Federal Protective Service: Actions Needed to Assess Risk and Better Manage Contract Guards at Federal Facilities
Highlights
What GAO Found
The Department of Homeland Security’s (DHS) Federal Protective Service (FPS) is not assessing risks at federal facilities in a manner consistent with standards such as the National Infrastructure Protection Plan’s (NIPP) risk management framework, as FPS originally planned. Instead of conducting risk assessments, since September 2011, FPS’s inspectors have collected information, such as the location, purpose, agency contacts, and current countermeasures (e.g., perimeter security, access controls, and closed-circuit television systems). This information notwithstanding, FPS has a backlog of federal facilities that have not been assessed for several years. According to FPS’s data, more than 5,000 facilities were to be assessed in fiscal years 2010 through 2012. However, GAO was unable to determine the extent of FPS’s facility security assessment (FSA) backlog because the data were unreliable. Multiple agencies have expended resources to conduct risk assessments, even though the agencies also already pay FPS for this service. FPS received $236 million in basic security fees from agencies to conduct FSAs and other security services in fiscal year 2011. Beyond not having a reliable tool for conducting assessments, FPS continues to lack reliable data, which has hampered the agency’s ability to manage its FSA program.
FPS has an interim vulnerability assessment tool, referred to as the Modified Infrastructure Survey Tool (MIST), which it plans to use to assess federal facilities until it develops a longer-term solution. According to FPS, once implemented, MIST will allow it to resume assessing federal facilities’ vulnerabilities and recommend countermeasures—something FPS has not done consistently for several years. Furthermore, in developing MIST, FPS generally followed GAO’s project management best practices, such as conducting user acceptance testing. However, MIST has some limitations. Most notably, MIST does not estimate the consequences of an undesirable event occurring at a facility. Three of the four risk assessment experts GAO spoke with generally agreed that a tool that does not estimate consequences does not allow an agency to fully assess risks. FPS officials stated that they did not include consequence information in MIST because it was not part of the original design and thus requires more time to validate. MIST also was not designed to compare risks across federal facilities. Thus, FPS has limited assurance that critical risks at federal facilities are being prioritized and mitigated.
FPS continues to face challenges in overseeing its approximately 12,500 contract guards. FPS developed the Risk Assessment and Management Program (RAMP) to help it oversee its contract guard workforce by (1) verifying that guards are trained and certified, and (2) conducting guard post inspections. However, FPS faced challenges using RAMP, such as verifying guard training and certification information, for either purpose and has recently determined that it would no longer use RAMP. Without a comprehensive system, it is more difficult for FPS to oversee its contract guard workforce. FPS is verifying guard certification and training information by conducting monthly audits of guard contractor training and certification information. However, FPS does not independently verify the contractor’s information. Additionally, according to FPS officials, FPS recently decided to deploy a new interim method to record post inspections to replace RAMP.
Why GAO Did This Study
FPS provides security and law enforcement services to over 9,000 federal facilities under the custody and control of the General Services Administration (GSA). GAO has reported that FPS faces challenges providing security services, particularly completing FSAs and managing its these challenges, FPS spent about $35 million and 4 years developing RAMP—essentially a risk assessment and contract guard oversight tool. However, RAMP ultimately could not be used because of system problems.
GAO was asked to examine (1) the extent to which FPS is completing risk assessments; (2) the status of FPS’s efforts to develop an FSA tool; and (3)FPS’s efforts to manage its contract guard workforce. GAO reviewed FPS documents, conducted site visits at 3 of FPS’s 11 regions, and interviewed FPS officials and inspectors, guard companies, and 4 risk management experts.
Recommendations
GAO recommends that FPS incorporate NIPPs risk management framework in any future risk assessment tool; coordinate with federal agencies to reduce any unnecessary duplication in FPSs assessments; address limitations with its interim tool to better assess federal facilities; develop and implement a comprehensive and reliable contract guard oversight system; and independently verify that its contract guards are current on all training and certification requirements. DHS concurred with GAOs recommendations.
Recommendations for Executive Action
| Agency Affected Sort descending | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to incorporate NIPP's risk management framework--specifically in calculating risk to include threat, vulnerability, and consequence information--in any permanent risk assessment tool. |
Closed – Implemented
Federal Protection Service (FPS) provides security and law enforcement services to over 9,000 federal facilities under the custody and control of the General Services Administration (GSA). FPS faces challenges providing security services, particularly completing facility security assessments and managing its contract guard program. GAO reported in 2012 that to address these challenges, FPS spent about $35 million and 4 years developing the Risk Assessment and Management Program (RAMP)--essentially a risk assessment and contract guard oversight tool. However, RAMP ultimately could not be used because of system problems. GAO reported that FPS developed an interim vulnerability assessment tool, referred to as the Modified Infrastructure Survey Tool (MIST), which it planned to use to assess federal facilities until it developed a longer-term solution to replace RAMP. FPS officials stated that, among other things, MIST would enable the agency to begin aligning its facility security assessment process with the National Infrastructure Protection Plan's (NIPP) risk management framework which states that, among other things, a risk assessment should assess threats, vulnerabilities, and consequences. According to the NIPP, a risk assessment should assess threats, vulnerabilities, consequences, and recommend countermeasures. FPS designed MIST to assess vulnerability and added threat information gathered outside of MIST. However, FPS did not design MIST to estimate consequence, a critical component of a risk assessment. Assessing consequence is important because it combines vulnerability and threat information to evaluate the potential effects of an adverse event on a federal facility. Three of the four risk assessment experts we spoke with generally agreed that a tool that does not estimate consequences does not allow an agency to fully assess the risks to a federal facility. As a result, GAO reported that while FPS may be able to identify a facility's vulnerabilities to different threats using MIST, without consequence information, federal tenant agencies may not be able to make fully informed decisions on how to best allocate resources to protect facilities. GAO also reported that until FPS decides what tool, if any, will replace MIST or RAMP, it would continue to lack the ability to assess risk at federal facilities in a manner consistent with NIPP. However, while MIST assessed vulnerability and incorporated threat information, MIST did not assess consequence, a critical component of a risk assessment-important as it evaluates the potential effects of an adverse event on a federal facility-which limited federal tenant agencies' ability to make fully informed decisions on how to best allocate resources to protect facilities and that FPS had not decided what tool, if any, would replace MIST. Therefore, GAO recommended that FPS incorporate the NIPP's risk management framework-specifically in calculating risk to include threat, vulnerability and consequence information-in any permanent risk assessment tool. In 2017, GAO confirmed that FPS made MIST a permanent part of the agency's facility security assessment process and incorporated the NIPP's risk management framework into its facility security assessment process. Specifically, FPS combines MIST's current capabilities with other information sources, fulfilling the necessary components for assessing risks in the NIPP's risk management framework. Using MIST, FPS estimates vulnerability as part of its facility security assessment process which, when incorporated with threat and consequence information, provides federal tenant agencies with a more complete assessment of the risks to their facilities. By incorporating these elements of NIPP's risk management framework into its now permanent tool, FPS is in a better position to assess and address the risks posed to its portfolio of federal facilities.
|
| Department of Homeland Security | Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should direct the Under Secretary of NPPD and the Director of FPS to coordinate with GSA and other federal tenant agencies to reduce any unnecessary duplication in security assessments of facilities under the custody and control of GSA. |
Closed – Implemented
The Federal Protective Service (FPS) provides security and law enforcement services to over 9,000 federal facilities under the custody and control of the General Services Administration (GSA). In 2012, we reported that multiple federal agencies, including GSA, have been expending additional resources to conduct their own risk assessments, while also paying the Federal Protective Service (FPS) for this service. According to FPS's Chief Financial Officer, FPS received $236 million in basic security fees from federal agencies to conduct FSAs and other security services in fiscal year 2011. Specifically, GSA was expending additional resources to assess risk. We reported in October 2010 that GSA officials did not always receive timely FPS risk assessments for facilities GSA considered leasing. GSA sought to have these risk assessments completed before it took possession of a property and leased it to tenant agencies. An inefficient risk assessment process for new lease projects can add costs for GSA and create problems for both GSA and tenant agencies. However, FPS had not coordinated with GSA and other federal agencies to reduce or prevent duplication of its facility security assessments. Therefore, we recommended that DHS direct FPS to coordinate with GSA and other federal tenant agencies to reduce any unnecessary duplication in security assessments of facilities under the custody and control of GSA. In 2016, we confirmed that FPS has taken steps to coordinate with these agencies. For example, in 2014, FPS surveyed GSA and other federal agencies to determine why they were conducting their own risk assessments, among other things. As a result of both coordinating with and surveying GSA as well as other federal agencies, FPS has reduced or prevented the duplication of effort associated with its risk assessments.
|
| Department of Homeland Security | Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should address MIST's limitations (assessing consequence, comparing risk across federal facilities, and measuring performance) to better assess and mitigate risk at federal facilities until a permanent system is developed and implemented. |
Closed – Implemented
In 2012, we reported that Federal Protective Service (FPS) developed the Modified Infrastructure Survey Tool (MIST)--an interim vulnerability assessment tool--that FPS planned to use until it could develop a permanent solution to replace the Risk Assessment and Management Program (RAMP). However, MIST had some limitations as an assessment tool, which could affect FPS's ability to protect federal facilities and provide security services. Specifically MIST's limitations included the: (1) inability to assess consequence, a critical component of a risk assessment-important as it evaluates the potential effects of an adverse event on a federal facility-which limited federal tenant agencies able to make fully informed decisions on how to best allocate resources to protect facilities; (2) inability to compare risk or assessment results across FPS's portfolio of 9,000 facilities, which limited FPS's ability to provide assurance that the most critical risks at these facilities are being prioritized and mitigated; and (3) lack of metrics to measure MIST's performance, such as feedback surveys from tenant agencies, which hampered FPS's ability to improve MIST. Therefore, we recommended that the Department of Homeland Security direct FPS to address MIST's limitations--assessing consequence, comparing risk across federal facilities, and measuring performance--to better assess and mitigate risk at federal facilities until a permanent system is developed and implemented. In 2016, we confirmed that FPS had addressed MIST's limitations while a more permanent risk tool was being developed. For example, FPS has supplemented MIST's output with an overall consequence score via an algorithm using information collected through MIST. FPS has developed the capability to compare risks across its portfolio of federal facilities, allowing FPS to view and analyze their data about risks, countermeasures and other facility information across the country. Finally, FPS has implemented internal and external performance measures, such as federal tenant agency feedback surveys, for MIST and its overall FSA process. By addressing MIST's limitations, FPS is in a better position to assess the threats, vulnerabilities and consequences to its portfolio of federal facilities.
|
| Department of Homeland Security | Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should develop and implement a new comprehensive and reliable system for contract guard oversight. |
Closed – Implemented
The Department of Homeland Security's Federal Protective Service (FPS) relies on a privately contracted guard force to provide security to federal facilities under the custody and control of the General Services Administration. GAO previously reported that FPS faced long-standing challenges overseeing its contract guard program. In 2012, GAO reported that FPS did not have a comprehensive and reliable system to oversee its approximately 12,500 contract guards. Specifically, FPS lacked an oversight system that allowed the agency to verify that guards had the requisite training and certifications to be on post and use FPS inspectors to conduct guard post inspections as required. Without such an oversight system, FPS was unable to independently verify the guard training and certification information provided by guard contractors. Therefore, GAO recommended that FPS develop and implement a new comprehensive and reliable system for contract guard oversight. In 2019, GAO confirmed that FPS developed two systems to comprehensively and reliably oversee its contract guard workforce. First, FPS developed the Training and Academy Management System (TAMS) to be the agency's system of record for all learning activities for FPS personnel and contractors. Contract guard companies use TAMS to enter and update guard training and certification information, along with supporting documentation, such as electronic copies of training and certification records. TAMS also gives FPS personnel the ability to track, monitor, and verify training records for FPS's contract guard workforce. Second, FPS developed the Post Tracking System (PTS) to verify the identity, suitability, training completion, as well as time and attendance of guards at federal facilities. PTS is designed to allow FPS personnel to remotely verify guard posts are staffed as required and track guard certifications to ensure that FPS posts are manned by qualified and cleared guards at all times. With PTS, guards are required to sign in to a PTS device using personal identification number, fingerprint, and an identification card. As FPS demonstrated to GAO, a guard would be unable to sign-in to a post for which they were not qualified-for instance, if they did not have the required screener training or active-threat certification. PTS also allows FPS inspectors to document their post inspections. Finally, training and certification information from TAMS is integrated into PTS-which can help prevent guards from standing at posts for which they do not meet requirements. Such integration enables companies that hire and manage guards to enter and update guard training information used in PTS. By developing these two systems, FPS will be in a better position to provide comprehensive oversight of its contract guard workforce.
|
| Department of Homeland Security | Given the challenges that FPS faces in assessing risks to federal facilities and managing its contract guard workforce, the Secretary of Homeland Security should verify independently that FPS's contract guards are current on all training and certification requirements. |
Closed – Implemented
The Department of Homeland Security's Federal Protective Service (FPS) relies on a privately contracted guard force to provide security to federal facilities under the custody and control of the General Services Administration. In order to be deployed at federal facilities, contract guards must meet FPS's training and certification requirements. GAO previously reported that FPS had experienced difficulty using the Risk Assessment and Management Program (RAMP)-which has been replaced-to ensure that its guards met training and certification requirements, primarily because of issues with verifying RAMP's guard data. In 2012, GAO reported that FPS continued to face challenges in overseeing its 12,500 contract guard workforce. FPS did not independently verify that guards were trained and certified to be on post in federal facilities. FPS required that its guard contractors maintain their own files containing guard training and certification information and submit a monthly report with this information to FPS's regions. FPS verified this information by conducting monthly audits of guard contractor training and certification information. However, FPS relied solely on its guard contractors training and certification information and did not independently verify the information. GAO had previously reported that FPS's reliance on contractor-provided information without independent verification may have contributed to a situation where a contactor allegedly falsified training information for its guards. As a result, FPS's procedures provided limited assurance that qualified contract guards were standing post in federal facilities. Therefore, GAO recommended that FPS verify independently that its contract guards are current on all training and certification requirements. In 2019, GAO confirmed that FPS developed the Training and Academy Management System (TAMS) to be the agency's system of record for all learning activities for FPS personnel and contractors. Contract guard companies use TAMS to enter and update guard training and certification information, along with supporting documentation, such as electronic copies of training and certification records. TAMS gives FPS personnel the ability to track, monitor, and verify training records for FPS's contract guard workforce. FPS has also implemented new procedures that require FPS personnel to verify the data in TAMS by monitoring guard training classes and by cross-referencing TAMS information against other records, such as quarterly training schedules and signed training rosters. By implementing TAMS along with its additional verification procedures, FPS can better ensure that its contract guard workforce is adequately trained and certified.
|