Issue Briefs

Some Building Protections Found Lacking

Following is the summary of a recent GAO report examining risk assessment applied in federal buildings.

Three of the nine selected agencies’ risk assessment methodologies that GAO reviewed—the Department of Energy (DOE), the Department of Justice (DOJ), and the Department of State (State)—fully align with the Interagency Security Committee’s (ISC) risk assessment standards, but six do not—the Department of the Interior (DOI), the Department of Veterans Affairs (VA), the Federal Protective Service (FPS), the Federal Emergency Management Agency (FEMA), the Nuclear Regulatory Commission (NRC), and the Office of Personnel Management (OPM). As a result, these six agencies may not have a complete understanding of the risks facing approximately 52,000 federal facilities and may be less able to allocate security resources cost-effectively at the individual facility level or across the agencies’ facility portfolios. ISC’s The Risk Management Process for Federal Facilities ( RMP ) standard requires that agencies’ facility risk assessment methodologies must (1) consider all of the undesirable events identified in the RMP as possible risks to federal facilities, and (2) assess the threat, consequences, and vulnerability to specific undesirable events. Six of the nine agencies’ methodologies GAO reviewed do not align with ISC’s standards because the methodologies do not (1) consider all of the undesirable events in the RMP or (2) assess threat, consequences, or vulnerability to specific undesirable events. For example, five agencies (DOI, VA, FEMA, FPS, and NRC), do not assess the threat, consequences, or vulnerability to specific undesirable events, as ISC requires. The reasons why varied; for example, VA said that its methodology was in place before ISC issued its standards. Officials from that agency told us they were working to update their methodology.

ISC has issued a series of physical security standards and guidance to assist member agencies with developing their risk assessment methodologies, but does not know the extent to which its 53 member agencies comply with its standards, including its risk assessment standards, because it does not monitor agencies’ compliance. ISC does not monitor compliance or have an approach to do so that incorporates outreach to agencies regarding their compliance status. Officials stated that they would like to monitor agencies’ compliance, but limited resources and other priorities, such as developing standards and guidance, have prevented them from doing so. However, ISC has the authority to create a working group from its member agencies to help it perform its duties. In the absence of ISC’s monitoring, agencies’ risk assessment methodologies may not align with ISC’s standards. In addition, although ISC issued risk assessment guidance in August 2013, this guidance is limited. For example, the guidance does not describe how to incorporate threat, consequence, or vulnerability assessments of specific undesirable events into a risk assessment methodology. Not having appropriate guidance is inconsistent with federal internal-control standards designed to promote effectiveness and efficiency.

The 2012 shooting at the Anderson Federal Building in Long Beach, California, demonstrates that federal facilities and their employees as well as the public who visit federal buildings continue to be the targets of violence. The Federal Protective Service and about 30 other federal agencies are responsible for protecting civilian federal facilities and their occupants from potential threats, in part, by assessing risks to their facilities. ISC—an interagency organization led by the Department of Homeland Security— issues standards for facility protection.

GAO was asked to examine how federal agencies assess risk to their facilities. This report assesses (1) the extent to which selected ISC member agencies’ facility risk assessment methodologies align with ISC’s risk assessment standards, and (2) how ISC assists member agencies in developing risk assessment methodologies and monitors compliance with these standards. GAO selected 9 of 53 ISC member agencies based on their missions and number of facilities. GAO compared each selected agency’s risk assessment methodology to ISC’s risk assessment standards. ISC is required to enhance security in and protection of federal facilities government-wide; recommendations GAO makes are to ISC and not its member agencies.

What GAO Recommends

GAO recommends that ISC take action to assess member agencies’ compliance and provide additional risk- assessment methodology guidance. DHS concurred with GAO’s recommendations.