National Mall: Actions Needed to Better Manage Physical Security Risks

Highlights

What GAO Found

Federal entities on the National Mall are assessing the physical security risks to their respective U.S. assets. In doing so, they are demonstrating that they are taking a risk management approach to meet the demands of a complex security environment, specifically:

To assess the risks to the icons—the Washington Monument and the Jefferson and Lincoln Memorials—the Department of the Interior (Interior) follows a departmental policy that reflects government-wide homeland security objectives for critical infrastructure. Among other things, Interior's policy establishes minimum security requirements for safeguarding critical infrastructure such as the icons.

To assess the risks to the museums and galleries on the National Mall, the Smithsonian Institution (Smithsonian) and the National Gallery of Art (National Gallery) voluntarily follow government-wide standards set forth by the Interagency Security Committee (ISC)—an interagency organization chaired by the Department of Homeland Security (DHS). These standards are designed to minimize risk to federal facilities and help nonmilitary federal entities meet recommended levels of protection. Interior's, the Smithsonian's, and the National Gallery's adherence to these policies and standards, and the related steps that the entities follow, shows the considerable extent to which these entities use risk assessments as an analytical tool in their physical security programs. Nonetheless, the threat to federal facilities is significant, and ISC standards require the documentation of risk management decisions—such as decisions to defer actions to mitigate risk due to cost or other factors. Documenting risk management decisions is also a necessary part of an effective internal-control system and important in order to retain institutional knowledge and inform decision-making. GAO found that the National Gallery, which follows ISC standards voluntarily, lacked such documentation.

Interior, the Smithsonian, and the National Gallery collect information on various aspects of the performance of their physical security programs and are making efforts to use goals, measures, and testing to assess the performance of their physical security programs; however, each could benefit from taking additional steps. ISC and GAO have reported that it is necessary to establish goals and link performance measures to those goals to assess progress. While Interior, the Smithsonian, and the National Gallery intend to link performance measures to goals, they have not done so yet or established firm time frames for completing these efforts. Ensuring that plans include both goals and performance measures linked to those goals, as well as developing timelines for completion, could help these entities develop a more strategic view of their physical security programs and better position them to prioritize their needs. These entities also test aspects of their physical security programs, such as to ensure that security systems are operational and that guards are attending to their duties. While the entities have reached out to others to improve their overall programs, they did not focus on testing as part of that outreach. Seeking input from others with expertise is consistent with key practices GAO has identified for physical security and could help these entities target where their testing efforts need improvement.

Why GAO Did This Study

The National Mall is one of the most recognizable landscapes in the United States. It is home to memorials to our nation's history and some of the most visited museums in the world. Threats to these assets—whether acts of terrorism, violence, or vandalism or theft of artifacts or art—could result not only in the loss of life but also the loss of iconic monuments or irreplaceable items from the Smithsonian's or National Gallery's collections.

GAO was asked to review the steps Interior, the Smithsonian, and the National Gallery are taking to protect U.S. assets, employees, and the visiting public. This report examines: (1) the extent to which these entities assess physical security risks and (2) the extent to which the entities use goals, measures, and testing to assess their physical security programs. This is a public version of a sensitive report that GAO issued in May 2017.

GAO reviewed applicable federal requirements; Interior-, Smithsonian-, and National Gallery-specific policies and related documents; and interviewed officials.

Recommendations

In the sensitive report, GAO recommended that (1) the National Gallery document its risk management decisions and that (2) Interior, the Smithsonian, and the National Gallery link performance measures with security goals and seek input to enhance their testing programs. Interior, the Smithsonian, and the National Gallery agreed with GAO's recommendations and indicated they will begin taking steps to address them.

Recommendations for Executive Action

Agency Affected	Recommendation	Status
Department of the Interior	The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to ensure that performance measures linked to program goals are included as part of its updated strategic plan and direct it to develop a timeline for completion of this plan.	Closed – Implemented The National Mall in Washington, D.C., is a destination for more than 24-million people each year and home to numerous monuments and memorials to our nation's history and heritage. The open spaces of the National Mall, along with the Washington Monument and the Jefferson and Lincoln Memorials, are administered and maintained by the Department of the Interior's National Park Service and patrolled by the U.S. Park Police (Park Police). In 2017, GAO reported that the Park Police was collecting information on various aspects of the performance of its physical security program on the National Mall and using that information to manage its program. However, at the time of GAO's review, the Park Police's efforts aligned with a strategic plan that covered fiscal years 2006-2009. This plan contains several goals and action steps needed to implement these goals, although it had not been updated since 2006. GAO has previously reported that monitoring and evaluating actions taken against strategic objectives and performance measures is important, and a key part of performance measurement is setting meaningful goals and measuring progress toward those goals. As a result, GAO recommended that the Park Police ensure that performance measures linked to program goals were included as part of its next strategic plan and develop a timeline for completion of this plan. In 2018, GAO confirmed that the Park Police had developed a strategic plan for 2017-2021, which eliminated the need for a timeline. As part of its strategic plan, the Park Police identified goals, sub-goals, and performance measures for its program. For example, one of the goals the Park Police established is ensuring that critical existing technology works effectively and delivers consistent results across all Park Police locations, and related performance measures include tracking information on the number of repairs of screening equipment. By taking these steps, the Park Police has enhanced its ability to monitor and evaluate its efforts while developing a more strategic view of its physical security program on the National Mall and better position itself to prioritize security needs.
Department of the Interior	The Secretary of the Interior should direct the Director of the National Park Service to direct the U.S. Park Police to seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program.	Closed – Implemented The National Mall in Washington, D.C., is home to numerous monuments and memorials to our nation's history and heritage. The open spaces of the National Mall, along with the Washington Monument and the Jefferson and Lincoln Memorials, are administered and maintained by the Department of the Interior's National Park Service and patrolled by the U.S. Park Police (Park Police). In 2017, GAO reported that the Park Police was taking steps to test aspects of its physical security program on the National Mall and had reached out to other entities to help improve its overall program but had not made testing a focus of its efforts. Testing is a key practice for physical security programs. Testing-both covert and planned-can help determine whether security staff and equipment are adequate under real and simulated conditions, and the results of testing can provide insight into the effectiveness of efforts to mitigate potential vulnerabilities. GAO has also reported that the Department of Justice's U.S. Marshals Service (Marshals Service), which has primary responsibility for the security of federal courthouses, have years of experience in testing security-screening efforts in federal buildings-places where balancing public access and security is an important factor. Marshals Service officials told GAO they would be willing to share their expertise in planning and conducting testing with entities on the National Mall. As a result, GAO recommended that the Park Police seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security program. In 2019, GAO confirmed that the Park Police took steps to implement that recommendation. Specifically, beginning in late 2017, the Park Police worked with other federal entities located on or around the National Mall to adapt guidance provided by the Marshals Service to develop standard operating procedures for testing the Park Police's physical security on the National Mall. In October 2019, those procedures were approved and put into effect. By taking this step, the Park Police is better positioned to assess the effectiveness of its physical security program on the National Mall.
Smithsonian Institution	The Secretary of the Smithsonian Institution should direct the Office of Protection Services to develop program goals and ensure that performance measures linked to those goals are included as part of the strategic plan for security and develop a timeline for completion of this plan.	Closed – Implemented The National Mall in Washington, D.C., is home to some of the most visited museums and galleries in the world. Various federal entities, such as the Smithsonian Institution (Smithsonian), are responsible for the physical security of the National Mall, which includes conducting risk assessments of their assets and implementing measures to protect those assets, employees, and the visiting public. In 2017, GAO reported that the Smithsonian was taking steps to assess the risks to its assets on the National Mall but could benefit from taking additional steps. Specifically, GAO reported that the Smithsonian was using performance measures to monitor various aspects of its physical security program and planned to link those performance measures to program goals, but had not yet identified those goals. At the time, Smithsonian officials told GAO that they planned to establish goals and address this need as part of an effort the Smithsonian was undertaking to develop a strategic plan for security. However, Smithsonian officials also told GAO that they did not know when this effort would be completed and that prior efforts to develop a strategic plan for security had been delayed due to other priorities. While measuring the performance of physical security programs can be challenging, GAO has reported that monitoring and evaluating actions taken against strategic objectives and performance measures is part of the "loop" of risk management and helps ensure that an entity's objectives are being accomplished. A key part of performance measurement is setting meaningful goals and measuring progress toward those goals. Also, developing a timeline for completion could help the Smithsonian take a more strategic approach to performance measurement and better position it to prioritize its needs. As a result, GAO recommended that the Smithsonian develop goals for its physical security program and ensure that performance measures linked to those goals are included as part of its strategic planning efforts and develop a timeline for completing those efforts. In 2019, GAO confirmed that the Smithsonian had taken steps to implement this recommendation. First, following issuance of GAO's report the Smithsonian completed its strategic plan for security and the plan included goals. Second, the Smithsonian's plan included strategies to achieve those goals and the Smithsonian developed timeframes for implementing related performance measures. By taking these steps, the Smithsonian is better positioned to assess the effectiveness of its physical security program on the National Mall.
Smithsonian Institution	The Secretary of the Smithsonian Institution should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.	Closed – Implemented The National Mall in Washington, D.C., is home to some of the most visited museums and galleries in the world. Various federal entities, such as the Smithsonian Institution (Smithsonian), are responsible for the physical security of the National Mall, which includes conducting risk assessments of their assets and implementing measures to protect those assets, employees, and the visiting public. In 2017, GAO reported that the Smithsonian was taking steps to test aspects of its physical security program on the National Mall and had reached out to other entities to help improve its overall program but had not made testing a focus of its efforts. Testing is a key practice for physical security programs. Testing-both covert and planned-can help determine whether security staff and equipment are adequate under real and simulated conditions, and the results of testing can provide insight into the effectiveness of efforts to mitigate potential vulnerabilities. Further, physical security standards for nonmilitary federal facilities in the United States state that nonmilitary federal entities should use testing to assess and document the effectiveness of their physical security programs. GAO has also reported that the Department of Justice's U.S. Marshals Service (Marshals Service), which has primary responsibility for the security of federal courthouses, have years of experience in testing security-screening efforts in federal buildings-places where balancing public access and security is an important factor. Marshals Service officials told GAO they would be willing to share their expertise in planning and conducting testing with entities on the National Mall. As a result, GAO recommended that the Smithsonian seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security programs. In 2019, GAO confirmed that the Smithsonian took steps to implement that recommendation. Specifically, beginning in late 2017, the Smithsonian worked with other federal entities located on or around the National Mall to adapt guidance provided by the Marshals Service to develop standard operating procedures for testing the security of its facilities. In October 2019, those procedures were approved and put into effect. By taking this step, the Smithsonian is better positioned to assess the effectiveness of its physical security program on the National Mall.
National Gallery of Art	The Director of the National Gallery of Art should direct the Office of Protection Services to develop a process for documenting risk management decisions.	Closed – Implemented The National Mall in Washington, D.C., is one of the most recognizable landscapes in the United States. It is home to our nation's Capital as well as home to some of the most visited museums in the world. Various federal entities, including the National Gallery of Art (National Gallery), are responsible for the physical security of the National Mall. This includes conducting risk assessments of their assets and implementing measures to protect those assets, employees, and the visiting public from threats that range from theft to active shooter. In 2017, GAO reported that the National Gallery was taking steps to assess its security risks on the National Mall but did not have complete documentation of its risk management decisions, such as decisions to defer actions to mitigate risk due to cost or other factors. Documenting risk management decisions is important for several reasons. First, physical security standards for nonmilitary federal facilities in the United States issued by the Interagency Security Committee (an interagency organization chaired by the Department of Homeland Security) state that the threat to federal facilities is significant and that decisions to accept risk could have serious consequences. To that end, the Interagency Security Committee requires that risk management decisions be documented. Second, GAO has previously reported that risk management, as it pertains to facility protection, relies heavily on having accurate and timely information. Third, documenting risk management decisions is also a necessary part of an effective internal-control system and important in order to retain institutional knowledge and inform decision-making. Without documentation, decision makers may not effectively understand the rationale behind decisions-or, in the case of risk management-make important security-related decisions. As a result, GAO recommended that the National Gallery take steps to document its risk management decisions. In 2018, GAO confirmed that the National Gallery had taken steps to implement that recommendation. Specifically, the National Gallery adopted a tool the Interagency Security Committee provides federal agencies to document their risk management decisions. As part of this process, the National Gallery is now documenting its risk management decisions, including the rationale for accepting risk, and those decisions are reviewed and approved by the National Gallery's management. By taking this step, the National Gallery is better positioned to ensure that it is complying with federal physical security standards. It is also helping the National Gallery address gaps in its institutional knowledge and assisting its decision makers make important physical security risk management decisions.
National Gallery of Art	The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.	Closed – Implemented In 2017, we reported that federal entities on the National Mall were assessing the physical security risks to their respective assets. Among these entities, we reported that the National Gallery of Art (National Gallery) voluntarily followed government-wide standards set forth by the Interagency Security Committee (ISC)-an interagency organization chaired by the Department of Homeland Security (DHS). These standards are designed to minimize risk to federal facilities and help nonmilitary federal entities meet recommended levels of protection. As part of these efforts, the National Gallery was collecting information on various aspects of the performance of its physical security program and was making efforts to use goals, measures, and testing to assess performance. The National Gallery was also developing a master security plan, and as part of this plan the agency intend to develop goals and performance measures. However, this plan was still in draft form and time frames for implementation were unclear. In addition to the efforts underway, we reported that the National Gallery could benefit from taking additional steps to link performance measures to its goals to assess progress. ISC and GAO have reported that it is necessary to establish goals and link performance measures to those goals to assess progress. As such, we recommended that the National Gallery ensure that program goals and performance measures linked to goals are included as part of its then-planned master security plan and that it develop a timeline for completion of this plan. In May 2021, we confirmed that the National Gallery did not develop a master security plan, but instead established performance goals and measures for the Office of Protection Services as part of its 5-Year Strategic Plan through 2023. The plan includes several broad goals such as transforming the workforce and achieving organizational excellence, with a series of specific actions associated with each goal. For example, the goal on transforming the workforce includes actions and measures related to ensuring officers' physical readiness and knowledge of de-escalation tactics. Because of these actions, the National Gallery will have a clearer view of the effectiveness of their physical security programs and will be better positioned to prioritize security program needs.
National Gallery of Art	The Director of the National Gallery of Art should direct the Office of Protection Services to seek additional input from federal entities with expertise regarding ways to enhance testing of the physical security program.	Closed – Implemented The National Mall in Washington, D.C., is home to some of the most visited museums and galleries in the world. Various federal entities, such as the National Gallery of Art (National Gallery), are responsible for the physical security of the National Mall, which includes conducting risk assessments of their assets and implementing measures to protect those assets, employees, and the visiting public. In 2017, GAO reported that the National Gallery was taking steps to test aspects of its physical security program on the National Mall and had reached out to other entities to help improve its overall program but had not made testing a focus of its efforts. Testing is a key practice for physical security programs. Testing-both covert and planned-can help determine whether security staff and equipment are adequate under real and simulated conditions, and the results of testing can provide insight into the effectiveness of efforts to mitigate potential vulnerabilities. Further, physical security standards for nonmilitary federal facilities in the United States state that nonmilitary federal entities should use testing to assess and document the effectiveness of their physical security programs. GAO has also reported that the Department of Justice's U.S. Marshals Service (Marshals Service), which has primary responsibility for the security of federal courthouses, have years of experience in testing security-screening efforts in federal buildings-places where balancing public access and security is an important factor. Marshals Service officials told GAO they would be willing to share their expertise in planning and conducting testing with entities on the National Mall. As a result, GAO recommended that the National Gallery seek additional input from federal entities with expertise regarding ways to enhance testing of its physical security programs. In 2019, GAO confirmed that the National Gallery took steps to implement that recommendation. Specifically, beginning in late 2017, the National Gallery worked with other federal entities located on or around the National Mall to adapt guidance provided by the Marshals Service to develop standard operating procedures for testing the security of its facilities. In October 2019, those procedures were approved and put into effect. By taking this step, the National Gallery is better positioned to assess the effectiveness of its physical security program on the National Mall.

See All 7 Recommendations

Full Report

Highlights Page (1 page)

Full Report (32 pages)

Accessible PDF (36 pages)

GAO Contacts

Lori Rectanus

Director

rectanusl@gao.gov

(202) 512-2834

Office of Public Affairs

Chuck Young

Managing Director

youngc1@gao.gov

(202) 512-4800

Topics

Homeland Security

Facility securityFederal facilitiesMuseumsNational parksPerformance measuresPhysical securityRisk assessmentRecreation areasRisk managementSecurity policiesSecurity threatsStrategic planningTesting