
Homeland Security/Law Enforcement: Federal Facility Risk Assessments (2012-18)

Agencies are making duplicate payments for facility risk assessments by completing their own assessments, while also paying the Department of Homeland Security for assessments that the department is not performing.

Action:

To address the duplicative federal facility risk assessments conducted by multiple federal agencies, the Secretary of the Department of Homeland Security (DHS) should direct the Director of the Federal Protective Service (FPS) to develop interim solutions for completing risk assessments while addressing the Risk Assessment and Management Program’s (RAMP) challenges.

Progress:

FPS has made consistent, sustained progress in its efforts to develop interim solutions for completing risk assessments while addressing RAMP’s challenges. Namely, in March 2012, after RAMP was discontinued, FPS developed a new vulnerability assessment tool, referred to as the Modified Infrastructure Survey Tool (MIST), to assess the vulnerabilities of federal facilities. However, GAO reported that MIST did not comply with ISC standards. In July 2015, the Interagency Security Committee (ISC), chaired by DHS, confirmed GAO’s finding that MIST did not fully incorporate ISC standards. Specifically, ISC stated that MIST does not calculate risk as a function of threat, vulnerability and consequence. To address the ISC findings, as of October 2016, FPS has developed a Mission Needs Assessment document that outlines how FPS will enhance its ability to assess risks to federal facilities by incorporating threats, vulnerabilities and consequences in an automated tool. According to FPS officials, this document will be used as the basis to procure the needed technology, with the procurement process estimated to start in 2017. By evaluating risks in this way, FPS’s risk assessments would be compliant with the ISC standards. In October 2016, FPS officials also stated that even though MIST does not fully incorporate the ISC standards at this time, FPS inspectors are currently using the MIST tool augmented with external data sources in an effort to improve the security of federal facilities. Continuing its work on identifying a permanent solution for assessing risk at federal facilities could improve FPS’s ability to better protect federal facilities and help minimize agencies’ duplicative risk assessment activities.

Implementing Entity:

Department of Homeland Security

Action:

To address the duplicative federal facility risk assessments conducted by multiple federal agencies, the Director of the Federal Protective Service (FPS) should make information about the estimated costs of key activities and the basis for these estimates available to affected parties to improve transparency.

Progress:

FPS has taken steps to gather information about the estimated costs of its key activities and make this information available to affected parties, as GAO recommended in May 2011. In January 2015, FPS finalized and began using its Activity Based Costing Strategic Communications Plan (Plan) to communicate with its stakeholders regarding (1) how its fees are set, used, and reviewed, (2) the results and potential impact of fees, and (3) how frequently communication with agencies will occur. As a result of the Plan, FPS is in a better position to share with affected agencies information about the estimated costs of key activities and the basis for these estimates, which should improve transparency. According to FPS officials, the agency also provided information about its fees to affected parties via monthly billing memorandums and webinars. The steps FPS has taken to identify and make information available about the costs of its activities and services should provide FPS’s clients, some of whom are expending additional resources to conduct duplicative risk assessment activities, with more information about the costs of FPS’s services.

Implementing Entity:

Action:

To address the duplicative federal facility risk assessments conducted by multiple federal agencies, the Department of Homeland Security (DHS) should work with federal agencies to determine their reasons for duplicating the activities included in Federal Protective Service’s (FPS) risk assessments and identify measures to reduce this duplication.

Progress:

FPS has taken steps to determine the reasons other federal agencies are duplicating its risk assessment activities, as GAO suggested in February 2012. According to FPS officials, in July 2014, FPS surveyed 30 tenant agencies to determine if they are conducting risk assessments of their facilities, the extent to which agencies may be duplicating FPS’s assessments, and how the duplication could be eliminated. FPS found that 15 of the 21 agencies that responded were conducting risk assessments and 6 were not. The agencies stated that they were conducting risk assessments because of a congressional mandate or because FPS’s assessment did not address a particular threat facing that agency, although they pay FPS to conduct these assessments. In August 2016, GAO confirmed that FPS has taken steps to coordinate with these agencies. As a result of both coordinating with and surveying GSA as well as other federal agencies, FPS is in a better position to reduce unnecessary duplication of effort associated with its risk assessments.

In addition, the Interagency Security Committee—a DHS-chaired organization—developed a physical security standard, The Risk Management Process for Federal Facilities (RMP), with which federal executive agencies and departments must comply. Among other things, the RMP includes a list of undesirable events (threats) that are applicable to all federal facilities and requires FPS to assess the threat, vulnerability and consequence of each. In 2013, FPS officials stated that the agency has no authority to prevent other federal agencies from conducting risk assessments, and in November 2015, FPS officials said its position had not changed. FPS also said that it plans to continue to coordinate with its tenant agencies that are conducting risk assessments and look for ways to eliminate the duplication. Given the financial and other benefits that may result from reducing duplication, GAO agrees with FPS that it should continue working with these agencies to understand why they are completing their own assessments and identify ways to minimize their duplicative assessment activities.

Implementing Entity:

Department of Homeland Security