have limitations. More specifically: * The Park Service does not have a systematic approach for allocating resources using risk management throughout its vast and diverse inventory of national icons and parks to address security issues. The Park Service, with assistance from Interior's OLES, has assessed risks and implemented security improvements at the five icons and some border parks, although we noted some cases in which recommended security measures were not implemented at icons and vulnerabilities remain. At other parks, however, risk assessments are done on an ad-hoc basis and the Park Service has not conducted a servicewide assessment of vulnerabilities. Instead, officials at individual parks use their discretion to request risk assessments from the Park Service or obtain them from other sources. For example, officials at the Grand Canyon-- with more than 4 million visitors annually--independently obtained a risk assessment from an outside counterterrorism organization, but the chief ranger was concerned that it was not thorough and that vulnerabilities remain. Without a servicewide risk management approach, the Park Service lacks assurance that security efforts are adequate and focused where they are needed. Furthermore, without risk assessment tools and other security guidance, some Park Service officials at regional offices are developing their own approaches to risk management without leveraging best practices and lessons learned throughout the Park Service. * The Park Service does not have guidance or standards that officials at individual icons and parks can use to leverage technology by evaluating the cost-effectiveness of security countermeasures. As a result, there is limited assurance that technology investments produce the greatest security benefits. Without guidance and standards, officials at icons and parks may rely on other methods such as trial and error to identify systems and equipment that best suit their needs. For example, officials at the Statue of Liberty were planning to lease magnetometers and X-ray machines to screen visitors, while officials at the Gateway Arch intend to continue purchasing the same equipment. Officials at both icons were making these decisions based on preference without assessing which approach was more cost-effective. These alternative methods may lead to inefficient resource allocation since icon and park officials have competing resource demands and regular developments in technology necessitate upgrades. Officials from the two icons and one of the regions said that guidance for investing in technology would be helpful. * The Park Service has information sharing and coordination arrangements with external organizations at the national, regional, icon, and park levels. However, the Park Service lacks comparable arrangements for internal security communications, and as a result, officials at icons and parks are not equipped to share information with one another on common security problems and solutions. For example, there is no servicewide Web portal for sharing security information internally, an approach other organizations have established. Thus, while officials at the Gateway Arch said they have collaborated with other federal agencies--such as the Transportation Security Administration (TSA) to form a federal screeners group to share best practices and learn about new technologies--the Park Service is limited in its ability to leverage these lessons learned throughout the organization--an activity that a shared Web portal could enable. In the absence of a servicewide security Web portal, some regional offices are developing their own Web sites, but functionality, content, and usage vary from region to region. * The Park Service does not have a servicewide approach for routine performance measurement and testing of its security efforts. The Park Service has not established security performance measures and lacks an analysis tool that it could use to track performance measures such as the number of risk assessments conducted, change in the total number of security-related incidents, identified security staff, and security training courses provided and attended. Without an overarching performance measurement and testing framework, officials at each region, icon, and park take their own approach to identifying security performance measures and tests. However, this ad hoc approach provides little assurance that performance measures and tests are effective and adequate, and that lessons learned can be identified and leveraged throughout the Park Service. Moreover, officials at regions, icons, and parks use their own tracking tools to record and report security incidents limiting the extent to which such information can be consolidated, analyzed, and leveraged to enhance security throughout the park system. Because of the limited activity in this area, icon and park personnel have little information on the status and performance of security methods that they can use to manage day-to-day activities or that Park Service management can use to manage security efforts throughout the organization. * Strategic human capital management is an area of concern because of the Park Service's lack of clearly defined security roles and a security training curriculum. Although the Park Service requires regions to assign security responsibilities to law enforcement staff, and icon and park superintendents designate physical security coordinators, these staff do not have to meet any qualifications, demonstrate expertise, or undergo any specialized training, and oversight of their activities is limited. For example, at the time of our review, neither the Park Service nor the Park Police employed a full-time security manager at the Statue of Liberty, despite such recommendations from the Interior IG and OLES. Moreover, park officials have not designated a physical security coordinator, and instead, have distributed those duties among several Park Police managers. While officials from regions, icons, and parks told us that they coordinate and participate in a variety of security training sessions, there is no overarching Park Service-specific training program or curriculum. Instead, security training is decentralized and thus there is little assurance that Park Service employees have the knowledge, skills, and awareness needed to contribute to overall park security. In order to better oversee and more efficiently manage the protection of the vast and diverse inventory of national icons and parks, we are recommending that the Secretary of the Interior take six actions. Specifically, the Secretary should instruct the Director of the National Park Service, in consultation with OLES, to develop and implement: (1) a more comprehensive, routine risk management approach for security; (2) guidance and standards for leveraging security technology; (3) an internal communications strategy for security to address communications gaps, including a timeline for the development of a servicewide Web portal for security; (4) a servicewide performance management and testing program that includes specific measures and an evaluation component; (5) a strategy for more clearly defining security roles and responsibilities within the Park Service; and (6) a servicewide security training program and related curriculum. We provided a draft of this report to Interior for official review and comment. Interior agreed with our assessment that actions are needed to improve security practices at national icons and parks, and agreed with the report's recommendations. Interior also provided additional information--including general comments from the Park Police--which is discussed near the end of this letter. Interior's official comments are contained in appendix II. Additionally, the Park Police provided technical comments that we incorporated, where appropriate. Background: Interior is responsible for the safety and security of more than 67,000 employees, 280,000 volunteers, 1 million daily visitors, and 500 million acres of public lands that include national icons and parks. After September 11, the Secretary of the Interior took steps to address serious organizational and management problems in the law enforcement and security components of the department. Of particular concern, according to the Interior IG, was the lack of coordination among these components and the absence of a meaningful single point of contact that the Secretary and senior managers could depend upon for reliable information and advice.[Footnote 8] The Secretary approved a Deputy Assistant Secretary for Law Enforcement and Security in July 2002, and established OLES to oversee the department's law enforcement and security efforts and ensure their consistent application across Interior's bureaus and offices. Specific to icon protection, in 2003, Homeland Security Presidential Directive 7 (HSPD-7) designated Interior as the sector-specific agency for the National Monuments and Icons critical infrastructure sector, and Interior selected OLES to carry out sector responsibilities.[Footnote 9] To fulfill its duties, OLES officials developed a national monuments and icons sector-specific plan in which they defined national icons as: (1) monuments, physical structures, or objects; (2) recognized both nationally and internationally as representing the nation's heritage, traditions, and/ or values or are recognized for their national, cultural, religious, historical, or political significance; and (3) serve the primary purpose of memorializing or representing significant aspects of our nation's heritage, traditions, or values and serve as points of interest for visitors and educational activities.[Footnote 10] In accordance with its assigned duties, OLES officials also developed a uniform risk assessment and ranking methodology to quantify risk, identify needed security enhancements, and measure risk-reduction benefits at icons. OLES officials used this methodology to assess risks at the icons during 2004 and 2006. OLES has also issued sector annual reports and established a sector government coordinating council. The Park Service's mission is the unimpaired preservation of the natural and cultural resources and values of the national park system. The Park Service is responsible for managing the national icons and the national park system. In 2008, the Park Service welcomed almost 275 million visitors to its nearly 400 national park units throughout the United States, American Samoa, Guam, Puerto Rico, and the Virgin Islands. Within the Visitor and Resource Protection division of the Park Service, the Law Enforcement, Security, and Emergency Services branch provides policy formulation, oversight, support services, guidance, and leadership to assist park managers and law enforcement staff in accomplishing the Park Service's visitor protection goals and objectives. This branch is led by a chief and has one position dedicated to security and intelligence management. Park superintendents and rangers manage and provide security and law enforcement services at icons and parks throughout the United States in conjunction with their other duties. These other duties include the management of public use, dissemination of scientific and historical information, and protection and management of natural and cultural resources. The Park Police, which is a Park Service component, provides law enforcement and security services for national icons and parks in Washington, D.C.; New York City; and San Francisco. The Park Police has also staffed law enforcement specialists in four of seven Park Service regions including the National Capital, Northeast, Intermountain, and Pacific West regions.[Footnote 11] We have identified a set of six key protection practices from the collective practices of federal agencies to provide a framework for guiding agencies' protection efforts and addressing challenges. [Footnote 12] The following are the key practices we used for this review: * Allocation of resources using risk management: Identify threats, assess vulnerabilities, and determine critical assets to protect; use information on these and other elements to develop countermeasures; and prioritize the allocation of resources as conditions change. * Leveraging of technology: Select technologies to enhance asset security through methods like access control, detection, and surveillance systems. This involves not only using technology, but ensuring that there are positive returns on investment in the form of reduced vulnerabilities. * Information sharing and coordination: Establish means of coordinating and sharing security and threat information internally, within large organizations, and externally, with other government entities and the private sector. * Performance measurement and testing: Use metrics, such as implementation timelines, and active testing, such as unannounced on- site assessments, to ensure accountability for achieving program goals and improving security at facilities. * Strategic management of human capital: Manage human capital to maximize government performance and assure accountability in asset protection through, for example, recruitment of skilled staff, training, and retention. We have used the key practices to evaluate the efforts of the Smithsonian to protect its assets,[Footnote 13] DHS to protect its facilities,[Footnote 14] and federal agencies to protect icons and facilities on the National Mall.[Footnote 15] For example, in 2007, we found that while the Smithsonian follows key practices to protect its assets, it faces challenges related to ensuring that museum and facility directors are aware of information on security and funding constraints. Similarly, in 2005, we found that federal agencies[Footnote 16] on the National Mall--the Park Service, Smithsonian, National Gallery of Art, Department of Agriculture, and U.S. Botanic Garden--were using five of the six key practices to implement security enhancements. Also, in 2007, we reported that DHS had taken actions intended to improve the security of its facilities, but its efforts fell short in certain key areas, such as DHS components not fully implementing risk management. Moreover, the ISC--a body that addresses the quality and effectiveness of security requirements for federal facilities through developing and evaluating security standards for federal facilities--is using our key protection practices as key management practices to guide its priorities and work activities. For example, ISC established subcommittees for technology best practices and training, and working groups in the areas of performance measures and strategic human capital management. ISC also issued performance measurement guidance in 2009. [Footnote 17] The Park Service Does Not Manage Risk Servicewide or Ensure the Best Return on Security Technology Investments: While the Park Service, with the assistance of OLES, has assessed risks at the icons and southwest border parks, it has not adopted a servicewide approach to risk management, including policies, guidance, and tools to support risk assessments at the remaining parks. Furthermore, although icon and park officials have acquired a variety of technologies to enhance security, they do not have guidance to evaluate the cost-effectiveness of proposed or actual countermeasures. The Park Service Has Focused Risk Management Efforts on Icons and Border Parks but Vulnerabilities Remain: We have reported that most risk management approaches generally involve identifying the assets that are most critical to protect in terms of mission and significance, identifying potential threats, assessing vulnerabilities, and evaluating mitigation alternatives for their likely effect on risk and their cost.[Footnote 18] The Park Service and OLES generally employed such an approach in identifying five icons as critical assets to protect, assessing risks, and implementing countermeasures. Specifically, OLES conducted its first round of icon risk assessments during 2004, through which it identified vulnerabilities that the icons shared. Officials at the icons worked on implementing the assessments' recommendations; therefore OLES's 2006 icon risk assessments and 2007 compliance reviews noted significant security improvements, including new surveillance and monitoring equipment, some barriers installed to protect against vehicle explosions, and enhanced visitor screening stations and procedures. In addition to prioritizing icon security, during 2008 the Secretary of the Interior directed the Park Service to focus on border park security through its "Safe Borderlands" initiative, and as a result, the Park Service has also taken steps to balance security and public access at southwest border parks. About 41 percent of the land along the U.S. southwest border is under the control and custody of Interior's land management bureaus, including five parks that are under the Park Service. These border parks face security challenges related to drug smuggling and other unlawful activities in the area, which have also caused significant environmental damage. The Safe Borderlands initiative aims to strengthen Interior's--including the Park Service's- -law enforcement capabilities, improve its radio communications, and lessen the environmental impact of illegal activities. The Park Service and other Interior bureaus have assessed risks and increased staffing along the southwest border, and have installed security features, such as vehicle barricades and sensors at certain border locations, in an effort to prevent illegal aliens and drug smugglers from entering. According to Park Service officials from the Intermountain Region, all border parks in their region have ground sensors to detect illegal traffic and some have alarm systems. Despite the significant improvements made in icon security, we noted some cases in which recommended security countermeasures were not implemented and vulnerabilities remain.[Footnote 19] Park officials at the Statue of Liberty told us that the icon security plan had not been updated since its creation in 2002; however, later in our review, Park Police officials told us they updated this plan during 2008.[Footnote 20] Park officials at the Gateway Arch have also made notable security improvements, such as moving the dispatch center away from the arch. However, vulnerabilities still exist at the park, and security breaches have occurred. Officials from both icons told us that, while they identify and prioritize security needs, security projects compete with other operational needs, and these officials must prioritize and balance competing interests as best they can. The Park Service Lacks a Systematic Approach for Allocating Resources Using Risk Management: Park Service officials at the national, regional, icon, and park levels told us that security awareness has increased throughout the organization, largely because of Interior's initiative to assess security risks at the icons, and the resources the Park Service has allocated to address these concerns; yet the Park Service has not formally applied risk management principles for the rest of its national parks inventory. We have reported that allocating resources using risk management is a systematic and analytical process to consider the likelihood that a threat will endanger an asset-- structure, individual, or function--and identify, evaluate, select, and implement actions that reduce the risk or mitigate the consequences of an event.[Footnote 21] However, the Park Service does not require that other parks undergo risk assessments and therefore there has been no comprehensive servicewide assessment, prioritization, and mitigation of vulnerabilities. Instead, Park Service officials use their discretion to request risk assessments from the Park Service or another entity, and as a result, risk assessments can vary in their scope and methodology from park to park. Even if Park Service officials obtain risk assessments, they may not use them to guide park operations, or they may find it challenging to interpret and implement recommended actions because they are unfamiliar with the risk assessment process. Of the three parks we reviewed, only the African Burial Ground had received a comprehensive risk assessment because it is in a high- security federal facility that is under the control and custody of the General Services Administration (GSA) and is protected by the Federal Protective Service (FPS).[Footnote 22] The risk assessments of the other two parks were limited in scope. * The African Burial Ground is adjacent to a high security multitenant federal building in New York City and the visitor center is inside the building. Therefore, the Park Service authorized FPS to provide law enforcement and security services--such as conducting security assessments and recommending countermeasures through a memorandum of understanding. Furthermore, because the Park Service is a tenant in a GSA building, it receives certain protection services from GSA. For example, FPS, GSA, and the Park Service collaborated to identify perimeter fencing for GSA to install around the monument that maintained park aesthetics and provided protection based on FPS and GSA security standards (see figure 1). Also, according to the Northeast regional chief ranger, the former regional physical security specialist completed a risk assessment of the park in 2006. In accordance with the memorandum, FPS will continue to address security vulnerabilities at the African Burial Ground, such as visitor screening, in collaboration with the park. Figure 1: Perimeter Fencing at the African Burial Ground: [Refer to PDF for image: photograph] Source: GAO. [End of figure] * In 2008, the Gettysburg Foundation--a private, nonprofit educational organization working with the Park Service at Gettysburg--hired a security consulting firm to complete a risk assessment specifically for the new visitor center and museum that it constructed on its land within the park. The assessment included recommendations for protecting artifacts, infrastructure, visitors, and staff, and the Gettysburg Foundation implemented some of the countermeasures. For example, the Gettysburg Foundation purchased surveillance cameras, and Park Service rangers monitor them. The Park Service is responsible for protecting visitors and providing a safe environment for visitors and staff. Moreover, the risk assessment was only for the visitor center and museum, not the park as a whole. According to the chief ranger, the park faces security challenges from the numerous roads leading into it and its open borders. * In 2006, Park Service officials at the Grand Canyon--with more than 4 million visitors annually--requested a risk assessment through their participation in the Arizona Joint Terrorism Task Force (JTTF). [Footnote 23] The Arizona Counter Terrorism Information Center fulfilled the request and identified points of vulnerability and potential security improvements at the park. The center's assessment cited concerns with the location of the dispatch center and wiring system, and Park Service officials are taking steps to mitigate these risks, such as moving the dispatch center to a more secure location and upgrading the wiring. Additionally, Park Service officials enhanced security for the fee collection booths by having surveillance cameras installed. However, even though the assessment contained actionable items, the chief ranger told us it lacked details that would have made it more helpful. The chief ranger considered assigning a Park Service staff person to the center to learn more about the risk assessment methodology, but the time commitment was prohibitive. In addition to lacking a systematic approach for assessing risk throughout its inventory, the Park Service lacks guidance and tools that officials at icons and parks can use to develop risk management strategies. The Park Service's 40-chapter law enforcement manual, which was updated in 2008, focuses primarily on law enforcement policies and responsibilities. One chapter on physical security[Footnote 24] broadly outlines the duties of the physical security coordinator and delineates closed-circuit television policy, but does not include other guidance such as risk assessment procedures and how to use technology to enhance security. Park Service officials we spoke with had mixed views on the manual. Officials from three of the four regions we spoke with said the manual lacks comprehensive physical security information and guidance, while officials from the fourth region considered the manual to be useful. While officials at the Gateway Arch and Gettysburg told us that they used the manual and found it useful for physical security, officials at the Statue of Liberty and the Grand Canyon said they did not use the manual to guide park security operations. The superintendent at the African Burial Ground told us that other Park Service staff advising the park refer to the manual. Park Police officials told us that they do not use the Park Service's law enforcement manual. Instead, they rely on the Park Police law enforcement manual for security guidance at locations where the Park Police are responsible for physical security, such as the Statue of Liberty. The Park Service also relies on Interior's physical security manual which sets forth the policies designed to safeguard Interior personnel and facilities, including buildings, grounds, and other property. OLES developed the manual using the Department of Justice's facility security level standards and minimum security countermeasure standards. [Footnote 25] OLES officials told us that they adopted ISC's updated facility security level standards,[Footnote 26] and notified bureau security managers of changes. The Park Service's Acting Chief of the Law Enforcement, Security, and Emergency Services division and the Security and Intelligence Program Manager told us that they are developing a process for updating icons' and parks' individual facility security levels based on the revised standards. However, the department- level physical security manual is focused on general facility protection and officials from the regions, icons, and parks told us it would be more useful if it were tailored to park-specific security issues. For example, officials from two of the regions we spoke with found the manual unhelpful, though officials from the other two regions considered the manual the main driver for security policy. Park Service officials at the icons and parks we spoke with had mixed reviews as well. For example, officials at the Gateway Arch and Gettysburg told us that they used the manual and found it useful--much as they did the Park Service's law enforcement manual--while officials at the Statue of Liberty and the Grand Canyon said they did not use the manual to guide park security operations. While officials at icons and parks are required to develop and implement physical security plans and conduct physical security surveys, there is no standardized approach, tools, or guidance for carrying out these responsibilities. In the absence of a standardized approach, some Park Service officials from the regions are developing their own risk assessment tools and guidance for parks to use. Although officials from the regions are taking actions that could help parks allocate resources using risk management in accordance with the key practice, these initiatives are being developed independently without a servicewide strategy. * The Intermountain regional office has provided parks with a physical security plan template and workbook with guidance on how to assess risk and identify appropriate countermeasures. * The Midwest regional office is updating a small parks assessment program that it originally created during 2002 by developing a physical security assessment checklist for Park Service rangers to identify deficiencies at parks. * The Northeast regional office plans to create a team made up of rangers and cultural staff that they can send to parks to work with staff to assess security and develop strategies to mitigate vulnerabilities. At the national level, the Park Service recognizes that parks should have tools available to help them assess risks and that physical security plans and assessments should be standardized. Therefore, the Park Service is developing a physical security handbook to standardize physical assessment processes servicewide. Park Service officials are using a U.S. Geological Survey physical security handbook and Interior's physical security manual to develop the Park Service's physical security handbook. The Park Service is also developing a small park assessment program based on the Midwest Region's program, which it intends to test in one region before implementing it servicewide. However, the Park Service has not considered the other regions' approaches and is therefore missing an opportunity to leverage best practices and lessons learned, and create buy-in for a new security program. For example, the Acting Chief of the Law Enforcement, Security, and Emergency Services division and the Security and Intelligence Program Manager were unfamiliar with the Intermountain Region's physical security template and workbook, explaining that officials at each regional office take their own approach to physical security. Lacking a systematic approach for assessing risk throughout the Park Service's inventory of icons and parks has negative effects. First and foremost, the Park Service lacks assurance that decisions about security are based on an assessment of potential threats and countermeasures. Although highly visible icons are the most plausible terrorist targets, it is not unreasonable to presume that parks with high visitor volumes or other national parks, monuments, memorials, and facilities that have symbolic value may also be targets. Second, risk management practices provide the foundation for a comprehensive protection program. Hence, efforts in the other key practice areas-- leveraging technology, information sharing and coordination, performance measurement and testing, and human capital management--are diminished if they are not part of a risk management approach which can be the vehicle for using these practices. Lastly, as previously discussed, individual efforts by officials at regions, icons, and parks to develop risk management tools and security approaches in the absence of overarching guidance are not conducive to sharing lessons learned and leveraging efficiencies. The Park Service Does Not Have Guidance or Standards That Would Assist Icons and Parks in Leveraging Technology: Officials at icons and parks use a variety of technologies and other countermeasures--such as video and surveillance monitoring equipment, visitor screening equipment, vehicle barriers, and door locks--to enhance security operations (see table 1). We have reported that by efficiently using technology to supplement and reinforce other security measures, agencies can more effectively address vulnerabilities identified through the risk management process with appropriate countermeasures.[Footnote 27] Table 1: Examples of Technologies and Other Countermeasures that Icons and Parks Use to Enhance Security: Icon or park: African Burial Ground; Technologies and other countermeasures: The park worked with FPS and GSA to identify and install perimeter fencing that would balance security with the aesthetics of the monument. Icon or park: Gateway Arch; Technologies and other countermeasures: The park installed bollards for perimeter protection, some of which can be controlled at the entry points by entering a code into a keypad, or remotely by the dispatch center. The park is modernizing its dispatch center which will incorporate radio-over-Internet-protocol technology and software-driven security equipment, ensuring continued operations should the dispatch center be damaged during an emergency. Icon or park: Gettysburg; Technologies and other countermeasures: The Gettysburg Foundation implemented keyless lock technology for the park's new visitor center, and the Park Service programs electronic key cards for each employee, thus limiting access to an employee's area of responsibility. The Gettysburg Foundation implemented video surveillance equipment, such as closed-circuit television and motion detectors, and the Park Service operates it. Icon or park: Grand Canyon; Technologies and other countermeasures: The park purchased and installed video and surveillance equipment, such as digital video recording technology and closed-circuit television, to secure fee collection booths at park entrances. Icon or park: Statue of Liberty; Technologies and other countermeasures: The park installed temporary visitor screening stations at Battery Park in New York City and Liberty State Park in New Jersey. Visitors and their belongings must go through magnetometer and X-ray screening before boarding the ferries to Liberty Island. The park also installed a secondary screening station at Liberty Island for visitors who want to go to the observation deck level of the statue. In addition to magnetometers and X-ray machines, this station has radiation and explosives detection devices. Sources: GAO site visits and analysis of Park Service data. [End of table] Additionally, officials at icons we reviewed are partnering with other agencies to test and obtain security technologies. By pooling resources and sharing equipment, officials at icons are leveraging expertise and cost-effectively enhancing their security. As we have reported, technology implementation costs can be high, and the type of technology used should be carefully analyzed to ensure its effectiveness and efficiency.[Footnote 28] For example, at the Statue of Liberty, the U.S. Air Force used the park as a testing ground for emerging technologies, and the arrangement allowed the Park Service to keep the equipment. For example, according to Park Service officials, the U.S. Air Force has tested wireless cameras, weather stations, and chemical, radiological, biological, nuclear, and explosives detection systems on Liberty Island. Park Service and Park Police officials told us that the weather stations are particularly useful to them since the Federal Aviation Administration (FAA) requires weather data for fining aircraft that violate airspace rules near the Statue of Liberty. According to the Park Police, this partnership has been extended into 2010. Despite icon and park officials' use of various technologies and other countermeasures to enhance security, the Park Service has not developed guidance on how to evaluate the cost-effectiveness of proposed or actual security investments. We have recognized that having an approach that allows for cost-effectively leveraging technology to supplement and reinforce other measures would represent an advanced security approach in this area.[Footnote 29] Without such guidance, icon and park officials rely on other methods to identify systems and equipment that best suit their needs. This, however, is an inefficient way to enhance security, particularly in light of icon and park officials' competing resource demands and regular developments in technology that necessitate upgrades. For example, officials from two Park Service regions told us that parks contact them for assistance in identifying security equipment. Officials at the icons we reviewed cited instances of using a trial and error approach to identify cost-effective and suitable technologies. For example, officials at both the Statue of Liberty and the Gateway Arch use magnetometers and X-ray machines to screen visitors and their belongings. After several years of purchasing security equipment, Park Police officials at the Statue of Liberty have realized that they can acquire new and more effective space-saving visitor screening equipment faster through leasing agreements. Park Police officials told us that they intend to lease equipment in the future to stay current with emerging technologies and ensure equipment is maintained. Moreover, in its 2007 compliance review, OLES recommended that park officials lease equipment because such an approach would allow for quicker and less costly upgrades as new technology is developed. In contrast, Park Service officials at the Gateway Arch plan to continue purchasing this equipment. Officials at both icons have made these decisions based on preference without formal cost-benefit analysis. Officials from the Midwest Regional Office, Statue of Liberty, and Gateway Arch suggested that the Park Service could better assist icon and park officials in making informed decisions about security technologies and other countermeasures. The Park Service Lacks a Servicewide Approach to Sharing Information Internally and Measuring Performance: The Park Service has information sharing and coordination arrangements with external organizations at the national, regional, icon, and park levels, but lacks comparable arrangements for internal security communications that would allow icon and park officials to share information with one another on common security problems and solutions. In addition, officials at the regions, icons, and parks have discretion to implement security performance measures and testing, but the Park Service lacks a servicewide approach for measuring and testing the results of its security efforts. As a result, little consolidated performance information is available for icon and park officials to use in managing their day-to-day activities or for Park Service management to use in managing security efforts throughout the organization. The Park Service Shares Information and Coordinates with External Organizations, but Internal Coordination Is Limited: At the national, regional, icon, and park levels, the Park Service has made progress in sharing information and coordinating with other law enforcement, security, and emergency management entities. We have reported that information sharing and coordination among organizations is crucial to producing comprehensive and practical approaches and solutions to addressing terrorist threats directed at federal assets. [Footnote 30] By having a process in place to obtain and share information on potential threats to federal assets, agencies can better understand the risks they face and more effectively determine what preventive measures should be implemented.[Footnote 31] At the national level, the Park Service's Security and Intelligence Program Manager analyzes intelligence from various sources including the Federal Bureau of Investigation (FBI), DHS, and Interior, and disseminates this information to officials at regions, icons, and parks. This manager also attends department-level quarterly meetings of Interior's Security Advisory Council.[Footnote 32] According to OLES officials, meeting attendees are encouraged to disseminate information discussed at the meetings to pertinent staff within their respective bureaus and offices. By collaborating with area law enforcement, security, and emergency management entities, officials at regions, icons, and parks receive threat information and leverage security expertise (see table 2). For example, officials at the Gateway Arch said they are collaborating with area federal agencies such as TSA, the Federal Air Marshal Service, and FBI to form a federal screeners working group to share best practices and learn about new technologies. Table 2: Examples of Information Sharing and Coordination at Park Service Regions, Icons, and Parks: Region: Intermountain; Collaborates with DHS on border park protection and has a memorandum of understanding for the two entities to establish radio-sharing responsibilities; Coordinates with the Bureau of Reclamation to secure dams; Receives intelligence information from the area JTTF. Region: Midwest; Participates on the Nebraska Anti-Terrorism Advisory Council; Attends regular meeting of area chiefs of police, sheriffs, and other law enforcement officials; Coordinates with law enforcement officials in the vicinity of Mount Rushmore National Memorial. Region: Northeast; Collaborated with the Smithsonian Institution on a risk assessment of a Smithsonian asset; Collaborated with FBI, the J. Paul Getty Trust, and the Smithsonian Institution to develop a 3-day museum security awareness conference. Pacific West; Receives intelligence information from area JTTFs. Icon or park: African Burial Ground; Coordinates with the New York Police Department for park events; Maintains a memorandum of understanding with DHS, which outlines FPS's security responsibilities for the park. Icon or park: Gateway Arch; Forming a federal screeners working group with area agencies such as TSA, the Federal Air Marshal Service, and FBI to share best practices and learn about new technologies; Provides a backup terminal for the Department of Justice Interoperability Project which is intended to unify various radio communications to enhance agencies' emergency response; Member of the Illinois State Terrorism Intelligence Center. Icon or park: Gettysburg; Pays for a seat on the local dispatch center, which provides 24-hour access and linkage to the state emergency center. Icon or park: Grand Canyon; Coordinates with FBI to dispense annual training for the park, and in turn the park provides space for FBI to conduct training for FBI and other agencies; Coordinates with the U.S. Marshals Service for warrant services and prisoner transport. Icon or park: Statue of Liberty; Connected to FAA's Domestic Events Network, allowing dispatch center staff to track nearby aircraft; Coordinates with FBI and the U.S. Coast Guard for maritime security; Has a Park Police detective assigned to the New York City JTTF. Source: GAO analysis of Park Service data. [End of table] While collaboration with partner agencies has expanded, the Park Service has not fully leveraged information sharing and coordination mechanisms that could strengthen the ability of officials at regions, icons, and parks to share threat information and identify common security problems and solutions. We have reported that sharing information on threats and incidents that others have experienced can help an organization identify trends better, understand the risks it faces, and determine what countermeasures it should implement.[Footnote 33] Specifically, an information sharing practice that we have found to be an important success factor in protecting critical infrastructure is holding regularly scheduled meetings during which participants can share security management practices, discuss emerging technologies, and create committees to perform specific tasks such as policy setting. [Footnote 34] However, the Park Service's use of regularly scheduled security meetings is limited, and security discussions typically occur on an as-needed basis. The Park Service's Law Enforcement, Security, and Emergency Services branch holds a monthly conference call with regional chief rangers, which covers a variety of topics and is not solely focused on security. Regional officials we spoke with said they meet with icon and park officials to discuss security issues on an as- needed basis. Icon and park officials can contact Park Service regional law enforcement or even the Park Service's Intelligence and Security Program Manager for security assistance as needed. Icon and park officials could access needed information anytime through a Park Service security Web portal, but this tool does not exist servicewide and is instead under development. We have reported that secure Web portals are another important success factor in protecting critical infrastructure and can ensure effective and timely communication among an organization's members.[Footnote 35] Web portals can be used to (1) disseminate all types of information, including alerts, advisories, reports, and other analysis; (2) provide methods for members to ask each other about particular incidents, vulnerabilities, or potential solutions; and (3) share sensitive information.[Footnote 36] For example, GSA's security division is developing a Web portal to track incidents, share threat information, post security policies and other related documents, and enable virtual security discussions. The Park Service recognizes a need to improve its use of technology to disseminate security information through mechanisms such as a Web site and Web conferencing, thereby enhancing its application of the information sharing and coordination key practice. However, the Park Service's security Web portal is still under development without a timetable for completion. According to OLES officials, Interior's Office of Emergency Management maintains a secure Web site known as SAFETALK, where sensitive information and policies can be exchanged and stored. However, only authorized individuals are allowed to access the portal, and over the course of our review, no Park Service or Park Police officials we spoke to at the national, regional, icon, or park levels cited this Web site as a primary security information source. Without its own Web portal, the Park Service is limited in its ability to disseminate key icon and park- specific security information and guidance to icons and parks efficiently and raise security awareness overall. In the absence of a servicewide secure Web portal, some Park Service regional offices have developed law enforcement and security Web sites, but the functionality, content, and usage of these sites vary from region to region. For example, while officials from the Intermountain regional office said that they regularly update their Web site with security resources, officials from the Midwest and Pacific West regions said their law enforcement and security Web sites were used infrequently and not to their fullest extent. The Midwest regional chief ranger told us that officials from the region's icons and parks make limited use of the regional Web site, instead preferring to contact someone in the regional office for assistance or to obtain policy documents. Officials from the Midwest and Pacific West regions acknowledged that more could be done to enhance the content of their Web sites and promote greater usage. For example, the Pacific West regional chief ranger cited the inability of parks to communicate with one another as a limitation on the usefulness of the regional Web site as a tool for protecting visitors and resources. The Web site offers one-way communication from the region to the field, but the region is trying to increase the site's functionality and usage by adding discussion threads and message boards, and displaying successful park security strategies and plans. Also, the Northeast regional chief ranger told us the office is considering creating a Web site to post security-related lessons learned and security assessment templates. The Park Service Lacks a Servicewide Approach for Routine Performance Measurement and Testing: The Park Service--at the national level--has no standardized performance measures, evaluation mechanisms, or a testing program for security servicewide. We have reported that successful performance measures should (1) be linked to an agency's mission and goals; (2) be clearly stated; (3) have quantifiable targets or other measurable values; (4) be reasonably free of significant bias or manipulation that would distort the accurate assessment of performance; (5) provide a reliable way to assess progress; (6) sufficiently cover a program's core activities; (7) have limited overlap with other measures; (8) have balance, or not emphasize one or two priorities at the expense of others; and (9) address governmentwide priorities.[Footnote 37] Linking goals to a security program can be used to hold agencies and program offices accountable for achieving those goals. Furthermore, we reported that such alignment increases the usefulness of performance information to decision makers.[Footnote 38] Although the Park Service requires icon and park officials to report security incidents, it has no centralized reporting and analysis mechanism, thus these Park Service units have created their own incident-tracking tools. The Park Service began developing an incident reporting and analysis tool in 2003, but Interior decided to transfer the project to OLES and leverage it for the whole department. Interior's intent is that all bureaus--including the Park Service--will use the Incident Management Analysis and Reporting System for a variety of security performance measurement and management activities, such as reporting incidents, identifying training and resource needs, justifying resource requests and expenditures, measuring program performance, and tracking training. These functions coincide with some of the uses and results of performance measurement that we have recognized, such as assessing the change in the total number of security incidents to evaluate program effectiveness and inform the overall risk management approach, as shown in figure 2.[Footnote 39] However, Interior expects that this tool will not be available until 2011 or 2012, therefore, until the new system is implemented, the Park Service will continue to be limited in its ability to identify common threats and incidents--information which it could use to evaluate risk management strategies and countermeasures, identify problems, and develop solutions. Figure 2: Performance Measures, Uses, and Results: [Refer to PDF for image: illustration] Performance measure examples: * Risk assessments conducted; * Compliance with security policies; * Change in total number of security incidents; * Change in risk rating resulting from countermeasures deployed. Selected uses: * Ensure adequate protection; * Inform risk management; * Allocate security resources; * Hold employees accountable for security goals and objectives; * Evaluate program effectiveness. Potential results: * Improvement in physical security; * Physical security investments that justify costs; * Reduction in facilities’ vulnerability to acts of terrorism and other forms of violence; * Prioritization of funding within and across agencies. Source: GAO. [End of figure] Regional officials may perform two to three park law enforcement operational evaluations annually by selecting parks for evaluation or responding to a park's request for an evaluation. These assessments have a small security component, but are not security evaluations. For example, the Midwest regional chief ranger examines the security of park fee collections and the types of locks on windows and doors of park facilities, according to this official. Officials from some of the icons and parks we reviewed recognized a need for standardized performance measures and testing. For example, Park Police officials at the Statue of Liberty told us they would like a standardized testing and evaluation program for security technologies, instead of solely relying on informal testing efforts such as the Park Police's collaboration with TSA to test visitor screening equipment. Similarly, Park Service officials from the Gateway Arch expressed an interest in coordinated reviews of the park's security that would incorporate markers for achievement. Because performance is measured and tested occasionally and inconsistently, officials from icons and parks have limited opportunities for sharing lessons learned or using performance data to manage security from a broader perspective. We have reported that performance measurement can help achieve broad program goals and improve security at the individual asset level. [Footnote 40] Without effective performance measurement data, decision makers may have insufficient information to evaluate whether their investments have improved security or reduced vulnerabilities to threats such as terrorism or crime. We have also reported that active testing, using methods such as on-site security assessments, can provide data on the effectiveness of efforts to reduce vulnerabilities. [Footnote 41] Because the Park Service's performance management and testing capability is limited, the agency has little information on the status and performance of security activities at the icons and parks it can use to manage day-to-day activities or that Park Service management can use to strategize security efforts throughout the organization. Absent a formal performance measurement system and testing program, officials at icons and parks individually identify security program components to test, such as focusing on equipment and procedural knowledge. We have reported that testing methods include conducting inspections to ensure that adequate levels of protection are employed, testing the effectiveness of security measures such as structural enhancements and physical barriers, and assessing preparedness through training exercises and drills.[Footnote 42] We found some examples of tests, exercises, and drills that park officials use to assess security performance at icons and parks (see table 3). For example, officials at the Grand Canyon said that they analyze law enforcement and security incidents to shape patrol strategies, and officials at the Statue of Liberty told us they hold emergency exercises with the New York Police Department and FBI. Table 3: Examples of Security-related Tests, Exercises, and Drills: Icon or park: African Burial Ground; Tests, exercises, and drills: FPS tests employee and visitor screening equipment. The park participates in biannual fire drills and annual shelter-in-place drills that GSA conducts for the facility. Icon or park: Gateway Arch; Tests, exercises, and drills: The park tests guards' operation of X-ray equipment for visitor screening daily. The park tests the arch's emergency power and fire alarm system annually. The park participated in continuity of operations and pandemic flu tabletop exercises and evaluations. Icon or park: Gettysburg; Tests, exercises, and drills: The chief ranger checked the effectiveness of the park's evacuation training by informally testing park staff on evacuation procedure recall. Icon or park: Grand Canyon; Tests, exercises, and drills: The park tests its evacuation plan biannually--one tabletop exercise and one drill of a component of the evacuation plan. Icon or park: Statue of Liberty; Tests, exercises, and drills: The guard service contractor has an internal audit program with four assigned program evaluators for the park to test security guards' performance. The park conducts several emergency exercises with the New York Police Department and FBI. The park participates in tabletop exercises with the New York and New Jersey Port Authority and the U.S. Coast Guard. Source: GAO analysis of Park Service data. [End of table] Human Capital Management Lacks a Security Focus: The Park Service assigns security duties to selected regional staff and requires that icon and park superintendents designate physical security coordinators, but it does not require these staff to have physical security experience or expertise, and it does not provide them with specialized security training. As a result, there is little assurance that staff are equipped to effectively identify and mitigate risks at icons and parks. Security Roles Are Not Well Defined and Training Is Limited: The Park Service has security staff at the national, regional, icon, and park levels that have a variety of security and other duties. We have reported that the strategic management of human capital is a key practice that can maximize the government's performance and ensure the accountability of its security-related efforts.[Footnote 43] At the national level, the Park Service has established a Security and Intelligence Program Manager position within its Law Enforcement, Security, and Emergency Services division. This position was created in 2003, in response to a 2002 Interior IG recommendation that Interior bureaus install full-time security managers.[Footnote 44] We have also recognized the importance of having a chief security officer position and the security industry maintains that such a position is essential in organizations with large numbers of mission-critical assets. [Footnote 45] Moreover, a security trade organization--ASIS International[Footnote 46]--has developed chief security officer guidance for organizations to use in developing a security leadership position that would establish a comprehensive, integrated security risk strategy.[Footnote 47] The Acting Chief of the Law Enforcement, Security, and Emergency Services division and the Security and Intelligence Program Manager told us that the Park Service has structured the manager position to disseminate and coordinate information among Park Service units, instead of establishing a managerial position that oversees and directs security activities at regions, icons, and parks. The Security and Intelligence Program Manager performs a variety of duties, such as liaising with DHS to improve security within the southwest border parks, coordinating with OLES to develop semiannual security workshops, conducting risk assessments when parks request them, and gathering, analyzing, and disseminating intelligence information. This official also oversees some of the national initiatives we have previously described, such as the small parks assessment program and the security Web portal. According to the Security and Intelligence Program Manager, as the Park Service has become more aware of this resource, the manager's activities have increased, especially in the area of physical security. At the regional level, security responsibilities are assigned to law enforcement staff that also have other duties in the areas of law enforcement and emergency management. Of the four regional offices we reviewed, only the Northeast Regional Office, had a full-time position dedicated to security. From 2002 to 2007, the regional office employed a physical security and intelligence specialist who performed a variety of activities such as conducting risk assessments, establishing technology-sharing relationships with other federal agencies, and analyzing and disseminating intelligence throughout the agency. This position was vacated in 2007, but the regional chief ranger is trying to staff this position again and is revising the position description to focus on physical security. Park Police law enforcement specialists are staffed to the National Capital, Northeast, Intermountain, and Pacific West regional offices and can provide security assistance. Regional Park Service and Park Police staff who have security responsibilities are available to help icons and parks that request their services. These staff may conduct risk assessments or help identify security technologies or other countermeasures, as shown in table 4. Table 4: Security Positions at Regions, and Examples of Activities: Region: Intermountain; Activities: The regional chief ranger and two Park Police captains have security duties. The Park Police captain advises parks on security equipment costs and quality. The region has promoted the practice of parks upgrading and implementing alarms and cameras which they report has reduced vandalism. Region: Midwest; Activities: The regional chief ranger and assistant chief ranger have security duties, and the office uses the physical security specialist from the Gateway Arch to conduct risk assessments at parks throughout the region. The assistant chief ranger manages fee collections security programs, supports security programs in parks that do not have rangers on staff, and advises park superintendents on security matters. Region: Northeast; Activities: The regional chief ranger and assistant chief ranger have security duties. The region employed a physical security specialist from 2002 until 2007, and is trying to fill the vacancy. This specialist established contacts and coordinated with external agencies to acquire security intelligence and training; conducted park risk assessments; and provided training in explosive devices and checkpoint security for rangers at icons and urban parks. A Park Police captain currently assigned to the region has a background in icon protection and has been involved with protection efforts at the Statue of Liberty. Region: Pacific West; Activities: The region relies on the Park Police at the San Francisco Field Office for security expertise. A Park Police sergeant assists with security assessments throughout the region and at times may visit a park to conduct a comprehensive review of the facilities. Source: GAO analysis of Park Service data. [End of table] The Park Service requires icon and park superintendents to designate physical security coordinators and expects them to develop and implement park physical security plans and conduct physical security surveys of all structures. Park Service officials told us that, typically, physical security coordinators are park rangers or maintenance managers, who have other duties and responsibilities in addition to security. Moreover, because of the small size of some parks, one person may serve as the physical security coordinator for several parks. For example, the Intermountain Regional Chief Ranger told us that the region has 41 physical security coordinators positioned at about 56 of its 78 parks. We found that physical security coordinators perform a variety of duties, such as overseeing dispatch center operations and reviewing video surveillance images, as shown in table 5. Additionally, Park Service law enforcement rangers and Park Police staff at icons and parks have some security responsibilities in addition to law enforcement duties. Table 5: Security Positions at Icons and Parks, and Examples of Activities: Icon or park: African Burial Ground; Activities: The Northeast Regional Park Police captain will fulfill the role of the physical security coordinator until fiscal year 2010, when the park is fully staffed. The former Northeast region physical security specialist participated in visitor center design discussions and coordinated FPS involvement, review, and approval of security systems. Icon or park: Gateway Arch; Activities: The physical security specialist is the designated physical security coordinator and has responsibility for the operations, planning, and supervision of the dispatch center and operation of physical security checkpoints. The assistant chief ranger maintains oversight of the physical security and anti-terrorism branch of the ranger activities division. Icon or park: Grand Canyon; Activities: A law enforcement ranger is the physical security coordinator. The physical security coordinator supervises the fee collections law enforcement group. Icon or park: Statue of Liberty; Activities: A Park Police lieutenant is the physical security coordinator. The former Northeast region physical security specialist and Park Police officials have overseen technology enhancements and maintained equipment. Source: GAO analysis of Park Service data. [End of table] Despite the range of security duties assigned to regional staff, physical security coordinators, law enforcement rangers, and Park Police staff, the Park Service does not provide them with specialized training. Moreover, senior Park Service officials told us that they do not have an inventory of all the physical security coordinators servicewide, and they do not track their duties. We have noted that the effectiveness of a risk management approach depends on the involvement of experienced and professional security personnel and that the chances of omitting major steps in the risk management process increase if personnel are not well trained in applying risk management.[Footnote 48] Without training for security staff, or evaluations of their security activities, there is little assurance that risks are identified and mitigated and that staff are held accountable for results. Though the Park Service lacks a physical security training program, it has partnered with OLES to organize security workshops at icons and other critical assets such as the Hoover Dam (see table 6). Park Service and Park Police staff are invited to attend, but attendance is contingent upon time and resource availability. For example, staff from the icons we reviewed and the regions we interviewed had attended some of these workshops, but no staff from the African Burial Ground, Gettysburg, or the Grand Canyon had attended. Officials at regions, icons, and parks may also develop security training internally or in collaboration with external agencies. We have reported that (1) training exercises are useful in assessing preparedness,(2) effective security entails having well-trained staff that follow and enforce policies and procedures, and (3) good training and practice are essential to successfully implementing policies by ensuring that personnel exercise good judgment in following security procedures. [Footnote 49] Table 6: Security Training Examples: Office: National; Types of training: The Park Service national office organizes security workshops in collaboration with OLES and other Interior bureaus. The workshops have been held at the Statue of Liberty in 2005, Hoover Dam in 2006, the Gateway Arch in 2007, and the Kennedy Space Center in 2009. In September 2009, the Park Police will host a critical infrastructure and key resource protection training program for the Park Police and some Park Service and Interior staff. Office: Region: Intermountain; Types of training: In 2005, the region hosted a chief ranger conference that focused on physical security. Participants received training in developing physical security plans, guidance for conducting security surveys, and a checklist to assess risks and countermeasures. Office: Region: Midwest; Types of training: Every 18 months, the region hosts a chief ranger conference in the Black Hills area of South Dakota. At the 2008 conference, an FBI official presented a session on icon and critical infrastructure and key resource protection. Office: Region: Northeast; Types of training: In 2008, the region hosted a museum and security conference, which focused on protecting cultural property, resources, and collections. Office: Region: Pacific West; Types of training: The region created an Operational Leadership Program, which targets safety and accident prevention. The program has started to gain national recognition and is the primary focus of the Park Service National Leadership Council. The region is training 100 facilitators for the program. Office: Icon or park: African Burial Ground; Types of training: The northeast region and FPS provide physical security training. Office: Icon or park: Gateway Arch; Types of training: The physical security specialist has undertaken a number of training activities including creating and dispensing a security awareness presentation to orient new staff, inviting a U.S. Postal Service inspector to dispense mail screening training for employees directly involved in handling mail, and regularly sending security awareness tips via e-mail to park staff. Office: Icon or park: Gettysburg; Types of training: The park's museum services supervisor served as a keynote speaker at the Northeast region's museum and security awareness training in September 2008. The supervisor addressed how park and museum staff can work together to ensure security of collections. Office: Icon or park: Grand Canyon; Types of training: FBI provides a training course annually for the park. Past FBI training has covered topics such as evidence recovery, behavioral profiling, and violent crimes. Office: Icon or park: Statue of Liberty; Types of training: Security awareness training is provided to Park Police personnel through roll call and in-service training. Depending on available space, the Park Police may open up training to some Park Service employees and partners such as concessions providers. Source: GAO analysis of Park Service data. [End of table] Additionally, Park Service rangers can try to enroll in two physical security courses that are offered at the Federal Law Enforcement Training Center (FLETC)[Footnote 50]--the physical security training program and the critical infrastructure protection training program. However, according to Park Service officials, space in the courses is limited--the Park Service receives one or two slots per class--the courses are offered on a limited basis, training and travel are subject to resource constraints, and the training is not specific to icons and parks. For example, the physical security specialist at the Gateway Arch tried to enroll in the physical security course for more than 18 months before gaining admission and completing the course in 2008. According to Park Service officials, this specialist may also be able to attend the critical infrastructure training. No park staff from the Statue of Liberty have completed the physical security course since 2001.[Footnote 51] Moreover, Park Service officials told us that no staff from the African Burial Ground, Gettysburg, or Grand Canyon have completed either of the two FLETC training courses. The Grand Canyon chief ranger tried to enroll the physical security coordinator in the physical security training course, but the application for enrollment was not accepted; as a result, the park lacks staff with experience and formal training in physical security. While various security training opportunities arise throughout the Park Service, training is inconsistent and lacks cohesion, and there is little assurance that Park Service employees have the knowledge, skills, and awareness needed to contribute to overall park security. With limited security expertise, the Park Service will face challenges in implementing the other key practices. The lack of physical security expertise affects icon and park officials' ability to develop strategies for identifying their security vulnerabilities and determining how to mitigate them effectively and efficiently with limited resources. Such strategies would ensure that the Park Service has the expertise and resources at the national and regional levels to oversee the implementation of security advancements and practices. Moreover, physical security expertise allows icon and park officials to determine what countermeasures fit their specific needs and how well these countermeasures enhance their security performance. Finally, because all icon and park staff have a role in security, increasing overall security awareness enhances the security of the park. Human Capital Challenges Are a Particular Concern at Icons: We noted earlier that officials at icons have made improvements in security since 2001; however, the Interior IG and OLES have concerns about icon security that are related to human capital issues, including security expertise and the management of security operations. We have reported that it is widely recognized that there is a need for competent professionals who can effectively manage complex security programs that are designed to reduce threats to people and assets. [Footnote 52] Clearly defining roles and responsibilities and ensuring that security personnel are adequately trained are central aspects of this key practice. In its 2008 assessment of the Park Police, the IG recommended that the Park Service hire a qualified senior-level certified security professional to oversee Park Service security operations at all icons, including those that are managed by the Park Police, but the Park Service does not believe such action is necessary. [Footnote 53] Senior Park Service officials told us that the agency works closely with the Park Police, especially in areas with shared responsibility. However, the Park Service relies on its Security and Intelligence Program Manager to oversee icon security for icons that do not have a Park Police presence--the Gateway Arch, Independence National Historic Park, and Mount Rushmore National Memorial. The Park Service relies on the Park Police for security program management at the national mall icons and the Statue of Liberty. As a result, the Park Service has no comprehensive program with centralized senior-level oversight of icon security. This is an inefficient approach, since the five icons--while distinct--have a need to manage similar issues including guard services, surveillance and screening equipment, vehicle and pedestrian barriers, access to intelligence information, staff trained in security awareness, and security performance measurement and testing procedures. Moreover, until recently, the Park Service Security and Intelligence Program Manager lacked specialized physical security expertise. Trained as a law enforcement special agent, this official was not certified in physical security until 2008. According to OLES officials, the Park Service security manager meets the minimum security training requirements for senior-level security managers that OLES established in 2009.[Footnote 54] The Interior IG also recognized that this manager has been through extensive physical security training.[Footnote 55] Although the Park Police created an Homeland Security Division in October 2008 and established a security manager position in accordance with the IG's 2002 recommendation,[Footnote 56] the IG reported in 2009 that the appointee to this position--a Deputy Chief--had no background in physical security and had only been through a basic 2 week critical infrastructure protection course at FLETC.[Footnote 57] According to the Park Police, the Deputy Chief is qualified for the position having (1) attended a 2 week DHS program on critical infrastructure and key resource protection in August 2008, (2) worked on icon protection issues for 4 years, (3) designed security upgrades at the Washington Monument, and, (4) over the course of 25 years, worked on security system alarm issues in Washington, D.C. and San Francisco. Furthermore, the Park Police told us that the Deputy Chief received a certification after completing DHS's Critical Infrastructure and Key Resources Protection course. OLES officials also told us that the Deputy Chief has met the department's minimum training requirements. The Interior IG and OLES officials are also concerned about the Park Service's management of security operations at individual icons. In its 2003 icon protection report, the IG suggested that icons with the most significant threat potential should have trained and certified security managers on-site,[Footnote 58] and in 2008, recommended that the Park Service install trained and certified security professionals at each icon park to work under the direction of the security manager the IG had recommended for all of the icons.[Footnote 59] In its 2006 icon risk assessment and 2007 icon compliance reviews, OLES recommended that Independence National Historic Park and the Statue of Liberty hire security managers. While officials at these two icons have identified hiring security managers as a priority, they had yet to fill the positions at the time of our review. While park officials at the Statue of Liberty have identified hiring a security manager as a top priority, they have not determined whether the Park Service or the Park Police will fund the position.[Footnote 60] In 2007, the Park Police hired a security manager for the National Capital Region. The Deputy Chief of the Icon Protection Division told us that the Park Police intends to hire a technical assistant for this manager who can, for example, repair security equipment. Of the five icons, only the Gateway Arch has a full-time physical security specialist--a need the park identified on its own and filled with a qualified professional. Park officials at the Gateway Arch created and staffed this position during 2006 and had to give up one law enforcement position to do so. The park's assistant chief rangers, who are law enforcement officers, told us they believe the tradeoff was justified and the specialist's efforts may increase awareness among staff. The physical security specialist has undertaken a number of initiatives, such as conducting a risk assessment of the facility where park officials wanted to locate its dispatch center, testing security alarms in the visitor center, sending park employees security awareness e-mails, and forming partnerships with area federal departments and agencies such as DHS, the Department of Justice, and the U.S. Postal Service to enhance surveillance capabilities, acquire interoperable communications technology, and assess mail handling. Moreover, the Midwest Region has leveraged the specialist's expertise to help the region develop a risk assessment tool for its small parks security program. OLES officials told us that of the five icons, the Gateway Arch had the highest security policy compliance rating in 2007, and although they did not attribute this rating to the physical security specialist's work, it is worthwhile to note that the Gateway Arch is the only icon that has a full-time position dedicated solely to physical security. Conclusions: In addition to its primary mission to preserve the natural and cultural resources and values of the national park system for the enjoyment, education, and inspiration of those who visit them, the Park Service has a critical role related to security at national icons and parks and has taken important steps to improve the security of nearly 400 national icons and parks. However, concerns persist that terrorists may attack the United States by targeting national icons such as the Statue of Liberty and the Gateway Arch, and by harming those who visit places emblematic of our nation's natural beauty and heritage, such as the Grand Canyon and Gettysburg. More emphasis on the key practices would provide greater assurance that Park Service assets are well protected and that Park Service resources are being used efficiently to improve protection. Critical to advancing the Park Service's security efforts, a more comprehensive risk management approach and related guidance-- which are currently lacking--would provide management with up-to-date information on threats and trends in security gaps and would allow management to target resources to address the greatest threats and vulnerabilities. Standards and guidance for technology investment, if developed, would provide better assurance that the Park Service's return on investment is maximized. In addition, a strategy for improving internal communication by, for example, expeditiously developing a security Web portal, could lead to more efficient information sharing and coordination. Implementing a more systematic performance measurement and testing program would inform risk management efforts and allow management to better gauge security performance. Finally, paying greater attention to the human capital component of security--by clearly defining security roles and responsibilities using risk management and establishing a security training program--would give Park Service staff the tools and awareness needed to protect the Park Service's assets and the people who visit them. Recommendations for Executive Action: In order to better oversee and more efficiently manage the protection of the vast and diverse inventory of national icons and parks, in the restricted version of this report, we recommended that the Secretary of the Interior take six actions. Specifically, the Secretary should instruct the Director of the National Park Service, in consultation with OLES, to develop and implement: 1. a more comprehensive, routine risk management approach for security that encompasses the Park Service's vast inventory of icons and parks, including developing guidance, standards, and procedures for conducting risk assessments at the icon and park level and for using the results to inform resource allocation decisions at the national, regional, icon, and park levels; 2. guidance and standards for leveraging security technology, including how to assess the costs and benefits of countermeasure alternatives while taking into account risk management results; 3. an internal communications strategy for security to address coordination gaps, including a timeline for the development of a servicewide Web portal for security; 4. a servicewide performance management and testing program that includes specific measures and an evaluation component, which can be used to inform broader risk management decision-making and to assess security performance; 5. a strategy for more clearly defining security roles and responsibilities within the Park Service, which should, among other things, ensure that the Park Service is well equipped at the national and regional levels to oversee security improvements; and: 6. a servicewide security training program and related curriculum to provide staff with the knowledge, skills, and awareness needed to improve Park Service security practices. Agency Comments and Our Evaluation: We provided a draft of the restricted version of this report to Interior for official review and comment. Interior agreed with our assessment that actions are needed to improve security practices at national icons and parks and agreed with the report's recommendations. Regarding the first recommendation to develop a more comprehensive, routine risk management approach for security, Interior cited the recent creation of a Homeland Security Division within the Park Police, stated that parks and regions have been working to develop a more comprehensive approach to security, and agreed to bring all of these efforts together in a more comprehensive, servicewide program. For the second recommendation to develop guidance and standards to leverage security technology, Interior cited some examples of the partnerships it has with other federal agencies and acknowledged that guidance and standards for leveraging technology, coupled with an effective communications strategy, would add to the effectiveness and efficiency of its security program for icons and parks. With respect to the third recommendation, Interior stated that a more formal internal communications strategy would enhance the effectiveness of its security program for icons and parks and noted that such a strategy should acknowledge the critical importance of the communication networks icons and parks establish at the asset level. For the fourth recommendation to develop and implement a servicewide performance management and testing program, Interior stated that while its current approach has been effective in some situations, applying a servicewide approach would benefit all icons and parks in the system. Regarding the fifth recommendation to develop and implement a strategy for more clearly defining security roles and responsibilities within the Park Service, Interior stated that it would continue to look for ways to leverage the expertise and experience of physical security staff and to clearly define their roles and responsibilities. Finally, for the sixth recommendation to develop and implement a servicewide security training program and related curriculum, Interior stated that a servicewide security training program and increased access to contemporary training on appropriate security subjects would be helpful and noted that it currently sends staff with security responsibilities to a variety of training programs within and outside of Interior, including the physical security training program offered through FLETC. While these other security courses may be helpful, as we reported, not all Park Service personnel that have security responsibilities are able to attend these training classes due to the space limitations of the entities offering these courses and resource constraints on the part of individual icons and parks. Furthermore, as we reported, the Park Service does not have a special training curriculum for its designated physical security coordinators. Therefore, it is important that the Park Service develop its own park- specific training program so that staff that have security responsibilities delegated to them can effectively carry out those duties and better ensure that icons and parks, and the people who visit and work at them, are well-protected. Interior's official comments are contained in appendix II. Interior also provided general and technical comments from the Park Police and we incorporated the technical comments where appropriate. In its general comments, the Park Police noted some of the security improvements it has made since September 11 for the icons under its purview in New York City and Washington, D.C. Specifically, the Park Police cited enhancements made to physical barriers, surveillance systems, visitor screening, and contract guard services. The Park Police also stated that in October 2008, it underwent its largest internal reorganization in 40 years and created a Homeland Security Division and added more officers and patrols to enhance icon protection efforts. Finally, with respect to information sharing and coordination, the Park Police stated that it has assigned three intelligence officers to enhance icon protection in Washington, D.C. and detectives to the JTTFs in New York City; Washington, D.C.; and San Francisco. Moreover, the Park Police has assigned a major to the Park Service's national office to liaise with the Park Service to protect all icons. As agreed with your office, unless you publicly announce the contents of this report, we plan no further distribution until 30 days from the report date. At that time, we will send copies of this report to the Secretary of the Interior and appropriate congressional committees. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. If you have any questions about this report, please contact me at (202) 512-2834 or goldsteinm@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made major contributions to this report are listed in appendix III. Sincerely yours, Signed by: Mark L. Goldstein: Director, Physical Infrastructure Issues: [End of section] Appendix I: Objectives, Scope, and Methodology: Our objective was to determine whether the National Park Service's (Park Service) approach to security for national icons and parks reflects key protection practices. Through previous work, we identified a set of key protection practices from the collective practices of federal agencies and private sector entities that can provide a framework for guiding agencies' protection efforts and addressing challenges.[Footnote 61] The key practices essentially form the foundation of a comprehensive approach to asset protection and can be used to assess the management of security programs. We used our key protection practices as criteria to evaluate the Park Service's approach to security. Of the six key practices, we used the following as criteria: * Allocating resources using risk management. * Leveraging technology. * Information sharing and coordination. * Performance measurement and testing. * Strategic management of human capital. We did not consider the sixth key practice, aligning assets to mission, which focuses on realigning the federal real property inventory to better reflect agencies' missions. To examine the Park Service's application of key practices at the park level, we selected five icons and parks basing our selection on factors that included geographical diversity, high public visitation, and other potential security considerations such as recent or planned facility construction. To minimize duplication of effort, we considered our own and the Department of the Interior's (Interior) Office of the Inspector General's (IG) recent and ongoing work. For example, we did not select the national mall icons--the Washington Monument National Memorial, the Thomas Jefferson National Memorial, and the Lincoln National Memorial-- because the IG examined their security in 2008.[Footnote 62] We selected: * Two icons--the Statue of Liberty National Monument (Statue of Liberty) in New York City and the Jefferson National Expansion Memorial in St. Louis. * Three parks--the African Burial Ground National Monument in New York City, Gettysburg National Military Park in Pennsylvania, and Grand Canyon (Grand Canyon) National Park in Arizona. Collectively, the sites we selected illustrate a range of park protection practices applied by the Park Service. At each site, we interviewed Park Service officials with primary responsibility for security implementation, operation, and management. We also interviewed U.S. Park Police (Park Police) officials from the Statue of Liberty. We toured each site and observed the physical environment and the principal security elements to gain firsthand knowledge of the protection practices used at all the sites except the Grand Canyon where we used videoconferencing to interview Park Service officials. We reviewed and analyzed documents, when available, that contained site- specific information on security plans, policies, procedures, budgets, and staffing. Because we observed the Park Service's efforts to protect icons and parks at a limited number of sites, our observations of security issues at individual sites cannot be generalized to all the icons and parks that the Park Service is responsible for securing. To supplement these site visits, we interviewed Park Service regional chief rangers and other security officials from the three regions where we had selected icons and parks--the Northeast, Midwest, and Intermountain regions. We also interviewed the regional chief ranger from the Pacific West region because the Park Service once identified the Golden Gate Bridge as an icon and we wanted that region's perspective on icon and park protection. At the national level, we interviewed officials from the IG, Office of Law Enforcement and Security, Park Service, and Park Police. Furthermore, we collected supporting documentation including law enforcement and security manuals; IG reports on law enforcement, security, and icon protection; icon risk assessments and compliance reviews; and security plans, policies, procedures, budgets, and staffing information when available. We conducted this performance audit from January 2008 to June 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. [End of section] Appendix II: Comments from the Department of the Interior: United States Department of the Interior Office Of The Secretary: Washington, D.C. 20240: June 12, 2009: Mr. Mark L. Goldstein: Director, Physical Infrastructure Issues: U.S. Government Accountability Office: 441 G Street, N.W. Washington, D.C. 20548: Dear Mr. Goldstein: Thank you for providing the Department of the Interior (DO[) the opportunity to review and comment on the U.S. Government Accountability Office Draft report entitled, "Homeland Security Actions Needed to Improve Security Practices at National Icons and Parks," (GAO-09-605). The National Park Service (NPS) and the Department of the Interior have reviewed the draft report and appreciate the diligent work of the team in helping us further improve the security program for icons and parks in the National Park System. We will continue to examine policy and procedures and make adjustments as necessary to protect critical infrastructure under our jurisdiction. We believe the GAO has produced an informative summation of the complex issues associated with risk management. Following are our comments on the six actions recommended in the draft report. 1) A more comprehensive, routine risk management approach for security: We concur that a more comprehensive approach to security would be beneficial to the Park Service. In our efforts to this end to date, the USPP has recently reorganized and created a Homeland Security Division. The many parks throughout the system and several regional offices not under the specific direction of the USPP have been and are continuing to develop a more comprehensive approach to security. We will continue to work toward bringing all of these efforts together in a more comprehensive, service-wide, program. 2) Guidance and standards for leveraging security technology: We concur that increased guidance and standards for leveraging technology would be valuable to our program. We currently enjoy technology assistance, information and advice from many partners, including FLETC, OLES, DHS, TSA-TSL Labs and many more. We have just recently learned that the USPP program with the USAF has been funded for another year. Guidance and standards for leveraging technology, coupled with an effective communications strategy (see (3) below) will help our security program become more effective and efficient. 3) An internal communications strategy for security to address communications gaps, including a time line for the development of a Park Service-wide Web portal for security: We concur that a more formal internal communications strategy for security concerns would be useful in helping to make our security program more effective. Currently, our senior-level Security and Intelligence program managers have regular contact with Icon Parks, non- Icon parks and regional office staff. Parks themselves, throughout the country, enjoy both internal and external contacts, with their respective regional office staff, Washington Office staff as well as many local, regional and state law enforcement and security contacts. These latter contacts, which are less apparent to central office staff, are key to success in many of our rural and isolated park settings. Overlaying a more formal communications strategy over the top of these many aforementioned contacts could assist in addressing communications gaps that may exist in the organization. It would be important for us, in crafting said strategy, to not imply that the ground-level contacts made by parks, throughout the system, are not critical to the success of park-level security programs. 4) A Park Service-wide performance management and testing program that includes specific measures and an evaluation component: We concur that exploring the option of an appropriate and effective performance management and testing program for security would be beneficial. Although imperfect, the "ad-hoc" approach, as described in the report, has been effective in pockets throughout the system. Reviews and assessment of Icon Park and non-Icon Park security programs take place periodically. A Park Service-wide approach, however, would likely yield more positive and all inclusive results, thereby benefiting all parks in the system. 5) A strategy for more clearly defining security roles and responsibilities within the Park Service: We concur that a strategy for defining security roles and responsibilities within the Park Service would be advantageous for a bureau-wide security program. Our two senior-level Security and Intelligence program managers for the NPS and the USPP are recognized and in-place today. These two positions are joined by several other key officials designated, including Captains and Lieutenants at the four Icon parks managed by the USPP. Additionally, parks and regions have their own designated Physical Security Coordinators in place today. We will continue to look for ways to leverage the expertise and experience of current physical security staff and to clearly define their roles and responsibilities. 6) A Park Service-wide security training program and related curriculum: We concur that Park Service-wide security training and increased access to contemporary training on appropriate security subjects will continue to be helpful to our program. However, we would like to note that we currently send staff with security responsibilities to a variety of excellent training programs including local, regional, state and federally sponsored options. DHS has excellent training that we have, and continue to take advantage of. We regularly use the Basic Physical Security Training Program at the Federal Law Enforcement Training Center as base-line training. This course is recognized nationally as an excellent introduction to the world of Physical Security. Further, we work closely with the DOI. OLES for further formal and contemporary security training programs that include exposure to real-world security. In September of 2009, the USPP will be hosting the new FLETC. 80-hour Critical Infrastructure and Key Resources Protection training to Washington DC whereupon all key officials from the USPP, NPS. 01-ES and others will have the opportunity to attend. Thank you for the opportunity to comment on this informative report. We have and will continue to place a high priority on Security throughout the National Park System. We will also continue to interweave security concerns in all aspects of risk management of our parks and Icons. We request that the vulnerabilities in park security programs stated in this report not be released to the public as we feel it could endanger visitors, employees, residents and facilities. Enclosed are specific itemized comments from the USPP, some of which have been previously addressed. We hope these comments will assist you in preparing the final report. If you have any questions, or need additional information, contact Acting Deputy Chief Kevin Hay, at 202-619-7085, or Chief, Division of Law Enforcement, Security, and Emergency Services, Lane Baker, at 202- 513-7084. Sincerely, Signed by: Pamela K. Haze: Deputy Assistant Secretary for Budget and Business Management: Enclosure: Hand written additional note: "Thank you for your help." [End of section] Appendix III: GAO Contact and Staff Acknowledgments: GAO Contact: Mark L. Goldstein, (202) 512-2834 or goldsteinm@gao.gov: Staff Acknowledgments: In addition to the contact named above, David Sausville, Assistant Director; Denise McCabe, Analyst-in-Charge; Anne Dilger; Elizabeth Eisenstadt; Brandon Haller; Robin Nye; Joshua Ormond; Susan Michal- Smith; and Adam Yu made key contributions to this report. [End of section] Footnotes: [1] The national park system is made up of close to 400 park units which include 5 national icons and 14 other types of parks such as monuments, national battlefields, and national parks. The park units that Interior considers to be national icons are: (1) the Statue of Liberty National Monument in New York City; (2) Independence National Historical Park in Philadelphia; (3) the Jefferson National Expansion Memorial in St. Louis; (4) Mount Rushmore National Memorial in South Dakota; and (5) the national mall icons--the Washington Monument National Memorial, the Thomas Jefferson National Memorial, and the Lincoln National Memorial in Washington, D.C. [2] GAO, Homeland Security: Actions Needed to Better Protect National Icons and Federal Office Buildings from Terrorism, [hyperlink, http://www.gao.gov/products/GAO-05-790] (Washington, D.C.: June 24, 2005). [3] GAO, Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] (Washington, D.C.: Nov. 30, 2004). We excluded one key practice-- aligning assets to mission--from this review. This key practice underscores the need to realign the federal real property inventory so that it can better reflect agencies' missions. [4] GAO, Federal Real Property: DHS Has Made Progress, but Additional Actions Are Needed to Address Real Property Management and Security Challenges, [hyperlink, http://www.gao.gov/products/GAO-07-658] (Washington, D.C.: June 22, 2007). [5] GAO, Smithsonian Institution: Funding Challenges Affect Facilities' Conditions and Security, Endangering Collections, [hyperlink, http://www.gao.gov/products/GAO-07-1127] (Washington, D.C.: Sept. 28, 2007). [6] ISC was established by Executive Order 12977 in 1995 after the bombing of the Alfred P. Murrah Federal Building in Oklahoma City. [7] With the exception of the Grand Canyon--where we used videoconferencing to interview Park Service officials--we visited each of these sites. [8] U.S. Department of the Interior, Office of Inspector General, Disquieting State of Disorder: An Assessment of Department of the Interior Law Enforcement, Report 2002-I-0014 (Washington, D.C., January 2002). [9] HSPD-7 identified 17 critical infrastructure sectors and designated federal entities, called sector-specific agencies, to be responsible for coordinating asset protection within their sector throughout all levels of government and the private sector. In June 2008, an 18th sector was added--Critical Manufacturing. [10] Department of Homeland Security and Department of the Interior, National Monuments and Icons Sector-Specific Plan (Washington, D.C., May 2007). [11] The other three Park Service regions include the Southeast, Midwest, and Alaska regions. [12] [hyperlink, http://www.gao.gov/products/GAO-05-49]. We excluded one key practice--aligning assets to mission--from this review. This key practice underscores the need to realign the federal real property inventory so that it can better reflect agencies' missions. [13] [hyperlink, http://www.gao.gov/products/GAO-07-1127]. [14] [hyperlink, http://www.gao.gov/products/GAO-07-658]. [15] GAO, National Mall: Steps Identified by Stakeholders Facilitate Design and Approval of Security Enhancements, [hyperlink, http://www.gao.gov/products/GAO-05-518] (Washington, D.C.: June 14, 2005). [16] For the purposes of this report, we are referring to all of these entities as federal agencies. [17] ISC, Use of Physical Security Performance Measures, (Washington, D.C., June 16, 2009). [18] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [19] This review did not include an assessment of security vulnerabilities at border parks. [20] According to the Park Police, it also updated icon protection plans for the national mall icons during 2008. [21] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [22] FPS provides law enforcement and related security services to about 9,000 facilities under the control and custody of GSA. [23] JTTFs are chaired by the Federal Bureau of Investigation (FBI) and are composed of various federal, state, and local agencies. JTTFs aim to prevent, pre-empt, deter, and investigate terrorism and related activities affecting the United States and to apprehend terrorists. [24] Physical security is defined as physical or protective measures designed to safeguard personnel, facilities, national borders, and critical infrastructure and to prevent unauthorized access to material and documents, and to safeguard them against terrorism, espionage, sabotage, damage, weapons of mass destruction, and theft. [25] One day after the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma City, the President directed the Department of Justice to assess the vulnerability of federal office buildings. In June 1995, DOJ issued a report entitled Vulnerability Assessment of Federal Facilities and the President directed that security at each federal facility be upgraded to the minimum security standards recommended by the study. [26] The Interagency Security Committee, Facility Security Level Determinations for Federal Facilities (Washington, D.C., Mar. 10, 2008). [27] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [28] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [29] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [30] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [31] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [32] According to OLES officials, the Security Advisory Council meets quarterly to discuss emerging protection technology and security best practices, as well as recent security trends and policies. The council also reviews proposed changes to department security policy for sufficiency and impact. [33] GAO, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection, [hyperlink, http://www.gao.gov/products/GAO-02-24] (Washington, D.C.: Oct. 15, 2001). [34] [hyperlink, http://www.gao.gov/products/GAO-02-24]. [35] [hyperlink, http://www.gao.gov/products/GAO-02-24]. [36] [hyperlink, http://www.gao.gov/products/GAO-02-24]. [37] GAO, Tax Administration: IRS Needs to Further Refine Its Tax Filing Season Performance Measures, [hyperlink, http://www.gao.gov/products/GAO-03-143] (Washington, D.C.: Nov. 22, 2002). [38] GAO, Managing for Results: Enhancing Agency Use of Performance Information for Management Decision Making, [hyperlink, http://www.gao.gov/products/GAO-05-927] (Washington, D.C.: Sept. 9, 2005). [39] GAO, Homeland Security: Guidance and Standards Are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts, [hyperlink, http://www.gao.gov/products/GAO-06-612] (Washington, D.C.: May 31, 2006). [40] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [41] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [42] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [43] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [44] Interior IG Report 2002-I-0014. [45] [hyperlink, http://www.gao.gov/products/GAO-05-790]. [46] According to its Web site, ASIS International--an organization that reports to have more than 37,000 security industry members--is the pre-eminent international organization for professionals responsible for security, including managers and directors of security. [47] ASIS International, Chief Security Officer Guideline 2008. [48] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [49] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [50] FLETC serves as an interagency law enforcement training organization for more than 80 federal agencies and provides basic and advanced law enforcement training. The Park Service has assigned a superintendent to the FLETC campus in Glynco, Georgia to develop and manage basic and advanced training for Park Service law enforcement and line management, and to develop policy and guidelines for servicewide training and certification. [51] In its technical comments on a draft of this report, the Park Police stated that a USPP captain and a lieutenant from the Statue of Liberty attended a similar physical security course provided by the New York Police Department and that other officials in the New York Field Office have attended the police department's risk assessment course. Moreover, Park Police stated that dozens of its officers have taken the physical security course offered at FLETC. [52] [hyperlink, http://www.gao.gov/products/GAO-05-49]. [53] U.S. Department of the Interior, Office of the Inspector General, Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007 (Washington, D.C., February 2008). [54] In March 2009, OLES issued a memorandum outlining minimum training requirements for bureau and office-level security managers and officers. [55] U.S. Department of the Interior, Office of the Inspector General, 3rd Progress Report on the Implementation of the Secretary's Directives for Law Enforcement Reform, PI-AT-MOA-0001-2008 (Washington, D.C., February 2009). [56] Interior IG Report 2002-I-0014. [57] Interior IG Report PI-AT-MOA-0001-2008. [58] U.S. Department of the Interior, Office of the Inspector General, Review of National Icon Park Security, Report 2003-I-0063 (Washington, D.C., August 2003). [59] Interior IG Report PI-EV-NPS-0001-2007. [60] In its technical comments on a draft of this report, the Park Police stated that a lieutenant has been serving as the security manager at the Statue of Liberty. [61] GAO, Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices, [hyperlink, http://www.gao.gov/products/GAO-05-49] (Washington, D.C.: Nov. 30, 2004). [62] U.S. Department of the Interior, Office of the Inspector General, Assessment of the United States Park Police, Report PI-EV-NPS-0001-2007 (Washington, D.C., February 2008). [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: