Federal Facilities: Improved Oversight Needed for Security Recommendations
Fast Facts
The Department of Homeland Security is responsible for security at federal buildings and facilities.
We previously reported that federal agencies don't implement many of DHS's Federal Protective Service recommendations for security improvements. When we followed up with agency representatives, they cited cost or feasibility concerns.
DHS requires federal agencies to self-report some information about security recommendations. But because DHS does not verify this information, it can't be sure that facilities are protected. We recommended ways to strengthen this oversight.
DHS protects many federal buildings, including this U.S. Courthouse in Mobile, Alabama.
Highlights
What GAO Found
The Federal Protective Service (FPS) conducts security assessments and recommends countermeasures—such as security cameras—to address vulnerabilities at federal facilities. FPS maintains a database with information on its assessments and on agencies' decisions to approve or reject these recommendations. As GAO reported in 2022, FPS data indicate that agencies did not respond to over half of FPS's recommendations in fiscal years 2017 through 2021 (GAO-22-106177).
In the discussion groups GAO held with facilities' representatives, participants cited several reasons why agencies might not act on FPS recommendations. Reasons included the cost or feasibility of implementing recommended countermeasures.
Security Cameras as an Example of a Facility Countermeasure
The Interagency Security Committee (ISC), established by Executive Order 12977, is required to oversee the implementation of appropriate countermeasures in certain federal facilities, among other responsibilities. The Department of Homeland Security (DHS) chairs this organization, which is comprised of 66 federal agencies. The ISC requires non-military executive branch agencies to self-report some information on the degree to which they comply with ISC's federal security standards. For example, these agencies report on the extent to which they documented their acceptance of risk for countermeasures they did not implement. However, GAO found that ISC's oversight does not verify that these agencies have:
- implemented FPS-recommended countermeasures, or
- documented the acceptance of risk for those countermeasures they do not implement at their facilities.
Without an oversight mechanism to verify if these federal facilities are implementing the appropriate countermeasures or accepting the risk of not doing so, the federal government lacks reasonable assurance that such facilities are secure.
Why GAO Did This Study
FPS protects over 9,000 federal facilities with over 1.4 million employees and visitors. As part of its services, FPS conducts facility security assessments and recommends countermeasures to help address vulnerabilities at federal facilities. FPS conducts these assessments based on ISC security standards. Agencies are responsible for acting on these countermeasures.
GAO was asked to review the implementation of countermeasures recommended by FPS. This report (1) identifies information that FPS maintains on its assessments and recommendations, (2) identifies factors that affect agencies' decisions to act on these recommendations, and (3) examines how ISC assesses compliance with its security standards and countermeasures.
GAO reviewed FPS guidance on the information collected from its assessments, and how that information is entered into its database. In addition, GAO held discussion groups with officials representing 27 selected facilities where FPS conducted security assessments between 2017 and 2021, as well as FPS and ISC officials. GAO also reviewed ISC documentation and guidance.
Recommendations
GAO is making two recommendations to DHS that it improve its oversight ability to (1) assess countermeasure implementation and (2) identify the acceptance of risk at facilities where recommended countermeasures are not implemented. DHS concurred with GAO's recommendations.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Homeland Security | The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to assess the implementation of FPS's recommended countermeasures. (Recommendation 1) | In January 2025, the ISC provided GAO with documentation demonstrating that it added questions to its annual questionnaire to improve oversight of the implementation of identified countermeasures, including those from FPS. These additional questions will improve ISC's oversight of departments' and agencies' implementation of countermeasures and provide a greater level of assurance that federal facilities are meeting the ISC's security standards. |
Department of Homeland Security | The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to identify the recommendations for which agencies did not implement the recommended countermeasure and did not document the acceptance of the risk. (Recommendation 2) | The Federal Protective Service (FPS) is responsible for protecting 9,000 federal facilities with over 1.4 million employees and visitors. As part of its services, FPS conducts facility security assessments and recommends countermeasures to help address vulnerabilities at federal facilities. The Interagency Security Committee (ISC) is responsible for developing facility security standards and overseeing federal agency implementation of recommended countermeasures at federal facilities. ISC security standards require, among other things, that federal agencies accept the risk of recommended countermeasures they do not implement and document the acceptance of that risk. In 2023, GAO... |