Critical Infrastructure Protection: DHS Is Taking Action to Better Manage Its Chemical Security Program, but It Is Too Early to Assess Results

What GAO Found

The November 2011 memorandum that discussed the management of the Chemical Facility Anti-Terrorism Standards (CFATS) program was prepared based primarily on the observations of the Director of the Department of Homeland Security’s (DHS) Infrastructure Compliance Security Division (ISCD), a component of the Office of Infrastructure Protection (IP) within the National Protection and Programs Directorate (NPPD). The memorandum was intended to highlight various challenges that have hindered ISCD efforts to implement the CFATS program. According to the Director, the challenges facing ISCD included not having a fully developed direction and plan for implementing the program, hiring staff without establishing need, and inconsistent ISCD leadership—factors that the Director believed place the CFATS program at risk. These challenges centered on human capital issues, including problems hiring, training, and managing ISCD staff; mission issues, including overcoming problems reviewing facility plans to mitigate security vulnerabilities and performing compliance inspections; and administrative issues, including concerns about NPPD and IP not supporting ISCD’s management and administrative functions.

ISCD has begun to take various actions intended to address the human capital management, mission, and administrative issues identified in the ISCD memorandum and has developed a 94-item action plan to track its progress. According to ISCD managers, the plan appears to be a catalyst for addressing some of the long-standing issues the memorandum identified. As of June 2012, ISCD reported that 40 percent (38 of 94) of the items in the plan had been completed. These include (1) requiring ISCD managers to meet with staff to involve them in addressing challenges, clarifying priorities, and changing ISCD’s culture and (2) developing a proposal to establish a quality control function over compliance activities. The remaining 60 percent (56 of 94) that were in progress include those requiring longer-term efforts--—i.e., streamlining the process for reviewing facility security plans and developing facility inspection processes; those requiring completion of other items in the plan; or those awaiting action by others, such as approvals by ISCD leadership. ISCD appears to be heading in the right direction, but it is too early to tell if individual items are having their desired effect because ISCD is in the early stages of implementing corrective actions and has not established performance measures to assess results. Moving forward, exploring opportunities to develop measures, where practical, to determine where actual performance deviates from expected results, consistent with internal control standards could help ISCD better identify any gaps between actual and expected results so that it can take further action, where needed. For example, as ISCD develops a new security plan review process, it could look for ways to measure the extent to which the time to do these reviews has been reduced as compared with the time needed under the current review process.

According to ISCD officials, almost half of the action items included in the June 2012 action plan require ISCD collaboration with or action by NPPD and IP. The ISCD memorandum stated that IP and NPPD did not provide the support needed to manage the CFATS program when the program was first under development. ISCD, IP, and NPPD officials confirmed that IP and NPPD are providing needed support and stated that the action plan prompted them to work together to address the various human capital and administrative issues identified.