In a review of four agencies, GAO found that none fully used the Security Committee’s Risk Management Process for Federal Facilities standard for assessing and monitoring threats to their facilities, although all four were in partial compliance.
The standard requires agencies to consider a range of potential undesirable events, such as arson and vandalism, and to assess the threats, vulnerabilities and consequences for each. For example, of the agencies reviewed, the FAA and CBP assessed vulnerabilities but not threats and consequences, while the Agricultural Research Service and Forest Service assessed threats, vulnerabilities and consequences but did not use those factors to measure risk. Further, all four considered many of the specified undesirable events related to physical security as possible risks to their facilities, but none considered all of them.
“All four agencies reported facing management challenges in conducting physical security assessments or monitoring assessment results,” said GAO, citing issues such as backlogs, outdated policy manuals and a lack of means to monitor completion of future assessments. ARS and the Forest Service do not collect and analyze security-related data, such as countermeasures implementation, while FAA does not routinely monitor the performance of its physical security program, it said.
“Without improved monitoring, agencies are not well equipped to prioritize their highest security needs, may leave facilities’ vulnerabilities unaddressed, and may not take corrective actions to meet physical security program objectives,” the report said, adding that “protecting federal employees and facilities from security threats is of critical importance.”