

General Services Administration: Many Building Security Upgrades Made But Problems Have Hindered Program Implementation
(Testimony, 06/04/98, GAO/T-GGD-98-141)

APPENDIX II

INFORMATION ON DOJ REPORT-RECOMMENDED CRITERIA FOR FEDERAL BUILDING SECURITY

GSA USED CRITERIA IN DOJ REPORT FOR ITS BUILDING SECURITY UPGRADE PROGRAM

In July 1995, the Federal Protective Service (FPS) began its process for identifying and prioritizing building security upgrade needs and cost estimates using the criteria, guidance, and timetable recommended by the DOJ report, which was issued on June 28, 1995. The DOJ report established 52 minimum security standards in 4 separate categories, which were to be considered for buildings under GSA's operation based on their assessed risk level. GSA assigned initial risk level designations to its buildings based on information it had on file. Building security committee (BSC) and FPS staff were to subsequently assign the buildings a risk level, using the DOJ report's more definitive criteria, and evaluate them to determine needed security upgrades and the estimated costs for the upgrades.

Building Risk Levels

Using DOJ report criteria, BSC and FPS staff were to place buildings under GSA's operation into risk levels. The DOJ criteria included tenant population, volume of public contact, size, and agency sensitivity, with level V the highest risk level and level I the lowest, as follows:

Level V: A building that contains mission functions critical to national security, such as the Pentagon or CIA Headquarters. A Level-V building should be similar to a Level-IV building in terms of number of employees and square footage. It should have at least the security features of a Level-IV building. The missions of Level-V buildings require that tenant agencies secure the site according to their own requirements.

Level IV: A building that has 451 or more federal employees; high volume of public contact; more than 150,000 square feet of space; and tenant agencies that may include high-risk law enforcement and intelligence agencies, courts, and judicial offices, and highly sensitive government records.

Level III: A building with 151 to 450 federal employees; moderate/high volume of public contact; 80,000 to 150,000 square feet of space; and tenant agencies that may include law enforcement agencies, court/related agencies and functions, and government records and archives. (According to GSA, at the request of the Judiciary, GSA changed the designation of a number of buildings housing agencies with court and court-related functions from Level III to Level IV.)

Level II: A building that has 11 to 150 federal employees; moderate volume of public contact; 2,500 to 80,000 square feet of space; and federal activities that are routine in nature, similar to commercial activities.

Level I: A building that has 10 or fewer federal employees; low volume of public contact or contact with only a small segment of the population; and 2,500 or less square feet of space, such as a small "store front" type of operation.

Facility Evaluations

BSCs were also to prepare facility evaluations based on the DOJ minimum standards. The facility evaluations, containing requested security upgrades, justifications, and estimated costs for each upgrade, were to be submitted to the applicable FPS regional offices for review and approval. Security upgrades costing more than $100,000 to acquire or having an annual operating cost greater than $150,000 required final approval at FPS headquarters.

FPS regional staff focused their evaluation efforts on level-IV buildings first, followed by levels III through I, consistent with the timetable recommended by the DOJ report and endorsed by the President. Funding of upgrades generally followed this same progression, with FPS focusing first on level-IV buildings and then levels III through I. Each FPS region established its own building security upgrade implementation schedule based on coordination with other involved PBS components and the individual requirements of the various types of security upgrades. For example, some upgrades required design and engineering work before actual installation could proceed, and some required coordination and approvals from local governments and historical building societies before work could proceed.

In early 1996, FPS completed a computerized database system to track, by regional office and by building, all BSC-requested security upgrades. This tracking system was to include the date each upgrade was approved or disapproved; the estimated cost of acquiring, installing, and operating the upgrade; and its scheduled and actual completion status. Each FPS region was to have a database of its buildings and was responsible for maintaining its database. FPS headquarters staff periodically uploaded and entered data into each region's database to show headquarters' approval actions on requested upgrades, where required. FPS headquarters staff also consolidated the regional databases for its own use in tracking the nationwide security upgrade program.

Application of DOJ Standards to Security Risk Levels

The DOJ report established 52 minimum security standards in the categories of perimeter security, entry security, interior security, and security planning to be considered for a building based on its assessed risk level. Tables II.1 through II.4 show how the DOJ report's minimum security standards are to be applied to each building on the basis of its assessed risk level. For example, control of facility parking is recommended as a minimum standard for buildings in security levels III through V and recommended as desirable for buildings in security levels I and II.

Table II.1: Recommended Minimum Security Standards--Perimeter Security

| Perimeter Security | Level I | Level II | Level III | Level IV | Level V |
|---|---|---|---|---|---|
| Parking | | | | | |
| Control of facility parking | G | G | M | M | M |
| Control of adjacent parking | G | G | G | F | F |
| Avoid leases in which parking cannot be controlled | G | G | G | G | G |
| Leases should provide security control for adjacent parking | G | G | G | G | G |
| Post signs and arrange for towing unauthorized vehicles | F | F | M | M | M |
| ID system and procedures for authorized parking (placard, decal, card key, etc.) | G | G | M | M | M |
| Adequate lighting for parking areas | G | G | M | M | M |
| Closed circuit television (CCTV) monitoring | | | | | |
| CCTV surveillance cameras with time lapse video recording | G | F | F | M | M |
| Post signs advising of 24 hour video surveillance | G | F | F | M | M |
| Lighting | | | | | |
| Lighting with emergency power backup | M | M | M | M | M |
| Physical barriers | | | | | |
| Extend physical perimeter with concrete and/or steel barriers | N/A | N/A | G | F | F |
| Parking barriers | N/A | N/A | G | F | F |

Legend:
Minimum standard = M
Standard based on facility evaluation = F
Desirable = G
Not applicable = N/A

Source: Vulnerability Assessment of Federal Facilities, Department of Justice, June 28, 1995.

Table II.2: Recommended Minimum Security Standards--Entry Security

| Entry Security | Level I | Level II | Level III | Level IV | Level V |
|---|---|---|---|---|---|
| Receiving/Shipping | | | | | |
| Review receiving/shipping procedures (current) | M | M | M | M | M |
| Implement receiving/shipping procedures (modified) | G | F | M | M | M |
| Access control | | | | | |
| Evaluate facility for security guard requirements | G | F | M | M | M |
| Security guard patrol | G | G | F | F | F |
| Intrusion detection system with central monitoring capability | G | F | M | M | M |
| Upgrade to current life safety standards (fire detection, fire suppression systems, etc.) | M | M | M | M | M |
| Entrances/Exits | | | | | |
| X-ray and magnetometer at public entrances | N/A | G | F | F | M |
| Require x-ray screening of all mail/packages | N/A | G | F | M | M |
| Peepholes | F | F | N/A | N/A | N/A |
| Intercom | F | F | N/A | N/A | N/A |
| Entry control with CCTV and door strikes | G | F | N/A | N/A | N/A |
| High security locks | M | M | M | M | M |

Legend:
Minimum standard = M
Standard based on facility evaluation = F
Desirable = G
Not applicable = N/A

Source: Vulnerability Assessment of Federal Facilities, Department of Justice, June 28, 1995.

Table II.3: Recommended Minimum Security Standards--Interior Security

| Interior Security | Level I | Level II | Level III | Level IV | Level V |
|---|---|---|---|---|---|
| Employee/Visitor identification | | | | | |
| Agency photo ID for all personnel displayed at all times | N/A | G | F | M | M |
| Visitor control/screening system | G | M | M | M | M |
| Visitor identification accountability system | N/A | G | F | M | M |
| Establish ID issuing authority | F | F | F | M | M |
| Utilities | | | | | |
| Prevent unauthorized access to utility areas | F | F | M | M | M |
| Provide emergency power to critical systems (alarm systems, radio communications, computer facilities, etc.) | M | M | M | M | M |
| Occupant emergency plans | | | | | |
| Examine occupant emergency plans (OEP) and contingency procedures based on threats | M | M | M | M | M |
| OEPs in place, updated annually, periodic testing exercise | M | M | M | M | M |
| Assign & train OEP officials (assignment based on largest tenant in facility) | M | M | M | M | M |
| Annual tenant training | M | M | M | M | M |
| Daycare centers | | | | | |
| Evaluate whether to locate daycare facilities in buildings with high threat activities | N/A | M | M | M | M |
| Compare feasibility of locating daycare in facilities outside locations | N/A | M | M | M | M |

Legend:
Minimum standard = M
Standard based on facility evaluation = F
Desirable = G
Not applicable = N/A

Source: Vulnerability Assessment of Federal Facilities, Department of Justice, June 28, 1995.

Table II.4: Recommended Minimum Security Standards--Security Planning

| Security Planning | Level I | Level II | Level III | Level IV | Level V |
|---|---|---|---|---|---|
| Intelligence Sharing | | | | | |
| Establish law enforcement agency/security liaisons | M | M | M | M | M |
| Review/establish procedure for intelligence receipt and dissemination | M | M | M | M | M |
| Establish uniform security/threat nomenclature | M | M | M | M | M |
| Training | | | | | |
| Conduct annual security awareness training | M | M | M | M | M |
| Establish standardized unarmed guard qualifications/training requirements | M | M | M | M | M |
| Establish standardized armed guard qualifications/training requirements | M | M | M | M | M |
| Tenant assignment | | | | | |
| Co-locate agencies with similar security needs | G | G | G | G | G |
| Do not co-locate high/low risk agencies | G | G | G | G | G |
| Administrative procedures | | | | | |
| Establish flexible work schedule in high threat/high risk areas to minimize employee vulnerability to criminal activity | F | F | G | G | G |
| Arrange for employee parking in/near building after normal workhours | F | F | F | F | F |
| Conduct background security checks and/or establish security control procedures for service contract personnel | M | M | M | M | M |
| Construction/Renovation | | | | | |
| Install mylar film on all exterior windows (shatter protection) | G | G | F | M | M |
| Review current projects for blast standards | M | M | M | M | M |
| Review/establish uniform standards for construction | M | M | M | M | M |
| Review/establish new design standards for blast resistance | F | F | M | M | M |
| Establish street setback for new construction | G | G | F | M | M |

Legend:
Minimum standard = M
Standard based on facility evaluation = F
Desirable = G
Not applicable = N/A

Source: Vulnerability Assessment of Federal Facilities, Department of Justice, June 28, 1995.