Skip to main content

Diplomatic Security: Overseas Facilities May Face Greater Risks Due to Gaps in Security-Related Activities, Standards, and Policies

GAO-14-655 Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.
Jump To:
Skip to Highlights

Highlights

What GAO Found

To manage risks at its overseas work facilities, the Department of State (State) tracks information about each facility, assesses threat levels at posts, develops security standards to meet threats facing different types of facilities overseas, identifies vulnerabilities, and sets risk-based construction priorities. For example, State assesses six types of threats, such as terrorism, and assigns threat levels, which correspond to physical security standards at each overseas post. However, GAO found several inconsistencies in terminology used to categorize properties and within the property inventory database used to track them, raising questions about the reliability of the data. For example, GAO identified a facility categorized as a warehouse that included offices and therefore should have been subject to more stringent standards. Gaps in categorization and tracking of facilities could hamper the proper implementation of physical security standards.

Although State has established physical security standards for most types of overseas facilities, GAO identified some facility types for which standards were lacking or unclear, instances in which the standards were not updated in a timely manner, and inconsistencies within the standards. The following are examples:

  •  It is unclear what standards apply to some types of facilities.
  •  In some instances, updating standards took more than 8 years.
  •  One set of standards requires anti-ram perimeter walls at medium- and higher-threat posts; another required them only at higher-threat posts. 

Furthermore, GAO found that State lacks a process for reassessing standards against evolving threats and risks. GAO identified several posts that put security measures in place that exceed the standards because the standards did not adequately address emerging threats and risks. Without adequate and up-to-date standards, post officials rely on an ad hoc process to establish security measures rather than systematically drawing upon collective subject-matter expertise.

Although State takes steps to mitigate vulnerabilities to older, acquired, and temporary work facilities, its waivers and exceptions process has weaknesses. When posts cannot meet security standards for a given facility, the posts must submit requests for waivers and exceptions, which identify steps the post will take to mitigate vulnerabilities. However, GAO found neither posts nor headquarters systematically tracks the waivers and exceptions and that State has no process to re-evaluate waivers and exceptions when the threat or risk changes. Furthermore, posts do not always request required waivers and exceptions and do not always take required mitigation steps. With such deficiencies, State cannot be assured it has all the information needed to mitigate facility vulnerabilities and that mitigation measures have been implemented.

GAO found that State has not fully developed and implemented a risk management policy for overseas facilities. Furthermore, State's risk management activities do not operate as a continuous process or continually incorporate new information. State does not use all available information when establishing threat levels at posts, such as when posts find it necessary to implement measures that exceed security standards. State also lacks processes to re-evaluate the risk to interim and temporary facilities that have been in use longer than anticipated. Without a fully developed risk management policy, State may lack the information needed to make the best security decisions concerning personnel and facilities.

To manage risk to overseas work facilities, State conducts a range of ongoing activities, including the setting of security standards. However, GAO identified a number of problems with these activities. Moreover, GAO found that State lacked a fully developed risk management policy to coordinate these activities (see figure). 

State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

Graphic of State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

This is the public version of a Sensitive but Unclassified report by the same title.

Why GAO Did This Study

U.S. policy can call for U.S. personnel to be posted to high-threat, high-risk posts overseas. To maintain a presence in these locations, State has often relied on older, acquired (purchased or leased), and temporary work facilities that do not meet the same security standards as more recently constructed permanent facilities.

GAO was asked to review how State assures the security of these work facilities. GAO evaluated (1) how State manages risks at work facilities overseas; (2) the adequacy of State's physical security standards for these facilities; (3) State's processes to address vulnerabilities when older, acquired, and temporary overseas facilities do not meet physical security standards; and (4) the extent to which State's activities to manage risks to its overseas work facilities align with State's risk management policy and with risk management best practices. GAO reviewed U.S. laws and State's policies, procedures, and standards for risk management and physical security. GAO reviewed facilities at a judgmental sample of 10 higher-threat, higher-risk, geographically dispersed, overseas posts and interviewed officials from State and other agencies in Washington, D.C., and at 16 overseas posts, including the 10 posts at which GAO reviewed facilities.

Recommendations

GAO is making 13 recommendations for State to address gaps in its security-related activities, standards, and policies. State generally agreed with GAO’s recommendations.

Specifically, GAO is recommending that the Secretary of State:

1. Define the conditions when a warehouse should be categorized as an office facility and meet appropriate security standards.

2. Harmonize the terminology State uses to categorize facilities in its security standards and property databases.

3. Establish a routine process for validating the accuracy of the data in State’s property database.

4. Establish a routine process for validating the accuracy of the data in State’s risk matrix.

5. Identify and eliminate inconsistencies between and within State’s physical security guidance.

6. Develop physical security standards for facilities not currently covered by existing standards.

7. Clarify existing flexibilities to ensure that security and life-safety updates to the security standards are updated through an expedited review process.

8. Develop a process to routinely review all security standards to determine if the standards adequately address evolving threats and risks.

9. Develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

10. Automate waivers and exceptions documentation, and ensure that headquarters and post officials have ready access to the documentation.

11. Routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.

12. Develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.

13. Develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of State To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct Office of Management Policy, Rightsizing, and Innovation (M/PRI), Bureau of Diplomatic Security (DS), and Bureau of Overseas Buildings Operations (OBO) to define the conditions when a warehouse should be categorized as an office facility and meet appropriate office physical security standards.
Closed – Implemented
State has defined the conditions when a warehouse should be categorized as an office facility and should meet appropriate physical security standards. These conditions, which are documented in the Foreign Affairs Handbook, state that for standalone warehouses used both for storage and full-time office space for U.S. government employees performing non-warehouse staff functions, the office space must meet the physical security standards for Sole Occupant of a Building or Compound.
Department of State
Priority Rec.
To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct M/PRI, DS, and OBO to harmonize the terminology State uses to categorize facilities in State's physical security standards and property databases.
Closed – Implemented
State agreed with the intent of the recommendation and has developed a standardized dataset for domestic and overseas facilities. However, State did not believe that incorporating this standardized dataset into its physical security standards was the most efficient approach, and instead, shared information about the new standardized dataset through an announcement in May 2017 to ensure all relevant officials are aware of the dataset and how to access it. In addition, State is linking its Physical Security Surveys application, which it uses to document the physical security of all overseas facilities, to the Overseas Building Operations (OBO) property database. The OBO property database includes the standardized dataset for facility terms. According to State officials, this should ensure that the Physical Security Surveys application adequately identifies all relevant work facilities.
Department of State
Priority Rec.
To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct OBO to establish a routine process for validating the accuracy of the data in OBO's property database.
Closed – Implemented
State established an annual process that requires posts to review and verify the accuracy of the property database. State formalized this process in 2016 by incorporating the process into the Foreign Affairs Manual.
Department of State To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct DS to establish a routine process for validating the accuracy of the data in DS's risk matrix.
Closed – Implemented
State agreed with this recommendation. Subsequently, State developed a mechanism for crosschecking its risk data and published a standard operating procedure on how this information should be updated.
Department of State
Priority Rec.
To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct the Under Secretary for Management to identify and eliminate inconsistencies between and within the Foreign Affairs Manual, Foreign Affairs Handbook (FAH), and other guidance concerning physical security.
Closed – Implemented
State agreed with the recommendation. To improve its ability to identify inconsistencies in security-related guidance documents, State's Bureau of Diplomatic Security began conducting annual reviews of every section of the FAM and FAH portions they are responsible for in 2014, and the bureau formalized this review by updating its standard operating procedures for FAM/FAH updates in March 2017.
Department of State
Priority Rec.
To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the Overseas Security Policy Board (OSPB) to develop physical security standards for facilities not currently covered by existing standards.
Closed – Implemented
State agreed with this recommendation. In response, DS developed physical security standards for one type of off-compound facility for which standards did not previously exist, and incorporated the physical security standards for other types of facilities outlined in a May 2011 memorandum into the OSPB standards in May 2017.
Department of State
Priority Rec.
To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to clarify existing flexibilities in the FAH to ensure that security and life-safety updates to the OSPB standards and Physical Security Handbook are updated through an expedited review process.
Closed – Implemented
State agreed with this recommendation. In response, State revised the Overseas Security Policy Board (OSPB) Working Group Guidelines, which outline the process for developing and approving new or revised OSPB standards. The updated guidelines streamline the process for updating the OSPB standards by, for example, limiting OSPB members' review comments to just the proposed changes in the final draft. State published the updated guidelines in December 2018.
Department of State
Priority Rec.
To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks.
Closed – Implemented
State agreed with the recommendation. DS began conducting annual reviews of the FAM and FAH in 2014, and the bureau formalized this review by updating its standard operating procedures for FAM/FAH updates in March 2017. The new standing operating procedures outline events to consider when reviewing the FAM and FAH for necessary updates, including considering new National Security Council Decisions and new technology, research, or tests that identify security deficiencies.
Department of State
Priority Rec.
To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.
Closed – Implemented
State did not initially agree or disagree with this recommendation. However, State officials later agreed that it is important to have a process for regularly re-evaluating risk to facilities. As such, State has revised and developed additional processes for re-evaluating risk. For example, all Chief-of-Missions are required to sign an annual assurance statement. In April 2017, State clarified the regional security officers' role in the Chief-of-Mission annual assurance statement process, and requires regional security officers to provide a briefing on the status of physical security for all facilities at post. This briefing is required to include information about security vulnerabilities, mitigation strategies, areas of non-compliance with security requirements, and any waivers or exceptions on file. In addition, State has fully implemented the Vital Presence Validation Process to annually reassess the risk taken to operate at each of the high-threat, high-risk posts. As part of this process, State officials prepare documentation for each post that includes a description of all facilities at post (including permanent, temporary, and interim facilities), any security deficiencies, mitigation measures and any security upgrades implemented, and any waivers or exceptions on file. This documentation also includes a conclusion statement accepting or rejecting the risk associated with continued operations at the post in question that is ultimately reviewed by the Deputy Secretary of State.
Department of State
Priority Rec.
To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to automate its documentation of waivers and exceptions, and ensure that DS officials in headquarters and at each post have ready access to post's waivers and exceptions documentation.
Closed – Implemented
In response to the GAO recommendation, the Bureau of Diplomatic Security scanned in all waiver and exception packages and made them available electronically to all regional security officers (RSOs) as of August 25, 2015. According to DS, the scanned packages now constitute the "Published Waivers and Exceptions" library, and is available for viewing through the classified Regional Security Officer (RSO) Security Management Console (SMC).
Department of State
Priority Rec.
To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.
Closed – Implemented
State agreed with this recommendation. In response, DS modified the physical security survey template DS officials use to routinely evaluate the security of work facilities overseas to include questions about waivers and exceptions. In addition, DS developed a Deficiency Database to electronically track physical security deficiencies at and existing waivers and exceptions for facilities overseas. The Deficiency Database became fully functional in July 2017.
Department of State
Priority Rec.
To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.
Closed – Implemented
State agreed with this recommendation. In response, DS developed a Deficiency Database to electronically track physical security deficiencies at and existing waivers and exceptions for facilities overseas. DS officials are responsible for extracting the mitigation strategy from the waivers and exceptions and inputting the mitigation strategy into the Deficiency Database to track implementation of the strategy. The Deficiency Database became fully functional in July 2017. In addition, DS has begun using the database to identify required mitigation steps and requested that the Bureau of Overseas Building Operations begin to address the identified mitigation requirements.
Department of State
Priority Rec.
To strengthen the effectiveness of the Department of State's risk management policies, the Secretary of State should develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.
Closed – Implemented
Instead of developing a risk management policy, State's Bureau of Diplomatic Security (DS) developed and launched a collaborative website to improve access to information necessary for making risk management decisions for U.S. diplomatic facilities overseas in September 2017. Prior to creating this collaborative website, State's risk management-related information and data was located in disparate systems that made it difficult for officials in headquarters and at posts to gain access to the same and the most up-to-date information. To address this issue and GAO's recommendation, DS developed the DS Countermeasures Collaboration Site. The new DS Countermeasures Collaboration Site serves as a depository for the physical security information GAO identified in 2014 as information that decision makers need to understand to make decisions about the current physical security blueprint at a particular post. The site provides a common operating picture between officials in headquarters and overseas. In addition, officials stated that the new site is creating a natural feedback loop because DS officials in headquarters and overseas are now reviewing the security-related information together to develop a work plan for the U.S. mission. The newly added information obtained during the completion of this work plan will then feed back into the risk management process and inform future security activities at U.S. missions. Together these actions address the intent of GAO's recommendation.

Full Report

GAO Contacts

Topics

Diplomatic securityFacility maintenanceFacility managementFacility securityFederal facilitiesFederal propertyPhysical securityRisk managementStandardsInternational affairs