Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Commissioner of U.S. Customs and Border Protection, with regard to the updated Security Policy and Procedures Handbook, should include data collection and analysis requirements for monitoring the performance of CBP's physical security program.
Agency: Department of Homeland Security: United States Customs and Border Protection
Status: Open
Comments: The U.S. Customs and Border Protection issued an updated Physical Security Policy and Procedures Handbook in January 2020, which includes a series of internal controls and physical security performance measures. We have reviewed the handbook and requested additional information from CBP to determine whether it meets ISC's Risk Management Process for Federal Facilities.
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to develop a plan that provides sufficient details on the activities needed and time frames within the date when FAA will implement an improved methodology.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration (FAA) has developed, initially tested, and deployed a risk assessment methodology that aligns with the Interagency Security Committee Risk Management Process for Federal Facilities. In August and September of 2019, FAA trained some staff on the new methodology, which is being integrated into the facility security reporting system. After resolving any software compatibility issues, completing all necessary testing and training, and issuing the associated security policy, FAA expects to fully implement the methodology by December 31, 2020.
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to require the use of a methodology that fully aligns with the ISC's Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration (FAA) drafted an updated facility security policy and distributed it for comment in October 2019. It received over 300 comments that are currently being addressed. Once completed, the policy is to incorporate a methodology that fully aligns with the Interagency Security Committee Risk Management Process for Federal Facilities for assessing all undesirable events, considering all three factors of risk, and documenting all deviations from the standard countermeasures. FAA plans to publish the new policy to coincide with the implementation of its risk-assessment methodology by December 31, 2020.
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Transportation should direct the FAA Administrator to update FAA's policy to include ongoing monitoring of physical security information.
Agency: Department of Transportation
Status: Open
Comments: The Federal Aviation Administration's (FAA) update of its facility security policy and its associated databases should help to improve the monitoring and use of physical security information to better assist with risk assessment decision-making. In February 2020, FAA officials said that its facility security reporting system is to be improved with new metrics and executive level reporting. Such improvements are to result in increased program oversight, risk awareness, and mitigation planning. These improvements are to be completed by December 31, 2020 to coincide with full implementation of the components of the risk management framework, such as the risk assessment methodology, personnel training, and policy publication.
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should include data collection and analysis requirements for monitoring the performance of agencies' physical security programs, in the department's revised physical-security manual.
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture is drafting a revised physical-security regulation and manual that is to align with risk management processes, including a tracking and monitoring component. It expects to implement a revised process by the end of 2020.
Recommendation: To improve agencies' physical security programs' alignment with the ISC Risk Management Process for Federal Facilities and Standards for Internal Control in the Federal Government for information and monitoring, the Secretary of Agriculture should direct the Administrator of the Agricultural Research Service and the Chief of the Forest Service to implement and monitor a long-term assessment schedule with key milestones to ensure that higher-level facilities are reassessed at least once every 3 years.
Agency: Department of Agriculture
Status: Open
Comments: The U.S. Department of Agriculture (USDA) recognizes the need to develop and implement a database to track and monitor physical security assessment schedules across all of its components. As a result, USDA plans to request funding in the President's Budget for fiscal year 2021 to design and build such a database. If sufficient funding is secured and development efforts go as planned, the agency anticipates having the database operational by the end of 2021.
