Recommendation: The Administrator of the General Services Administration should expand its outreach as appropriate to obtain feedback from lessors that are representative of its entire lease portfolio. (Recommendation 1)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: GSA agreed with this recommendation. In its 180-day letter to the congressional clients dated March 25, 2020, GSA stated that it would provide additional documentation of invitations to its industry outreach efforts. We will review this information when it is available.

Recommendation: The Administrator of the General Services Administration should, for future outreach efforts, document and assess lessors' feedback about the leasing process. (Recommendation 2)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: GSA agreed with this recommendation. In its 180-day letter to the congressional clients dated March 25, 2020, GSA stated that it would document and assess the feedback received from lessors during its outreach efforts. We will review this information when it is available.

Recommendation: The Administrator of the General Services Administration should evaluate whether the simplified lease model is achieving its intended results. (Recommendation 3)

Agency: General Services Administration: Office of the Administrator
Status: Open

Comments: GSA agreed with this recommendation. In its 180-day letter to the congressional clients dated March 25, 2020, GSA stated that it would evaluate its simplified lease model and provide documentation of the evaluation's methodology, findings, and recommendations. We will review information related to this evaluation when it is available.

Recommendation: The Director of BLM should develop a plan to conduct all required facility security assessments agency-wide, taking into consideration the agency's organizational structure, available resources, and training needs. (Recommendation 1)

Agency: Department of the Interior: Bureau of Land Management
Status: Open

Comments: BLM agreed with our recommendation and stated it intends to revise its policy and develop a plan to complete required facility security assessments. As of November 2019, BLM had not yet completed its plan.

Recommendation: The Director of the Park Service should develop a plan to conduct all required facility security assessments agency-wide, taking into consideration the agency's organizational structure, available resources, and training needs. (Recommendation 3)

Agency: Department of the Interior: National Park Service
Status: Open

Comments: Park Service agreed with our recommendation and cited its efforts to develop a plan that includes training and tools so that park unit staff can conduct the required assessments. As of November 2019, Park Service had not yet completed its plan.

Recommendation: The Director of the Park Service should update the agency's facility security assessment methodology to comply with requirements in the ISC Standard, including a step to consider the consequence of each undesirable event. (Recommendation 4)

Agency: Department of the Interior: National Park Service
Status: Open

Comments: Park Service agreed with our recommendation to update its facility security assessment methodology to comply with requirements in the ISC Standard. As of November 2019, Park Service had not yet updated its methodology.

Recommendation: The Director of BLM should develop a facility security assessment methodology that complies with requirements in the ISC Standard to assess all undesirable events and consider all three factors of risk for each undesirable event. (Recommendation 5)

Agency: Department of the Interior: Bureau of Land Management
Status: Open

Comments: BLM agreed with our recommendation and said it would revise its policy and develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, BLM had not yet developed its methodology.

Recommendation: The Director of FWS should develop a facility security assessment methodology that complies with requirements in the ISC Standard to assess all undesirable events and consider all three factors of risk for each undesirable event. (Recommendation 6)

Agency: Department of the Interior: United States Fish and Wildlife Service
Status: Open

Comments: FWS agreed with our recommendation and cited its efforts to develop a facility security assessment methodology that complies with requirements in the ISC Standard. As of November 2019, FWS had not yet developed its methodology.

Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.

Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.

Recommendation: The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it was in the process of working with the lnteragency Security Committee (ISC) to update its vulnerability assessment program, with a target completion date of January 2019. Despite multiple attempts, as of June 2020, VA has not provided any information on its progress in updating its program.

Recommendation: The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it had identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities and that it was reviewing an ISC-certified risk assessment tool for possible implementation consideration. Despite multiple attempts, as of June 2020, VA had not provided an update on its efforts to implement this recommendation.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.

Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

Agency: National Gallery of Art
Status: Open

Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation

Recommendation: To enhance its ability to fulfill its role as the facilitator of cross-sector collaboration and best-practices sharing, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection, Office of Infrastructure Protection, to explore with key critical infrastructure partners, whether and what opportunities exist to harmonize federally-administered screening and credentialing access control efforts across critical infrastructure sectors.

Agency: Department of Homeland Security
Status: Open

Comments: As of 2/12/2020, awaiting additional evidence/clarification from DHS.

Recommendation: To better ensure that CBP's Office of Field Operations' (OFO) staffing processes are transparent and to help ensure CBP can demonstrate that these resource decisions have effectively addressed CBP's mission needs, the Commissioner of CBP should document the methodology and process OFO uses to allocate staff to land ports of entry on the southwest border, including the rationales and factors considered in making these decisions.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: In May 2017, CBP's Office of Field Operations began working with a contractor to develop a comprehensive CBP position allocation methodology and tool. According to CBP officials, the purpose of this tool was to ensure a data driven, transparent process for allocating CBP resources--including staff--to land ports of entry on the southwest border. CBP officials stated that the contractor completed the tool in January 2018, CBP tested the tool in fiscal year 2018, and CBP planned to implement the tool in fiscal year 2019. However, CBP officials told us in September 2020 that a subsequent reorganization of the Office of Field Operations rendered the tool unusable without further modification. As a result, they used a manual method to allocate staff in fiscal year 2020 and plan to do the same in fiscal year 2021. As of September 2020, CBP officials planned to document the methodology and process they are now using to allocate staff to land ports of entry, including rationales and factors considered, by November 2020. This recommendation remains open.

Recommendation: The Commissioner of the IRS should direct the appropriate IRS officials to revise the post orders for the service center campuses (SCC) and lockbox bank security guards to include specific procedures for timely reporting exterior lighting outages to SCC or lockbox bank facilities management. These procedures should specify (1) whom to contact to report lighting outages and (2) how to document and track lighting outages until resolved.

Agency: Department of the Treasury: Internal Revenue Service
Status: Open

Comments: IRS's actions to address this recommendation are ongoing. IRS officials stated that during fiscal year 2020, Facilities Management and Security Services (FMSS) will update the Internal Revenue Manual to reflect the necessary guidance for service center guards and FMSS physical security specialists to know (1) whom the guards are to contact to report lighting outages and (2) how lighting outages are to be documented and tracked until resolved.