Ever since the 1995 terrorist bombing of the federal building in Oklahoma City, all agencies have been required to meet facility vulnerability standards based on risk assessments of such threats as shootings, arson, vandalism and explosions.
But four agencies have fallen behind on keeping their countermeasures fully aligned with the risk assessments and standards set by the Homeland Security Department-chaired Interagency Security Committee, according to the unclassified version of a Government Accountability Office report released last week. Such countermeasures include fences and closed-circuit televisions.
Customs and Border Protection, the Federal Aviation Administration, the Agricultural Research Service and the Forest Service were singled out in GAO’s sampling of security at the government’s 113,000 civilian buildings from June 2016 to August 2017.
“Several incidents—such as armed citizens taking over a federal wildlife refuge in Oregon for about 40 days in 2016; the active shooter incident at the Washington Navy Yard in Washington, D.C., in 2013 that resulted in several deaths; and the fatal shooting at the Anderson Federal Building in Long Beach, California, in 2012—demonstrate that government facilities and their employees continue to be targets of potential harm,” GAO wrote to Rep. Trey Gowdy, R-S.C., chairman of the House Oversight and Government Reform Committee.
At least 30 federal agencies are responsible for protecting about 45 percent of civilian federal facilities and their occupants from potential threats, the report noted.
Under the standards of the interagency committee, agencies are required to prepare for each facility a plan for countermeasures—updated every three years—using an analysis of foreseeable “undesirable events” based on the key factors of threats, vulnerabilities and consequences.
“All four agencies used methodologies that included some [Interagency Security Committee] requirements when conducting assessments,” auditors found. They “improved their methodologies to better align with the ISC Standard, but the agencies had not yet incorporated the methodologies into their policies and procedures. Without updated policies and procedures requiring a methodology that adheres to the ISC Standard,… agencies may not collect the information needed to assess risk and determine priorities for improved security,” the report said.
The lapses varied by agency. For example, Customs and Border Protection and the FAA assessed vulnerabilities but not threats and consequences, while the Agricultural Research Service and the Forest Service assessed threats, vulnerabilities and consequences, but did not use these factors to measure risk, GAO said. In addition, the agencies considered many, but not all, of the 33 listed undesirable events related to physical security as possible risks to their facilities.
The omissions often occurred “because of competing priorities and resource constraints,” the audit said, noting that some lacked a timeline with milestones and a place to centralize data. “We also found that agencies reported facing challenges in monitoring their physical security programs because their policies did not specify data collection or monitoring requirements, as required by Standards for Internal Control.”
As remedies, GAO recommended some general and some agency-specific steps. For example, the CBP and FAA should update policies to require the use of methodologies fully aligned with the ISC Standard, it said, while CBP should revise its plan to eliminate the assessments backlog. “All four agencies,” it continued, should “improve monitoring of their physical security programs.”
All four agencies agreed.