[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]
SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN
IMPROVING OVERSIGHT AND ASSESSING RISK
=======================================================================
HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY,
INFRASTRUCTURE PROTECTION,
AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TWELFTH CONGRESS
SECOND SESSION
__________
JULY 24, 2012
__________
Serial No. 112-108
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
_____
U.S. GOVERNMENT PRINTING OFFICE
80-850 PDF WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC
area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop SSOP, Washington, DC
20402-0001
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Daniel E. Lungren, California Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Michael T. McCaul, Texas Henry Cuellar, Texas
Gus M. Bilirakis, Florida Yvette D. Clarke, New York
Paul C. Broun, Georgia Laura Richardson, California
Candice S. Miller, Michigan Danny K. Davis, Illinois
Tim Walberg, Michigan Brian Higgins, New York
Chip Cravaack, Minnesota Cedric L. Richmond, Louisiana
Joe Walsh, Illinois Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Ben Quayle, Arizona Kathleen C. Hochul, New York
Scott Rigell, Virginia Janice Hahn, California
Billy Long, Missouri Ron Barber, Arizona
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair Laura Richardson, California
Patrick Meehan, Pennsylvania Cedric L. Richmond, Louisiana
Billy Long, Missouri William R. Keating, Massachusetts
Tom Marino, Pennsylvania Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
Coley C. O'Brien, Staff Director
Zachary D. Harris, Subcommittee Clerk
Chris Schepis, Minority Senior Professional Staff Member
C O N T E N T S
----------
Page
Statements
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Yvette D. Clarke, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 4
Prepared Statement............................................. 5
Witnesses
General L. Eric Patterson, Director, Federal Protective Service,
Department of Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
Mr. Mark L. Goldstein, Director, Physical Infrastructure Issues,
Government Accountability Office:
Oral Statement................................................. 11
Prepared Statement............................................. 12
Dr. James P. Peerenboom, Director, Infrastructure Assurance
Center, Associate Director, Decision and Information Sciences
Division, Argonne National Laboratory:
Oral Statement................................................. 18
Prepared Statement............................................. 19
Appendix
Questions From Chairman Daniel E. Lungren for L. Eric Patterson.. 33
Questions From Ranking Member Yvette D. Clarke for L. Eric
Patterson...................................................... 33
Questions From Ranking Member Yvette D. Clarke for Mark L.
Goldstein...................................................... 34
Questions From Ranking Member Yvette D. Clarke for James P.
Peerenboom..................................................... 35
SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN
IMPROVING OVERSIGHT AND ASSESSING RISK
----------
Tuesday, July 24, 2012
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to call, at 10:09 a.m., in
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren
[Chairman of the subcommittee] presiding.
Present: Representatives Lungren, Walberg, Clarke,
Richmond, and Keating.
Mr. Lungren. The Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order. The subcommittee is
meeting today to examine the Federal Protective Service and the
possible need for reform.
Ms. Clarke will be here shortly, and so I am just going to
give my opening statement and when she arrives she will be able
to give her opening statement.
Thank you very much for being here, all three of our
witnesses. This is an important hearing.
The Federal Protective Service is a vital part of the
Department of Homeland Security. It is the largest operational
component within the National Protection and Programs
Directorate.
The FPS mission is to protect over 9,000 Government
buildings and their 1.4 million occupants, which are essential
to the day-to-day operations of the Federal Government. Recent
incidents at Federal facilities such as the failed improvised
explosive device, as well as the bombing of Oklahoma City's
Murrah Federal Building in 1995, remind us the Federal
facilities remain attractive terrorist targets.
This subcommittee has conducted rigorous oversight over the
Federal Protective Service this Congress. Last July we held a
hearing which identified some of the perennial problems
plaguing the FPS.
In that hearing we discussed failures of contract guard
oversight and their training program, including the egregious
mishandling of an IED in Detroit. We also discussed the failed
development of FPS's risk management program, known as RAMP,
which cost the Federal Government $35 million over 4 years. I
am hopeful and cautiously optimistic that these problems
represent the low-water mark for FPS.
Since 2008 GAO has made 32 recommendations to improve FPS
security vulnerabilities and other operational problems, five
of which have been implemented and 20 which are in the process
of implementation.
From the outset I do want to commend Director Patterson for
his leadership. I believe the recent successes in implementing
GAO recommendations are in part the result of improved dialogue
and outreach with the private sector as well as the efforts of
FPS's own workforce.
I think this dialogue is extremely important as FPS works
to address the remaining GAO recommendations, especially in its
two core areas of responsibility: First, its ability to conduct
risk assessments of Federal buildings; and second, to provide
necessary oversight and training for its contract guard force.
Regarding the first responsibility, FPS began operational
testing this last spring for a new risk assessment tool, known
as the modified infrastructure survey tool, or MIST, which was
developed in partnership with the Argonne National Laboratory.
MIST is intended to be an interim tool that FPS inspectors use
to conduct vulnerability assessments in the aftermath of the
RAMP failure.
I understand, am informed that there is a disagreement
between FPS and GAO with regard to the limitations and benefits
of MIST and I look forward to hearing from our witnesses
regarding these differences. I am aware of some of the
limitations identified by GAO that MIST does not account for
consequence information and therefore does not provide FPS the
comprehensive ability to manage risk. I also understand GAO has
concerns that MIST is neither compliant with the National
infrastructure protection plan framework nor compliant with
standards developed by the Interagency Security Committee.
I think these are very legitimate questions raised by GAO
and important standards FPS should meet when it develops a
longer-term solution. Nonetheless, I do consider MIST
development a step in the right direction for an agency that
has taken a series of steps in the wrong direction over the
last decade.
FPS has always stated that MIST is intended to serve as an
interim tool until a longer-term solution is developed.
However, FPS has never stated what the longer-term solution
will be. So I look forward to hearing from Director Patterson
on his vision for MIST's future as a risk management tool.
I also look forward to learning about what FPS is doing to
address GAO's findings about unnecessary duplication of risk
assessments by several FPS customers who in some instances have
expressed dissatisfaction with FPS's assessments--for instance,
the IRS, FEMA, and EPA.
Providing oversight and training of the contract guard
program is also a critical responsibility of FPS. At last
summer's hearing Director Patterson stated that he was looking
at different ways that FPS may be able to improve delivery of
X-ray and magnetometer training.
I look forward to hearing more about how these ideas have
developed since last year. I also understand there has been
outreach to the private sector regarding better training
options and I commend you for those efforts.
Finally, FPS has undergone significant transition since
joining the Department of Homeland Security. After initially
being placed under ICE, after the creation of DHS, FPS moved to
NPPD in 2010, and last summer NPPD notified the committee that
it was once again considering reorganizing the directorate. Is
reorganization being contemplated, and if so, how will this
impact FPS?
I want to thank all of our witnesses for being here this
morning, and I look forward to your testimony on the progress
made by the FPS in securing our Nation's Federal facilities.
[The statement of Chairman Lungren follows:]
Statement of Chairman Daniel E. Lungren
July 24, 2012
The Federal Protective Service (FPS) is a vital part of the
Department of Homeland Security and is the largest operational
component within the National Protection and Programs Directorate
(NPPD). Its mission to protect some 9,000 Government buildings and its
1.4 million occupants is essential for the Federal Government to
continue day-to-day operations. Recent incidents at Federal facilities
such as the failed IED attempt in Detroit, and the bombing of Oklahoma
City's Murrah Federal Building in 1995, remind us that Federal
facilities remain significant symbolic targets for terrorists.
This subcommittee has conducted rigorous oversight over the Federal
Protective Service this Congress. Last July we held a hearing which
identified some of the perennial problems plaguing the FPS. In that
hearing we discussed failures of contract guard oversight and training,
including the egregious mishandling of an attempted Improvised
Explosive Devise in Detroit, and the failed development of a risk
management program known as RAMP, which after 5 years of development,
cost the Federal Government somewhere between $35-57 million with
little to show for. I am hopeful that these incidents represent the
low-water mark for FPS, and I am cautiously optimistic about FPS's
future.
Last July the GAO had issued a total of 28 recommendations for FPS
to address, yet at the time none were implemented. Today, I am
encouraged to note that while GAO has recommended 32 recommendations,
to date, 5 have been implemented and 20 are in the process of
implementation. This represents significant progress.
From the outset, I want to commend Director Patterson for his
leadership and the agency's recent successes. These successes, I
believe are in part the result of improved dialogue and substantial
outreach with private-sector partners as well FPS's own workforce. I
think this dialogue is extremely important as FPS works to address
important recommendations made by the Government Accountability Office,
especially as it works to improve two of its core areas of
responsibility: (1) Its ability to conduct risk assessments of Federal
buildings; and (2) provide necessary oversight and training for its
Contract Guard Program.
Regarding this first responsibility, FPS began operational testing
this last spring for a new risk assessment tool, known as the Modified
Infrastructure Survey Tool or MIST, which was developed in partnership
with the Argonne National Laboratory. MIST is intended to be an interim
tool FPS inspectors use to conduct facility security assessments, in
the aftermath of RAMP's failure.
I understand there is some pretty substantial disagreement between
FPS and GAO with regard to the limitations and benefits of MIST and I
look forward to hearing from our witnesses regarding these differences.
I am aware of some of the limitations identified by GAO, such as that
MIST does not account for ``consequence'' information, and therefore
does not provide FPS the comprehensive ability to manage risk. I also
understand GAO has concerns that MIST is neither compliant with the
National Infrastructure Protection Plan framework nor compliant with
standards developed by the Interagency Security Committee. I think
these are very legitimate questions raised by GAO, and are important
standards FPS should meet when it develops a longer-term solution.
Nonetheless, I consider MIST's development a step in the right
direction for an agency that has taken a series of steps in the wrong
direction over the last decade. FPS has always stated that MIST is
intended to serve as an interim tool until a longer-term solution is
developed. However, FPS has never stated what the longer-term solution
will be. I look forward to hearing from Director Patterson on his
vision for MIST's future as a risk management tool. I also look forward
to learning about what FPS is doing to address GAO's finding about
unnecessary duplication of risk assessments by several FPS customers,
who in some instances, are dissatisfied by assessments provided by FPS.
Providing oversight and training of the contract guard program is
also a critical responsibility of FPS. At last summer's hearing
Director Patterson stated that he was looking at different ways FPS may
be able to improve delivery of X-ray and magnetometer training. I look
forward to hearing more about how these ideas have developed since last
year. I understand there has been significant outreach with the private
sector that may be able to better deliver training, and I commend you
for putting an emphasis on training in your tenure at FPS.
Finally, FPS has undergone significant transition since joining the
Department of Homeland Security. After initially being placed under ICE
after the creation of DHS, FPS moved to NPPD in 2010. Last summer, NPPD
notified the committee that it was once again considering reorganizing
the agency which FPS was assigned. However, since last summer, the
Department has been silent on its plans to reorganize NPPD, so I am
very much looking forward to hearing from Director Patterson on his
thoughts on reorganization, and if we can expect any more information
on this soon.
I want to thank all of our witnesses for being here this morning
and look forward to their testimony on progress made by the FPS
securing our Nation's Federal facilities. I now recognize the gentle
lady from New York, the Ranking Member of this subcommittee, Ms.
Clarke, for her opening statement.
Mr. Lungren. I now have the pleasure of recognizing the
gentle lady from New York, the Ranking Member of the
subcommittee, Ms. Clarke, for her opening statement.
Ms. Clarke. Thank you, Mr. Chairman, and thank you for
holding this hearing today. Today's hearing will allow the
subcommittee to hear from witnesses about the Federal
Protective Service's progress in improving its ability to
provide adequate protection to the Federal Government's more
than 9,000 facilities.
Given the numerous studies that FPS has undertaken by the
Government Accountability Office and the multiple hearings held
by this committee, the subcommittee is interested in learning
about the actions FPS has taken to upgrade its ability to
conduct facility security assessments, better manage its
contract guard staff, and to enhance funding for its
operations. We need a more clear explanation of the
implementation and utility of the modern infrastructure survey
tool, or MIST, and how it compares, hopefully surpasses, the
failed risk assessment and management program, or RAMP.
The subcommittee must be assured that after investing
approximately $35 million RAMP without yielding any
demonstrable outcomes FPS is indeed expending its resources
effectively and scaling up MIST. We need assurances that MIST
is working as an interim solution, and we need to know what
FPS's long-term strategy to replace RAMP. Also, as the
designated leader of the Federal Government facilities sector
FPS has an important role to play in assuring that the Federal
critical infrastructure both secure--that the--excuse me--the
Federal critical infrastructure is both secure and resilient in
the event of a catastrophic occurrence.
In August GAO will issue a report at Ranking Member
Thompson's request that evaluates the Department's activities
regarding the Government facilities sector with a particular
emphasis on FPS's role as the designated sector leader. I look
forward to the release of that report and hope that we are able
to revisit this subject at that time.
Finally, Mr. Chairman, I am concerned that FPS is forced to
bear the cost of developing and implementing a program capable
of completing security assessments of Federal buildings. It
seems to me that as the landlord for most Federal buildings,
the General Services Administration benefits from these
security assessments. I look forward to hearing from our
witnesses today about the role of GSA in sharing the cost of
the assessment program.
Having said that, thank you, Mr. Chairman, and I yield
back.
[The statement of Ranking Member Clarke follows:]
Statement of Ranking Member Yvette D. Clarke
July 26, 2012
Mr. Chairman, thank you for holding this hearing to discuss
developments in the Domestic Nuclear Detection Office Strategy, and the
Global Nuclear Detection Architecture.
It has been said before, the enormous devastation that would result
if terrorists use a nuclear weapon or nuclear materials successfully,
requires us to do all we can to prevent them from entering or moving
through the United States.
This subcommittee, in its oversight capacity, has held hearings
starting in 2005, and continuing through 2012, regarding the
development and implementation of the GNDA and in the decision-making
process that involves costly investments in it.
The overarching issues include the balance between investment in
near-term and long-term solutions for architecture gaps, the degree and
efficiency of Federal agency coordination, the mechanism for setting
agency investment priorities in the architecture, and the efforts DNDO
has undertaken to retain institutional knowledge regarding this
sustained effort.
In the policy and strategy documents of the GNDA, DNDO is
responsible for developing the global strategy for nuclear detection,
and each Federal agency that has a role in combating nuclear smuggling
is responsible for implementing its own programs. DNDO identified 73
Federal programs, which are primarily funded by DOD, DOE, and DRS that
engage in radiological and nuclear detection activities.
With the publication of an overall DNDO strategy document and the
release of the Global Nuclear Detection Architecture and implementation
plan, Congress will have a better idea of how to judge the DNDO's
policy, strategy operations, tactics, and implementation.
But we need to know more about their R&D activities, their resource
requests, and their asset allocations. And I know that I might sound
like a broken record before the day is through, but from the very start
of the ASP program which was officially cancelled just 10 days ago,
July 16, DNDO seemed to push for acquisition decisions well before the
technology had demonstrated that it could live up to its promise.
On July 14, 2006, Secretary of Homeland Security Michael Chertoff
and the then-Director of DNDO, Mr. Oxford, one of our witnesses today,
announced contract awards to three companies worth an estimated $1.2
billion to develop ASPs, including the Raytheon Company from
Massachusetts, the Thermo Electron Company from Santa Fe, New Mexico,
and Canberra Industries from Connecticut. Both Secretary Chertoff and
Oxford held a press conference to announce the billion-dollar contract
awards just a few months after highly critical reviews of the ASPs'
abilities by the GAO and the National Institute of Standards and
Technology (NIST).
I hope we don't see that kind of decision making again in DNDO.
Within DNDO, policy and strategy have historically not been
adequately translated into operations, tactics, and implementation.
Overlapping missions, especially in the field of nuclear detection,
worsen this.
Since 2009, DNDO has made important changes under Secretary
Napolitano, and made especially good progress in nuclear forensics. And
I hope that our Congressional oversight has had an effect, a positive
one, in bringing to light decisions that cost the taxpayers a lot of
money, with little to show.
In 2010, the Science and Technology (S&T) Directorate requested
$109.000 million for the Transformational Research and Development
Radiological and Nuclear Division. This research was to be transferred
from DNDO to the S&T Directorate,\1\ and the Democratic committee
Members supported the transition of radiological and nuclear research
away from DNDO into S&T. The committee, under then-Chairman Thompson,
worked to make this transition happen, and we believe that research and
development, and operations and procurement, are best left to separate
organizations in order to avoid the obvious conflict of interest.
---------------------------------------------------------------------------
\1\ DHS Fiscal Year 2011 Budget in Brief, ICE 10-2647.000474. p.
139.
---------------------------------------------------------------------------
What I hope we are going to hear today is how DNDO's mission can be
better-defined. Some claim there is still confusion as to whether it is
an end-to-end RDT&E and procurement entity for all things nuclear/
radiological, a development entity, or an operational entity, and
question whether there is an inherent conflict of interest when an
agency is both an R&D workshop and a procurement platform.
Let me finish with this thought, completely out of the policy
arena. On the ground, and every day, our nuclear deterrence effort
requires motivated and vigilant officers supplied with the best
equipment and intelligence we can give them. Customs and Border Patrol
officers working at our Nation's ports of entry have an extremely
complex and difficult job.
Thousands of decisions are made every day to clear a container or
personal vehicle for transit into the United States, require further
inspection, or even deny entry or interdict such a vehicle or person,
and that is the hard, cold, every-day reality of our mission to prevent
this kind of violent nuclear attack.
We must do our best.
I look forward to hearing from our witnesses today and with that,
Mr. Chairman, I yield back.
Mr. Lungren. I thank the gentlelady for her comments, and I
think the panel can tell that we are on the same page at
looking at what the progress has been since our last hearing.
General L. Eric Patterson was appointed director of the
Federal Protective Service, a subcomponent of the National
Protective--Protection and Programs Directorate, in September
2010. He previously served as the deputy director of the
Defense Counterintelligence HUMINT Center at the Defense
Intelligence Agency.
Prior to joining DIA Mr. Patterson served as a principal
with Booz Allen Hamilton where he supported two of the Defense
Technical Information Center analysis centers, one focused on
information assurance and the other on the survivability and
vulnerability of defense systems. He is a retired United States
Air Force brigadier general with 30 years of service.
Mr. Mark Goldstein is the director of physical
infrastructure issues at GAO. Mr. Goldstein is responsible for
the agency's work in Federal property and telecommunications. A
former award-winning journalist and author, his other public
service work has included roles as chief of staff to the D.C.
Financial Control Board and senior investigative staff to the
Senate Committee on Governmental Affairs.
Dr. James Peerenboom is the associate director of the
decision and information sciences division at the Argonne
National Laboratory, near Chicago, Illinois. In this role he is
responsible for leading multidisciplinary teams of scientists
and engineers in developing innovative solutions for
infrastructure assurance, systems analysis, decision and risk
analysis, and advanced modeling and simulation problems.
For the past 15 years he has focused on critical
infrastructure protection and resilience issues, providing
technical support to the Departments of Energy and Homeland
Security, the President's commission on critical infrastructure
protection, and White House Office of Science and Technology
Policy. He received his Ph.D in energy and environmental
systems from the Institute of Environmental Studies and an M.S.
and B.S. in nuclear engineering from the University of
Wisconsin at Madison.
Gentlemen, we ask you--well, we would first indicate that
your written testimony will be made a part of the record and
would ask that you summarize your testimony with any additions
as you wish in 5 minutes, and then we will have a round of
questioning.
So the Chairman would recognize Director Patterson to
begin.
STATEMENT OF L. ERIC PATTERSON, DIRECTOR, FEDERAL PROTECTIVE
SERVICE, DEPARTMENT OF HOMELAND SECURITY
General Patterson. Good morning. Thank you, Chairman
Lungren, Ranking Member Clarke.
My name is Eric Patterson and I am the director of the
Federal Protective Service within the Department of Homeland
Security's National Protection and Programs Directorate. I am
honored to appear before you today to discuss FPS's progress in
addressing some historically identified challenges.
FPS's mission is to protect more than 9,000 Federal
buildings throughout the United States and its territories and
the 1.4 million Federal employees and visitors who occupy and
conduct business in them every day. We execute this mission by
providing proactive law enforcement, investigations, protective
intelligence, incident response, security planning, and
stakeholder engagement.
Based upon my experience in the ever-changing threat
environment, my belief is that risk assessment is a continuous
process and not a static event. Our law enforcement and
physical security professionals continually provide access risk
and implement mitigation strategies through their daily
activities.
During fiscal year 2011 FPS investigated and mitigated more
than 1,300 threats and assaults directed towards Federal
facilities and their occupants, made close to 2,000 arrests,
responded to 53,000 incidents, and prevented the entry of
hundreds of thousands of prohibited items into Federal
facilities. FPS also conducted 1,800 Operation Shield
exercises, 150 Covert Test operations, over 80,000 post
inspections, and also validated the training of thousands of
protective security officers that we oversee.
Over the past year FPS developed an important partnership
with Argonne National Lab resulting in the completed
development and current deployment of a new facility security
assessment tool, called the modified infrastructure survey
tool, or MIST. MIST will enable comprehensive and consistent
FSAs that will allow Federal tenant agencies to make informed
security and risk management decisions. The MIST tool is a
welcome addition to FPS's portfolio of on-going facility
assessment efforts and strategies.
As GAO has indicated, FPS employed the best project
management principles in the development of MIST. MIST
requirements were developed leveraging the knowledge obtained
from our long-standing relationships with the General Services
Administration, the Facility Security Committee, and other
customers.
As we move to measure and assure the successful performance
of MIST my plan is to build upon this foundation to improve
FPS's management of other significant programs--for example,
our protective security officer program. Just as technology is
enhancing our risk assessment processes, I plan to better
leverage technology to allow for more effective oversight of
our contract PSOs.
A key enabler of these actions will come from the good work
of our collaboration with the Systems Engineering and Design
Institute, SEDI, a Federally-funded research and development
center. We have engaged the SEDI to produce a full mapping of
FPS activities and to then align them with FPS's current fee
structure. That work will be used to produce an activity-based
cost model for FPS.
These efforts are designed to result in a more efficient
revenue structure for FPS and greater transparency on security
costs for FPS stakeholders.
I am also pleased to note that some of our recent progress
includes an increased participation in the important work of
the Interagency Security Committee to include chairing a new
ISC working group which will look at the future of Federal
workplace security and the newly reconstituted Training
Subcommittee.
FPS's program--progress in the past year and our path
forward leveraging partnerships and technology is clearly in
direct support of our long-term vision. It will continue to
take time, deliberate planning, and the dedication of our
employees and partners to fully realize our vision and I look
forward to keeping you apprised of our progress.
Again, thank you for the opportunity to discuss FPS with
you today, and I would be happy to answer any questions you
might have.
[The prepared statement of Mr. Patterson follows:]
Prepared Statement of L. Eric Patterson
July 24, 2012
Thank you Chairman Lungren, Ranking Member Clarke, and the
distinguished Members of the subcommittee. My name is Eric Patterson,
and I am the Director of the Federal Protective Service (FPS) within
the Department of Homeland Security's (DHS) National Protection and
Programs Directorate (NPPD).
I am honored to appear before you today to discuss NPPD/FPS's
progress in utilizing key protection and risk management practices such
as allocation of resources, leveraging technology, and enhancing
information sharing and coordination.
The GAO has raised several areas that have historically represented
challenges for FPS including:
1. Absence of a risk management program;
2. Addressing key human capital issues through a strategic human
capital plan;
3. Contract Guard workforce management and oversight; and
4. Need for a review of FPS's fee design.
Today's hearing is an opportunity to address the progress FPS has
made during the past year in working to address these challenges, and
to also provide information on the topics addressed in GAO's new report
related to risk assessment and Protective Security Officer (PSO)
program management and oversight.
fps background
FPS's mission is to protect more than 9,000 Federal buildings and
the 1.4 million Federal employees and visitors who occupy them
throughout the country every day by leveraging the intelligence and
information resources of its network of public and private-sector
partners. Specifically, FPS executes its mission by providing proactive
law enforcement, investigation and protective intelligence and
information sharing services, incident response, security planning, and
stakeholder engagement. Prior to its transfer to NPPD in 2009, FPS was
organized under Immigration and Customs Enforcement and prior to that,
under the General Services Administration (GSA).
Part of our core mission is to assess the threat picture for the
Government Facilities Sector (GFS) and share that information with
stakeholders as appropriate. For example, FPS leverages the Homeland
Security Information Network (HSIN), a secure, trusted web-based portal
to share information with our more than 900 Government and industry
partners. One of the recent information-sharing initiatives FPS has
implemented to assist in the protection of facilities and their
occupants is the Federal Facility Threat Picture (FFTP), which is an
unclassified assessment of the current known threats to the facilities
FPS protects. Produced quarterly, the FFTP supports the threat
component of a Federal Security Assessments (FSA) and informs our
stakeholders of potential threats to Government facilities. The FFTP
focuses on the threats posed by a variety of actors that may seek to
attack or exploit elements of the GFS. The information used in the FFTP
comes from intelligence and law enforcement community reporting.
During fiscal year 2011, FPS:
Investigated and mitigated more than 1,300 threats and
assaults directed towards Federal facilities and their
occupants;
Disseminated 331 threat- and intelligence-based products to
our stakeholders, 142 of which were FPS-produced;
Conducted 81,125 post inspections;
Interdicted more than 680,000 weapons/prohibited items
including knives, brass knuckles, pepper spray, and other items
that could be used as weapons or are contraband such as illegal
drugs, at Federal facility entrances during routine checks;
Made 1,975 arrests;
Responded to 53,000 incidents involving people or property;
and
Conducted more than 1,800 high-visibility operations under
Operation Shield and 150 risk-based Covert Test operations,
ensuring the protection of Federal buildings and
infrastructure.
fps is developing a risk management program
In terms of a risk management program, FPS's operational activities
are organized by the National Infrastructure Protection Plan's (NIPP)
Risk Management Framework, which calls for the following steps: Set
Security Goals, Identify Assets and Functions, Assess Risks,
Prioritize, Implement Protective Programs, and Measure Effectiveness.
One area of recent significant progress related to risk assessment and
the implementation of a risk management program is the on-going
implementation of FPS's solution for conducting FSAs using an automated
assessment tool. In May 2011, the decision was made to cease
development of the legacy application known as the Risk Assessment and
Management Program (RAMP) and to pursue a stand-alone assessment tool,
in order to provide completed FSAs to customers. That decision has
since been affirmed by the Department's Office of Inspector General
(OIG).
In the interim period, our employees have continued their daily
interactions with tenant agencies and oversight of facility security.
Our personnel have been completing Pre-Modified Infrastructure Survey
Tool (MIST) worksheets to enable complete FSA reports, and are
constantly assessing risks to Federal facilities. Specifically, the
pre-MIST worksheet allows the inspector to collect key information that
will be populated into MIST and used in generating a final FSA report.
Such data includes facility information, vulnerability assessments, and
existing protective measures.
After consideration of several alternatives, FPS partnered with
NPPD's Office of Infrastructure Protection (IP) to leverage a proven
assessment methodology called the Infrastructure Survey Tool (IST). In
October 2011, NPPD issued a task order to Argonne National Laboratory
(ANL) through the Department of Energy to modify the existing Link
Encrypted Network System (LENS) and IST for FPS use to conduct FSAs.
Because this project leveraged existing tools and had limited resources
and time constraints, the acquisition life cycle was tailored to meet
delivery deadlines.
I am pleased to note that in its draft report, GAO noted FPS's use
of project management principles in the development of MIST. Throughout
the project, the MIST Users Working Group has remained engaged to
ensure user involvement in the process. User feedback from field
testing was uniformly positive about MIST and the FPS Gateway,
confirming suitability to support the FPS mission. The MIST and FPS
Gateway development efforts were completed on schedule, with ANL
delivering the system to the Government on March 30, 2012. In April
2012, and the decision was made to proceed and deploy MIST. It is
important to note that throughout the development and testing of MIST,
field employees and our union were involved and actively participated
as subject matter experts in the process.
FPS developed and is currently implementing a distance learning-
based training program for each MIST user, as GAO commended in its
draft report. Supervisors completed this training in April 2012 and
Inspectors began their virtual training in May 2012, with completion of
all training anticipated for late September 2012. This provides a
hands-on learning environment for our Inspectors; they will receive
virtual instruction as they use the tool in the learning environment.
Once an Inspector completes the training and successfully briefs his or
her supervisor on a completed FSA, that Inspector will be able to
proceed with conducting FSAs and reporting the results to a Facility
Security Committee.
In leveraging existing technology in developing MIST, FPS was able
to incorporate the ability to illustrate the impact of alternative
countermeasures on a particular vulnerability. MIST will also show how
a facility is or is not meeting the baseline level of protection for
its Facility Security Level as set forth in the ISC's Physical Security
Criteria for Federal Facilities standard and the ISC's Design Basis
Threat report. This will lead to a more informed and better dialogue
with tenants and Facility Security committees as FSA results are
discussed and alternatives are explored. Additionally, FPS recently
disseminated guidance Nation-wide on the commencement of the use of
MIST to generate FSAs upon completion of inspector training. The
anticipated results of the use of MIST are consistent assessment
results Nation-wide and informed decision-making regarding security
investments on the part of tenant agencies.
fps is addressing key human capital issues through development of a
strategic human capital plan
In order to ensure that human resource requirements are aligned
appropriately with FPS's overall mission, a Strategic Human Capital
Plan is being developed in conjunction with NPPD's Human Capital
Office. We are working to finalize the document; we intend to provide
the plan and brief the committee when it is finalized.
fps is working to improve its protective security officer management
and oversight
FPS is working to improve management and oversight of our over
13,000 Protective Security Officer (PSO) force. We have reviewed our
operations Nation-wide and have taken steps at the National program
level to ensure that performances under contracts are advantageous to
the Government. We are actively working to implement the
recommendations resulting from GAO and OIG reviews across the
organization. Additionally, an Integrated Project Team (IPT) conducted
a comprehensive review of how FPS resources the PSO oversight function
and our current oversight policy.
FPS is also working with DHS's Science and Technology Directorate
to develop a system for contract guard oversight and explore means of
leveraging technology to ensure effective oversight of PSOs, such as
automated tracking of guard post staff levels and PSO possession of the
necessary credentials to stand post. Additionally, our training team is
working closely with industry and Federal partners in developing a more
effective training strategy for our PSOs.
fps is examining its fee structure in order to review current fee
design
FPS operates through fee-based funding revenue, which is calculated
based on the Federal facility tenant's square footage of occupancy and
on the collection of services associated with the provisioning of
reimbursable protective countermeasures. This fee-based financial
structure is unique among Federal law-enforcement agencies and requires
a greater degree of understanding internal operations to ensure it is
properly aligned with FPS's costs.
To address this challenge, FPS is implementing a two-pronged
strategy to better understand its activities and costs and recommend
options for a new revenue structure. In January 2012, FPS collaborated
with the Department's Systems Engineering and Design Institute (SEDI),
a Federally Funded Research and Development Center managed by the DHS
Science and Technology Directorate, to produce a full mapping of FPS
activities and then align them with costs. That work will be used to
produce Activity-Based Cost (ABC) models for FPS. Both of these efforts
are designed to result in a more efficient revenue structure for FPS
and greater transparency in security costs for FPS stakeholders.
conclusion
Thank you again for the opportunity to provide you with an update
on the progress FPS is making on a number of fronts. FPS aspires to be
an exemplary law enforcement and strategic critical infrastructure
protection organization. This is a vision uniformly shared by FPS
leadership and operational staff, both at headquarters and in the
field. I would be happy to answer any questions you might have.
Mr. Lungren. Thank you very much, Director Patterson. You
stayed within the time wonderfully. A new record here.
Now, Mr. Goldstein, please.
STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL
INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Goldstein. Thank you, Mr. Chairman and Ranking Member
Clarke. We are pleased to be here this morning to testify on
the Federal Protective Service and its efforts to improve its
security of Federal property, employees, and citizens who use
these facilities.
FPS provides security and law enforcement services to over
9,000 Federal facilities managed by GSA. GAO has reported that
FPS faces challenges providing security services, particularly
completing FSAs and managing its contract guard program.
To address these challenges FPS spent about $35 million in
4 years developing RAMP, essentially a risk assessment and
guard oversight tool. However, RAMP ultimately could not be
used to do either because of system problems.
My testimony today is based on preliminary work for you,
Mr. Chairman, and discusses the extent to which FPS is
completing risk assessments, developing a tool to complete
FSAs, and managing its contract guard workforce.
Our preliminary results indicate that: No. 1, the
Department of Homeland Security's DHS Federal Protective
Service is not assessing risks at Federal facilities in a
manner that is consistent with standards such as the National
infrastructure protection plan's risk management framework as
FPS originally planned. Instead of conducting risk assessments,
since September 2011 FPS's inspectors have collected
information such as location, purpose, agency contacts, and
current countermeasures.
This information notwithstanding, FPS has a backlog of
Federal facilities that have not been assessed for several
years. According to FPS's own data, more than 5,000 facilities
were to be assessed in fiscal years 2010 through 2012.
However, GAO was not able to determine the extent of FPS's
facility security assessment backlog because the data was
unreliable. Multiple agencies have expended resources to
conduct risk assessments themselves even though they also
already pay FPS for this service.
Second, FPS has an interim vulnerability assessment tool,
referred to as MIST, which it plans to use to assess Federal
facilities until it develops a longer-term solution. In
developing MIST, FPS generally followed project management best
practices that GAO had developed, such as conducting user
acceptance testing.
However, our preliminary analysis indicates that MIST has
some limitations. Most notably, MIST does not estimate the
consequences of an undesirable event occurring at a facility.
Several of the risk assessment experts GAO spoke with
agreed that a tool that does not estimate consequences does not
allow for an agency to fully assess risk. FPS officials stated
that they did not include consequence information in MIST
because it was not part of the original design and thus
requires more time to validate.
MIST also was not designed to compare risk across Federal
facilities. Thus, FPS has a limited assurance if critical risks
at Federal facilities are being prioritized and mitigated. We
have made recommendations in this area in the past.
Third, GAO's preliminary work indicates that FPS continues
to face challenges in overseeing its contract guard program.
FPS developed the risk assessment and management program, RAMP,
to help it oversee its contract guard workforce by verifying
that guards are trained and certified and for conducting guard
post inspections.
However, FPS faced challenges using RAMP for guard
oversight, such as verifying guard training and certification
information, and has recently determined that it would no
longer use RAMP. Without a comprehensive system it is more
difficult for FPS to oversee its contract guard workforce.
FPS is verifying guard certification and training
information by conducting monthly audits of guard training and
certification information. However, FPS does not independently
verify the contractors' information.
Additionally, FPS recently decided to deploy a new interim
method to record post inspections that replaced RAMP. We have
not reviewed this system.
This concludes my opening remarks, Mr. Chairman. I would be
pleased to address any questions you or Members of the
subcommittee have. Thank you.
[The prepared statement of Mr. Goldstein follows:]
Prepared Statement of Mark L. Goldstein
July 24, 2012
gao highlights
Highlights of GAO-12-943T, testimony before the Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies of
the House Committee on Homeland Security.
Why GAO Did This Study
FPS provides security and law enforcement services to over 9,000
Federal facilities managed by the General Services Administration
(GSA). GAO has reported that FPS faces challenges providing security
services, particularly completing FSAs and managing its contract guard
program. To address these challenges, FPS spent about $35 million and 4
years developing RAMP--essentially a risk assessment and guard
oversight tool. However, RAMP ultimately could not be used to do either
because of system problems.
This testimony is based on preliminary work for the Chairman and
discusses the extent to which FPS is: (1) Completing risk assessments,
(2) developing a tool to complete FSAs, and (3) managing its contract
guard workforce. GAO reviewed FPS documents, conducted site visits at 3
of FPS's 11 regions and interviewed officials from FPS, Argonne
National Laboratory, GSA, Department of Veterans Affairs, the Federal
Highway Administration, Immigration and Customs Enforcement, and guard
companies; as well as 4 risk management experts.
What GAO Recommends
GAO is not making any recommendations in this testimony. GAO plans
to finalize its analysis and report to the Chairman in August 2012,
including recommendations. GAO discussed the information in this
statement with FPS and incorporated technical comments as appropriate.
federal protective service.--preliminary results on efforts to assess
facility risks and oversee contract guards
What GAO Found
GAO's preliminary results indicate that the Department of Homeland
Security's (DHS) Federal Protective Service (FPS) is not assessing
risks at Federal facilities in a manner consistent with standards such
as the National Infrastructure Protection Plan's (NIPP) risk management
framework, as FPS originally planned. Instead of conducting risk
assessments, since September 2011, FPS's inspectors have collected
information, such as the location, purpose, agency contacts, and
current countermeasures (e.g., perimeter security, access controls, and
closed-circuit television systems). This information notwithstanding,
FPS has a backlog of Federal facilities that have not been assessed for
several years. According to FPS's data, more than 5,000 facilities were
to be assessed in fiscal years 2010 through 2012. However, GAO was not
able to determine the extent of FPS's facility security assessment
(FSA) backlog because the data were unreliable. Multiple agencies have
expended resources to conduct risk assessments, even though they also
already pay FPS for this service.
FPS has an interim vulnerability assessment tool, referred to as
the Modified Infrastructure Survey Tool (MIST), which it plans to use
to assess Federal facilities until it develops a longer-term solution.
In developing MIST, FPS generally followed GAO's project management
best practices, such as conducting user acceptance testing. However,
our preliminary analysis indicates that MIST has some limitations. Most
notably, MIST does not estimate the consequences of an undesirable
event occurring at a facility. Three of the four risk assessment
experts GAO spoke with generally agreed that a tool that does not
estimate consequences does not allow an agency to fully assess risks.
FPS officials stated that they did not include consequence information
in MIST because it was not part of the original design and thus
requires more time to validate. MIST also was not designed to compare
risks across Federal facilities. Thus, FPS has limited assurance that
critical risks at Federal facilities are being prioritized and
mitigated.
GAO's preliminary work indicates that FPS continues to face
challenges in overseeing its approximately 12,500 contract guards. FPS
developed the Risk Assessment and Management Program (RAMP) to help it
oversee its contract guard workforce by verifying that guards are
trained and certified and for conducting guard post inspections.
However, FPS faced challenges using RAMP for guard oversight, such as
verifying guard training and certification information, and has
recently determined that it would no longer use RAMP. Without a
comprehensive system, it is more difficult for FPS to oversee its
contract guard workforce. FPS is verifying guard certification and
training information by conducting monthly audits of guard information
maintained by guard contractors. However, FPS does not independently
verify the contractor's information. Additionally, according to FPS
officials, FPS recently decided to deploy a new interim method to
record post inspections that replaces RAMP.
Chairman Lungren, Ranking Member Clarke, and Members of the
subcommittee: We are pleased to be here today to discuss the Department
of Homeland Security's (DHS) Federal Protective Service's (FPS) efforts
to complete risk assessments of the over 9,000 Federal facilities under
the custody and control of the General Services Administration (GSA)
and oversee its contract guards in the absence of its Risk Assessment
and Management Program (RAMP), a web-enabled facility security
assessment (FSA) and guard management system. As we reported in July
2011, FPS had spent about $35 million and taken almost 4 years to
develop RAMP--$14 million and 2 years more than planned--but still
could not use RAMP to complete FSAs because of several factors,
including that FPS did not verify the accuracy of the Federal facility
data used.\1\ As a result, FPS's Director decided to stop using RAMP to
conduct FSAs and instead pursue an interim tool to replace it. FPS also
experienced difficulty using RAMP to ensure that its guards met
training and certification requirements, primarily because of
challenges in verifying guards' data.\2\ In June 2012, FPS also decided
to stop using RAMP to help oversee its contract guard program.
---------------------------------------------------------------------------
\1\ GAO, Federal Protective Service: Actions Needed to Resolve
Delays and Inadequate Oversight Issues with FPS's Risk Assessment and
Management Program, GAO-11-705R (Washington, DC: July 15, 2011).
\2\ GAO-11-705R.
---------------------------------------------------------------------------
For fiscal year 2012, FPS has a budget of $1.3 billion, with over
1,200 full-time employees and about 12,500 contract security guards, to
achieve its mission to protect Federal facilities. As part of the FSA
process, FPS generally attempts to gather and review facility
information; conduct and record interviews with tenant agencies; assess
threats, vulnerabilities, and consequences to facilities, employees,
and the public; and recommend countermeasures to Federal tenant
agencies. FPS's contract guards are responsible for controlling access
to Federal facilities, screening access areas to prevent the
introduction of weapons and explosives, enforcing property rules and
regulations, detecting and reporting criminal acts, and responding to
emergency situations involving facility safety and security. FPS relies
on the fees it charges Federal tenant agencies in GSA-controlled
facilities to fund its security services.\3\
---------------------------------------------------------------------------
\3\ 40 U.S.C. � 586; 41 C.F.R. � 102-85.35; Pub. L. No. 111-83, 123
Stat. 2142, 2156-57 (2009).
---------------------------------------------------------------------------
This testimony is based on preliminary results of work we conducted
for a report that we plan to issue to the Chairman in August 2012. That
report will contain our final evaluation and recommendations.
Consistent with the report's objectives, this statement addresses the
extent to which FPS is: (1) Completing risk assessments, (2) developing
a tool to complete FSAs, and (3) managing its contract guard workforce.
To examine the extent to which FPS is completing risk assessments and
overseeing guards without RAMP, we reviewed, among other things, FPS's
current FSA procedures and data on completed and planned FSAs for
fiscal years 2010 to 2012. Specifically, we reviewed FPS's FSA data
aggregated from its 11 regions to determine the extent of its FSA
backlog. However, we could not determine the extent of the backlog
because FPS's data contained a number of missing and incorrect values
which made the data unreliable. We also visited 3 of FPS's 11 regions
and interviewed internal and external stakeholders including, among
others, FPS, GSA, Department of Veterans Affairs, the Federal Highway
Administration, Immigration and Customs Enforcement, and guard
companies. We selected these 3 regions based on the number of Federal
facilities in the region and their security levels, the number of
contract guards in the region, and geographic dispersion. Our work is
not generalizable to all FPS regions. To determine the status of FPS's
efforts to develop an FSA tool, we reviewed, among other things,
relevant project documents and Federal physical security standards,
such as DHS's National Infrastructure Protection Plan's (NIPP) risk
management framework. We also interviewed FPS officials,
representatives from Argonne National Laboratory, and four risk
management experts. We selected our four risk assessment experts from a
list of individuals who participated in the Comptroller General's 2007
risk management forum.\4\ This work is being conducted in accordance
with generally accepted Government auditing standards. Those standards
require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence
obtained provides a reasonable basis for our findings and conclusions
based on our audit objectives.
---------------------------------------------------------------------------
\4\ GAO, Highlights of a Forum: Strengthening the Use of Risk
Management Principles in Homeland Security, GAO-08-627SP (Washington,
DC: April 2008).
---------------------------------------------------------------------------
fps does not currently assess risks at federal facilities but multiple
agencies are conducting their own assessments
Our preliminary results indicate that, in the absence of RAMP, FPS
currently is not assessing risk at the over 9,000 Federal facilities
under the custody and control of GSA in a manner consistent with
Federal standards such as NIPP's risk management framework, as FPS
originally planned. According to this framework, to be considered
credible a risk assessment must specifically address the three
components of risk: Threat, vulnerability, and consequence. As a
result, FPS has accumulated a backlog of Federal facilities that have
not been assessed for several years. According to FPS data, more than
5,000 facilities were to be assessed in fiscal years 2010 through 2012.
However, we were not able to determine the extent of the FSA backlog
because we found FPS's FSA data to be unreliable. Specifically, our
analysis of FPS's December 2011 assessment data showed nearly 800 (9
percent) of the approximately 9,000 Federal facilities did not have a
date for when the last FSA was completed. We have reported that timely
and comprehensive risk assessments play a critical role in protecting
Federal facilities by helping decision makers identify and evaluate
potential threats so that countermeasures can be implemented to help
prevent or mitigate the facilities' vulnerabilities.\5\
---------------------------------------------------------------------------
\5\ GAO, Homeland Security: Greater Attention to Key Practices
Would Improve the Federal Protective Service's Approach to Facility
Protection, GAO-10-142 (Washington, DC: Oct. 23, 2009).
---------------------------------------------------------------------------
Although FPS is not currently assessing risk at Federal facilities,
FPS officials stated that the agency is taking steps to ensure Federal
facilities are safe. According to FPS officials, its inspectors (also
referred to as law enforcement security officers) monitor the security
posture of Federal facilities by responding to incidents, testing
countermeasures, and conducting guard post inspections. In addition,
since September 2011, FPS's inspectors have collected information--such
as location, purpose, agency contacts, and current countermeasures
(e.g., perimeter security, access controls, and closed-circuit
television systems) at over 1,400 facilities--which will be used as a
starting point to complete FPS's fiscal year 2012 assessments. However,
FPS officials acknowledged that this approach is not consistent with
NIPP's risk management framework. Moreover, several FPS inspectors told
us that they received minimal training or guidance on how to collect
this information, and expressed concern that the facility information
collected could become outdated by the time it is used to complete an
FSA.
Multiple Federal Agencies Are Conducting Their Own Risk Assessments
We reported in February 2012 that multiple Federal agencies have
been expending additional resources to conduct their own risk
assessments, in part because they have not been satisfied with FPS's
past assessments.\6\ These assessments are taking place even though,
according to FPS's Chief Financial Officer, FPS received $236 million
in basic security fees from Federal agencies to conduct FSAs and other
security services in fiscal year 2011.\7\ For example, officials we
spoke with at the Internal Revenue Service, Federal Emergency
Management Agency, Environmental Protection Agency, and the U.S. Army
Corps of Engineers stated that they conduct their own risk assessments.
GSA is also expending additional resources to assess risk. We reported
in October 2010 that GSA officials did not always receive timely FPS
risk assessments for facilities GSA considered leasing.\8\ GSA seeks to
have these assessments completed before it takes possession of a
property and leases it to tenant agencies. However, our preliminary
work indicates that as of June 2012, FPS has not coordinated with GSA
and other Federal agencies to reduce or prevent duplication of its
assessments.
---------------------------------------------------------------------------
\6\ GAO, 2012 Annual Report: Opportunities to Reduce Duplication,
Overlap, and Fragmentation, Achieve Savings, and Enhance Revenue, GAO-
12-342SP (Washington, DC: February 2012).
\7\ FPS currently charges tenant agencies in properties under GSA
control a basic security fee of $0.74 per square foot per year for its
security services including physical security and law enforcement
activities as per 41 C.F.R. � 102-85.35.
\8\ GAO-10-142.
---------------------------------------------------------------------------
fps efforts to develop a risk assessment tool are evolving, but
challenges remain
In September 2011, FPS signed an interagency agreement with Argonne
National Laboratory for about $875,000 to develop an interim tool for
conducting vulnerability assessments by June 30, 2012.\9\ According to
FPS officials, on March 30, 2012, Argonne National Laboratory delivered
this tool, called the Modified Infrastructure Survey Tool (MIST), to
FPS on time and within budget. MIST is an interim vulnerability
assessment tool that FPS plans to use until it can develop a permanent
solution to replace RAMP. According to MIST project documents and FPS
officials, among other things, MIST will:
---------------------------------------------------------------------------
\9\ As of March 2012, FPS's total life cycle cost for MIST was
estimated at $5 million.
---------------------------------------------------------------------------
allow FPS's inspectors to review and document a facility's
security posture, current level of protection, and recommend
countermeasures;
provide FPS's inspectors with a standardized way for
gathering and recording facility data; and
allow FPS to compare a facility's existing countermeasures
against the Interagency Security Committee's (ISC)
countermeasure standards based on the ISC's predefined threats
to Federal facilities (e.g., blast-resistant windows for a
facility designed to counter the threat of an explosive device)
to create the facility's vulnerability report.\10\
---------------------------------------------------------------------------
\10\ The ISC is comprised of representatives from more than 50
Federal agencies and departments, establishes standards and best
practices for Federal security professionals responsible for protecting
non-military Federal facilities in the United States. FPS is a member
agency of the Interagency Security Committee in the Department of
Homeland Security, along with other Federal agencies such as the
General Services Administration, the Federal Aviation Administration,
the Environmental Protection Agency, and other components within the
Department of Homeland Security. The ISC has defined 31 different
threats to Federal facilities including vehicle-borne improvised
explosive devices, workplace violence, and theft.
---------------------------------------------------------------------------
According to FPS officials, MIST will provide several potential
improvements over FPS's prior assessment tools, such as using a
standard way of collecting facility information and allowing edits to
GSA's facility data when FPS inspectors find it is inaccurate. In
addition, according to FPS officials, after completing a MIST
vulnerability assessment, inspectors will use additional threat
information gathered outside of MIST by FPS's Threat Management
Division as well as local crime statistics to identify any additional
threats and generate a threat assessment report. FPS plans to provide
the facility's threat and vulnerability reports along with any
countermeasure recommendations to the Federal tenant agencies.
In May 2012, FPS began training inspectors on MIST and how to use
the threat information obtained outside MIST and expects to complete
the training by the end of September 2012. According to FPS officials,
inspectors will be able to use MIST once they have completed training
and a supervisor has determined, based on professional judgment, that
the inspector is capable of using MIST. At that time, an inspector will
be able to use MIST to assess level I or II facilities.\11\ According
to FPS officials, once these assessments are approved, FPS will
subsequently determine which level III and IV facilities the inspector
may assess with MIST.
---------------------------------------------------------------------------
\11\ FPS uses the ISC's Facility Security Level Determination for
Federal Facilities to determine the facility security level (FSL). The
ISC recommends that level I and II facilities be assessed every 5 years
and level III and IV facilities every 3 years. According to the ISC's
criteria, a level I facility may be 10,000 or fewer square feet, have
fewer than 100 employees, provide administrative or direct service
activities, and have little to no public contact; a level II facility
may be 100,000 or fewer square feet, have 250 or fewer employees, be
readily identifiable as a Federal facility, and provide district or
State-wide services; a level III facility may be 250,000 or fewer
square feet, have 750 or fewer employees, be an agency's headquarters,
and be located in an area of moderate crime; and a level IV facility
may exceed 250,000 square feet, have more than 750 employees, house
National leadership, and be located in or near a popular tourist
destination.
---------------------------------------------------------------------------
FPS Increased Its Use of Project Management Best Practices in
Developing MIST
Our preliminary analysis indicates that in developing MIST, FPS
increased its use of GAO's project management best practices, including
alternatives analysis, managing requirements, and conducting user
acceptance testing.\12\ For example, FPS completed, although it did not
document, an alternatives analysis prior to selecting MIST as an
interim tool to replace RAMP. It appears that FPS also better managed
MIST's requirements. Specifically, FPS's Director required that MIST be
an FSA-exclusive tool and thus helped avoid changes in requirements
that could have resulted in cost or schedule increases during
development. In March 2012, FPS completed user acceptance testing of
MIST with some inspectors and supervisors, as we recommended in
2011.\13\ According to FPS officials, user feedback on MIST was
positive from the user acceptance test, and MIST produced the necessary
output for FPS's FSA process. However, FPS did not obtain GSA or
Federal tenant agencies' input in developing MIST's requirements.
Without this input, FPS's customers may not receive the information
they need to make well-informed countermeasure decisions.
---------------------------------------------------------------------------
\12\ GAO-11-705R.
\13\ GAO-11-705R.
---------------------------------------------------------------------------
MIST Has Limitations as an Assessment Tool
FPS has yet to decide what tool, if any, will replace MIST, which
is intended to be an interim vulnerability assessment tool. According
to FPS officials, the agency plans to use MIST for at least the next 18
months. Consequently, until FPS decides what tool, if any, will replace
MIST and RAMP, it will still not be able to assess risk at Federal
facilities in a manner consistent with NIPP, as we previously
mentioned. Our preliminary work suggests that MIST has several
limitations:
Assessing Consequence.--FPS did not design MIST to estimate
consequence, a critical component of a risk assessment.
Assessing consequence is important because it combines
vulnerability and threat information to evaluate the potential
effects of an adverse event on a Federal facility. Three of the
four risk assessment experts we spoke with generally agreed
that a tool that does not estimate consequences does not allow
an agency to fully assess the risks to a Federal facility.
However, FPS officials stated that incorporating consequence
information into an assessment tool is a complex task. FPS
officials stated that they did not include consequence
assessment in MIST's design because it would have required
additional time to develop, validate, and test MIST. As a
result, while FPS may be able to identify a facility's
vulnerabilities to different threats using MIST, without
consequence information, Federal tenant agencies may not be
able to make fully-informed decisions about how to allocate
resources to best protect Federal facilities. FPS officials do
not know if this capability can be developed in the future, but
they said that they are working with the ISC and DHS's Science
and Technology Directorate to explore the possibility.
Comparing Risk Across Federal Facilities.--FPS did not
design MIST to present comparisons of risk assessment results
across Federal facilities. Consequently, FPS cannot take a
comprehensive approach to managing risk across its portfolio of
9,000 facilities to prioritize recommended countermeasures to
Federal tenant agencies. Instead, FPS takes a facility-by-
facility approach to risk management where all facilities with
the same security level are assumed to have the same security
risk, regardless of their location.\14\ We reported in 2010
that FPS's approach to risk management provides limited
assurance that the most critical risks at Federal facilities
across the country are being prioritized and mitigated.\15\ FPS
recognized the importance of having such a comprehensive
approach to its FSA program when it developed RAMP and FPS
officials stated that they may develop this capability for the
next version of MIST.
---------------------------------------------------------------------------
\14\ GAO-10-142.
\15\ GAO, Homeland Security: Addressing Weaknesses with Facility
Security Committees Would Enhance Protection of Federal Facilities,
GAO-10-901 (Washington, DC: August 5, 2010).
---------------------------------------------------------------------------
Measuring Performance.--FPS has not developed metrics to
measure MIST's performance, such as feedback surveys from
tenant agencies. Measuring performance allows organizations to
track progress toward their goals and, gives managers critical
information on which to base decisions for improving their
programs. This is a necessary component of effective
management, and should provide agency managers with timely,
action-oriented information.\16\ Without such metrics, FPS's
ability to improve MIST will be hampered. FPS officials stated
that they are planning to develop performance measures for
MIST, but did not give a time frame for when they will do so.
---------------------------------------------------------------------------
\16\ GAO, Homeland Security: The Federal Protective Service Faces
Several Challenges That Hamper its Ability to Protect Federal
Facilities, GAO-08-683 (Washington, DC: June 11, 2008).
---------------------------------------------------------------------------
fps faces challenges in overseeing its contract guards
Our work to date indicates that FPS does not have a comprehensive
and reliable system to oversee its approximately 12,500 contract
guards. In addition to conducting FSAs, FPS developed RAMP as a
comprehensive system to help oversee two aspects of its contract guard
program: (1) Verifying that guards are trained and certified to be on
post in Federal facilities; and (2) conducting and documenting guard
post inspections.\17\ However, FPS experienced difficulty with RAMP
because the contract guard training and certification information in
RAMP was not reliable. Additionally, FPS faced challenges using RAMP to
conduct and document post inspections.\18\ For example, FPS inspectors
we interviewed reported they had difficulty connecting to RAMP's
servers in remote areas and that recorded post inspections disappeared
from RAMP's database without explanation. Although we reported some of
these challenges in 2011, FPS did not stop using RAMP for guard
oversight until June 2012 when the RAMP operations and maintenance
contract was due to expire.
---------------------------------------------------------------------------
\17\ A post is a guard's area of responsibility in a Federal
facility.
\18\ FPS's inspection requirement for level I and II facilities is
two annual inspections of all posts, all shifts. The inspection
requirement for level III facilities is biweekly inspections of two
posts, any shift, and for level IV, weekly inspections of two posts,
any shift.
---------------------------------------------------------------------------
In the absence of RAMP, in June 2012, FPS decided to deploy an
interim method to enable inspectors to record post inspections. FPS
officials said this capability is separate from MIST, will not allow
FPS to generate post inspection reports, and does not include a way for
FPS inspectors to check guard training and certification data during a
post inspection. FPS officials acknowledged that this method is not a
comprehensive system for guard oversight. Consequently, it is now more
difficult for FPS to verify that guards on post are trained and
certified and that inspectors are conducting guard post inspections as
required.
Although FPS collects guard training and certification information
from the companies that provide contract guards, it appears that FPS
does not independently verify that information. FPS currently requires
its guard contractors to maintain their own files containing guard
training and certification information and began requiring them to
submit a monthly report with this information to FPS's regions in July
2011.\19\ To verify the guard companies' reports, FPS conducts monthly
audits. As part of its monthly audit process, FPS's regional staff
visits the contractor's office to select 10 percent of the contractor's
guard files and check them against the reports guard companies send FPS
each month. In addition, in October 2011, FPS undertook a month-long
audit of every guard file to verify that guards had up-to-date training
and certification information for its 110 contracts across its 11
regions. FPS provided preliminary October 2011 data showing that 1,152
(9 percent) of the 12,274 guard files FPS reviewed at that time were
deficient, meaning that they were missing one or more of the required
certification document(s). However, FPS does not have a final report on
the results of the Nation-wide audit that includes an explanation of
why the files were deficient and whether deficiencies were resolved.
---------------------------------------------------------------------------
\19\ For example, guard training and certifications include
firearms qualification, cardiopulmonary resuscitation, first aid, baton
certification, and X-ray and magnetometer training.
---------------------------------------------------------------------------
FPS's monthly audits of contractor data provide limited assurance
that qualified guards are standing post, as FPS is verifying that the
contractor-provided information matches the information in the
contractor's files. We reported in 2010 that FPS's reliance on
contractors to self-report guard training and certification information
without a reliable tracking system of its own may have contributed to a
situation in which a contractor allegedly falsified training
information for its guards.\20\ In addition, officials at one FPS
region told us they maintain a list of the files that have been audited
previously to avoid reviewing the same files, but FPS has no way of
ensuring that the same guard files are not repeatedly reviewed during
the monthly audits, while others are never reviewed. In the place of
RAMP, FPS plans to continue using its administrative audit process and
the monthly contractor-provided information to verify that qualified
contract guards are standing post in Federal facilities.
---------------------------------------------------------------------------
\20\ GAO, Homeland Security: Federal Protective Service's Contract
Guard Program Requires More Oversight and Reassessment of Use of
Contract Guards, GAO-10-341 (Washington, DC: April 13, 2010).
---------------------------------------------------------------------------
We plan to finalize our analysis and report to the Chairman in
August 2012, including recommendations. We discussed the information in
this statement with FPS and incorporated technical comments as
appropriate. Chairman Lungren, Ranking Member Clarke, and Members of
the subcommittee, this completes my prepared statement. I would be
happy to respond to any questions you may have at this time.
Mr. Lungren. Thank you very much, Mr. Goldstein.
The Chairman now recognizes Dr. Peerenboom to testify.
STATEMENT OF JAMES P. PEERENBOOM, DIRECTOR, INFRASTRUCTURE
ASSURANCE CENTER, ASSOCIATE DIRECTOR, DECISION AND INFORMATION
SCIENCES DIVISION, ARGONNE NATIONAL LABORATORY
Mr. Peerenboom. Good morning. Thank you, Chairman Lungren,
Representative Clarke, and the Members of the subcommittee for
your invitation to testify here today.
In early October 2011 the Federal Protective Service
engaged Argonne by funding the development of a software
application called a Modified Infrastructure Survey Tool, or
MIST, to be used by FPS on an interim basis to conduct facility
security assessments. MIST uses a tailored set of questions
that helps FPS establish a security baseline and allows for
comparisons of facilities being surveyed against security
standards. The MIST provides a standardized way of collecting
and reporting facility information to inform decisions about
security measures.
Argonne's work involved five tasks: Working with FPS to
develop the MIST methodology; implementing the methodology as a
release called MIST Release 1.0; developing a host site for
MIST Release, called the FPS Gateway; assisting FPS, as
requested, in training functions; and finally, providing help
desk support to MIST operation.
By working closely with FPS inspectors, contract management
staff, and leadership throughout the period of performance
Argonne was able to meet all the defined requirements in the
statement of work. MIST Release 1.0 and the FPS Gateway were
delivered to FPS on March 30, 2012, 6 months after the program
began. The products were delivered on time and within the
defined budget.
Argonne greatly appreciates the opportunity to work with
FPS in a collaborative manner to develop the MIST as a useful
and usable interim tool for FPS personnel. Knowledgeable FPS
leadership and staff were actively involved in all tasks and
feedback was provided by FPS personnel in a timely manner to
guide development activities. In addition, regular meetings
were held with FPS director, Director Patterson, and his staff
to review schedules and deliverables and to ensure that any
problems encountered were identified and quickly resolved.
Finally, Argonne also wishes to thank the DHS Office of
Infrastructure Protection, part of NPPD, their Protective
Security Coordination Division in particular, for their
collaboration with FPS, willingness to share methodologies,
technology, and experience.
I appreciate this opportunity to summarize the MIST
development activities at Argonne and I look forward to your
questions. Thank you.
[The prepared statement of Mr. Peerenboom follows:]
Prepared Statement of James P. Peerenboom
July 24, 2012
Thank you Chairman Lungren, Representative Clarke, and the
distinguished Members of the subcommittee for your invitation to
testify here today.
My name is James Peerenboom, and I am the Director of the
Infrastructure Assurance Center and the Associate Director of the
Decision and Information Sciences Division at Argonne National
Laboratory. Argonne is located just outside of Chicago and is one of
the U.S. Department of Energy's largest National laboratories for
scientific and engineering research. Argonne has been providing
technical support to the U.S. Department of Homeland Security (DHS)
since the Department was established in March 2003.
background
In late March 2011, the Federal Protective Service (FPS) requested
a meeting with Argonne to discuss the potential for leveraging
technical work that had been underway at the laboratory since 2007. The
work that FPS was seeking to leverage was funded by the DHS National
Protection and Programs Directorate's Office of Infrastructure
Protection (NPPD/IP). Specifically, FPS was interested in exploring the
option to modify an existing survey tool that Argonne had developed for
NPPD/IP called the Infrastructure Survey Tool (IST). This security
survey has been successfully deployed and used by DHS and its
Protective Security Advisors (PSAs) to identify security measures at
various critical infrastructure assets across the Nation. Argonne first
met with FPS representatives in April 2011 to demonstrate IST
functionality; discuss the purpose, scope, and limitations of the tool;
and discuss FPS assessment needs. A series of subsequent discussions
and meetings with FPS took place from April through September 2011.
description of ist
The IST is a survey tool that employs a tailored set of questions
to identify for infrastructure owners and operators some of the
potential security weaknesses at a given facility, establish an index
value of protective measures at the facility, and provide comparisons
with similar facilities. It is not a vulnerability or risk assessment
tool. Rather, as a survey tool, the IST provides a consistent,
transparent, and integrated assessment of a facility's current security
posture. It was designed for application to many types of critical
infrastructure assets--from refineries, railroad lines, and power
plants to financial centers--to enable owners and operators to see how
the security measures at their facilities stack up against those at
facilities like theirs. While the IST is not intended to compare a
facility's security to specific standards, it does provide a
comparative measure to similar facilities.
The DHS customers for IST survey data are infrastructure owners and
operators. The survey data, presented in an interactive dashboard,
allows them to visualize how certain security-related changes, such as
adding security cameras or installing fencing, alters the protective
measures index value and may contribute to improved security. On the
basis of feedback from the PSA community, the interactive dashboard in
use by NPPD/IP has been well received by infrastructure owners and
operators. In addition to providing insight and valuable feedback to
owners and operators, the IST data are also used by DHS to benchmark
security measures, identify protective measure gaps, and develop
infrastructure protection strategies.
fps work scope
In early October 2011, FPS engaged Argonne by funding the
development of a software application, called the Modified
Infrastructure Survey Tool (MIST), to be used by FPS on an interim
basis to conduct facility security assessments. As the name implies,
the MIST is a modification of the existing IST developed by Argonne and
deployed by NPPD/IP. The MIST uses a tailored set of questions that
helps FPS establish a security baseline and allows for comparison of
the facility being surveyed against security standards. MIST's
methodology involves the gathering of data via an assessment question
set, processing the data through an algorithm to convert the data to
vulnerability measures, and the generation of outputs such as a report
of those measures. Although the MIST was not designed to be an
Interagency Security Committee (ISC)-compliant tool, it adheres to the
ISC process and guidance as much as possible and captures elements of
ISC standards. The MIST provides a standardized way of collecting and
reporting facility information to inform decisions about security
measures.
Argonne's work was funded through an existing Interagency Agreement
(IAA) with NPPD/IP that encompassed IST-related tasks. Funds were
committed under the IAA to develop, test, deliver, and support MIST
Release 1.0. More than half of the funds were used for hardware and
software to establish a web portal, called the FPS Gateway, that allows
for sharing of information products and knowledge in real time. The FPS
Gateway leverages the architecture and hardware/software technology of
the Linking Encrypted Network System (LENS), a similar portal that
Argonne developed for NPPD/IP.
Argonne's statement of work under the IAA with FPS included five
tasks, all of which involved leveraging the experience, expertise, and
technology used in developing the IST:
Working with FPS to develop the MIST methodology;
Implementing the methodology as MIST Release 1.0 (software
development);
Developing a host site for MIST Release 1.0 (i.e., the FPS
Gateway);
Assisting FPS, as requested, in training functions; and
Providing ``help desk'' support for MIST operation.
project results
By working closely with FPS inspectors, contract management staff,
and leadership throughout the period of performance, Argonne was able
to meet all defined requirements in the statement of work. MIST Release
1.0 and the FPS Gateway were delivered to FPS on March 30, 2012. The
products were delivered on time and within the defined budget. Argonne
continues to provide help desk support to FPS. Feedback from FPS about
the MIST as an interim survey tool has been very positive.
acknowledgments
Argonne appreciates the opportunity to work with FPS in a
collaborative manner to develop the MIST as a useful and usable interim
tool for FPS personnel. Knowledgeable FPS leadership and staff were
actively engaged in all tasks, and feedback was provided by FPS
personnel in a timely manner to guide development. In addition, regular
meetings with the FPS Director also were held to review schedules and
deliverables and to ensure that any problems encountered were
identified and quickly resolved. Argonne also wishes to thank the NPPD/
IP Protective Security Coordination Division staff for their
collaboration with FPS, willingness to explain and share methodologies
and technology, and thorough IAA oversight.
Mr. Lungren. Thank you very much.
I think we may have set a record for brevity of the three
panelists, and we appreciate that. I am sure all my colleagues
have questions. We will start of round of questioning, and I
will start with the first 5 minutes.
General Patterson, in your previous jobs, precision,
accuracy, attention to detail has been extremely important. We
have had concerns prior to the time you got there with the lack
of those things in some of the functions that you are supposed
to--that your operation is supposed to carry out.
Last July when you testified you indicated your, I think,
frustration at where FPS was at that time. So how would you
assess FPS's progress to address deficiencies in the ability to
conduct facility security assessments and conduct oversight and
training of the contract guard program?
As I am sure you heard Mr. Goldstein, you have seen the
testimony that he gave. There seems to be some concern that he
expresses there. How would you judge where you are versus where
you think you need to be and where you want to be in those
areas?
General Patterson. Thank you, sir.
Well, to begin, we are at the beginning. RAMP unfortunately
did not produce results that the agency had hoped that it
would. So after careful review, as you are aware, I made the
decision that we were no longer going to follow that path and
develop a new path.
I spent quite a bit of time with our sister activity
component within Homeland Security, I.P., to talk about how
they look at threats, how they look at vulnerability within the
private and commercial sector, and how we could leverage what
they do and bring that about as quickly as we can to look how
we might do that in the Federal sector.
Once I was able to look across the--at what they were doing
and some of the things that some of our other partners might--
were doing at the time, because we also looked at systems
within S&T, and I think GSA also had a system that we were
evaluating. But at the time I believe that I.P. offered us the
best product, if you will, for us to move forward. That was
when I was introduced to Argonne Labs and the work that they
were doing for I.P. to support I.P.
I spent quite a bit of time with I.P. and Argonne Labs to
assess whether or not that would be the right direction for us.
In fact, that was the right--I believe that it is the right
direction for us.
Now, to get to the point of our folks within the GAO
assessment, it is correct that our MIST tool does not look at
consequence. However, what we do is we look at vulnerability
and we look at threat. We do that in a couple of ways.
In the vulnerability, we collect a lot of data to assess
and to determine how vulnerable these--our facilities are to
the threats that are being posed by--in a number of areas,
whether it be natural disaster, whether it be criminal threat,
or whether it be from the threat of terrorism.
I have also developed a very robust activity within FPS
that looks at the threat picture every day. We have folks who
are working with the ODNI, the Office of Director of National
Intelligence, who are working with I&A at DHS, who are working
with the FBI. I have several folks across the country who are
working at the JTTFs as well as the fusion centers across the
country to help us better understand the threat picture as we
move forward pulling vulnerability and threat together.
Relative to the consequence piece, each one of the Federal
agencies has a--what we call a COOP plan. It is a plan as to
when there is a problem--a disaster or something the must
respond to--how they will reorganize, how they will
reconstitute once that event has happened. They also have
something called an occupational emergency plan that we work
with them--that they can leverage, and that plan is developed
when an agency is either--when they have stood up--or when they
occupy a facility, or as we go in to perform our assessments.
So we have what we believe to be a fairly robust scenario,
if you will, of bringing vulnerability, threat, and
consequences together not necessarily in a single document, but
in a process, in a plan. So when an assessment is done my MIST
tool brings me the vulnerability piece; my intelligence folks--
my RIAs, is what we call them, regional intelligence folks,
bring forth the threat piece, and combine that with the COOP
plan and the emergency occupant plan to, I think, to bring
together a fairly robust product and assessment of
vulnerabilities and threats to our Federal facilities.
Mr. Lungren. Mr. Goldstein, would you have any comments on
that?
Mr. Goldstein. Thank you, Mr. Chairman.
You know, we were very pleased that FPS has made progress.
Don't get me wrong, we feel that they have made some progress.
The development of MIST is certainly a way forward out of the
past, whether it was from the original tools of FSRS, or
whether it was through the more recent tools, where they use an
Excel spreadsheet and then they had the whole RAMP program.
This is a way forward, and we do believe that by finally having
a program the inspectors can use where they are not
subjectively determining vulnerability on their own is
important. We discussed it in our report.
But we do think that being able to include consequence
information, as the National infrastructure program requires,
is really important. In my opinion----
Mr. Lungren. Mr. Patterson suggests that COOP, I believe it
is, or these other elements that their clients have fulfills
that role. You have a disagreement with that?
Mr. Goldstein. What I would tell you is I think that you
can't have a robust program without consequence information
because what you are doing is essentially telling people that
you have set the dinner table without telling them what the
food is going to be----
Mr. Lungren. No, I understand. I mean, I have always looked
at risk, you know, that simple equation of threat,
vulnerability, and consequence. What I was trying to get at is
Mr. Patterson has suggested, or stated, that he believes that
you reach that with this other component of information that he
receives from what I refer to as the clients--you might use
another term. Is that something you would still quarrel with at
this point?
Mr. Goldstein. I don't think it provides agencies and their
clients the kind of information they need to make robust
decisions about which countermeasures they are going to adopt
and which they aren't, which have more priority than others.
Mr. Lungren. Okay.
Ms. Clarke.
Ms. Clarke. Thank you, Mr. Chairman.
Director Patterson, FPS chose to modify the current Office
of Infrastructure Protection's infrastructure survey tool for
its new interim risk assessment tool. What other tools did FPS
consider and why weren't they selected?
General Patterson. Yes, ma'am. I don't have the specific
names of the other tools but there were a couple other tools. I
know one specifically that was being developed by the Office of
Science and Technology. The challenge with that particular tool
was that it was still in the development phase and it was being
beta tested.
One of the challenges that I believe that we were going to
have was that we were not involved in setting the requirements
for the tool. So therefore, we would had to have started from
the very beginning to figure out, you know, whether or not our
requirements were going to be met, and then if they weren't,
how we were going to incorporate that.
I felt that I needed to deliver something. We had spent
time, a bit of time, on RAMP. I felt that we needed to do, to
move forth quickly to try to do something to ensure that we
were providing our customers, our clients, an assessment
product--okay, not just an assessment, but an assessment
product--and I thought MIST would be the best way to do that.
Ms. Clarke. How does FPS plan to address the limitations
that GAO identified for MIST?
General Patterson. Yes, ma'am. For me, this is about being
a marathon and not a sprint. We are going to work aggressively
with the ISC, the Interagency Security Committee, to look at
how we productively and efficiently and effectively incorporate
all those things that the GAO has recommended and we agree that
should be considered to be in the tool.
Part of the challenge that we have is that we need to look
at this very, if you will, judiciously. When we evaluate or
assess a facility sometimes there are 10 tenants in that
facility, okay, so we have to be--we have to ensure that when
we produce a report that the consequence piece of that, if you
will, is going to have relevance to all of the folks in that
particular facility.
So I am not exactly sure that trying to put a consequence
piece into every assessment is the right avenue. So we are
going to work with the ISC to see how we might develop that and
work forward and move in that direction.
Ms. Clarke. How was the decision made to award Argonne
National Laboratory the contract to develop MIST? Were there
other entities considered as well?
General Patterson. Yes. We were required to--the
acquisition process required us to consider other avenues for
that, and they were--the decision was to go with Argonne.
Ms. Clarke. Okay.
Mr. Goldstein, when do you estimate that FPS will have a
more robust guard oversight tool in place that can track guard
certification information and offer FPS management with greater
insight as to whether all of the post inspections that need to
be conducted are, in fact, occurring?
Mr. Goldstein. I would judicially say that that is a work
in progress. I think the Federal Protective Service has
recognized that there are some vulnerabilities in their
process.
They recently stopped, as of June 2012, any use of RAMP for
that process; it was the last part of RAMP that was being used
and they notified offices not to be using that anymore. Much of
the information in that system had never been revalidated from
the old cert system so there were many problems with it.
I think it is going to take some time. We have some on-
going work for this committee, taking a look at guard programs,
and this will be something that we evaluate how others do it
and try to bring some of that information back to you and to
FPS to help them as they go forward. It is not a short-term
project.
Ms. Clarke. So would you say--yes, I mean, I recognize
that. But would you say they are just at the advent of----
Mr. Goldstein. I think they are at the beginning of trying
to determine what they need and how to independently verify
certification as well as post inspection, yes, ma'am.
Ms. Clarke. Okay. How does FPS now track the implementation
of security countermeasures that are recommended for inclusion
in the facility security assessments?
General Patterson. I am sorry, ma'am. Can you repeat that,
please?
Ms. Clarke. Yes, sure. How does FPS now track the
implementation of security countermeasures that are recommended
for inclusion in the facility security assessments?
General Patterson. Yes, ma'am. Currently we don't have a
tracking tool. It is all done manually, if you will, paper. As
our inspectors go out and interface with the committees, the
security committees, the facility security committees to
discuss--or the agencies to discuss what countermeasures might
be necessary or what--that we might recommend, at that point we
work with the FSCs to implement those requirements and it is
documented, but it is documented on paper at this point because
don't have a digital system, if you will, to account for that.
Ms. Clarke. Thank you, Mr. Chairman. I yield back.
Mr. Lungren. Gentlelady yields back.
Mr. Walberg is recognized for 5 minutes.
Mr. Walberg. Thank you, Mr. Chairman.
Thanks to the panel for being here.
Mr. Goldstein, you have noted that MIST, as an interim
tool, falls short of providing FPS the ability to do many of
the things that RAMP was intended to provide. You also noted
that MIST is neither compliant with DHS's own National
infrastructure protection plan and the framework that it has
nor standards developed by the Interagency Security Committee.
So the question I would initially ask is, why are these
standards so important?
Mr. Goldstein. I think the standards are important
principally because they will create a baseline, but they will
also allow that baseline to be examined across the host of the
Government's portfolio. FPS does not have the ability today to
look at the portfolio of Government properties that it
protects--some 9,000 GSA buildings--and to determine at various
levels which of those facilities require the most resources.
They protect everyone, everything essentially at each level
in the same way, regardless of where it is and what its
function is. So therefore we have a very static approach,
building by building, to protecting our Federal infrastructure
when resources are obviously very tight, and you can't leverage
the resources and priorities effectively that way.
Mr. Walberg. I mean, that being the suggestion then, I
guess, Mr. Patterson, does FPS believe ISC or NIPP standards
are important criteria to meet?
General Patterson. Oh, absolutely, sir. They are important.
We are baselining those criteria.
The challenge that we have is right now, is developing, if
you will, a tool that will bring all that into play----
Mr. Walberg. But the present tool isn't compliant with any
of those standards, is it?
General Patterson. It is not ISC-compliant because it does
not take into consideration the consequence piece of the
assessment, okay? However, the tool isn't compliant but our
process is compliant, okay, and the process----
Mr. Walberg. Explain that a little further.
General Patterson. Yes, sir. I will. The tool is no more
than a product that we provide to our customer. It is a
snapshot in time of what we believe to be the vulnerability,
the threat, and in this case, the consequence at a particular
facility, okay? We discuss each one of those elements at the
out-brief when we have completed an assessment.
All right, now, that MIST tool--that MIST product--will not
cover all three, but that doesn't mean that we haven't covered
that with our customers, all right? So what we are trying to do
is we are trying to work with the ISC to develop a product, a
tool, a product that we can deliver at the end of the day, at
the end of the assessment that allows them to capture all of
that into one document. We can't do that today.
Mr. Walberg. What is the time period you are expecting this
tool to be developed and then fully implemented?
General Patterson. In my discussions with the ISC, to their
knowledge there is no one out there today that has a tool that
will do that, that has been proven to do that. I understand
that there might be a few folks out there who think they may
have a tool to do that, but no one at this point has
demonstrated that they have an effective tool that brings into
play vulnerability, threat, and consequence into one document,
or into a process that will bring all that together and you can
provide that to our clients.
So we are working aggressively with GSA, with the ISC, and
others to look at how we might do that and how the community--
how we can work together with the community to make that
happen.
Mr. Walberg. Mr. Goldstein, would you concur with that,
that there is not a tool capable at this time, or----
Mr. Goldstein. We haven't looked at that specifically, sir.
We are doing some work for this committee--just beginning that
work--taking a look at assessment tools across the Federal
Government and out in the broader community, and we will
hopefully be able to report back on that on the near future.
Mr. Walberg. Okay.
Mr. Patterson, I understand that MIST was developed as an
interim tool to replace RAMP. What is FPS's long-term plan to
replace RAMP and what is the time line for that implementation?
General Patterson. Yes, sir. The long-term plan is to
create a tool that is ISC-compliant. I currently don't have a--
I don't have a time line for that.
Again, we are going to--we are actively working with the
ISC and collaborating with the ISC. We are actively
collaborating with GSA to begin to look at how we will do that:
What is the next step? Because we want to build upon what we
have at MIST, what we have created with MIST, so that we are
not recreating every time we decide to develop a new tool or a
new process. We don't want to recreate that every time.
So the bottom line is is that we are going to work with the
ISC and the community to look at how we move forward. I wish I
could give you a better answer but I don't have a better answer
at this point until we can collaboratively come together and
begin to figure out the path forward.
Mr. Walberg. Well, I see my time has expired.
Mr. Lungren. Mr. Richmond----
Mr. Walberg. Thank you, Mr. Chairman.
Mr. Lungren [continuing]. Is recognized for 5 minutes.
Mr. Richmond. Mr. Patterson, I guess I need you to make a
connection for me and monitor the conversation with my
colleague, and you said that MIST, or whatever you are using
now, the program does not have consequence in it but your
process has consequence in it. Did I hear that right?
General Patterson. Yes.
Mr. Richmond. I guess I am falling short that if the
process has consequence in it why can't we develop a tool that
puts vulnerability, threat, and consequence into one thing? I
guess I am lost on that. Can you----
General Patterson. Sure.
Mr. Richmond. Can you help me on that?
General Patterson. I am not debating that we can. I am just
saying that I haven't found a way to do that today.
My work to this point--our research to this point--has
taken us through vulnerability and threat, but incorporating
the consequence piece, as we would have it within the Federal
sector, is very different than you incorporate consequence
necessarily into the private sector. So what we are trying to
do is when we do that we want to make sure that we develop a
tool that is usable, that has got credibility, and we just
haven't reached that point yet.
So when I talk about the consequence piece in the process,
the process is is that when we sit down and talk with our
customers and with our clients we talk about their ability to
reconstitute, their ability to perform if there is an event,
okay, and there are certain things that they have already done.
For instance, IRS has a COOP plan. If there is an IRS--if
there is an event--for instance, the airplane that flew into
the IRS facility in Austin, Texas a few years ago, well the IRS
had a way to reconstitute. They knew exactly what they needed
to do in order to move those functions from that facility to
another facility, okay?
So for them it wasn't about us bringing something to them,
all right? They knew exactly what they wanted to do. They had a
plan. They have a plan.
Most Federal agencies have a plan if there is a problem, if
there is an event that happens that takes them away from their
facility.
Mr. Richmond. You said most of them do. Do----
General Patterson. That is an assumption. I would hope all
do.
Mr. Richmond. Okay. I guess that was going to be my next
question: Do we have a good take on who has and who does not
have----
General Patterson. No. We work with every agency--every
facility, every agency that we do an assessment, we work with
them on what they call the occupant emergency plan, and that is
a plan to do just what we are talking about. If there is a
problem--if it is a natural disaster, if it is a criminal event
or a terrorism event, what will you do? We go through a myriad
of scenarios with them as to what they would do. Through every
assessment we work with every tenant in the facility on that
plan.
Mr. Richmond. I remember from the last hearing we talked
about that there was the inability, or we were not in a
position to verify the--that the guards that were on post were
trained and certified. Have we developed something to better
assess whether they are trained, certified, and present on
our--in our Federal buildings?
General Patterson. Yes. What we are doing now--we don't--
clearly we need a better process. Right now it is a pen-and-
paper process for us.
We were hoping--the agency was hoping that RAMP was going
to resolve this or help us get a little closer to a better
solution. When that didn't evolve, when that didn't work, what
I had directed all of my regions to do is revert back to a
paper process, if you will, working with--as our PSOs are
brought on for their time to do work, or when a client--not a
client, but when our contractors, if you will, when they hire a
PSO to work there is a package of certifications that each of
our PSOs must have. That package--those certifications are
maintained by the contractor.
However, that information that is contained in those
certification packages are then forwarded--is then forwarded to
every one of my regions. So we have on file in our regions, if
you will, that information.
Now, the challenge is how often we can get through there
and continue to recertify that their certifications are up-to-
date. We have 13 certifications in those files that must be
certified every year, or recertified every year. So it is a
huge administrative task for us to go through that and we are
looking for ways that we can digitize that, we can use
technology to help us with that; we are just not there yet.
Mr. Richmond. I see that my time has expired so I yield
back. Thank you, Mr. Chairman.
Mr. Lungren. Thank you.
We might have time for a quick second round if anybody is
interested.
Let me just recognized myself in the first instance, and
that is, Mr. Goldstein, you heard Mr. Patterson's response to
the question about consequence. Here is my concern--I will have
Mr. Patterson answer after I ask your thoughts--when Mr.
Patterson described it he talked about some of the clients,
such as IRS, having an ability to reconstitute themselves. That
is what they have. That is their part of this consequence.
But I thought this tool that we were trying to develop, or
tools, to do threat assessment was for the purpose of
establishing, by FPS, what the levels of security would be so
that you would have them more in line with what the overall
risk assessment was. In that regard, a consequence piece would
help Mr. Patterson and his organization decide the level of
security as opposed to, as you suggested, I thought, in your
testimony, that it is kind of an across-the-board, everybody is
treated the same.
Am I correct in what you said and the reason why the lack
of consequence would affect their ability to make those
decisions?
Mr. Goldstein. Yes, sir. Mr. Patterson's discussion of COOP
is an important element of, obviously, responding to any
disaster or any attack but it isn't directly related, I would
submit, to what we are talking about, in that the need to have
consequence information as part of this program, which he
agrees they will eventually develop and we are simply bringing
that point out, is so that agencies working with the Federal
Protective Service will have guidance on how to prioritize
protecting facilities themselves over a period of time.
Mr. Lungren. Mr. Patterson, that is what I have found is a
disconnect in what you are saying. I understand--I am happy
that IRS knew how to reconstitute itself, but in terms of your
assessment of your operation's ability to manage your resources
in tough budget times, to decide where you need to put your
emphasis, where you need to have more, where you need to have
less, that that assessment tool or tools are to allow you to do
that as opposed to you determining exactly what IRS ought to do
at this place or one of your other clients.
General Patterson. Yes, sir. Again, it is--from our
perspective it is a huge challenge as to how we incorporate
consequence into any tool.
For instance, as I stated before, every facility is
different. Some facilities, they are just stand-alone agencies;
and other facilities, much like the Reagan Building, there
might be literally 10 to 20 different agencies with different
requirements--having different requirements, and having much
more, if you will, at risk than some of the other agencies in
there.
So as we look across the spectrum of facilities that we
have to assess what I am trying to get away from is a one-size-
fits-all kind of a tool.
Mr. Lungren. I don't want you to do that. That is why I am
trying to figure out----
General Patterson. Yes, sir.
Mr. Lungren [continuing]. Why consequence couldn't be
incorporated into the tool that you use, or you have some
integration at some point in time of two tools so that you have
those three things together in making your risk assessment to
aid you in a determination of the level of security and the
prioritizing of your resources. That is all I am trying to
figure out.
General Patterson. Yes, sir. Again, it is our intent to
incorporate consequence; we are just trying to figure out, how
do we do that?
Mr. Lungren. Okay. Ms. Clarke.
Ms. Clarke. Thank you, Mr. Chairman.
This question is for Director Patterson and Mr. Goldstein:
How does FPS track the effectiveness and performance of the
security countermeasures that it has recommended? How do you
actually----
General Patterson. We have our inspectors who visit our
sites routinely, who visit Federal facilities routinely to
assess the effectiveness of our PSOs. When we do post
inspections that is an assessment of our contract guard force.
We also visit our camera facilities to look at whether or
not they are operating, and when they are not to look, and
working with the FSC to get them repaired. So this is on an on-
going and continual basis, looking at all of our
countermeasures on a routine basis to ensure that they are
operating efficiently and effectively.
Ms. Clarke. Would you say it is a cyclical type of regimen
that your inspectors are engaged in? Because I would imagine
when you look at various facilities the landscape around those
facilities may change from time to time with infrastructure
changes, with----
General Patterson. Right. I mean, you know, we can--we--
from time to time we will have different tenants who move in
who have different requirements, or they, like, as you just
stated, ma'am, where there are facilities that may come up next
to or where we have to assess whether or not--what that impact
might be on a bus station, let's say, moving in next to one of
our facilities. So absolutely.
But that is a continuing process for us. We don't wait for
the assessment period to do that. If, in fact, we know that the
city is building--has new construction going up to one of our
GSA facilities we engage immediately with GSA and the tenant to
find out what--and the city--to find out what is going up and
what the impact might be, and what we may need to do to answer
the--to see if there is going to be an additional security
standard that we may have to set out as a result of that.
Ms. Clarke. Is there, baked into the MIST system, a way of
keeping track of that information?
General Patterson. I am sorry. Let me--is there going to be
a way----
Ms. Clarke. Yes, of, you know--over time you are going to
maybe have overlays----
General Patterson. Yes. Yes. Our MIST system, yes, as MIST
is rolled out and as we are incorporating all that information,
yes, ma'am, that all will be digitized into MIST so we can go
back immediately and determine, you know, what systems are
there and then how we need to correct, or adjust, or whatever
we need to do to those systems, yes.
Ms. Clarke. Dr. Peerenboom, what capabilities, if any,
would a more permanent tool have over FPS's interim MIST tool?
Mr. Peerenboom. Well, as stated by Director Patterson and
Mr. Goldstein, MIST is not a risk tool. It focuses on
vulnerabilities. But it was based on work done for the Office
of Infrastructure Protection at DHS, the infrastructure survey
tool. That provides a platform or basis by which one could
expand.
In fact, within I.P. they are looking at single assessment
methodologies to pull together tools and capabilities that
address risk in a holistic fashion to inform decisions about
security investments. The customers of Office of Infrastructure
Protection are slightly different; they are the owners and
operators. The IST tool that we developed and modified for FPS
is applicable to all 18 critical infrastructures, so it has a
broader base.
But the subset of questions and things that apply to
Federal facilities is what was done for MIST.
Ms. Clarke. What makes these capabilities necessary?
Mr. Peerenboom. The Office of Infrastructure Protection has
a mission to provide protection and risk analysis for critical
infrastructure, and so their sets of tools are designed to
encompass that broad spectrum. The IST that we developed MIST
from addresses part of the equation, and there are efforts
underway to expand that base within Office of Infrastructure
Protection. It provides a point of leverage for FPS should they
decide to use that.
Ms. Clarke. So when the risk or the vulnerabilities seem to
be evolving, how do--how effective is the MIST tool, in terms
of indicating for FPS what new measures need to be taken? Is it
dynamic, in other words?
Mr. Peerenboom. Well, that is really--I should let Director
Patterson speak to that issue, but MIST provides a basis for
looking at the vulnerabilities to the facility and the
inspectors can add in their recommendations and their
understanding of the consequences of protective measures that
would--not consequences, excuse me--the countermeasures that
would be applicable to that facility.
The MIST tool is partly compliant with the ISC standards
but it is not an ISC-compliant tool. But we certainly took that
into account, and over time, should FPS decide to do that,
technically it is possible to address those standards.
Ms. Clarke. All right. Thank you.
Mr. Lungren. Mr. Walberg.
Mr. Walberg. Thank you, Mr. Chairman.
Drilling down in the same board again, Mr. Peerenboom, can
MIST be developed to capture consequence? Is it capable?
Mr. Peerenboom. Technically the answer is yes.
Mr. Walberg. Go a little further on why you would say
technically the answer is yes.
Mr. Peerenboom. Well, there are capabilities, as I
indicated earlier, that are being developed within the Office
of Infrastructure Protection, to enhance the capabilities of
the infrastructure survey tool that provides the basis that
MIST was developed on, and we have the capabilities to
incorporate elements of consequence, but that is a decision
that obviously is not ours. But technically it is feasible.
Mr. Walberg. It is feasible, but would you say it is not
the best tool?
Mr. Peerenboom. It depends on requirements. No, I didn't
say that.
Mr. Walberg. Okay. Okay. Thank you.
Mr. Patterson, I would applaud you and commend you for
putting an emphasis on training in your tenure at FPS, and I
agree that training is a key for your force's morale and
effectiveness in the process.
Last summer you stated that you were looking at different
ways FPS may be able to deliver X-ray and magnetometer and
weapons training. I understand there has been significant
dialogue and outreach between FPS and the private sector, which
may be able to better deliver the training.
Could you enlighten us at this point in time on the on-
going dialogue with industry to improve guard training?
General Patterson. Yes, sir. Well, first of all, one of the
things that I needed to do was hire a senior deputy director
for training to--who could focus in on this full-time and not
be a part-time duty. So I have done that. So now I have someone
who is looking across the board at all the training within FPS
full-time.
Now, as we look at training for our PSO force, we are
actively working with NASCO, the National Association of
Security Companies, to work with them and look at how we can
proliferate training across 13,000 PSOs that support FPS and
all of our Federal partners. It is a huge task, because when
you are talking about providing services in 50 States that all
have different, if you will, training requirements, okay, we
have to ensure that we are doing it in such a way that we are
getting the best bang for our buck.
One of the things in the National Weapons Detection
Program, in magnetometers and X-ray machines, that I knew that
we needed to do was to ensure that our inspectors were
adequately trained, and we have done that--we are doing it. We
are just about completed all of our training for our inspectors
for the magnetometers and X-ray machines----
Mr. Walberg. The additional 8 hours of training that you
were----
General Patterson. Yes.
Mr. Walberg [continuing]. Proposing?
General Patterson. That is going to be cascaded by our
inspectors, by a team of our inspectors to the--to our PSO
force. Working with the--kind of in a deal where we do kind-of
a trained-to-trainer kind-of a thing as well so that we can
also work with our--within the contractor force, within the
contractor structure to, in such, certify our contractors so
that they can provide some of the training, as well.
Mr. Walberg. You feel that FPS is capable of delivering
consistent training across, as you say, the 50 States and the
uniqueness of each of those?
General Patterson. Yes, sir. Absolutely.
Mr. Walberg. Mr. Goldstein, would you concur with that?
Mr. Goldstein. We remain concerned, sir, because the
problem that brought on the need for the additional training is
now more than 3 years old when GAO was able to bring bomb-
making materials into 10 Federal facilities without anyone
knowing and building those bombs. It has been 3 years, and the
contract guards who are there to prevent things like that from
happening haven't had that additional training in all of that
time.
I understand that the agency is resource-constrained, but
it would seem to me that this would have been a matter of the
highest priority, sir.
Mr. Walberg. Within 3 years?
Mr. Goldstein. Yes, sir.
Mr. Walberg. Thank you.
Mr. Lungren. Thank you very much.
I thank all the Members for their participation.
I want to thank the witnesses for your valuable testimony.
The Members of the committee may have some additional questions
for our witnesses, and so we would ask you to respond to those
in writing. The hearing record will be held open for 10 days,
and this subcommittee stands adjourned.
[Whereupon, at 11:09 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman Daniel E. Lungren for L. Eric Patterson
Question 1. In testimony before the House Committee on Homeland
Security in November 2009, NPPD Under Secretary Rand Beers testified
that NPPD was conducting a workforce needs analysis for FPS, at the
request of Secretary Napolitano, to ensure that FPS has ``the right
resources and staffing levels to match the missions FPS currently
has.'' Under Secretary Beers further stated that when the results of
the study were complete, Congress would be notified.
What were the results of the analysis?
Answer. The Federal Protective Service (FPS) conducted a workforce
needs analysis between 2009 and 2010 and the results were used
internally within the Department of Homeland Security. The results were
a first step but did not fully meet the needs of the Service. FPS
currently has a Federally Funded Research and Development Center on
contract to conduct an activities analysis to refresh the past
assumptions and requirements so that FPS may evaluate staffing levels
in future years. FPS will brief the committee on the completion of the
updated analysis.
Question 2a. While FPS is taking positive steps to improve the
standardization and consistency of FPS, there are still concerns that
FPS operates differently from region to region and lacks consistent
standards.
Is consistency throughout the regions a concern of yours?
Question 2b. What steps are being taken to improve consistency of
FPS from region to region?
Question 2c. Is headquarters assignment a prerequisite for
promotion at FPS, and if not, do you think that would improve
standardization and consistency of FPS policies?
Answer. The Federal Protective Service (FPS) is performing an
activities analysis to understand and document where it should
introduce or modify policies to increase operational effectiveness and
reduce risk. Several variables, including geography, law, threat, and a
specific customer, could warrant differences in operational activities
across regions. Through FPS's current detailed review of functions and
activities, it is identifying commonalities and best practices to
inform uniform National policies where it makes sense to do so. FPS
would be pleased to provide a detailed briefing on this effort and
highlight policy and process improvements that are being implemented
Nation-wide.
In addition, FPS has taken steps to realign its workforce to
effectively map personnel resources to program functions. The result of
this effort was the creation of an Area Management Concept, which
compartmentalizes reporting for 11 regional-level offices into three
Field Operations. Each Field Operation, led by a Senior Executive
Service-level Assistant Director, provides oversight for multiple
regional offices to help ensure standardization and consistency across
the service. This area concept is a geographic-based structure that
streamlines operational reporting through consolidation of information
channels.
An assignment to headquarters is not a prerequisite for promotion
at FPS. The creation of the Area Management Concept, led by three
Senior Executive Service-level and field-based Assistant Directors, is
providing standardization and consistency across the service.
Questions From Ranking Member Yvette D. Clarke for L. Eric Patterson
Question 1. According to GAO, FPS spent $795 million on its
contract guards in fiscal year 2011 which represented 90% of the
agency's procurement budget. How much is FPS obligated to spend on its
contract guards in fiscal year 2012, and what are the projected
expenditures for fiscal year 2013?
Answer. The Federal Protective Service (FPS) obligated $755.6
million on its guard contracts in fiscal year 2011, which represented
approximately 91 percent of its total contract obligations. FPS
projects that it will obligate approximately $764.6 million in this
program in fiscal year 2012. This projection is based on the known
fiscal year 2012 obligations to date ($750.9 million as of August, 10,
2012), plus additional expected obligations through September 30, 2012,
totaling $13.7 million for recurring guard services and pending
modifications and/or equitable adjustments under existing contracts.
FPS projects that it will obligate approximately $784.4 million in
fiscal year 2013. This projection is based on the estimated escalation
of the fiscal year 2012 obligation by 2.6 percent, which accounts for
estimated inflationary factors such as Service Contract Act wage
adjustments. However, FPS may obligate additional amounts in fiscal
year 2013 as necessary to account for emerging requirements for
existing and new customers and any changes that may arise concerning
guard requirements.
Question 2. Why is it that as of June 2012, a total of $652,000 was
spent on MIST, which appears to be useful so far, while RAMP has
yielded no tangible results after four years and $35 million or more in
expenditures?
Answer. The Risk Assessment and Management Program (RAMP)
experienced significant programmatic and technical issues, primarily
related to insufficient user involvement in the requirements definition
and testing of the application, as well as the lack of an approved
program baseline to control and measure program progress.
The efforts to develop and field the Modified Infrastructure Survey
Tool (MIST) have been more successful because the program benefited
from leveraging an existing software application already in service
with the Office of Infrastructure Protection. MIST and its development
addressed the shortcomings experienced within RAMP by instituting
program management best practices to provide adequate controls on the
development effort, and ensuring user involvement in the development
and testing of MIST.
Question 3. Given that FPS had a June 2012 deadline to decide what
to do with the data remaining within RAMP, what decision has been made?
If a decision has yet to be made, what are the next steps?
Answer. The June 2012 deadline was tied to the expiration of the
sustainment support contract for the legacy Risk Assessment and
Management Program (RAMP) application. The expiration of that contract
does not equate to a loss of data, as the Government owns the rights to
the software and RAMP is currently installed within the Department of
Homeland Security (DHS) Data Center 1 production environment.
The Federal Protective Service (FPS) has examined the data within
RAMP and identified three major data sets that needed to be retained:
The RAMP repository, which is a library of historical assessments and
policy documents; Protective Security Officer (contract guard)
contracting information; and guard post inspection reports. Data from
all other modules within RAMP is either resident elsewhere within FPS
or lacks value due to problems with RAMP functionality.
FPS has decommissioned RAMP as of July 12, 2012. With user access
no longer available, the final data set was copied to FPS servers to
ensure retention of the data. FPS will continue to work to dispose of
the RAMP application during the fourth quarter of fiscal year 2012 and
remove the application and all data from the DHS Data Center 1.
Questions From Ranking Member Yvette D. Clarke for Mark L. Goldstein
Question 1. How will the security of Federal facilities be affected
if FPS inspectors and law enforcement security officers are not
adequately trained to use MIST?
Answer. The protection of Federal facilities may be significantly
hampered if FPS's law enforcement security officers do not receive
training on the Modified Infrastructure Survey Tool (MIST). As we
reported in August 2012, FPS is not assessing risk at Federal
facilities but plans to resume assessing Federal facilities
vulnerabilities with MIST. However, if FPS's law enforcement security
officers do not receive MIST training and no other alternative
assessment tool is used, the backlog of facilities not assessed will
increase significantly. According to FPS data, more than 5,000
facilities were to be assessed in fiscal years 2010 through 2012.
Question 2. What tools or options would be available to FPS in the
event that MIST training is not completed?
Answer. FPS may be able to use other tools if it cannot use MIST to
assess Federal facilities. For example, one tool is the Federal
Security Risk Manager (FSRM), which FPS used from 2000 to 2009.
However, FPS has experienced problems using FSRM. Another potential
tool is the Integrated Rapid Visual Screening developed by DHS's
Science and Technology Directorate (S&T). The IRVS is a risk assessment
tool that assesses risk using threat, vulnerability, and consequence.
According to an S&T official, the IRVS is available to FPS at no cost.
Question 3. Will the implementation of MIST and other FPS
activities allow for enhanced compliance with the Interagency Security
Committee standards?
Answer. FPS has taken some steps to better align MIST with the
Interagency Security Committee (ISC) standards. For example, MIST uses
the ISC recommended countermeasures for defined threat scenarios for
each facility security level.
Questions From Ranking Member Yvette D. Clarke for James P. Peerenboom
Question 1. What are the costs associated with developing and
implementing MIST as the interim replacement for RAMP?
Answer. Argonne developed the Modified Infrastructure Survey Tool
(MIST) under an existing Interagency Agreement (IAA) with the U.S.
Department of Homeland Security National Protection and Programs
Directorate's Office of Infrastructure Protection (NPPD/IP). Similar
methodologies and technologies developed by Argonne for NPPD/IP, such
as the Infrastructure Survey Tool (IST), were leveraged to reduce MIST
development time, cost, and risk. A total of $850,000 was committed
under the IAA to build on the foundation established for the IST to
develop, test, and deliver MIST Release 1.0. More than half of the
funds were used for hardware and software to establish a web portal,
called the FPS Gateway, that allows for sharing of information products
and knowledge in real time. The FPS Gateway leverages the architecture
and hardware/software technology of the Linking Encrypted Network
System (LENS), a similar platform that Argonne also developed for NPPD/
IP. Work on the project was initiated on October 3, 2011. Argonne
delivered MIST Release 1.0 and the FPS Gateway to FPS on March 30,
2012.
Question 2. Are there any features within RAMP that can be adapted
for use with MIST?
Answer. Argonne was not tasked to evaluate RAMP and its features.
Question 3. What are the projected costs and time table for the
completion of MIST?
Answer. The scope of work for MIST development was completed, and
MIST Release 1.0 and the FPS Gateway were delivered to FPS, on March
30, 2012. The products were delivered on time and within the defined
budget. Future enhancements to MIST, if any, and Argonne's potential
role in completing such enhancements are unknown.
Question 4. Do you anticipate any cost overruns with regard to
MIST?
Answer. No cost overruns were associated with Argonne's development
and delivery of MIST Release 1.0 and the FPS Gateway.
�