Federal Facility Security:

Selected Agencies Should Improve Methods for Assessing and Monitoring Risk

GAO-18-72: Published: Oct 26, 2017. Publicly Released: Oct 26, 2017.

Contact:

Lori Rectanus
(202) 512-2834
rectanusl@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

None of the four agencies GAO reviewed—U.S. Customs and Border Protection (CBP), the Federal Aviation Administration (FAA), the Agricultural Research Service (ARS), and the Forest Service—used security assessment methodologies that fully aligned with the Interagency Security Committee's Risk Management Process for Federal Facilities standard (the ISC Standard). This standard requires that methodologies used to identify necessary facility countermeasures—such as fences and closed-circuit televisions—must:

  1. Consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities.
  2. Assess three factors (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk.

All four agencies used methodologies that included some ISC requirements when conducting assessments. CBP and FAA assessed vulnerabilities but not threats and consequences. ARS and the Forest Service assessed threats, vulnerabilities, and consequences, but did not use these factors to measure risk. In addition, the agencies considered many, but not all, of the 33 undesirable events related to physical security as possible risks to their facilities. Agencies are taking steps to improve their methodologies. For example, ARS and the Forest Service now use a methodology that measures risk and plan to incorporate the methodology into policy. Although CBP and FAA have updated their methodologies, their policies do not require methodologies that fully align with the ISC Standard. As a result, these agencies miss the opportunity for a more informed assessment of the risk to their facilities.

All four agencies reported facing management challenges in conducting physical security assessments or monitoring assessment results. Specifically, CBP, ARS, and the Forest Service have not met the ISC's required time frame of every 3 years for conducting assessments. For example, security specialists have not conducted required reassessments of two ARS and one Forest Service higher-level facilities. While these three agencies have plans to address backlogs, CBP's plan does not balance conducting risk assessments with other competing security priorities, such as updating its policy manual, and ARS and the Forest Service lack a means to monitor completion of future assessments. Furthermore, CBP, ARS, and the Forest Service did not have the data or information systems to monitor assessment schedules or the status of countermeasures at facilities, and their policies did not specify such data requirements. For example, ARS and the Forest Service do not collect and analyze security-related data, such as countermeasures' implementation. FAA does not routinely monitor the performance of its physical security program. Without improved monitoring, agencies are not well equipped to prioritize their highest security needs, may leave facilities' vulnerabilities unaddressed, and may not take corrective actions to meet physical security program objectives. This is a public version of a sensitive report that GAO issued in August 2017. Information that the agencies under review deemed sensitive has been omitted.

Why GAO Did This Study

Protecting federal employees and facilities from security threats is of critical importance. Most federal agencies are generally responsible for their facilities and have physical security programs to do so.

GAO was asked to examine how federal agencies assess facilities' security risks. This report examines: (1) how selected agencies' assessment methodologies align with the ISC's risk management standard for identifying necessary countermeasures and (2) what management challenges, if any, selected agencies reported facing in conducting physical security assessments and monitoring the results.

GAO selected four agencies—CBP, FAA, ARS, and the Forest Service—based on their large number of facilities and compared each agency's assessment methodology to the ISC Standard; analyzed facility assessment schedules and results from 2010 through 2016; and interviewed security officials. GAO also visited 13 facilities from these four agencies, selected based on geographical dispersion and their high risk level.

What GAO Recommends

GAO recommends: (1) that CBP and FAA update policies to require the use of methodologies fully aligned with the ISC Standard; (2) that CBP revise its plan to eliminate the assessments backlog; and (3) that all four agencies improve monitoring of their physical security programs. All four agencies agreed with the respective recommendations.

For more information, contact Lori Rectanus at (202) 512-2834 or rectanusl@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: To help federal agencies protect and assess risks to their facilities, the Interagency Security Committee (ISC) developed physical security standards for non-military federal facilities in the United States. One particular standard, called The Risk Management Process for Federal Facilities (ISC Standard), requires that methodologies used to identify necessary facility countermeasures, such as fences and closed-circuit televisions, must: (1) consider all of the undesirable events (e.g., arson and vandalism) identified by the ISC Standard as possible risks to facilities, (2) assess three factors of risk (threats, vulnerabilities, and consequences) for each of these events and use these three factors to measure risk, and (3) document decisions that deviate from the ISC Standard. In 2017, GAO reported that the U.S. Customs and Border Protection (CBP) assessment methodology (based on its Security Policy and Procedures Handbook, dated August 13, 2009) did not fully align with the ISC Standard because it did not consider all of the undesirable events nor assess threat and consequence. At the time of GAO's review, CBP had started the update of the agency's handbook to align it with the ISC Standard but, after 3 years, had not yet completed it. Delays in updating the handbook meant that CBP's policy would continue to not align with the ISC Standard. GAO reported that without an updated policy handbook that requires a methodology that assesses all undesirable events consistent with the ISC Standard, CBP cannot reasonably ensure that its facilities will have levels of protection commensurate to their risk. Therefore, GAO recommended that CBP include in its updated Security Policy and Procedures Handbook the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.
    In 2020, GAO confirmed that CBP issued its updated Physical Security Policies and Procedures Handbook on January 7, 2020, which supersedes its 2009 handbook. The updated handbook is applicable to all CBP owned, leased, or occupied offices, facilities, ports of entry, and stations. The updated handbook also describes the ISC's risk management process for federal facilities requirement to assess all 33 undesirable events, consider all three factors of risk, and document deviations from the ISC Standard. The updated handbook describes this formal process in Chapter 5, entitled "Risk-Informed Decision-Making." By updating the handbook to align with ISC requirements, CBP can have reasonable assurance that all required factors will be considered when conducting physical security assessments. This should result in recommendations that its facilities will have levels of protection commensurate to their risk.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection should, with regard to the updated Security Policy and Procedures Handbook, include the ISC's Risk Management Process for Federal Facilities requirement to assess all undesirable events, consider all three factors of risk, and document deviations from the standard.

    Agency Affected: Department of Homeland Security: United States Customs and Border Protection

  2. Status: Open

    Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We are in the process of reviewing the handbook to determine whether it meets ISC's Risk Management Process for Federal Facilities.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

    Agency Affected: Department of Homeland Security: United States Customs and Border Protection

  3. Status: Closed - Implemented

    Comments: The U.S. Customs and Border Protection (CBP), the nation's largest law enforcement agency, has the responsibility for securing the country's borders. It also has the responsibility for conducting physical security assessments at about 1,200 facilities, including approximately 215 federally owned and agency-controlled higher-level facilities with security levels III and IV. The Interagency Security Committee (ISC) Standard requires agencies to follow a risk-management process when conducting assessments for each of their facilities. Specifically, the ISC requires that agencies assess higher-level facilities at least once every 3 years, an interval requirement intended to identify and address evolving risks. In 2018, GAO reported that CBP data on assessments from August 2010 to September 2016 showed that the agency had not assessed a significant number of its higher-level facilities. CBP security officials attributed the backlog to (1) having too few security specialists assigned to assess about 1,200 facilities and (2) the specialists working on competing priorities. At the time of GAO's review, CBP security officials said that they had developed a plan to eliminate the backlog by the end of fiscal year 2018 by prioritizing the completion of assessments. GAO reported that, without balancing assessments with competing priorities, CBP's time frames for completing the assessments by the end of fiscal year 2018 might not have been feasible and might also have resulted in the agency's not addressing other important physical security responsibilities. While the plan was comprehensive, the schedule did not seem feasible because of the assumptions used to develop the plan. Therefore, GAO recommended that CBP revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog.
    In 2018, GAO confirmed that CBP had eliminated the backlog of security assessments at higher-level facilities by making revisions to its plan. Specifically, CBP (1) lowered the security level of 39 federally owned and agency-controlled facilities based on the ISC Standard and the respective facility assessments, which freed resources to prioritize the assessments of higher-level facilities and support other priorities and extended the time for reassessing these facilities by 2 years; (2) assessed several facilities at a fast pace (15 facilities within 2 weeks), which were small in size and had few personnel, so the agency could conduct on-site assessments within one day or less; (3) used the Federal Protective Service to assess some of the 1,200 facilities under the control of the General Services Administration, which provided relief from having to assess non-CBP-owned facilities; and (4) conducted assessments of higher-level facilities that had not been previously assessed. By eliminating its backlog of security assessments, CBP has the information it needs to reduce the vulnerabilities and security risks to its facilities.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, should revise the assumptions used in the plan to address the backlog to balance assessments with competing priorities, such as updating the policy manual and reviewing new construction design, to develop a feasible time frame for completing the assessment backlog.

    Agency Affected: Department of Homeland Security: United States Customs and Border Protection

  4. Status: Open

    Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

    Agency Affected: Department of Transportation

  5. Status: Open

    Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

    Agency Affected: Department of Transportation

  6. Status: Open

    Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

    Agency Affected: Department of Transportation

  7. Status: Open

    Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

    Agency Affected: Department of Agriculture

  8. Status: Open

    Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.

    Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

    Agency Affected: Department of Agriculture
