Federal Facilities: Improved Oversight Needed for Security Recommendations
The Department of Homeland Security is responsible for security at federal buildings and facilities.
We previously reported that federal agencies don't implement many of DHS's Federal Protective Service recommendations for security improvements. When we followed up with agency representatives, they cited cost or feasibility concerns.
DHS requires federal agencies to self-report some information about security recommendations. But because DHS does not verify this information, it can't be sure that facilities are protected. We recommended ways to strengthen this oversight.
DHS protects many federal buildings, including this U.S. Courthouse in Mobile, Alabama.
What GAO Found
The Federal Protective Service (FPS) conducts security assessments and recommends countermeasures—such as security cameras—to address vulnerabilities at federal facilities. FPS maintains a database with information on its assessments and on agencies' decisions to approve or reject these recommendations. As GAO reported in 2022, FPS data indicate that agencies did not respond to over half of FPS's recommendations in fiscal years 2017 through 2021 (GAO-22-106177).
In the discussion groups GAO held with facilities' representatives, participants cited several reasons why agencies might not act on FPS recommendations. Reasons included the cost or feasibility of implementing recommended countermeasures.
Security Cameras as an Example of a Facility Countermeasure
The Interagency Security Committee (ISC), established by Executive Order 12977, is required to oversee the implementation of appropriate countermeasures in certain federal facilities, among other responsibilities. The Department of Homeland Security (DHS) chairs this organization, which is comprised of 66 federal agencies The ISC requires non-military executive branch agencies to self-report some information on the degree to which they comply with ISC's federal security standards. For example, these agencies report on the extent to which they documented their acceptance of risk for countermeasures they did not implement. However, GAO found that ISC's oversight does not verify that these agencies have:
- implemented FPS-recommended countermeasures, or
- documented the acceptance of risk for those countermeasures they do not implement at their facilities.
Without an oversight mechanism to verify if these federal facilities are implementing the appropriate countermeasures or accepting the risk of not doing so, the federal government lacks reasonable assurance that such facilities are secure.
Why GAO Did This Study
FPS protects over 9,000 federal facilities with over 1.4 million employees and visitors. As part of its services, FPS conducts facility security assessments and recommends countermeasures to help address vulnerabilities at federal facilities. FPS conducts these assessments based on ISC security standards. Agencies are responsible for acting on these countermeasures.
GAO was asked to review the implementation of countermeasures recommended by FPS. This report (1) identifies information that FPS maintains on its assessments and recommendations, (2) identifies factors that affect agencies' decisions to act on these recommendations, and (3) examines how ISC assesses compliance with its security standards and countermeasures.
GAO reviewed FPS guidance on the information collected from its assessments, and how that information is entered into its database. In addition, GAO held discussion groups with officials representing 27 selected facilities where FPS conducted security assessments between 2017 and 2021, as well as FPS and ISC officials. GAO also reviewed ISC documentation and guidance.
Recommendations
GAO is making two recommendations to DHS that it improve its oversight ability to (1) assess countermeasure implementation and (2) identify the acceptance of risk at facilities where recommended countermeasures are not implemented. DHS concurred with GAO's recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Homeland Security | The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to assess the implementation of FPS's recommended countermeasures. (Recommendation 1) |
DHS concurred with our recommendation and stated that it plans to address it by April 30, 2024. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.
|
| Department of Homeland Security | The Secretary of Homeland Security should ensure that the Cybersecurity and Infrastructure Security Agency improves its oversight of security measures by modifying its compliance and verification process to identify the recommendations for which agencies did not implement the recommended countermeasure and did not document the acceptance of the risk. (Recommendation 2) |
DHS concurred with our recommendation and stated that it plans to address it by April 30, 2024. When we confirm what actions DHS has taken in response to this recommendation, we will provide updated information.
|