Action Needed to Better Assess Cost-Effectiveness of Security Enhancements at Federal Facilities [Reissued on April 2, 2015]
GAO-15-444: Published: Mar 24, 2015. Publicly Released: Mar 24, 2015.
What GAO Found
The federal civilian entities GAO selected—the Department of Homeland Security's (DHS) Federal Emergency Management Agency (FEMA), the General Services Administration (GSA), the Department of Justice's United States Marshals Service (USMS), the Smithsonian Institution (Smithsonian), and the Social Security Administration (SSA)—have implemented a range of enhancements to improve physical security. The Interagency Security Committee (ISC), which is chaired by DHS and has representation from across federal civilian entities, has a risk management standard that federal executive branch entities are to follow, where ISC specifies enhancements entities should implement to effectively minimize risk and meet baseline levels of protection. The ISC has identified six general categories of enhancements: interior security, facility structure, security systems, facility entrance, site improvements, and operations and administration. Enhancements can include, among other things, security systems, contract guard forces, and blast resistant windows.
The five federal entities paid for security enhancements using a range of methods such as: paying for enhancements as part of their rent to GSA; paying fees to security organizations to install or operate security screening services; and paying for enhancements during renovation projects. Entities reported having limited ability to track facility security expenditures, particularly when these costs were: (1) funded partially by another entity; (2) were part of rent costs and not separately identified; or (3) were not a separate line-item for entities' funding. GAO's work at these entities showed that several factors drive security costs. For example, site and facility-related factors—such as geographic location, age and size of the facility, and historical designation—drive these costs. Also, implementing security enhancements in new construction projects generally costs less compared to renovations.
Officials from the selected entities said they have used a range of practices to manage costs, such as researching and selecting the least costly vendors, considering costs in relation to risk when deciding on enhancements, and developing some performance measures. ISC's risk management standard states that federal entities should use a cost analysis methodology that considers all costs and should establish a comprehensive performance measurement and testing program to, among other things, help allocate resources. These aspects of the standard represent a rigorous approach to determining cost effectiveness and measuring performance in the security environment; however, the ISC does not provide detailed guidance or specify methodologies federal entities could use for implementation. In fact, the selected entities have had difficulty implementing these parts of the standard to the degree specified by ISC, noting that further guidance would be beneficial. ISC is well positioned to provide entities with such guidance. Implementing these parts of the standard could better able federal entities to assess the cost effectiveness of their security investments.
Why GAO Did This Study
Since September 11, 2001, civilian federal entities have made improvements to the physical security at their buildings. The total cost of these enhancements is unknown. GAO was asked to review changes in physical security in federal facilities and related cost issues.
This report examines (1) the types of physical security enhancements selected civilian federal entities have made to their facilities since September 11, 2001; (2) how these entities pay for and track costs of such enhancements; and (3) the actions these entities have taken to manage costs, including determining the cost effectiveness of enhancements and using performance measures. GAO conducted site visits and interviewed headquarters and field officials from five selected entities that have implemented a range of security enhancements at federal facilities. Information obtained during the site visits and interviews is not generalizable and cannot be used to represent the opinions of all agency officials. GAO also collected and reviewed documentation on the management of physical security across these entities' facilities.
What GAO Recommends
GAO recommends that the Secretary of Homeland Security direct the ISC to develop guidance for helping entities meet the cost-effectiveness and performance measurement aspects of ISC's risk management standard. In commenting on a draft of this report, DHS concurred with GAO's recommendation and discussed actions under way by ISC to develop improved guidance for agencies.
For more information, contact Mark L. Goldstein at (202) 512-2834 or GoldsteinM@gao.gov.
Recommendation for Executive Action
Status: Closed - Implemented
Comments: In March 2015, GAO reported that civilian federal entities have made improvements to the physical security of their buildings, but the total costs of these enhancements are unknown. Five selected federal entities told GAO that it would be difficult for them to determine how much they have spent on physical security enhancements across their facilities, particularly when these costs were (1) funded partially by another entity; (2) were part of rent costs and not separately identified, or (3) were not a separate line-item for entities' funding. The entities noted that they have used a range of practices to ensure that they implement the most cost-effective physical security enhancements in their facilities. These include, among other things, researching and selecting the least costly vendors, considering costs in relation to risk when deciding on enhancements, and coordinating and deferring implementation of multiple enhancements. The Interagency Security Committee (ISC), which is mandated to enhance the quality and effectiveness of security and protection of federal facilities, has emphasized the importance of evaluating the cost-effectiveness of enhancements and measuring performance in its risk management standard to help entities allocate resources. The ISC standard states that federal entities should use a cost analysis methodology that considers all costs. While this is positive and represents a rigorous approach to determining cost-effectiveness, the ISC standard does not provide detailed guidance or specify a methodology an entity should use to implement this part of the standard. Furthermore, the ISC standard also states that entities should establish a comprehensive performance-measurement and testing program that will allow the entity to measure a security program's capabilities and effectiveness, help demonstrate the need to obligate funds for facility security, and make appropriate decisions for allocating resources. However, the entities GAO reviewed reported difficulties in implementing these aspects of the ISC standard and that further guidance would be beneficial. To address this problem, GAO recommended that the Secretary of Homeland Security direct the ISC to develop guidance for helping entities meet the cost-effectiveness and performance measurement aspects of ISC's risk management standard. In December 2015, the ISC published new guidance that provides entities with an introduction and understanding of the most efficient processes and procedures to effectively allocate physical security resources across an entities' portfolio of facilities, including discussions on how to determine cost-effectiveness and implement performance measures. For example, the ISC guidance provides details on the types of project costs that must be included in an entities' funding plan to ensure the most cost-effective countermeasure is selected when considering adopting physical security enhancements, and describes management practices for entities to use for performance measurement, such as conducting inspections and tests. As a result, federal entities will be able to better determine the benefits of security investments and whether they have reduced federal facilities' vulnerability to acts of terrorism or other forms of violence.
Recommendation: The Secretary of Homeland Security should direct that ISC, in consultation with ISC members, should develop guidance for helping federal entities implement the cost-effectiveness and performance-measurement aspects of ISC's risk management standard. The guidance could be incorporated into ongoing ISC initiatives related to resource allocation, or into other ISC guidance materials, as ISC deems appropriate.
Agency Affected: Department of Homeland Security