Recommendation: The TSA Administrator should update the BASE cybersecurity template to ensure it reflects cybersecurity key practices, including the Detect and Recover functions outlined in the NIST Cybersecurity Framework. (Recommendation 2)

Agency: Department of Homeland Security: Transportation Security Administration
Status: Open

Comments: TSA concurred with this recommendation and said it would take steps to implement it by updating the BASE Cybersecurity Security Action Item section to ensure it reflects the NIST Cybersecurity Framework Detect and Recover functions. When we confirm what actions TSA has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Intelligence requires that DOD components (including the military departments and the Defense Logistics Agency) monitor the use of PACS at their installations. (Recommendation 1)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Army should ensure that the Office of Provost Marshal General monitors the use of PACS at Army installations. (Recommendation 2)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Navy should ensure that the Commander, Navy Installations Command, monitors the use of PACS at Navy installations. (Recommendation 3)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Navy, in coordination with the Commandant of the Marine Corps, should ensure that the Commander, Marine Corps Installations Command, monitors the use of PACS at Marine Corps installations. (Recommendation 4)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should ensure that the Under Secretary of Defense for Personnel and Readiness develops appropriate performance measures and associated goals for the timely resolution of the Defense Biometric Identification System technical issues to facilitate improved PACS performance. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Director of OMB should determine a government-wide baseline level of progress in meeting physical access control system requirements, including implementation of GSA-approved systems, and should monitor progress in meeting these requirements. (Recommendation 1)

Agency: Executive Office of the President: Office of Management and Budget
Status: Open

Comments: In August 2019, GAO contacted OMB to determine if any progress has been made implementing this recommendation. GAO is awaiting OMB's response.

Recommendation: The Secretary of Homeland Security should direct the ISC, in collaboration with member agencies, to assess the extent of, and develop strategies to address, government-wide challenges to implementing physical access control systems. (Recommendation 2)

Agency: Department of Homeland Security
Status: Open

Comments: In August 2019, GAO learned that DHS has recently completed the "Physical Access Control System (PACS) Modernization Working Group Charter." This charter was created under the direction of the Co-Chairs of the Federal Chief Information Security Officer Council, Identity, Credentialing and Access Management Subcommittee, and the Program Director of the DHS Interagency Security Committee. The purpose of the PACS Modernization Working Group is to facilitate the implementation and use of the technology and processes related to modernizing electronic-PACS within the federal government, thereby increasing security, coordination, and compliance with national-level policies and standards. GAO is following up with DHS to obtain additional information about this effort and to determine whether it addresses this recommendation.

Recommendation: The Secretary of Agriculture should amend its analysis of selected data centers to address key elements of a cost-benefit and cost-effectiveness analysis as defined by OMB Circular A-94 and relevant agency guidance. (Recommendation 1)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on the assessment of each facility's protective measures, as outlined by the Interagency Security Committee guidance. (Recommendation 2)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on an analysis of the information security controls for each data center, in order to evaluate the data center's information security capabilities. (Recommendation 3)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: When amending its analysis of the selected data centers, the Secretary of Agriculture should report on each data center's demonstrated history of restoring continuity of operation functions in the event of a service disruption. (Recommendation 4)

Agency: Department of Agriculture
Status: Open

Comments: In March 2020, the Department of Agriculture asserted that it has implemented the recommendation but has not provided sufficient evidence to support its assertion.

Recommendation: The Secretary of the Army should direct the Army's Provost Marshal General to take actions to help ensure that physical security inspections at locations with Arms, Ammunition, and Explosives (AA&E) are conducted on time, as required by Army guidance. (Recommendation 1)

Agency: Department of Defense: Department of the Army
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Navy should direct the Chief of Naval Operations' Supply, Ordnance, and Logistics Operations Division to take actions to help ensure that physical security inspections at locations with AA&E are conducted on time, as required by Navy guidance. (Recommendation 2)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Navy should direct the Marine Corps Deputy Commandant for Plans, Policies, and Operations to take actions to help ensure that physical security inspections at locations with AA&E are conducted on time, as required by Marine Corps guidance. (Recommendation 3)

Agency: Department of Defense: Department of the Navy
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of the Air Force should direct the Air Force's Office of the Deputy Chief of Staff for Logistics, Engineering and Force Protection, Directorate of Security Forces, to take actions to help ensure that inspectors at locations with AA&E are consistently documenting in inspection reports that all minimum requirements for physical security were checked. (Recommendation 4)

Agency: Department of Defense: Department of the Air Force
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of Defense should direct the Under Secretary of Defense for Intelligence to revise DOD guidance to require that the military services establish a process to consistently document the resolution of all identified physical security deficiencies. (Recommendation 5)

Agency: Department of Defense
Status: Open

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: The Secretary of VA should, in collaboration with ISC, review and revise VA's risk management policies for VHA facilities to ensure VA incorporates ISC standards, as appropriate. (Recommendation 1)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it was in the process of working with the lnteragency Security Committee (ISC) to update its vulnerability assessment program, with a target completion date of January 2019. Despite multiple attempts, as of June 2020, VA has not provided any information on its progress in updating its program.

Recommendation: The Secretary of VA should develop an oversight strategy that allows VA to assess the effectiveness of risk management programs at VHA facilities system-wide. (Recommendation 2)

Agency: Department of Veterans Affairs
Status: Open

Comments: Shortly after the issuance of the report, VA notified GAO that it had identified OS&LE as the internal entity responsible for conducting a complete review of VA's current risk management policies and processes for VA facilities and that it was reviewing an ISC-certified risk assessment tool for possible implementation consideration. Despite multiple attempts, as of June 2020, VA had not provided an update on its efforts to implement this recommendation.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.

Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open

Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.

Agency: Department of Transportation
Status: Open

Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.

Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.

Agency: Department of Agriculture
Status: Open

Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.

Recommendation: The Director of the National Gallery of Art should direct the Office of Protection Services to ensure that program goals and performance measures linked to those goals are included as part of the master security plan and develop a timeline for completion of this plan.

Agency: National Gallery of Art
Status: Open

Comments: The National Gallery concurred with this recommendation and said it would take steps to implement it. In February 2019, the National Gallery approved the Office of Protection Services' 5-year strategic plan, which included goals for security. However, as of June 2020, work to establish performance measures was not yet complete. We will continue to monitor the National Gallery's progress in implementing this recommendation

Recommendation: The Secretary of Energy, working with the Administrator of the National Nuclear Security Administration, should include more complete information on the assessments--that is, security plans, vulnerability assessments, independent assessments, and other assessments--used in the annual reports to support the agencies' assessments that DOE and NNSA sites are secure.

Agency: Department of Energy
Status: Open

Comments: We reported in May 2019 that DOE and NNSA continued to make progress in responding to this recommendation. The draft 2018 annual report contained, as recommended, more complete and uniform information on assessments, though in some cases different terminology was used by programs and sites. As of June 2020, we have requested final 2018, 2019, and 2020 annual reports from NNSA to ensure progress has continued. Once we have received and reviewed the reports, we will update the status of this recommendation.

Recommendation: Additionally, the Secretary of Energy should develop a plan for addressing the physical security infrastructure needs at DOE sites. Similar to a report under development by NNSA, this plan could identify cost and time frames and enable DOE and the Congress to prioritize these projects.

Agency: Department of Energy
Status: Open

Comments: As of June 2020, DOE has not implemented this recommendation. While DOE program offices (Environmental Management, Science, and Nuclear Energy) are individually considering long-term needs, the program offices are not required by Congress to submit the kind of physical security plan that Congress requires of NNSA. In the absence of Congressional direction, we believe it is unlikely that DOE will fully implement this recommendation.

Recommendation: Additionally, the Secretary of Energy should, in future annual security certification reports, inform Congress of the reasons for the delayed implementation of the June 2011 DOE material control and accountability order at some sites, as well as the steps DOE and its sites are taking to implement it. DOE should also provide Congress with information on any vulnerabilities or deficiencies in the security at sites that may potentially exist while the sites complete implementation of the order as well as information on any concomitant adjustment to their security posture that is required.

Agency: Department of Energy
Status: Open

Comments: As of June 2020, we are continuing to monitor actions related to this recommendation. DOE has acknowledged in a classified memorandum the security risks associated with the slow pace of the material control and accountability order. DOE has also developed a plan to implement measures to address these risks in a phased approach with final implementation sometime in the 2020s. Some of the early phases will be complete between 2019 and 2022, but others will extend beyond 2022. As such, it will be important for DOE to continue to report to Congress on residual risk until planned actions are fully completed and their implementation has been verified by the relevant DOE program offices and DOE's Office of Enterprise Assessments. We will update the status of this recommendation once we have we have received and reviewed DOE's classified 2018-2020 annual reports to ensure this action is taken.

Recommendation: To strengthen compliance with the Leahy laws and implementation of State's human rights vetting process and to help ensure that U.S. funded assistance is not provided to Egyptian security forces that have committed gross violations of human rights, as State works to implement a revised version of the International Vetting and Security Tracking system (INVEST) system that is expected to help facilitate equipment vetting, the Secretary of State should develop time frames for establishing corresponding policies and procedures to implement a vetting process to help enable the U.S. government to provide a more reasonable level of assurance that equipment is not transferred to foreign security forces, including those in Egypt, when there is credible information that a unit has committed a gross violation of human rights.

Agency: Department of State
Status: Open
Priority recommendation

Comments: State agreed with this recommendation. State acknowledged challenges identifying recipients of equipment across the range of assistance activities, but noted that it would continue to update its systems and procedures to facilitate human rights vetting for recipients of equipment. In April 2017, State reported that it had provided finalized guidance on vetting Egyptian recipients of Foreign Military Financing-funded equipment to Embassy Cairo and that these procedures had been incorporated into a revised version of Embassy Cairo's guide for conducting human rights vetting. At the time, State noted that Embassy Cairo had begun to implement these procedures. However, State subsequently reported that implementation of these procedures lapsed in 2018 due to staff turnover at Embassy Cairo. As of January 2020, State said that it intends to have new standard operating procedures in place for equipment vetting in Egypt later in 2020. In addition, State has not adopted procedures, similar to those in development for Egypt, to be used more broadly in other countries that also receive equipment through the Foreign Military Financing account or through other U.S. assistance programs. As of June 2017, State had added new features to INVEST, its human rights vetting system, to help facilitate vetting of equipment recipients, and published new vetting guidance requiring screening of equipment transfers. However, State has not established global requirements for posts to use the new equipment vetting system features to screen equipment transfers. As of February 2020, State reported that it had developed draft standard operating procedures for conducting equipment vetting globally; however, these procedures are being reviewed internally within the Department and are expected to be finalized later in 2020. We will continue to monitor agency efforts to implement this recommendation.