Federal facilities lacking risk assessments, says report

Monday, July 30, 2012

WASHINGTON—The Department of Homeland Security's internal police and security agency is not conducting appropriate risk assessments on thousands of federal buildings nationwide, according to recent testimony from Capitol Hill.

The Federal Protective Service, which provides security for more than 9,000 federal facilities managed by the General Services Administration, has struggled to complete facility security assessments (FSAs) consistent with the National Infrastructure Protection Plan's risk management framework, and to manage its approximately 12,500 security guards, Mark Goldstein, the Government Accountability Office's director of physical infrastructure issues, told the House Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies last week.

The challenges stem from its Risk Assessment and Management Program (RAMP), which FPS spent $35 million and almost four years developing to manage its facility security assessments and contract guards. The tool, however, ultimately was scrapped because of system problems.

The FPS is using an interim risk assessment tool known as the Modified Infrastructure Survey Tool (MIST) to complete FSAs. However, the GAO identified a serious limitation with MIST—it does not estimate the consequences of an undesirable event occurring at a facility, an essential consideration for any comprehensive risk assessment. In addition, MIST is not designed to compare risk across facilities, preventing the agency from developing a comprehensive strategy to manage risk.

FPS claims it is still able to keep facilities safe without RAMP and with the limitations of MIST by having its inspectors "monitor the security posture of federal facilities by responding to incidents, testing countermeasures and conducting guard post inspections," according to the GAO. However, several FPS inspectors who spoke with the GAO said they received minimal training on how to collect the information and worried that the facility information collected would be outdated by the time it was used to complete a full FSA, the GAO reported.

As a result of FPS's failure to successfully complete risk assessments, several agencies have spent funds to conduct their own assessments. The GAO found that the Internal Revenue Service, the Federal Emergency Management Agency, the Environmental Protection Agency and the U.S. Army Corps of Engineers all conduct their own risk assessments.

To manage its 12,500 contract guards in the absence of RAMP, the FPS is verifying guard certification and training information by conducting monthly audits of guard information maintained by guard contractors, according to the GAO's preliminary findings.

The GAO will release a final report next month, including recommendations on steps FPS should take to improve its ability to manage its FSAs and guard contracts.