[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
FACILITY PROTECTION: IMPLICATIONS OF THE NAVY YARD SHOOTING ON HOMELAND
SECURITY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON OVERSIGHT
AND MANAGEMENT EFFICIENCY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 30, 2013
__________
Serial No. 113-40
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PRINTING OFFICE
87-184 WASHINGTON : 2014
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Paul C. Broun, Georgia Yvette D. Clarke, New York
Candice S. Miller, Michigan, Vice Brian Higgins, New York
Chair Cedric L. Richmond, Louisiana
Patrick Meehan, Pennsylvania William R. Keating, Massachusetts
Jeff Duncan, South Carolina Ron Barber, Arizona
Tom Marino, Pennsylvania Dondald M. Payne, Jr., New Jersey
Jason Chaffetz, Utah Beto O'Rourke, Texas
Steven M. Palazzo, Mississippi Tulsi Gabbard, Hawaii
Lou Barletta, Pennsylvania Filemon Vela, Texas
Chris Stewart, Utah Steven A. Horsford, Nevada
Richard Hudson, North Carolina Eric Swalwell, California
Steve Daines, Montana
Susan W. Brooks, Indiana
Scott Perry, Pennsylvania
Mark Sanford, South Carolina
Greg Hill, Chief of Staff
Michael Geffroy, Deputy Chief of Staff/Chief Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON OVERSIGHT AND MANAGEMENT EFFICIENCY
Jeff Duncan, South Carolina, Chairman
Paul C. Broun, Georgia Ron Barber, Arizona
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Richard Hudson, North Carolina Beto O'Rourke, Texas
Steve Daines, Montana, Vice Chair Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (Ex (Ex Officio)
Officio)
Ryan Consaul, Subcommittee Staff Director
Deborah Jordan, Subcommittee Clerk
Tamla Scott, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Jeff Duncan, a Representative in Congress From the
State of South Carolina, and Chairman, Subcommittee on
Oversight and Management Efficiency:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Beto O'Rourke, a Representative in Congress From
the State of Texas............................................. 4
The Honorable Ron Barber, a Representative in Congress From the
State of Arizona, and Ranking Member, Subcommittee on Oversight
and Management Efficiency:
Prepared Statement............................................. 5
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 6
Witnesses
Mr. L. Eric Patterson, Director, Federal Protective Service, U.S.
Department of Homeland Security:
Oral Statement................................................. 8
Joint Prepared Statement....................................... 10
Mr. Greg Marshall, Chief Security Officer, U.S. Department of
Homeland Security:
Oral Statement................................................. 16
Prepared Statement............................................. 18
Mr. Caitlin Durkovich, Assistant Secretary, Infrastructure
Protection, U.S. Department of Homeland Security, Testifying on
Behalf of The Interagency Security Committee:
Oral Statement................................................. 20
Joint Prepared Statement....................................... 10
Mr. Mark L. Goldstein, Director, Physical Infrastructure Issues,
U.S. Government Accountability Office:
Oral Statement................................................. 22
Prepared Statement............................................. 24
Appendix
Question From Chairman Jeff Duncan for L. Eric Patterson......... 51
Questions From Ranking Member Ron Barber for L. Eric Patterson... 51
Questions From Chairman Jeff Duncan for Caitlin Durkovich........ 53
Question From Chairman Jeff Duncan for Greg Marshall............. 53
Questions From Ranking Member Ron Barber for Greg Marshall....... 54
Questions From Chairman Jeff Duncan for Mark L. Goldstein........ 55
Questions From Ranking Member Ron Barber for Mark L. Goldstein... 55
FACILITY PROTECTION: IMPLICATIONS OF THE NAVY YARD SHOOTING ON HOMELAND
SECURITY
----------
Wednesday, October 30, 2013
U.S. House of Representatives,
Subcommittee on Oversight and Management
Efficiency,
Committee on Homeland Security,
Washington, DC.
The subcommittee met, pursuant to call, at 9:32 a.m., in
Room 210, Cannon House Office Building, Hon. Jeff Duncan
[Chairman of the subcommittee] presiding.
Present: Representatives Duncan, Hudson, Barber, and
O'Rourke.
Also present: Representative Jackson Lee.
Mr. Duncan. All right. The House Committee on Homeland
Security, Subcommittee on Oversight and Management Efficiency
will come to order.
The purpose of this hearing is to examine what the
Department of Homeland Security is currently doing to protect
Federal facilities and what steps, if any, need to be taken to
improve current layers of security, so that incidents such as
the Navy Yard shooting do not occur in the future.
Now, this isn't our normal committee room, so we are going
to work through some things today, I am sure.
But I will now recognize myself for an opening statement.
The events that took place on September 16 at the
Washington Navy Yard, less than 2 miles from where we are right
now, were shocking and tragic. Twelve innocent lives were lost
that day, along with several injured. Our thoughts and prayers
go out to the families of the victims and those survivors and
the folks that work as co-workers in the Navy Yard.
While much of the security of this horrific event will
rightly focus on how someone in Aaron Alexis' mental state was
able to pass a Governmental background investigation and to
hold a security clearance, today's hearing will concentrate on
the physical preventative security measures that are currently
in place for our Federal facilities.
How do we control access to these facilities to protect
both employees and public visitors? What physical security
measures, if any, can be taken to prevent future tragedies?
The Federal Protective Service, or FPS, is charged with
protection of Federal facilities and safeguarding Federal
employees, contractors, and visitors within those facilities.
FPS is the primary agency for protecting and securing
almost 50 percent of the General Service Administration's, or
GSA's, owned or leased properties. That is about 9,600
facilities Nation-wide.
As the front-line personnel charged with the daily safety
of Federal employees and visitors, it is crucial that this
workforce is adequately trained and prepared to respond at
moment's notice.
I strongly support the public/private partnership model
that DHS uses with the contract guard force. Having private
guards can increase the accountability for the taxpayer, but
DHS cannot be deficient in its management responsibilities and
must deploy the right number of guards, based on risk.
Unfortunately, according to the Government Accountability
Office, or GAO, report that was released today, the Federal
Protective Service has many weaknesses with the oversight and
management of the guard program.
For example, FPS continues to lack effective management
controls to ensure that all guards have met their certification
and training requirements.
GAO has previously urged FPS to develop a management
control system to document and verify training in reports
submitted to Congress in 2010 and 2012, but FPS has yet to
implement this recommendation.
Without such a system, how can FPS know and ensure that its
guard force is sufficiently trained?
It seems common-sense to me that FPS should be able to
verify that its guards are trained and certified properly,
especially when others trust and rely on FPS guards for their
protection.
One of the most shocking findings in the most recent GAO
report is FPS' inadequate approach to active-shooter scenarios.
From the Holocaust Museum shooting in 2009 and the Navy
Yard shooting to the most recent Federal courthouse shooting in
Wheeling, West Virginia, in October, examples exist of the risk
FPS and facility guards must confront from active-shooter
scenarios. While FPS does require its guard force to receive
training on active-shooter situations, it is unclear how this
training is conducted and for what length of time.
GAO also noted that not all guards receive this training,
and, even for those that have, it is unclear how their contract
guards are expected to respond to an active shooter.
According to DHS, if an active shooter is not in a guard's
line of sight, that guard's actions are then dictated by his or
her post orders. So, does that mean that if an active shooter
is in the building, killing innocent people, an armed guard is
not allowed to assist until Federal or local law enforcement
arrive at the scene?
If this is the case, then DHS' bureaucratic process is
putting lives at risk.
The American people need to know how these guards can
protect them in life-threatening situations, and I am looking
forward to DHS providing clarity on this issue today.
As an additional layer of security, Federal employees are
required to carry valid identification credentials for
admittance into Federal facilities. As a Federal Government
contractor, Aaron Alexis had valid identification, which gave
him access to the Naval Sea Systems Command headquarters, and
that enabled him to pass through security.
While some buildings only require an ID to be used as a
flash pass or visually inspected, other facilities require
verification by use of a credential access control system, or
swiping of the card.
Although the second scenario may provide higher security
against individuals using fraudulent or expired and flagged
credentials, it was discouraging to learn from my staff that
DHS officials informed them that the department currently is
not aware of the type of access control systems in place across
DHS facilities.
How, after 10 years, does the Department not have a handle
on what measures are in place to secure their own employees,
let alone the general public, at Federal facilities?
I want to know precisely what DHS is doing to obtain this
information and when it will have a full and complete grasp of
the issue.
Considering the heinous events which took place just close
by at the Navy Yard, it is important to ensure that the
security framework in place at our Federal facilities is strong
and effective.
The Federal Protective Service and its contract guard force
put their lives on the line every day on a daily basis to
protect the American people, and I want to thank them for their
service and the tremendous amount of heroism that was exhibited
in the Navy Yard.
I hope this hearing can serve as an opportunity to assess
the state of physical security across Federal facilities and
what DHS must do to improve the protection of employees and
visitors to these facilities and prevent future tragedies as we
recently witnessed.
[The statement of Chairman Duncan follows:]
Statement of Chairman Jeff Duncan
October 30, 2013
The events that took place on September 16 at the Washington Navy
Yard--less than 2 miles from where we are right now--were shocking and
tragic. Twelve innocent lives were lost that day along with several
injured.
While much of the scrutiny of this horrific event will rightly
focus on how someone in Aaron Alexis's mental state was able to pass a
Government background investigation and to hold a security clearance,
today's hearing will concentrate on the physical preventative security
measures that are currently in place at our Federal facilities. How do
we control access to these facilities to protect employees and public
visitors? What physical security measures, if any, can be taken to
prevent future tragedies?
The Federal Protective Service (FPS) is charged with the protection
of Federal facilities and the safeguarding of Federal employees,
contractors, and visitors within those facilities. FPS is the primary
agency for protecting and securing almost 50% of the General Services
Administration's (GSA) owned or leased properties. That's about 9,600
facilities Nation-wide. As the front-line personnel charged with the
daily safety of Federal employees and visitors, it is crucial that this
workforce is adequately trained and prepared to respond at a moment's
notice.
I strongly support the public-private partnership model DHS uses
with the contract guard force. Having private guards can increase
accountability for the taxpayer but DHS cannot be deficient in its
management responsibilities and must deploy the right number of guards
based on risk.
Unfortunately, according to a Government Accountability Office
(GAO) report that was released today, the Federal Protective Service
has many weaknesses with the oversight and management of their guard
program. For example, FPS continues to lack effective management
controls to ensure that all guards have met their certification and
training requirements.
GAO has previously urged FPS to develop a management control system
to document and verify training in reports submitted to Congress in
2010 and 2012, but FPS has yet to implement this recommendation.
Without such a system, how can FPS know and ensure that its guard force
is sufficiently trained? It seems common-sense to me that FPS should be
able to verify that its guards are trained and certified properly--
especially when others trust and rely on FPS guards for their
protection.
One of the most shocking findings in this most recent GAO report is
FPS's inadequate approach to active-shooter scenarios. From the
Holocaust Museum shooting in 2009, and the Navy Yard shooting to the
most recent Federal courthouse shooting in Wheeling, West Virginia in
October, examples exist of the risks FPS and facility guards must
confront from active-shooter scenarios.
While FPS does require its guard force to receive training on
active-shooter situations, it is unclear how this training is conducted
and for what length of time. GAO also noted that not all guards
received this training, and even for those who have, it is unclear how
their contract guards are expected to respond to an active shooter.
According to DHS, if an active shooter is not in a guard's line of
sight, that guard's actions are then dictated by his or her post
orders. So does that mean that if an active shooter is in the building,
killing innocent people, an armed guard is not allowed to assist until
Federal or local law enforcement arrive at the scene? If this is the
case, then DHS's bureaucratic process is putting lives at risk. The
American people need to know how these guards can protect them in life-
threatening situations. I am looking forward to DHS providing clarity
on this issue today.
As an additional layer of security, Federal employees are required
to carry valid identification credentials for admittance into Federal
facilities. As a Federal Government contractor, Aaron Alexis had valid
identification which gave him access to the Naval Sea Systems Command
headquarters which enabled him to pass through security.
While some buildings only require an ID to be used as a ``flash
pass'' or visually inspected, other facilities require additional
verification by use of a credential access control system, or
``swiping'' of the card. Although the second scenario may provide
higher security against individuals using fraudulent or expired and
flagged credentials, it was discouraging to learn from my staff that
DHS officials informed them that the Department currently is not aware
of the type of access control systems in place across DHS facilities.
How, after 10 years, does the Department not have a handle on what
measures are in place to secure their own employees, let alone the
general public at Federal facilities? I want to know precisely what DHS
is doing to obtain this information and when it will have a full grasp
of this issue.
Considering the heinous events which took place at the Navy Yard,
it is important to ensure that the security framework in place at our
Federal facilities is strong and effective.
The Federal Protective Service and its contract guard force put
their lives on the line on a daily basis to protect the American
people, and I thank them for their service. I hope this hearing can
serve as an opportunity to assess the state of physical security across
Federal facilities and what DHS must do to improve protection of the
employees and visitors to these facilities and prevent future
tragedies.
Mr. Duncan. The Chairman will now recognize the Ranking
Member of the subcommittee, the gentleman from Texas who is
sitting in for the Ranking Member, Mr. Barber. But the
gentleman from Texas, Mr. O'Rourke, is recognized for an
opening statement.
Mr. O'Rourke. Thank you.
I want to thank Chairman Duncan for calling and organizing
today's hearing.
I want to thank the witnesses for their testimony, in
advance, and I want to thank them in advance for answering our
questions.
I want to thank the committee staff from both sides for
doing all the leg work to get us ready for today.
I also want to extend my condolences to the families and
survivors from those horrific events last month.
I know that any time there is a hearing like this or the
issue reappears in the news, that has to open up those memories
again, and must cause some additional pain and heartache for
those who are involved.
So I want to make sure that we use today's hearing to learn
what we can from what took place, and to apply those lessons to
ensuring or trying to ensure that we don't have a repeat of
this event at a Federal facility in the future.
I also want to make sure that we are proportionate in our
response to what we learn. As the Chairman said, we want to
have the right number of guards proportionate to the risk that
we understand to take place.
These are, after all, public buildings. We want to make
sure that we don't so fortify them that we exclude the public,
that we create an impression that the public is not welcome,
that we make it unduly difficult for people to access
Government, to receive the services that they are paying for.
They should have the right to expect to access.
I also hope that we will be able to explore the true cost
of contracting services, using contractors versus dedicated
civil servants or professionals who are in those jobs for their
careers. There is a balance that we have to strike in terms of
cost savings and efficiencies versus some level of
dependability and building a culture that might, in fact,
ultimately prevent these kinds of activities in the future.
I hope that, in closing, and I want to be brief because I
want to get to the testimony from our witnesses, I hope that we
use what we learn from horrific events like these--and
unfortunately there are far too many over the last few years--
to strike that right balance in all of those areas.
So I look forward to the testimony, to applying those
lessons, to the Chairman's leadership in making sure that we
strike that balance. With that, I will conclude and yield back
to the Chairman.
Mr. Duncan. I thank the gentleman from Texas.
Other Members of the subcommittee are reminded that opening
statements may be submitted for the record.
[The statements of Ranking Members Barber and Thompson
follow:]
Statement of Ranking Member Ron Barber
October 30, 2013
Thank you, Chairman Duncan, for holding this very important hearing
to examine how extensively standards for Federal facility security are
being followed to ensure the safety of Federal personnel and visitors
to these buildings.
Across the country, we are experiencing a rise in attempts by
individuals to shoot at or otherwise attack Federal facilities, and it
is both timely and critical that we hear today from Department
officials and other witnesses about the efficacy of the standards put
in place by the Interagency Security Committee to protect our people as
well Federal facilities.
In addition to my own personal experience as the unintended victim
of a shooting incident, we seem to get all-too-frequent news reports of
attempts by mentally unstable or disgruntled individuals who open fire
at Federal facilities.
I will be interested to hear today from the witnesses how effective
they think the Interagency Security Committee has been to date not only
in establishing a set of physical security standards, but also in
providing enough guidance to Federal agencies and departments to
increase their adoption of these standards.
It is not sufficient to issue standards--it is also incumbent upon
the Interagency Security Committee and the Federal Protective Service,
or FPS, as the implementing agency to make sure that Executive branch
agencies understand how the Government's standards for physical
security can best be utilized.
In the Government Accountability Office or GAO report issued at
Ranking Member Thompson's request in January, GAO states that the
Interagency Security Committee's standards are frequently the second
choice of Federal physical security managers after their own
institutional knowledge.
This is a troubling finding by GAO, and given the recent uptick in
attempted shootings at Federal facilities, it is incumbent upon all of
us to assist the Interagency Security Committee in strengthening its
outreach and guidance regarding its standards for the safety of all
Federal personnel and visitors.
In addition, GAO states in their testimony that Federal facility
security is further jeopardized by FPS' on-going mismanagement of its
contract guard force, and alarmingly, but the agency's failure to
ensure that its guards receive the required active-shooter response
training that would best prepare them to protect Federal facilities.
Further, GAO's testimony indicates that FPS and several other
Federal agencies are not currently using an appropriate methodology to
assess risk at Federal facilities which only increases the
vulnerability of those who work in or visit Federal buildings. I look
forward to hear the witnesses address these and other pertinent issues
related to Federal facility security.
______
Statement of Ranking Member Bennie G. Thompson
The purpose of this hearing is to review the security protocols in
place to safeguard Federal facilities and the Federal personnel who
work within them, and the visitors to those buildings. I am a long-
standing observer of the Federal Protective Service, or FPS, and at the
beginning of this Congress, I reintroduced my legislation, H.R. 735,
the Federal Protective Service Improvement and Accountability Act of
2013. My legislation seeks to move FPS away from its over-reliance on
contract security guards, and to instead build up the agency's internal
capacity.
Also, at my request, the Government Accountability Office has
produced 10 reports related to FPS, the most recent of which pertains
to today's topic of Federal facility security protocols and which was
released in January of this year. We are all cognizant of the recent
shooting at the Navy Yard on September 16, yet incidents of active
shooters who breach Federal facilities have become all too commonplace.
In my own home district of Jackson, Mississippi, a man was arrested
on October 2 for attempting to walk inside the Veterans Affairs
regional affairs office with a pistol and was then recommended to
undergo a psychiatric evaluation. Some other recent examples of
individuals who have attempted to open fire on Federal facilities
include a former police officer in Wheeling, West Virginia who fired
more than 20 shots at a Federal courthouse located there on October 8
of this year; on February 15, 2012, an ICE agent shot and killed one
colleague and wounded another in the Federal building in Long Beach,
California; and a bag containing an improvised explosive device, or
IED, was left undetected for several weeks inside the Federal building
in Detroit, Michigan in February 2011. An FPS contract guard brought
the bag inside the building and placed it under a screening console
where the IED remained in the bag until it was discovered 21 days
later.
Clearly, we must ensure that the personnel who oversee physical
security programs at our Federal facilities are adhering closely to the
uniform set of standards provided by the Interagency Security
Committee. In 1995, after the bombing of the Alfred P. Murrah Federal
building in Oklahoma City, President Bill Clinton signed Executive
Order 12977. As an outcome of Executive Order 12977, the Interagency
Security Committee was created to produce a coherent set of physical
security standards that can be tailored to meet the diverse needs of
Federal agencies and departments.
This hearing should allow us to determine how closely Federal
agencies and departments are complying with the Interagency Committee's
security protocols, and demonstrate what remaining outreach work DHS
must undertake to make sure that its physical security protocols are
being implemented and adhered to in the interest of National safety.
Mr. Duncan. We are pleased to have a distinguished panel of
witnesses before us today on this important topic. Let me
remind the witnesses that their entire written statement will
appear in the record.
I will introduce each of you first and then I will
recognize you individually for your testimony.
Members of the Committee may come and go today. There is a
lot going on on the Hill with mark-ups and other committee
hearings on a Wednesday morning. So Members may come and go as
the committee progresses.
So let me start off by introducing the witnesses. The first
one is Mr. L. Eric Patterson. Eric was appointed director of
the Federal Protective Service, a subcomponent of the National
Protection and Programs Directorate of the Department of
Homeland Security in September 2010.
Mr. Patterson previously served as deputy director of
defense, counterintelligence, and HUMINT center at the Defense
Intelligence Agency, DIA. Prior to joining DIA, Mr. Patterson
served as a principal with Booz Allen Hamilton, where he
supported two of the Defense Technical Information Center
analysis centers.
Mr. Patterson is a retired United States Air Force
brigadier general with 30 years of service.
Sir, thank you for your service to our great Nation.
Mr. Greg Marshall is the chief security officer for the
Department of Homeland Security. In this capacity, Mr. Marshall
is responsible for security-related issues effecting the
Department personnel security, physical security, special
security, special access programs, security training and
awareness.
Mr. Marshall began his Federal career as a police officer
with the United States Capitol Police in 1984 and later
transferred to the Howard County Maryland Police Department
where he retired in 2007.
He returned to Federal service when he joined DHS as deputy
chief of physical security and was later promoted deputy chief
security officer.
Ms. Caitlin Durkovich is the assistant secretary for
infrastructure protection at the Department for Homeland
Security. In this role, she leads the Department's efforts to
strengthen public-private partnerships and coordinate programs
to protect the Nation's critical infrastructure, assess and
mitigate risk, build resilience, and strengthen instant
response and recovery.
Previously, Ms. Durkovich served as the National Protection
and Program Directorate as chief of staff, overseeing day-to-
day management of the director and the development of internal
policies and strategic planning.
She is testifying on behalf of the inter-agency security
committee, a committee comprised of 53 representatives of
Federal agencies and departments with the mandate to enhance
the quality and effectiveness of physical security of Federal
buildings in the United States.
Last, Mr. Mark Goldstein is the director of physical
infrastructure issues at the GAO. Mr. Goldstein is responsible
for GAO's work in the areas of Government property, critical
infrastructure, and telecommunications.
Mr. Goldstein has held other public-sector positions
including serving as the deputy executive director and chief of
staff to the District of Columbia financial control board,
legislative adviser of the commissioner of internal revenue,
and a senior staff member of the United States Senate Committee
on Homeland Security and Governmental Affairs.
Prior to Government service, Mr. Goldstein was an
investigative journalist and author.
We can see that we have got a great panel here today and I
look forward to your testimony. So I want to thank you all for
being here. I now recognize Mr. Patterson for his opening
statement.
STATEMENT OF L. ERIC PATTERSON, DIRECTOR, FEDERAL PROTECTIVE
SERVICE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Patterson. Good morning, sir. Good morning and thank
you, Chairman Duncan and Congressman O'Rourke and the other
distinguished Members of the subcommittee.
My name is Eric Patterson and I am the director of the
Federal Protective Service within the National Protection and
Programs Directorate of the Department of Homeland Security. I
am honored to testify before this committee today regarding the
mission and operations of the Federal Protective Service.
In the United States, Government facilities remain a
potential target of attacks. FPS's mission is to protect over
9,000 Federal facilities and over 1.4 million occupants and
visitors.
To accomplish our mission, FPS inspectors and contract
protective security officers, referred to as PSOs, work in
tandem to attend to daily security needs at Federal facilities
and respond to threats directed against the facilities or the
Government personnel working within them.
PSOs are the eyes and ears of our organization. PSOs are
responsible for controlling access to Federal facilities,
detecting and reporting criminal acts, and responding to
emergency situations.
PSOs also ensure prohibited items such as firearms,
explosives, knives, and drugs do not enter Federal facilities.
In fact, FPS PSOs stop approximately 700,000 prohibited items
from entering Federal facilities annually.
All PSOs must undergo preliminary background investigation
checks to determine their fitness to begin work on behalf of
the Federal Government.
FPS partners with private-sector guard companies to ensure
that the guards have met the certification, training, and
qualification requirements specified in the contracts, covering
subject areas such as ethics, crime scene protection, actions
to take in special situations such as building evacuations,
safety in fire prevention, and public relations.
To ensure high performance of our contractor PSO force, FPS
law enforcement personnel conduct PSO post-inspections and
integrate covert test activities to monitor vendor compliance
and countermeasure effectiveness. Additionally, vendor files
are audited periodically to validate the PSO certifications and
training records reflect compliance with contract requirements.
In fiscal year 2013 alone, FPS conducted 54,000 post
inspections and 17,000 PSO personnel file audits.
As Members of the committee may be aware, the GAO has in
the past raised some concerns regarding FPS's handling of PSO
training and oversight. FPS has taken significant steps to
improve oversight of PSO contracts.
For example, FPS is currently hiring 39 additional contract
officer representatives in order to improve oversight of vendor
contract compliance. FPS has also drafted and is vetting an
enhanced policy for FPS PSO contract performance monitoring and
oversight.
Due in part to these actions, FPS has made significant
progress toward closing GAO and OIG recommendations pertaining
to our oversight.
FPS also directly employs 1,000 Federal law enforcement
personnel who perform a variety of critical functions,
including PSO oversight, facility security assessments, and
uniformed police response.
To assist our law enforcement personnel in performing
oversight of PSO posts, FPS has partnered with DHS Science and
Technology to develop a near-term, real-time post-tracking
system, also referred to as PTS, which will facilitate the
identification of the most effective and efficient solutions
for managing our guard force.
One of the most important responsibilities of FPS law
enforcement personnel is conducting facility security
assessments, also referred to as FSAs. FSAs document security-
related risk to a facility and provide a record of
countermeasure recommendations designed to enable tenant
agencies to meet inter-agency security committee standards for
Federal facility security.
Specifically, FPS conducts multiple interviews and in-depth
research to support the accomplishment of facility-specific
threat assessments. These assessments are an integral first
step in establishing the foundation for the risk framework.
FPS collaboration with private sector and Government
stakeholders is critical to the successful implementation and
characterization of a risk-management framework for each unique
facility.
Finally, FPS officers respond to tens of thousands of calls
for service annually, which entail responding to criminal
activity in progress, to protect life and property, and to
respond to National security events or to support other law
enforcement responding to a critical situation, as was in the
case at the Navy Yard on September 16, 2013.
With regard to responding to an active-shooting incident, I
would like to take this opportunity to note that FPS does
administer an active-shooter tenant awareness training program
and has provided training to more than 3,300 Federal facility
tenants. Additionally, while FPS PSOs are not sworn Federal law
enforcement officers and are statutorily limited in the scope
of actions that they can take during an active-shooter
incident, FPS does provide them instruction regarding actions
to take in special situations such as a building fire or report
of workplace violence or other emergency situations or
evacuations.
In closing, I would like to acknowledge and thank our
partners, especially members of the law enforcement community,
who responded the day of the Navy Yard shooting. The events of
September 16 were both a testament to their dedication and
training, and a stark reminder of the critical importance of
the mission of the Department of Homeland Security and the
Federal Protective Service.
The Federal Protective Service remains committed to
providing safety, security, protection, and a sense of well-
being to thousands of Federal employees, citizens, and visitors
who work and conduct business in our Federal facilities daily.
Thank you again for the opportunity to testify before this
committee, and I will be pleased to answer any questions you
may have.
[The joint prepared statement of Mr. Patterson and Ms.
Durkovich follows:]
Joint Prepared Statement of Leonard E. Patterson and Caitlin Durkovich
October 30, 2013
Thank you Chairman Duncan, Ranking Member Barber, and the
distinguished Members of the subcommittee. We are pleased to appear
before the committee today to discuss the efforts by the National
Protection and Programs Directorate (NPPD) to increase security and
resilience at our Nation's Federal facilities. The men and women
serving in NPPD have wide-ranging responsibilities, from serving on the
front lines of law enforcement to developing standards with
stakeholders to conducting training Nation-wide. NPPD works with owners
and operators, public safety, and countless others daily to keep the
Nation secure. These efforts prepare our partners for steady state and
day-to-day activity, but also for large-scale and complex incidents.
NPPD builds capabilities among our stakeholders and enhances
coordination and planning efforts, so when an incident occurs, our
employees and stakeholders are prepared to respond and mitigate future
incidents.
In addition to working with public and private-sector partners to
enhancing security across the sectors, NPPD provides daily protection
at Federal facilities through the Federal Protective Service (FPS),
protecting more than 1.4 million tenants and visitors in the
facilities, on the grounds, and on property owned, occupied, or secured
by the Federal Government. Across the country FPS provides law
enforcement and security management services, which include operations
and oversight of approximately 12,000 contract Protective Security
Officers (PSO), and security countermeasure services for more than
9,000 General Services Administration-owned, -leased, or -operated
facilities located across the country and other Federal facilities.
ENSURING THE SECURITY AND RESILIENCE OF CRITICAL INFRASTRUCTURE
Within NPPD, the Office of Infrastructure Protection (IP) works
with public and private-sector partners to increase the security and
resilience of critical infrastructure and protect the individuals
relying on infrastructure. This includes programs to support critical
infrastructure owners and operators in enhancing their facilities'
security and resilience and coordinating critical infrastructure
sectors.
IP is responsible for overall coordination of the Nation's critical
infrastructure security and resilience efforts, including development
and implementation of the National Infrastructure Protection Plan
(NIPP). The NIPP establishes the framework for integrating the Nation's
various critical infrastructure security and resilience initiatives
into a coordinated effort. The NIPP provides the structure through
which the Department of Homeland Security (DHS), in partnership with
Government and industry, implements programs and activities to protect
critical infrastructure, promote National preparedness, and enhance
incident response. The NIPP is regularly updated to capture evolution
in the critical infrastructure risk environment, and DHS is currently
updating the NIPP based on requirements set forth in Presidential
Policy Directive (PPD) 21.\1\
---------------------------------------------------------------------------
\1\ In February 2013, President Obama issued Presidential Policy
Directive (PPD) 21 on Critical Infrastructure Security and Resilience.
PPD-21 advances a National unity of effort to strengthen and maintain
secure, functioning, and resilient critical infrastructure. One of the
requirements set forth in the policy was for DHS to update the NIPP.
---------------------------------------------------------------------------
IP conducts on-site risk assessments of critical infrastructure and
shares risk and threat information with State, local, and private-
sector partners. In addition to helping critical infrastructure owners
and operators become more aware of the risks, hazards, and mitigation
strategies, we're also helping them measure and compare their levels of
security and resilience and how they can improve. In the last year, we
conducted more than 900 vulnerability assessments and security surveys
on critical infrastructure to identify potential gaps and provide the
owners and operators with options to mitigate those gaps and strengthen
security and resilience. In addition to serving owners and operators
and Government officials directly, IP supports the development of
standards, reports, guidelines, and best practices for civilian Federal
facilities through the Interagency Security Committee (ISC).
Interagency Security Committee
The mission of the ISC is to safeguard U.S. civilian facilities
from all hazards by developing state-of-the-art security standards in
collaboration with public and private homeland security partners. The
ISC was created following the bombing of the Alfred P. Murrah Federal
Building in Oklahoma City on April 19, 1995--the deadliest attack on
U.S. soil before September 11, 2001 and the worst domestic-based
terrorist attack in U.S. history. Following the attack, Executive Order
12977 created the ISC to address ``continuing Government-wide
security'' for Federal facilities in the United States.
ISC standards apply to all civilian Federal facilities in the
United States. These include facilities that are Government-owned, -
leased, or -managed, to be constructed or modernized, or to be
purchased, accounting for more than 399,000 Federally-owned and -leased
assets and over 3.35 billion square feet Nation-wide.\2\ The ISC is
truly an interagency body exhibiting collaboration and communication
between 53 Federal agencies and departments.\3\ When agencies cannot
solve security-related problems on their own, the ISC brings chief
security officers and senior executives together to solve continuing
Government-wide security concerns. The ISC is responsible for the
creation and implementation of numerous standards, guidelines, and best
practices for the protection of over 300,000 nonmilitary Federal
facilities across the country. This work is based on real-world,
present-day conditions and challenges and allows for cost savings by
focusing on specific security needs of the agencies.
---------------------------------------------------------------------------
\2\ The Federal Real Property Council's Fiscal Year 2010 Federal
Real Property Report, An Overview of the U.S. Federal Government's Real
Property Assets.
\3\ Additional information on ISC membership is located in the
Appendix.
---------------------------------------------------------------------------
The ISC is a permanent body with appointed members who often serve
multi-year terms. Several have represented their organizations for more
than a decade. Leadership of the ISC is provided by the assistant
secretary for infrastructure protection, an executive director, as well
as 8 standing subcommittees: Steering, Standards, Technology,
Convergence, Training, Countermeasures, Design-Basis Threat, and the
Chair Roundtable.
FPS is an active participant in the work of the ISC, helping shape
standards, guidance, and best practices that enable FPS employees to
perform their protection mission with consistency and efficiency. FPS
sits on the ISC Steering committee, chairs the Training subcommittee,
and has representatives on a number of other ISC committees and working
groups, including the Design Basis Threat group, the Countermeasures
subcommittee, and others. FPS chaired the working group that authored a
``Best Practices for Federal Mobile Workplace Security'' document in
2013 that is currently under review, and is also on the Active Shooter-
Prevention and Response as well as the PPD-21 and Compliance working
groups that are currently meeting. In recent years, FPS has also co-
chaired the working groups that produced the Items Prohibited from
Federal Facilities: An ISC Standard and Best Practices for Armed
Security Officers in Federal Facilities, 2nd Edition documents. FPS
also serves as the Sector-Specific Agency for the Government Facilities
Sector. In this role FPS is responsible for working with various
partners--including other Federal agencies; State, local, Tribal, and
territorial governments as well as other sectors--to develop and
implement the Government facilities sector-specific plan.
Standards and Best Practices for Secure Facilities
The ISC issues standards, reports, guidelines, and best practices
to protect approximately 1.2 million Federally-owned buildings,
structures, and land parcels more than 2.5 million tenant employees,
and millions of visitors each day from harm. The documents developed by
the ISC affect all civilian Federal facilities--Government-owned, -
leased, to be constructed, modernized, or purchased.
Examples of ISC Standards and Guidelines
The Risk Management Process for Federal Facilities
Standard.--Issued August 2013, this ISC Standard defines the
criteria and processes that those responsible for the security
of a facility should use to determine its facility security
level and provides an integrated, single source of physical
security countermeasures for all non-military Federal
facilities. The Standard also provides guidance for
customization of the countermeasures for Federal facilities and
encompasses the following documents:
(1) Facility Security Level Determinations (FSL)--2008;
(2) Physical Security Criteria for Federal Facilities--2010;
(3) Design Basis Threat--2013;
(4) Facility Security Committees--2012;
(5) Use of Physical Security Performance Measures--2009;
(6) Child-Care Centers--Level of Protection Template--2010.
Violence in the Federal Workplace: A Guide for Prevention
and Response.--Issued April 2013, these Government-wide
procedures for threat assessment, intervention, and response to
incidents of workplace violence were developed by the ISC, in
conjunction with the Chief Human Capital Officers Council and
the National Institutes of Occupational Safety and Health.
Occupant Emergency Programs: An ISC Guide.--Issued March
2013, this guidance outlines the components of an Occupant
Emergency Program, including those items that comprise an
emergency plan, and defines the basic guidelines/procedures to
be used for establishing and implementing an effective occupant
emergency program.
Items Prohibited From Federal Facilities: An ISC Standard.--
Issued February 2013, this standard establishes a guide-line
process for detailing control of prohibited items into Federal
facilities, and identifies responsibilities for denying entry
to those individuals who attempt to enter with such items.
Best Practices for Armed Security Officers in Federal
Facilities, 2nd Edition.--Issued February 2013, this best
practice recommends a set of minimum standards to be applied to
all contract armed security officers working in Federal
facilities.
Security Specialist Competencies: An ISC Guideline.--Issued
January 2012, this document provides the range of core
competencies Federal Security Specialists should possess to
perform their basic duties and responsibilities.
Best Practices for Mail Screening and Handling.--Issued
September 2011, this joint ISC-Department of Defense Combating
Terrorism Technical Support Office/Technical Support Working
Group (CTTSO/TSWG) document provides mail center managers,
supervisors, and security personnel with a framework for
mitigating risks posed by mail and packages.
The ISC continues to identify new initiatives based on current and
emerging threats as well as revise policies which may become outdated.
Currently the ISC is working on several new initiatives:
Active Shooter--Prevention and Response.--Streamlining
existing Federal guidance and ISC policy on Active Shooter into
one cohesive guidance document that agencies housed in non-
military Federal facilities can use as a reference to enhance
preparedness for an active-shooter incident.
Facility Security Plan.--Utilizing the ISC's Risk Management
Process to develop guidance agencies can use to develop a
Facility Security Plan.
Security Office Staffing.--Establishing criteria and
policies which will inform agencies' staffing of Security
Offices.
Resource Management.--Developing guidance to help agencies
make the most effective use of resources available for physical
security across their portfolio of facilities and examine the
use of organizational practices for resource management
purposes.
Presidential Policy Directive 21 and Compliance.--Developing
security criteria for critical infrastructure supporting
mission-essential functions to account for PPD-21 requirements
and to create a strategy for compliance.
Best Practices for Federal Mobile Workplace Security.--
Analyzing the future impact on physical and cybersecurity
policy and practices.
Threats to our critical infrastructure, including Federal
facilities, are wide-ranging. Not only are there terrorist threats,
like the bombing at the Boston Marathon this past spring, but threats
from weather-related events, such as Hurricane Sandy, as well as
threats to our cyber infrastructure which may have a direct impact on
the security of our Federal buildings. While it's impossible to
anticipate every threat, NPPD is taking a holistic approach to create a
more resilient infrastructure environment to better handle these
challenges, and the work of the ISC exemplifies these efforts. Ensuring
our Federal facilities are secure and resilient is a large challenge,
but by providing our partners with standards and best practices, law
enforcement agencies serving at Federal facilities every day, like the
Federal Protective Service, have the tools and resources necessary to
mitigate threats.
Active-Shooter Preparedness
Recent events have demonstrated the need to identify measures that
can be taken to reduce the risk of mass casualty shootings, improve
preparedness, and expand and strengthen on-going efforts intended to
prevent future incidents. DHS aims to enhance preparedness through a
``whole community'' approach by providing training, products, and
resources to a broad range of stakeholders on issues such as active-
shooter awareness, incident response, and workplace violence.
FPS has developed an Active-Shooter Tenant Awareness training
program and has provided this training to more than 3,300 Federal
facility tenants so they may be better equipped to analyze a potential
situation and work through concerns, actions, and decisions. In
addition, more than 1,000 FPS law enforcement officers and agents have
been trained in ``Active-Shooter Response Tactics.'' To date, over
9,700 individuals have viewed DHS's active-shooter webinar, over 7,300
attendees have participated in over 100 active-shooter workshops and
exercises Nation-wide, and over 263,400 Americans have taken DHS's
``Active Shooter: What You Can Do'' course. Each workshop allows
participants to ``live'' an emergency incident and analyze the
situation to work through concerns, actions, and decisions. DHS also
launched an active-shooter webpage in January 2013, which includes
active-shooter training resources for Federal, State, and local
partners, as well as the public. Since its launch, the page has been
accessed more than 258,000 times. In addition to the training FPS
provides to tenants, FPS's PSOs receive instruction regarding actions
to take in special situations, such as a building fire, a report of an
active shooter or workplace violence, and other emergency situations or
evacuations.
ENSURING THE SECURITY AND RESILIENCE OF FEDERAL FACILITIES
In the United States Government facilities remain a potential
target of attacks. The NPPD FPS mission is to protect Federal
facilities and their occupants and visitors by providing superior law
enforcement and protective security services, leveraging the
intelligence and information resources of its network of Federal,
State, local, Tribal, territorial, and private-sector partners. To
accomplish our mission and help prevent incidents like the Navy Yard
tragedy from occurring at FPS-protected Federal facilities, our
inspectors and PSOs work in tandem to attend to daily security needs at
Federal facilities, assess individual Federal facilities'
vulnerabilities to both natural and man-made events, and effectively
respond to security-related activities and threats directed against the
facilities or the Government personnel working within them.
In performing the mission of protecting Federal facilities and
persons thereon, we rely on our law enforcement and security
authorities found at 40 U.S.C. � 1315; our ability to enter into
agreements with State, local, and Tribal law enforcement agencies for
purposes of protecting Federal property; the enforcement of Federal
Management Regulation sections pertinent to conduct on Federal property
under 41 C.F.R., Part 102-74 Subpart C; and our responsibility as a
recognized ``first responder'' for all crimes and suspicious
circumstances occurring at GSA-owned or -leased property.
FPS OPERATIONS
FPS contracted PSOs are the eyes and ears of our organization. PSOs
are responsible for controlling access to Federal facilities,
conducting screening at access points to Federal facilities, enforcing
property rules and regulations, detecting and reporting criminal acts,
and responding to emergency situations involving facility safety and
security. PSOs also ensure prohibited items, such as firearms,
explosives, knives, and drugs, do not enter Federal facilities. In
fact, FPS PSOs stop approximately 700,000 prohibited items from
entering Federal facilities annually.
Suitability
All PSOs must undergo preliminary background investigation checks
to determine their fitness to begin work on behalf of the Government.
At FPS, preliminary checks consist of a review of the applicant's
background investigation questionnaire form as well as automated record
checks with the FBI, National Crime Information Center, credit
reporting bureaus, and naturalization/citizenship checks, when
applicable. If derogatory information cannot be mitigated to allow for
a favorable preliminary decision, the background investigation must be
completed and favorably adjudicated prior to ``Entry On Duty''
approval. For PSOs serving in Federal facilities requiring a high-level
security clearance, DHS uses the Defense Security Service to adjudicate
background investigations.
Training
FPS partners with private-sector guard companies to ensure that
PSOs are prepared to accomplish their duties. FPS works with the guard
companies to ensure the guards have met the certification, training,
and qualification requirements specified in the contracts, covering
subject areas such as ethics, crime scene protection, actions to take
in special situations such as building evacuations, safety and fire
prevention, and public relations. Courses are taught by FPS, by the
contract guard company, or by a qualified third party such as the
American Red Cross for CPR. PSOs also receive instruction in areas such
as X-Ray and magnetometer equipment, firearms training and
qualification, baton qualification, and First-Aid certification. PSOs
are required to attend refresher training and they must recertify in
weapons qualifications in accordance with Federal and State
regulations.
The FPS training team is working closely with industry and Federal
partners in an effort to further standardize the PSO training screening
station-related training. For example, our trainers work with the U.S.
Marshals Service and Transportation Security Administration trainers to
incorporate best practices into the base X-Ray, Magnetometer, and Hand-
Held Metal Detector training. Additionally, FPS is working closely with
the National Association of Security Companies to develop a National
Lesson Plan for PSOs that will establish a basic and National training
program for all PSOs; this is important to ensure standards are
consistent across the Nation. These efforts will further standardize
training PSOs receive and will provide for a great capability to
validate training and facilitate rapid adjustments to training to
account for changes in threat and technological advancements.
Oversight
FPS is committed to ensuring high performance of its contracted PSO
workforce. FPS Law Enforcement personnel conduct PSO post inspections
and integrated covert test activities to monitor vendor compliance and
countermeasure effectiveness. Additionally, vendor files are audited
periodically to validate that PSO certifications and training records
reflect compliance with contract requirements. In fiscal year 2013, FPS
conducted 54,830 PSO post inspections and 17,500 PSO personnel file
audits.
In addition, and in accordance with procurement regulation and
policy, contract deficiencies and performance issues are documented in
the annual Contractor Performance Assessment Report. FPS Headquarters
and regional leadership are provided with regular reports to maintain
visibility on the status of these important assessments that are also
used by agency source selection officials in the procurement process
when awarding new PSO contracts.
As Members of the committee may be aware, the GAO has, in the past,
raised some concerns regarding FPS's handling of PSO training and
oversight. FPS has taken significant steps to improve oversight of PSO
contracts. For example, FPS is currently hiring 39 additional
Contracting Officer Representatives in order to improve oversight of
vendor contract compliance. FPS has also drafted and implemented an
enhanced policy for FPS PSO performance monitoring, security force
management, and contractor management functions. Among other
improvements, this standardizes Nationally the methods and frequencies
of PSO post inspections and audits of contractor files.
Due in part to these actions, FPS has made significant progress
toward closing GAO and OIG recommendations pertaining to oversight.
Since 2011, FPS has successfully closed 13 GAO and 4 OIG
recommendations and has submitted closure documentation for 9
additional recommendations. Of these, 2 were successfully closed and 7
are pending GAO's internal review for closure.
LAW ENFORCEMENT PERSONNEL
FPS also directly employs over 1,000 Federal Law Enforcement
Personnel who are trained physical security experts. Law Enforcement
Personnel perform a variety of critical functions, including conducting
comprehensive security assessments of vulnerabilities at facilities,
developing and implementing protective countermeasures, and providing
uniformed police response and investigative follow-up. As previously
noted, Law Enforcement Personnel also conduct PSO guard post
inspections on a daily basis as well as Operation Shield activities,
which involve deployments of a highly visible array of law enforcement
personnel to validate and augment the effectiveness of FPS
countermeasures across the protective inventory.\4\
---------------------------------------------------------------------------
\4\ This includes providing highly-visible law enforcement presence
to disrupt terrorist/criminal activity, expand patrol and response
operations through increased coverage, demonstrate FPS's commitment to
employing the highest standards for the security of Federal facilities
and the safety of their occupants; and collect and assimilate data to
continually assess and improve FPS's ability to achieve its core
mission--to secure facilities and safeguard occupants.
---------------------------------------------------------------------------
Facility Security Assessments
One of the most important responsibilities of FPS Law Enforcement
Personnel is conducting Facility Security Assessments (FSAs) at FPS-
protected facilities Nation-wide. FSAs document security-related risks
to a facility and provide a record of countermeasure recommendations.
The process analyzes potential threats toward a facility through a
variety of research sources and information. Upon identification of the
threats, the process identifies and analyzes vulnerabilities to a
particular facility utilizing Protective Measure Indices (PMI).
Assessors utilize the Modified Infrastructure Survey Tool (MIST) to
document the existing protective posture at a facility and compares how
a facility is, or is not, meeting the baseline level of protection for
its FSL as set forth in the ISC's Physical Security Criteria for
Federal Facilities standard and the ISC's Design Basis Threat report.
MIST also compares the disparities identified against the baseline
level of protection specified in the ISC standards, thereby
operationalizing those standards, and enabling mitigation of the
vulnerabilities identified. The FSA report is a historical record and
informative report provided to FPS stakeholders to support their
decision making in risk mitigation strategies.
FSAs require collaboration between FPS private-sector stakeholders
and Government stakeholders. Collaboration between these entities is
critical to successful implementation of a risk management framework.
FPS partners with all of the stakeholders to identify and gather all
necessary information for characterizing the risks to each unique
facility. FSA is accomplished on a recurring schedule broken down by
FSL.
Law Enforcement Response
FPS officers respond to tens of thousands of calls for service
annually, some of which entail responding to criminal activity in
progress, others to protect life and property, and still others to
respond to National security events or to support other law enforcement
responding to a critical situation, as was the case in the Navy Yard
complex on September 16, 2013. In this case, FPS responded to the on-
scene Navy Yard Unified Command center in a supporting role and
deployed six K9 Explosive Detection Dog teams to be staged at the Navy
Yard and sweep the Nationals Park parking lot in response to mutual-aid
calls from the District of Columbia Metropolitan Police Department and
the FBI. Additionally, given the proximity of the FPS-protected U.S.
Department of Transportation (DOT) building to the Navy Yard complex,
FPS deployed to the DOT building, coordinated a Shelter-in-Place for
all occupants, established a secure perimeter around the building,
conducted K9 sweeps around the perimeter, and increased uniformed
patrol activities at other FPS-protected Federal facilities located
within the southeast corridor of the District of Columbia.
COMMITMENT TO SECURING FEDERAL FACILITIES
In closing, we would like to acknowledge and thank our partners in
both the public and private sector, especially members of the law
enforcement community who responded the day of the Navy Yard shooting.
We are grateful for their continued service. The shooting at the Navy
Yard on September 16 provided a reminder of the need to ensure our
infrastructure is secure and resilient so we can protect our
communities, regardless of the threat. We must maintain our
partnerships and continue to seek new opportunities to enhance the
security and resiliency of our Nation while providing our first
responders with the resources and tools they need.
DHS is committed to ensuring our Federal facilities remain safe and
secure for employees and visitors. Our employees will continue serving
on the front lines at Federal facilities and working behind the scenes
to develop standards and supporting law enforcement efforts. Thank you
again for the opportunity to testify before this committee. We look
forward to answering any questions you may have.
Appendix.--Interagency Security Committee Membership
Membership in the ISC consists of over 100 senior-level executives
from 53 Federal agencies and departments. In accordance with Executive
Order 12977, modified by Executive Order 13286, primary members
represent 21 Federal agencies. Associate membership is determined at
the discretion of the ISC Steering Committee and the ISC Chair.
Currently, associate members represent 32 Federal departments.
Primary Members (21)
(1) Assistant to the President for National Security Affairs
(2) Central Intelligence Agency
(3) Department of Agriculture
(4) Department of Commerce
(5) Department of Defense
(6) Department of Education
(7) Department of Energy
(8) Department of Health and Human Services
(9) Department of Homeland Security
(10) Department of Housing and Urban Development
(11) Department of the Interior
(12) Department of Justice
(13) Department of Labor
(14) Department of State
(15) Department of Transportation
(16) Department of the Treasury
(17) Department of Veterans Affairs
(18) Environmental Protection Agency
(19) General Services Administration
(20) Office of Management and Budget
(21) U.S. Marshals Service
Associate Members (32)
(1) Commodity Futures Trading Commission
(2) Court Services and Offender Supervision Agency
(3) Federal Aviation Administration
(4) Federal Bureau of Investigation
(5) Federal Communications Commission
(6) Federal Deposit Insurance Corporation
(7) Federal Emergency Management Agency
(8) Federal Protective Service
(9) Federal Reserve Board
(10) Federal Trade Commission
(11) Government Accountability Office
(12) Internal Revenue Service
(13) National Aeronautics & Space Administration
(14) National Archives & Records Administration
(15) National Capital Planning Commission
(16) National Institute of Building Sciences
(17) National Institute of Standards & Technology
(18) National Labor Relations Board
(19) National Science Foundation
(20) Nuclear Regulatory Commission
(21) Office of the Director of International Intelligence
(22) Office of Personnel Management
(23) Office of the U.S. Trade Representative
(24) Securities and Exchange Commission
(25) Smithsonian Institution
(26) Social Security Administration
(27) U.S. Army Corps of Engineers
(28) U.S. Capitol Police
(29) U.S. Coast Guard
(30) U.S. Courts
(31) U.S. Institute of Peace
(32) U.S. Postal Service
Mr. Duncan. Thank you.
The Chairman will now recognize Mr. Marshall to testify.
STATEMENT OF GREG MARSHALL, CHIEF SECURITY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Mr. Marshall. Chairman Duncan, Congressman O'Rourke,
Members of the committee, good morning and thank you for the
opportunity to provide testimony on access control for Federal
facilities.
I am Greg Marshall, the chief security officer for the U.S.
Department of Homeland Security. I am a career official with
nearly 30 years of law enforcement experience. The mission of
my office is to safeguard the Department's people, property,
and information. Accordingly, I am responsible, often in
partnership with my colleagues at the Federal Protective
Service, for security-related issues affecting more than
235,000 DHS employees that comprise the Department.
The security oversight and guidance authority of my office
applies across the Department. However, operational components
play a significant role in managing the facilities which they
inhabit, including access. The diverse missions and
responsibilities of the Department and the facilities used to
meet these missions underscore the challenges involved with the
physical security and access control disciplines.
The tragic events of Monday, September 16 at the Navy Yard
have placed the issue of physical security, access control, and
personnel vetting front and center in the minds of security
professionals across the Federal landscape. I need to make
clear, however, that security aims to manage risk, not
eliminate it. Our job is to do everything we can to keep our
employees safe, and in doing so we have the benefit of policies
and procedures and processes and technologies, both proven and
emerging, to help guide and improve our security programs.
When we consider the security for a Federal facility,
including access control, we follow the interagency security
community standards. Facilities are assessed for risk and
appropriate countermeasures are employed. The outcome of these
risk assessments drives the level of protection, to include an
appropriate access control posture. A one-size security
solution, however, cannot and will not fit all.
For employees to qualify for access to facilities, they
must undergo a background investigation to establish
suitability or fitness for employment. These investigations are
for the most part conducted by OPM. Contractors are screened in
a similar process to determine fitness for work on a DHS
contract and to also have facility access. Background
investigations for suitability and fitness examine character
and conduct, past conduct. Based upon all available
information, we make an adjudicative decision concerning a
person's suitability or fitness for employment or access to
classified information.
It is important to note that any background investigation,
no matter how rigorous, is no guarantee that all relevant
information is known, available, or has been included in the
investigation. Also, a background investigation may not
reliably predict future behavior. A background investigation is
an exercise in risk management, establishing some basic facts,
but cannot guarantee any individual's continuing fitness to
carry out their duties or to behave in a lawful or safe manner.
Recent improvements in our ability to manage these
incidents--these inherent risks and incidents include Homeland
Security Presidential Directive 12, which mandated a
Government-wide standard for secure and reliable credential to
be used when accessing Federal facilities. This credential,
also known as a PIV card, represents a marked improvement over
legacy identity cards. The background investigation process
itself is undergoing major Government-wide reform with phased
implementation to begin this fiscal year.
The concept of continuous evaluation has been developed to
supplement normal reinvestigation reviews with a process that
examines conduct between the reinvestigation time frames.
Relevant security information, like a recent arrest, would
become available in near-real time, helping to ensure that
Classified information and/or Federal facilities are
appropriately safeguarded.
Finally, this administration's recent information sharing
and safeguarding initiative, also known as ``insider threat,''
seeks to complement background investigations and continuous
evaluation with continuous monitoring. This program will
incorporate and analyze data in near-real time from a much
broader set of sources. Its focus is the protection of
Classified information, but its applicability to suitability
and contractor fitness is evident.
To conclude, suitability determinations and access control
to Federal facilities remains a work in progress, but is
evolving toward dramatic improvement. We have made great
progress, but managing employee and facility risks will
continue to be a challenge.
Thank you again for the opportunity to testify today.
[The prepared statement of Mr. Marshall follows:]
Prepared Statement of Gregory Marshall
October 30, 2013
Chairman Duncan, Ranking Member Barber, Members of the committee,
good morning and thank you for the opportunity to provide testimony on
access control for Federal facilities.
I am Greg Marshall, chief security officer of the U.S. Department
of Homeland Security (DHS). I lead the dedicated men and women who make
up the Office of the Chief Security Officer. My office is an element of
the Department's Management Directorate, and I report to the under
secretary for management.
The mission of our office is to safeguard the Department's people,
property, information, and systems. Accordingly, the DHS chief security
officer, often in partnership with the Federal Protective Service, is
responsible for security-related issues affecting the more than 240,000
DHS employees that compose the Department. I exercise DHS-wide security
program authorities in the areas of personnel security, physical
security, administrative security, special security, identity
management, special access programs, and security training and
awareness. I also support the chief information officer in the area of
IT security policy and the under secretary for intelligence and
analysis in the protection of intelligence sources and methods, and
accreditations of Classified facilities.
The security oversight and guidance authority of my office applies
across the Department. However, Operational components play a
significant role in managing the facilities which they inhabit,
including access to those facilities. The diverse missions and
responsibilities of the Department underscore the challenges involved
within the physical security and access control disciplines.
The tragic events of Monday, September 16 at the Washington Navy
Yard have placed the issue of physical security, access control, and
personnel vetting front and center in the minds of security
professionals across the Federal landscape.
Shortly after the Navy yard incident, I convened a meeting of the
Department's Chief Security Officer Council. Each component Chief
Security Officer (CSO) acknowledged the significance of the Navy Yard
tragedy to access control and the underlying vetting processes and each
CSO commented on the complexities of vetting and access, including the
costs involved. With this in mind, the Department remains committed to
ensuring that only those persons with a legitimate need to access any
given facility are allowed to enter, that those persons possess no
prohibited items, and that the backgrounds of those persons who do
enter have been vetted to an appropriate level of rigor.
I would make clear, however, that security involves risk
management. Our job is to do everything we can to reduce the risk and
keep our employees safe. In pursuit of our mission, please be assured
that DHS security leadership and the professionals we manage have the
benefit of extensive knowledge, training, and experience. We also have
the benefit of comprehensive policies, procedures, processes, and
emerging technologies to help guide and improve our key security
programs.
For example, when we consider the security posture for a Federal
facility, including access control, we at DHS follow Interagency
Security Committee standards. During this process, facilities are
assessed for risk, and appropriate countermeasures are employed to
mitigate the risks. Using a decision matrix involving mission
criticality, the sensitivity of the activities conducted, threats to
the facility, facility population of persons who work and visit there,
and other factors, an appropriate Federal Security Level is assigned to
each facility. Accordingly, the outcomes of these risk assessments
drive the level of protection for each facility, to include an
appropriate access control posture. Simply put, a one-size security
solution does not and cannot fit all facilities.
For our employees to qualify for access to a Federal DHS facility,
an employee must undergo a background investigation to establish his or
her suitability for employment. These investigations are, for the most
part, conducted by OPM on behalf of DHS. Contractors are screened in a
process similar to employees in order to determine their fitness to
work on a DHS contract and have unescorted access to DHS facilities.
Background investigations for suitability and fitness examine character
and conduct behaviors, such as criminal history, alcohol and drug use,
and employment history, among others. Based upon all available
information, a personnel security specialist makes an adjudicative
decision concerning a person's suitability or fitness for employment,
including access to facilities.
It is important to understand that a background investigation for
suitability and one for a security clearance processes with multiple
levels of investigation dependent upon the access required and level of
risk. A security clearance allows access to Classified information,
while a favorable suitability or fitness determination allows
employment and access to facilities. On its own, a background
investigation for suitability does not permit access to Classified
information.
It is also important to note that a background investigation for
either a suitability determination or a security clearance, no matter
how rigorous, is no guarantee that every bit of relevant information
about the individual is available or has been included. For example,
prior criminal convictions and/or arrest information may not be
reported in State and/or Federal repositories, often simply due to data
entry resource constraints. It is these types of checks that are basic
elements of any Federal employment background investigation.
Also, it is important to note that a background investigation may
not be an indicator of future behavior. Even those who have
successfully undergone the most rigorous set of background checks
available--even a comprehensive polygraph examination--may someday
prove untrustworthy. Ultimately, a Federal background investigation
only examines past behavior and is sometimes based on limited available
information.
A Federal background investigation is an exercise in risk
management, establishing some basic facts such as identity,
citizenship, criminal history, etc. However, a background investigation
cannot be characterized, in and of itself, does not guarantee any
single individual's continuing day-to-day fitness to carry out his or
her employment responsibilities or to behave in a lawful and safe
manner.
With these limitations in mind, there have been several recent
improvements to the ability of the Government to manage these inherent
risks.
First, Homeland Security Presidential Directive 12 (HSPD-12)
mandated the development and implementation of a Government-wide
standard for a secure and reliable Personal Identity Verification (PIV)
card for gaining access to Federally-controlled facilities. To date,
DHS Headquarters and components have issued over 250,000 PIV cards to
Federal employees and contractors. For the first time, this process has
effectively linked the completion of a person's background
investigation with the issuance to that person of a unique Federal
identity credential. The PIV card represents a marked improvement over
the various legacy access/identity cards, but is only a part of any
solution. As a result, Federal facility access control processes use
this PIV card and its various authentication mechanisms to verify the
identity of the holder, link the holder to the card, and link the card
itself to a database of valid employees and contractors having
legitimate business at any given facility.
Second, the background investigation process itself is undergoing a
major Government-wide reform effort, to include revised Federal
investigative standards signed jointly by the director of National
Intelligence and the director of the Office of Personnel Management in
2012, and phased implementation to begin this fiscal year. With the
Federal investigative standards, the concept of ``continuous
evaluation'' is being developed to supplement the normal re-
investigation reviews of employees which, under the revised standards,
will be in 5-year increments, with a Government-led process that
examines a person's conduct within his or her normal re-investigation
time frames. As such, relevant security information like a recent
arrest or conviction for a crime outside of the Federal system, for
example, would become available on a timelier basis to security
officials responsible for assessing a person's eligibility for access
to Classified information, thereby helping to ensure that Classified
information and/or Federal facilities are appropriately safeguarded.
``Continuous evaluation'' represents a significant process improvement
over current capabilities and will mitigate some of the limitations in
the existing background investigation process discussed above.
Finally, this administration's recent Information Sharing and
Safeguarding initiative, also known as ``Insider Threat,'' seeks to
complement background investigations and continuous evaluation with
continuous monitoring. Continuous monitoring will incorporate data in
near-real time from a much broader set of data sources, as compared to
information that was previously available in the background
investigation process. The initiative focuses on monitoring certain IT
systems and incorporates analysis and collation software to aid in the
identification of behavioral trends that could be indicative of an
insider threat problem. Strict referral protocols are in place to
investigate abnormalities. The aim is the detection and mitigation of
threats to Classified information before any damage can be done. The
focus of this program is the protection of Classified information, but
its applicability to other behavioral issues, including suitability and
contractor fitness, is evident.
In conclusion, the suitability determinations of and access control
to Federal facilities by Federal employees and contractors remains a
work in progress, but is evolving toward dramatic improvement. It is
our responsibility as DHS security leaders, with the support of
Congress, to ensure a safe and secure workplace. We have made important
strides, but assessing and managing employee and facility risks will
continue to be a challenge in the future. We will continue to work
every day to meet these challenges. Thank you again for the opportunity
to testify today.
Mr. Duncan. Thank you so much, Mr. Marshall.
Ms. Durkovich. If I pronounced that wrong, just tell me--
Durkovich?
Ms. Durkovich. You have pronounced it correctly. Thank you,
sir.
Mr. Duncan. Thank you so much. You are recognized for 5
minutes.
STATEMENT OF CAITLIN DURKOVICH, ASSISTANT SECRETARY,
INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND
SECURITY, TESTIFYING ON BEHALF OF THE INTERAGENCY SECURITY
COMMITTEE
Ms. Durkovich. Thank you very much, Chairman Duncan and
Ranking Member O'Rourke and the distinguished Members of the
subcommittee. I am honored to appear before you today.
As assistant secretary for infrastructure protection, I
have the responsibility to lead the overall coordination of the
Nation's critical infrastructure security and resilience
efforts, including development and implementation of the
National Infrastructure Protection Plan, or the NIPP. The NIPP
establishes the framework for integrating the Nation's various
critical infrastructure security and resilience initiatives
into a coordinated effort.
One of the most rewarding opportunities I have is to serve
as chair of the Interagency Security Committee and oversee the
development of standards and guidelines and best practices for
civilian Federal facilities through the Interagency Security
Committee, or the ISC. The ISC was created by Executive Order
following the bombing of the Alfred P. Murrah Federal Building
in Oklahoma City on April 19, 1995.
The ISC is responsible for the creation and adoption of
numerous standards, guidelines, and best practices for the
protection of nearly 400,000 non-military Federal facilities
across the country. This work is based on real-world present-
day conditions and challenges and allows for cost savings by
focusing on specific security needs of the agencies.
ISC standards provide the Federal community with strategies
for identifying physical security measures and support the
design and implementation of risk-based security policies. In
August, the ISC issued the risk management process for Federal
facilities standard, which defines the criteria and processes
that those responsible for security should use to determine a
facility's security level and provides an integrated single
source of physical security countermeasures for all non-
military Federal facilities.
The standard also provides guidance for customization of
countermeasures for Federal facilities and explains that risk
can be addressed in various ways, depending on agency mission
needs, for example, the presence of child care on-site and
historical significance. It is most important to note that the
ISC is truly a collaborative interagency body. Fifty-three
Federal departments and agencies participate in the ISC and
take the lead on bringing ideas to the table and drafting
standards and best practices.
When agencies cannot solve security-related problems on
their own, the ISC is a convening body for chief security
officers and senior executives to solve continuing Government-
wide security concerns. The ISC membership develops standards
and best practices based on real-world threats. Recent events
have demonstrated the need to identify measures that can be
taken to reduce the risk of mass-casualty shootings, improve
preparedness, and expand and strengthen on-going efforts
intended to prevent future incidents.
DHS aims to enhance preparedness through a whole-of-
community approach, by providing resources to a broad range of
stakeholders on issues such as active-shooter awareness,
incident response, and workplace violence.
Working with partners in the private sector, DHS developed
training and other awareness materials to assist critical
infrastructure owners and operators with better training their
staff and coordinating with local law enforcement.
We have hosted hundreds of workshops and developed an on-
line training tool targeted at preparing those who work in
these buildings.
These efforts and resources have been well-received and are
applicable to Government facilities as well as commercial
spaces.
Cognizant of this growing threat, the ISC this past spring
formed a Federal active-shooter working group. While a number
of Federal guidance documents previously existed on active-
shooter preparedness and response, including our designed basis
threat report, the violence in Federal workplace, a guide for
prevention response, and occupant emergency programs, an ISC
guide, the working group was formed to streamline existing ISC
policies into a single cohesive document.
To date, the working group has met four times and has
reviewed numerous publications and guidance documents,
including training materials developed by the Department for
commercial facilities.
It will also leverage lessons learned from real-world
incidents, including the Navy Yard shooting.
It is our intention that the resulting work will serve as a
resource for agencies to enhance preparedness for an active-
shooter incident in a Federal facility.
Threats to our critical infrastructure, including Federal
facilities, are wide-ranging. Not only are there terrorist
threats, like the bombing at the Boston Marathon this past
spring, or the complex shopping mall attack we saw recently
overseas, but threats from weather-related events, such as
Hurricane Sandy, as well as threats to our cyber infrastructure
which may have a direct impact on the security of our Federal
buildings.
While it is impossible to anticipate every threat, the
Department is taking a holistic approach to create a more
secure and resilient infrastructure environment to better
handle these challenges, and the work of the ISC exemplifies
these efforts.
Ensuring our Federal facilities are secure and resilient is
a large undertaking. But the work of our 53 member departments
and agencies to ensure those responsible for Federal facility
security have the tools and resources necessary to mitigate
these threats is worth noting.
In closing, I would like to thank you for the opportunity
to appear before you and discuss the important work of the ISC.
I look forward to answering any questions you may have.
Mr. Duncan. Thank you so much.
The Chairman will now recognize Mr. Goldstein for 5
minutes.
STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL
INFRASTRUCTURE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Goldstein. Good morning, Mr. Chairman and Members of
the subcommittee. We are pleased to be here today to discuss
our latest report on the Federal Protective Service and the
protection of Federal facilities.
As part of the Department of Homeland Security, the FPS is
responsible for protecting Federal employees and visitors in
approximately 9,600 Federal facilities.
Sadly, recent incidents at Federal facilities demonstrate
their continued vulnerability to attacks and other acts of
violence.
To help accomplish its mission, FPS conducts the facility
risk assessments and provides oversight of approximately 13,500
contract security guards deployed to Federal facilities.
My testimony today is based on the results of a September
2013 report which is being released by the subcommittee today,
previous GAO reports on this topic and the preliminary results
of work GAO conducted for a report that we will issue to the
Chairman later this year.
My testimony today discusses challenges FPS faces in
ensuring contract security guards deployed to Federal
facilities are properly trained and certified, and the extent
to which FPS and select Federal agencies' facility risk
assessment methodologies align with standards issued by the
ISC.
Our findings are as follows: First, the Federal Protective
Service faces challenges ensuring that contract guards have
been properly trained and certified before being deployed to
Federal facilities.
In particular, GAO found that providing active-shooter
response and screener training is a challenge for FPS. For
example, according to officials at five guard companies, their
contract guards have not received training on how to respond
during incidents involving an active shooter.
Without ensuring that all guards receive this training, FPS
has limited assurance that its guards are prepared for such a
threat. Similarly, officials from one of FPS' contract guard
companies stated that 133, about 38 percent of its
approximately 350 guards, had never received screener training.
As a result, those guards may be using X-ray and magnetometer
equipment at Federal facilities that they are not qualified to
use, raising questions about their ability to properly screen
access control points at Federal facilities, one of their
primary responsibilities.
We were unable to determine the extent to which FPS' guards
have received active-shooter response and screener training.
Second, GAO also found that FPS continues to lack effective
management controls to ensure its guards have met its training
and certification requirements.
For instance, although FPS agreed with GAO's 2010 and 2012
recommendations that it develop a comprehensive and reliable
system for managing information on guard's training,
certifications, and qualifications, it still does not have such
a system.
Additionally, 23 percent of nearly 300 guard files that GAO
examined, maintained by 11 of the 31 contract guard companies
we interviewed, lacked required training and certification
documents. Examples of missing items include documentation of
initial weapons and screener training and firearms
qualifications.
Finally, GAO's preliminary results on our risk assessment
report indicate that several agencies, including FPS, do not
use a methodology to assess risk at their facilities that
aligns with the ISC's risk assessment standards.
Risk assessments help decision makers identify and evaluate
security risks and implement protective measures to mitigate
risk. ISC's standards state that agencies' facility risk
assessment methodologies must, first, consider all of the
undesirable events identified by ISC as a possible risk to
Federal facilities, and, No. 2, assess the threat vulnerability
and consequences of specific undesirable events.
Most commonly, FPS and eight agencies' methodologies that
we reviewed are inconsistent with ISC standards because they do
not assess facilities' vulnerabilities to specific undesirable
events. If an agency does not know its facility's potential
vulnerabilities to specific scenarios, it cannot set priorities
to mitigate these vulnerabilities.
In addition, as GAO reported in August 2012, although
Federal agencies pay FPS millions of dollars to assess risk at
their facilities, FPS' own risk assessment tool is not
consistent with ISC's risk assessment standards, because it
does not assess consequence, the level, duration, and nature of
loss, resulting from undesirable events.
As a result, FPS and the agencies we reviewed may not have
a complete understanding of the risks facing approximately
57,000 Federal facilities located around the country, including
the 9,600 facilities that FPS protects. As mentioned, our final
report on this topic will be available later this fall.
Mr. Chairman, this completes my statement. I would be happy
to respond to any questions. Thank you.
[The prepared statement of Mr. Goldstein follows:]
Prepared Statement of Mark L. Goldstein
October 30, 2013
GAO HIGHLIGHTS
Highlights of GAO-14-128T, a testimony before the Subcommittee on
Oversight and Management Efficiency, Committee on Homeland Security,
House of Representatives.
Why GAO Did This Study
As part of the Department of Homeland Security (DHS), FPS is
responsible for protecting Federal employees and visitors in
approximately 9,600 Federal facilities under the control and custody of
the General Services Administration (GSA). Recent incidents at Federal
facilities demonstrate their continued vulnerability to attacks or
other acts of violence. To help accomplish its mission, FPS conducts
facility risk assessments and provides oversight of approximately
13,500 contract security guards deployed to Federal facilities.
This testimony is based on the results of our September 2013 report
(released by the subcommittee today), previous reports, and preliminary
results of work GAO conducted for a report that GAO plans to issue to
the Chairman later this year. GAO discusses: (1) Challenges FPS faces
in ensuring contract security guards deployed to Federal facilities are
properly trained and certified, and (2) the extent to which FPS and
select Federal agencies' facility risk assessment methodologies align
with standards issued by the ISC. To perform this work, GAO reviewed
FPS and guard company documentation and interviewed officials about
oversight of guards. GAO also reviewed FPS's and 8 Federal agencies'
risk assessment documentation and compared it to ISC's standards. These
agencies were selected based on their missions and types of facilities.
What GAO Recommends
DHS and FPS agreed with GAO's recommendations in its September 2013
report.
homeland security.--challenges associated with federal protective
service's contract guards and risk assessments at federal facilities
What GAO Found
The Federal Protective Service (FPS) faces challenges ensuring that
contract guards have been properly trained and certified before being
deployed to Federal facilities around the country. In a September 2013
report, GAO found that providing active-shooter response and screener
training is a challenge for FPS. For example, according to officials at
five guard companies, their contract guards have not received training
on how to respond during incidents involving an active shooter. Without
ensuring that all guards receive this training, FPS has limited
assurance that its guards are prepared for such a threat. Similarly,
officials from one of FPS's contract guard companies stated that 133
(about 38 percent) of its approximately 350 guards have never received
screener training. As a result, those guards may be using X-ray and
magnetometer equipment at Federal facilities that they are not
qualified to use, raising questions about their ability to properly
screen access control points at Federal facilities--one of their
primary responsibilities. We were unable to determine the extent to
which FPS's guards have received active-shooter response and screener
training. FPS agreed with GAO's 2013 recommendation that they take
steps to identify guards that have not had required training and
provide it to them. GAO also found that FPS continues to lack effective
management controls to ensure its guards have met its training and
certification requirements. For instance, although FPS agreed with
GAO's 2010 and 2012 recommendations that it develop a comprehensive and
reliable system for managing information on guards' training,
certifications, and qualifications, it still does not have such a
system. Additionally, 23 percent of the 276 guard files GAO examined
(maintained by 11 of the 31 guard companies we interviewed) lacked
required training and certification documentation. Examples of missing
items include documentation of initial weapons and screener training
and firearms qualifications.
GAO's preliminary results indicate that several agencies, including
FPS, do not use a methodology to assess risk at their facilities that
aligns with the Interagency Security Committee's (ISC) risk assessment
standards. Risk assessments help decision makers identify and evaluate
security risks and implement protective measures to mitigate the risk.
ISC's standards state that agencies' facility risk assessment
methodologies must: (1) Consider all of the undesirable events
identified by ISC as possible risks to Federal facilities, and (2)
assess the threat, vulnerability, and consequence of specific
undesirable events. Most commonly, agencies' methodologies that GAO
reviewed are inconsistent with ISC's standards because they do not
assess facilities' vulnerabilities to specific undesirable events. If
an agency does not know its facilities' potential vulnerabilities to
specific undesirable events, it cannot set priorities to mitigate these
vulnerabilities. In addition, as GAO reported in August 2012, although
Federal agencies pay FPS millions of dollars to assess risk at their
facilities, FPS's risk assessment tool is not consistent with ISC's
risk assessment standards because it does not assess consequence (i.e.,
the level, duration, and nature of loss resulting from undesirable
events). As a result, FPS and the other non-compliant agencies GAO
reviewed may not have a complete understanding of the risks facing
approximately 57,000 Federal facilities located around the country
(including the 9,600 protected by FPS).
Chairman Duncan, Ranking Member Barber, and Members of the
subcommittee: We are pleased to be here to discuss the results of our
September 2013 report, which the subcommittee is releasing today, and
the efforts of the Department of Homeland Security's (DHS) Federal
Protective Service (FPS) to protect the nearly 9,600 Federal facilities
that are under the control and custody of the General Services
Administration (GSA). The 2012 shooting at the Anderson Federal
Building in Long Beach, California, and the results of our 2009 covert
testing and FPS's on-going penetration testing demonstrate the
continued vulnerability of Federal facilities. Moreover, the challenge
of protecting Federal facilities is one of the major reasons why we
have designated Federal real property management as a high-risk
area.\1\
---------------------------------------------------------------------------
\1\ GAO, High Risk Series: An Update, GAO-13-283 (Washington, DC:
Feb. 14, 2013).
---------------------------------------------------------------------------
FPS is authorized: (1) To protect the buildings, grounds, and
property that are under the control and custody of GSA, as well as the
persons on the property; (2) to enforce Federal laws and regulations
aimed at protecting such property and persons on the property; and (3)
to investigate offenses against these buildings and persons.\2\ FPS
conducts its mission by providing security services through two types
of activities: (1) Physical security activities--conducting security
assessments and recommending countermeasures aimed at preventing
incidents--and, (2) law enforcement activities--proactively patrolling
facilities, responding to incidents, conducting criminal
investigations, and exercising arrest authority. To accomplish its
mission, FPS currently has almost 1,200 full-time employees and about
13,500 contract guards deployed at Federal facilities across the
country. It expects to receive approximately $1.3 billion in fees for
fiscal year 2013.\3\
---------------------------------------------------------------------------
\2\ Section 1315(a) of title 40, United States Code, provides that:
``To the extent provided for by transfers made pursuant to the Homeland
Security Act of 2002, the Secretary of Homeland Security . . . shall
protect the buildings, grounds, and property that are owned, occupied,
or secured by the Federal Government (including any agency,
instrumentality, or wholly owned or mixed-ownership corporation
thereof) and the persons on the property.''
\3\ To fund its operations, FPS charges fees for its security
services to Federal tenant agencies in GSA-controlled facilities.
---------------------------------------------------------------------------
Since 2008, we have reported on the challenges FPS faces with
carrying out its mission, including overseeing its contract guards and
assessing risk at Federal facilities. FPS's contract guard program is
the most visible component of the agency's operations, and the agency
relies on its guards to be its ``eyes and ears'' while performing their
duties. However, we reported in 2010 and again in 2013 that FPS
continues to experience difficulty ensuring that its guards have the
required training and certifications. Before guards are assigned to a
post (an area of responsibility) at a Federal facility, FPS requires
that they all undergo employee fitness determinations \4\ and complete
approximately 120 hours of training provided by the contractor and FPS,
including basic training and firearms training. Among other duties,
contract guards are responsible for controlling access to facilities;
conducting screening at access points to prevent the introduction of
prohibited items, such as weapons and explosives; and responding to
emergency situations involving facility safety and security.\5\ FPS
also faces challenges assessing risks at the 9,600 facilities under the
control and custody of GSA. For instance, in 2012, we reported that
FPS's ability to protect and secure Federal facilities has been
hampered by the absence of a risk assessment program that is consistent
with Federal standards.
---------------------------------------------------------------------------
\4\ A contractor employee's fitness determination is based on the
employee's suitability for work for or on behalf of the Government
based on character and conduct.
\5\ In general, guards may only detain, not arrest, individuals at
their facility. Some guards may have arrest authority under conditions
set forth by the individual States.
---------------------------------------------------------------------------
This testimony is based on our September 2013 report, released
today,\6\ previous reports,\7\ and preliminary results of work we
conducted for a report that we plan to issue to the Chairman later this
year.\8\ This testimony discusses: (1) Challenges FPS faces in ensuring
contract security guards deployed to Federal facilities are properly
trained and certified, and (2) the extent to which FPS and select
Federal agencies' facility risk assessment methodologies align with
Federal risk assessment standards issued by the Interagency Security
Committee (ISC).\9\ To identify challenges associated with ensuring
FPS's contract guards are properly trained and certified, we analyzed
selected guard services contracts active as of September 2012 and FPS's
Security Guard Information Manual. We drew a non-generalizable sample
of 31 contracts from FPS's 117 guard services contracts (one contract
for every guard company with which FPS has contracted for non-emergency
guard services).\10\ A subset (11) of the 31 guard contracts was chosen
based on geographic diversity and geographic density of contracts
within FPS regions to allow us to conduct file reviews for multiple
contracts during each of four site visits that we conducted. For each
of these 11 contracts, we reviewed the contracts as well as a random
sample of guard files associated with each contract. The remaining 20
guard services contracts we selected were the most recent contract for
each of the remaining guard companies that FPS had contracted with as
of November 2012. We also interviewed officials from each of the 31
contract guard companies.
---------------------------------------------------------------------------
\6\ GAO, Federal Protective Service: Challenges with Oversight of
Contract Guard Program Still Exist, and Additional Management Controls
Are Needed, GAO-13-694 (Washington, DC: September 2013).
\7\ GAO, Federal Protective Service: Actions Needed to Assess Risk
and Better Manage Contract Guards at Federal Facilities, GAO-12-739
(Washington, DC: August 2012), GAO, Homeland Security: Federal
Protective Service's Contract Guard Program Requires More Oversight and
Reassessment of Use of Contract Guards, GAO-10-341 (Washington, DC:
April 2010), and GAO, Homeland Security: The Federal Protective Service
Faces Several Challenges That Hamper Its Ability to Protect Federal
Facilities, GAO-08-683 (Washington, DC: June 2008).
\8\ That report will contain our final evaluation and
recommendations about agencies' risk assessment methodologies.
\9\ The Interagency Security Committee (ISC) was created pursuant
to Executive Order 12977, 60 Fed. Reg. 54411 (Oct. 19, 1995), as
amended by Executive Order 13286, 68 Fed. Reg. 10610 (March 5, 2003).
The ISC is a permanent body established to address continuing
Government-wide security for Federal facilities and was tasked with,
among other things, developing security standards for Federal
facilities. The ISC is comprised of primary members from Federal
Executive branch agencies designated by the Executive Order as well as
associate members from other agencies and departments not designated in
the Executive Order. The ISC is to be chaired by the Secretary of DHS
or a designee of the Secretary.
\10\ When we chose contracts for review, FPS had a total of 117
contracts with 32 guard companies. However, 1 of the 32 companies had a
contract with FPS for only emergency guard services. As such, we chose
1 contract for review for each company with which FPS had contracted
for non-emergency guard services as of November 2012.
---------------------------------------------------------------------------
To determine the extent to which contract guard companies
documented compliance with FPS's guard training and certification
requirements, we examined documentation related to our non-
generalizeable sample of 11 contracts, as previously discussed. From
these 11 contracts, we randomly selected 276 guard files to review for
compliance with FPS requirements. For each guard file, we compared the
file documents to a list of requirements contained in FPS's
Administrative Audit and Protective Security Officer File Review Forms,
which FPS uses to conduct its monthly guard file reviews.
To identify the management controls and processes FPS and the guard
companies use to ensure compliance with training, certification, and
qualification requirements, we reviewed FPS's procedures for: (1)
Conducting monthly guard file reviews; (2) documenting compliance with
guard training, certification, and qualification requirements; and (3)
monitoring performance. We also visited 4 of FPS's 11 regions to
discuss how regional officials ensure that guards are qualified to be
deployed to Federal facilities. We selected the 4 regions to provide
geographic density of contracts in the region to facilitate reviews of
guard files, diversity in the size of guard companies, and geographic
diversity. In addition, we interviewed officials from each of FPS's 31
guard companies regarding their policies and procedures for complying
with FPS's guard training and certification requirements. While the
results of our work are not generalizeable, about 40 percent of the GSA
facilities with guards are located in the four regions where we
conducted our site visits and our review of guard files involved 11 of
FPS's 31 guard companies. To assess the extent to which FPS's monthly
guard-file review results identified files with missing documentation
of training, certifications, and qualifications, we compared FPS's
monthly file review results from the month in which we conducted our
file review for each of the 11 contracts to identify guard files that
were included in both our review and FPS's monthly review. We
identified any discrepancies between the reviews and used FPS's file
review forms to examine the discrepancies.
To determine the extent to which FPS and select Federal agencies'
facility risk assessment methodologies align with ISC's risk assessment
standards, we reviewed and analyzed risk assessment documentation and
interviewed officials at 9 Federal agencies and compared each agency's
methodology to ISC's standards. The nine selected agencies include:
Department of Energy, Office of Health, Safety, and Security;
Department of Interior; Department of Justice, Justice Protective
Service; Department of State, Diplomatic Security; Department of
Veterans Affairs; Federal Emergency Management Agency; Federal
Protective Service; Nuclear Regulatory Commission; and Office of
Personnel Management. These agencies were selected to achieve diversity
with respect to the number and types of agencies' facilities, as well
as the agencies' missions.
We conducted our on-going work from August 2012 to October 2013 in
accordance with generally accepted Government auditing standards. Also,
our previously-issued reports were done in accordance with these
standards. Those standards require that we plan and perform the audit
to obtain sufficient, appropriate evidence to provide a reasonable
basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for
our findings and conclusions based on our audit objectives.
fps faces challenges ensuring contract guards have been properly
trained and certified before being deployed to federal facilities
Some FPS Contract Guards Have Not Received Required Training on
Responding to Active-Shooter Scenarios
According to FPS officials, since 2010 the agency has required its
guards to receive training on how to respond to an active-shooter
scenario. However, as our 2013 report shows,\11\ FPS faces challenges
providing active-shooter response training to all of its guards.
According to FPS officials, the agency provides guards with information
on how they should respond during an active-shooter incident as part of
the 8-hour FPS-provided orientation training. FPS officials were not
able to specify how much time is devoted to this training, but said
that it is a small portion of the 2-hour special situations
training.\12\ According to FPS's training documents, this training
includes instructions on how to notify law enforcement personnel,
secure the guard's area of responsibility, appropriate use of force,
and direct building occupants according to emergency plans.
---------------------------------------------------------------------------
\11\ GAO-13-694.
\12\ This training is provided during a block of training on
special situations, which includes information on how guards should
respond to situations other than their normal duties, such as reports
of missing or abducted children, bomb threats, and active-shooter
scenarios. FPS officials stated that guards hired before 2010 should
have received this information during guard-company-provided training
on the guards' post orders (which outline the guards' duties and
responsibilities) as part of basic and refresher training.
---------------------------------------------------------------------------
However, when we asked officials from 16 of the 31 contract guard
companies we spoke to if their guards had received training on how
guards should respond during active-shooter incidents, responses
varied.\13\ For example, of the 16 contract guard companies we
interviewed about this topic:
---------------------------------------------------------------------------
\13\ The remaining 15 guard companies did not respond to this
question.
---------------------------------------------------------------------------
officials from 8 contract guard companies stated that their
guards have received active-shooter scenario training during
FPS orientation;
officials from 5 guard companies stated that FPS has not
provided active-shooter scenario training to their guards
during the FPS-provided orientation training; and,
officials from 3 guard companies stated that FPS had not
provided active-shooter scenario training to their guards
during the FPS-provided orientation training, but that the
topic was covered at some other time.
We were unable to determine the extent to which FPS's guards have
received active-shooter response training. Without ensuring that all
guards receive training on how to respond to active-shooter incidents,
FPS has limited assurance that its guards are prepared for this threat.
FPS agreed with our recommendation that they take immediate steps to
determine which guards have not received this training and provide it
to them.
Some FPS Guards Have Not Received Required Screener Training
As part of their 120 hours of training, guards must receive 8 hours
of screener training from FPS on how to use X-ray and magnetometer
equipment. However, in our September 2013 report,\14\ we found that FPS
has not provided required screener training to all guards. Screener
training is important because many guards control access points at
Federal facilities and thus must be able to properly operate X-ray and
magnetometer machines and understand their results. In 2009 and 2010,
we reported that FPS had not provided screener training to 1,500
contract guards in one FPS region.\15\ In response to our reports, FPS
stated that it planned to implement a program to train its inspectors
to provide screener training to all of its contract guards. However, 3
years after our 2010 report, guards continue to be deployed to Federal
facilities who have never received this training. For example, an
official at one contract guard company stated that 133 of its
approximately 350 guards (about 38 percent) on three separate FPS
contracts (awarded in 2009) have never received their initial X-ray and
magnetometer training from FPS. The official stated that some of these
guards are working at screening posts. Further, officials at another
contract guard company in a different FPS region stated that, according
to their records, 78 of 295 (about 26 percent) guards deployed under
their contract have never received FPS's X-ray and magnetometer
training. These officials stated that FPS's regional officials were
informed of the problem, but allowed guards to continue to work under
this contract, despite not having completed required training. Because
FPS is responsible for this training, according to guard company
officials no action was taken against the company. Consequently, some
guards deployed to Federal facilities may be using X-ray and
magnetometer equipment that they are not qualified to use--thus raising
questions about the ability of some guards to execute a primary
responsibility to properly screen access control points at Federal
facilities. We were unable to determine the extent to which FPS's
guards have received screener training. FPS agreed with our
recommendation that they take immediate steps to determine which guards
have not received screener training and provide it to them.
---------------------------------------------------------------------------
\14\ GAO-13-694.
\15\ GAO, Homeland Security: Federal Protective Service Has Taken
Some Initial Steps to Address Its Challenges, but Vulnerabilities Still
Exist, GAO-09-1047T (Washington, DC: Sept. 23, 2009) and GAO-10-341.
---------------------------------------------------------------------------
FPS Lacks Effective Management Controls to Ensure Guards Have Met
Training and Certification Requirements
In our September 2013 report, we found that FPS continues to lack
effective management controls to ensure that guards have met training
and certification requirements. For example, although FPS agreed with
our 2010 and 2012 recommendations to develop a comprehensive and
reliable system for contract guard oversight, it still does not have
such a system. Without a comprehensive guard management system, FPS has
no independent means of ensuring that its contract guard companies have
met contract requirements, such as providing qualified guards to
Federal facilities. Instead, FPS requires its guard companies to
maintain files containing guard-training and certification information
and to provide it with a monthly report containing this information. In
our September 2013 report, we found that 23 percent of the 276 guard
files we reviewed (maintained by 11 of the 31 guard companies we
interviewed) lacked required training and certification
documentation.\16\ As shown in Table 1, some guard files lacked
documentation of basic training, semi-annual firearms qualifications,
screener training, the 40-hour refresher training (required every 3
years), and CPR certification.
---------------------------------------------------------------------------
\16\ See GAO-13-694. During our non-generalizeable review of 276
randomly-selected guard files, we found that 64 files (23 percent) were
missing one or more required documents.
TABLE 1.--TOTAL MISSING DOCUMENTS IDENTIFIED IN 64 OF 276 GUARD FILES
GAO REVIEWED
------------------------------------------------------------------------
Number of
Instances of
Requirement Each Missing
Document
------------------------------------------------------------------------
Copy of driver's license/State ID....................... 1
Domestic Violence ``Lautenberg'' Form................... 1
Medical certification................................... 1
Verified alien/immigration status....................... 3
Current baton certification............................. 3
Basic training.......................................... 3
Firearms qualifications................................. 3
First-aid certification................................. 5
FPS screener training--8 hours.......................... 5
FPS orientation......................................... 8
Contractor employee fitness determination............... 12
CPR certification....................................... 12
AED certification....................................... 12
Refresher training...................................... 15
Pre-employment drug testing............................. 16
Initial weapons training................................ 17
---------------
Total............................................. \1\ 117
------------------------------------------------------------------------
Source.--GAO analysis of contract guard company data.
Note.--These results are non-generalizeable and based on a review of 276
randomly-selected guard files for 11 of 117 FPS guard contracts.
\1\ Some of the files that did not comply with requirements were missing
more than one document, for a total of 117 missing documents.
FPS has also identified guard files that did not contain required
documentation. FPS's primary tool for ensuring that guard companies
comply with contractual requirements for guards' training,
certifications, and qualifications is to conduct monthly reviews of
guard companies' guard files. From March 2012 through March 2013, FPS
reviewed more than 23,000 guard files.\17\ It found that a majority of
the guard files had the required documentation but more than 800 (about
3 percent) did not. FPS's file reviews for that period showed files
missing, for example, documentation of screener training, initial
weapons training, CPR certification, and firearms qualifications.
However, as our September 2013 report explains, FPS's process for
conducting monthly file reviews does not include requirements for
reviewing and verifying the results, and we identified instances in
which FPS's monthly review results did not accurately reflect the
contents of guard files. For instance, FPS's review indicated that
required documentation was present for some guard files, but we were
not able to find documentation of training and certification, such as
initial weapons training, DHS orientation, and pre-employment drug
screenings.\18\ As a result of the lack of management controls, FPS is
not able to ensure that guards have met training and certification
requirements.
---------------------------------------------------------------------------
\17\ FPS has approximately 13,500 contract guards, but FPS may
review a guard file more than once annually.
\18\ For more information on this review and our methodology, see
GAO-13-694.
---------------------------------------------------------------------------
GAO's Recommendations to Improve the Management and Oversight of FPS's
Contract Guard Program
In our September 2013 report, we recommended that DHS and FPS take
the following actions:
take immediate steps to determine which guards have not had
screener or active-shooter scenario training and provide it to
them and, as part of developing a National curriculum, decide
how and how often these trainings will be provided in the
future;
require that contract guard companies' instructors be
certified to teach basic and refresher training courses to
guards and evaluate whether a standardized instructor
certification process should be implemented; and,
develop and implement procedures for monthly guard-file
reviews to ensure consistency in selecting files and verifying
the results.
DHS and FPS agreed with our recommendations.
preliminary results indicate that fps and select federal agencies' risk
assessment methodologies do not align with isc's risk assessment
standards
Risk assessments help decision makers identify and evaluate
security risks and implement protective measures to mitigate the
potential undesirable effects of these risks. ISC's risk assessment
standards state that agencies' facility risk assessment methodologies
must: Consider all of the undesirable events identified by ISC as
possible risks to Federal facilities, and assess the threat,
vulnerability, and consequence of specific undesirable events.
Preliminary results from our on-going review of 9 Federal agencies'
risk assessment methodologies indicate that several agencies, including
FPS, do not use a methodology that aligns with ISC's risk assessment
standards to assess Federal facilities.\19\
---------------------------------------------------------------------------
\19\ ISC's risk assessment standards define ``Federal facilities''
as Government-leased or -owned facilities in the United States occupied
by Federal employees for non-military activities. Aside from
intelligence-related exceptions, Executive branch agencies and
departments are required to cooperate and comply with ISC's standards,
including its risk assessment standards. These standards do not apply
to Legislative branch agencies and Federal facilities occupied by
military employees.
---------------------------------------------------------------------------
Most commonly, agencies' methodologies are not consistent with
ISC's standards because agencies do not assess their facilities'
vulnerabilities to specific undesirable events. For example, officials
from one agency told us that their vulnerability assessments are based
on the total number of protective measures in place at a facility,
rather than how vulnerable the facility is to specific undesirable
events, such as insider attacks or vehicle bombs. Because agencies'
risk assessment methodologies are inconsistent with ISC's risk
assessment standards, these agencies may not have a complete
understanding of the risks facing approximately 57,000 Federal
facilities located around the country--including the 9,600 protected by
FPS and several agencies' headquarters facilities.\20\
---------------------------------------------------------------------------
\21\ For example, if an agency's methodology does not consider all
the undesirable events identified by ISC, and/or it does not assess all
three components of risk (threat, vulnerability, and consequence), then
the agency would have an incomplete picture of risk at facilities
assessed using this methodology.
---------------------------------------------------------------------------
Moreover, because risk assessments play a critical role in helping
agencies tailor protective measures to reflect their facilities' unique
circumstances and risks, these agencies may not allocate security
resources effectively, i.e., they may provide too much or too little
protection at their facilities. Providing more protection at a facility
than is needed may result in an unnecessary expenditure of Government
resources, while providing too little protection may leave a facility
and its occupants vulnerable to attacks. For example, if an agency does
not know its facility's potential vulnerabilities to specific
undesirable events, it cannot set priorities to mitigate them.
In addition, we reported in 2012 that although Federal agencies pay
FPS millions of dollars to assess risk at their facilities, FPS's
interim facility assessment tool--the Modified Infrastructure Survey
Tool (MIST)--was not consistent with Federal risk assessment standards
and had other limitations. Specifically, FPS's risk assessment
methodology was inconsistent with ISC's risk assessment standards
because it did not assess the consequence of possible undesirable
events (i.e., the level, duration, and nature of loss resulting from
undesirable events). FPS officials told us that MIST was not designed
to assess consequence, and that adding this component would have
required additional testing and validation. However, without a risk
assessment tool that includes all three components of risk--threat,
vulnerability, and consequence--as we have recommended, FPS has limited
assurance that facility decision-makers can efficiently and effectively
prioritize programs and allocate resources to address existing and
potential security risks.\21\ Furthermore, because MIST also was not
designed to compare risks across facilities, FPS has limited assurance
that it prioritizes and mitigates critical risks within the agency's
portfolio of more than 9,600 Federal facilities.
---------------------------------------------------------------------------
\21\ FPS agreed with our 2012 recommendation, but has yet to
implement it.
---------------------------------------------------------------------------
This concludes our testimony. We are pleased to answer any
questions you, Ranking Member Barber, and Members of the subcommittee
might have.
Mr. Duncan. Well, I thank you so much, Mr. Goldstein and
all the witnesses for your excellent testimony.
Mr. O'Rourke is recognized.
Mr. O'Rourke. Mr. Chairman, I ask unanimous consent that
the gentlewoman from Texas, Ms. Jackson Lee, be allowed to sit
and question the witnesses at the hearing's end.
Mr. Duncan. Without objection, so ordered.
The Chairman will now recognize himself for 5 minutes.
My intent today is, since we do have a small committee,
active committee today, is just to allow us to delve into the
issue. We are going to try to adhere to the 5-minute rule, but
I will allow some leeway, because I do want some questions
answered and I want you to have--to feel free to--to really get
into the subject, but within reason. So.
What I would like to do is I want to go to the Navy Yard
shooting, Director Patterson, first, and ask you a question
about how a FPS officer actually engages an active shooter or
doesn't engage.
Then I will back up and start delving into the background
checks and what we do to make sure this doesn't happen.
I realize that we have a lot of Federal facilities. I also
realize that risk assessment is generally looking at keeping
someone from breaking into the facility from outside, and this
was a unique inside access issue with the Navy Yard shooter.
So, now we have had to think about that sort of thing
versus a typical risk assessment of a facility, looking at the
entries and exits and the guards, the personnel necessary to
secure the premises.
But now we have got a different scenario to think about.
So, according to your response letter to GAO's report,
Director Patterson, a protective service officer, or PSO's,
actions if unable to visibly see an active shooter, they are
dictated by his or her post orders. Although armed, a PSO is
not supposed to engage in tactics associated with law
enforcement response.
So, could you please explain in further detail what steps a
PSO is supposed to take in an active-shooting situation?
Mr. Patterson. Yes, sir, I sure can.
Well, first of all, sir, I just want to let you know that
our No. 1 priority is the protection of the people in the
Federal facility. That is No. 1.
The first--in the event of an active-shooting situation,
the first step to be taken by the PSO, because that is our
first line of defense, will be to call our megacenter, to allow
them to pass that information on to our megacenter. That is
where the information is passed that will allow not only that
information to be passed to our inspectors, but also to local
law enforcement, that there is a situation that is evolving or
taking place in that facility.
Mr. Duncan. Excuse me, just a second. Will you do that by
landline or would that be a radio comm?
Mr. Patterson. It will be both, sir. He will do it by
landline and then by radio comm.
Mr. Duncan. Okay.
Mr. Patterson. So that we have a general awareness of what
is going on. Then there will be an assessment by that PSO as to
what action that he needs to take next.
Our PSOs are trained to take action in emergency
situations. Because they are not Federal or State law
enforcement officials, they are constrained by--the contractor
is constrained by State law as to what he or his company can do
in these situations. So that is why we don't have what we call
active-shooter training, if you will, where our PSOs will go
out and actively pursue an active shooter.
However, if we come across a situation where that PSO is
the only individual in that facility and has no reasonable
expectation that law enforcement can respond in a reasonably
quick manner, then that individual will more than likely take
action to limit the damage of the active shooter.
Mr. Duncan. Let me ask this, because as you were talking, I
am trying to envision--you have an active shooter in a building
like the Navy Yard. The PSO hears the shots, understands lives
are possibly threatened, picks up the phone, calls his
supervisor to try to get permission or at least let them know
what is going on, but then try to get permission on how to act
beyond his post orders.
Does the same thing with radio comms. Coordination between
the PSOs within the facility. While these bureaucratic, seems
to me bureaucratic, steps are put in place or being activated,
are lives not threatened even further during that? Is there a
delay, I guess is what I am asking? Does that put the public
safety at risk?
Mr. Patterson. Unfortunately, sir, the challenge here is
that we don't know what is really happening and neither does
the PSO. So he has a responsibility to the people in that area.
His responsibility is to ensure that he can get either--keep
people from coming into the building or getting people out of
the building.
So he has got a job to do right there. In this case, we are
hoping, we believe that we are going to have a quick response
by either Federal law enforcement, our folks, or by the State
and local, if they are in the area. If the situation dictates
that we believe that we are in a remote area and we don't think
that someone is going to be able to come quickly, then he will
take action.
Mr. Duncan. Right, and I get that. We had a conversation
yesterday with staff about that scenario. The PSO actually
securing his entry-door exit, but also making sure that an exit
is available for personnel within the building to flee the
scene and make sure no one--another active shooter doesn't come
in as part of a team. So I get all that.
Mr. Patterson. Right.
Mr. Duncan. I just want to make sure there is not a delay.
You have answered that question fairly well.
So I want to go to Mr. Marshall and ask, if for any reason
an individual is deemed a threat, and I know with the Navy Yard
shooter, there was some evidence there, but whether it got to
the proper person to make that decision is still being
investigated. You know, how we miss those signals.
But if an individual is deemed a threat, are you able to
deactivate their access credential remotely? Talk me through
the process of how their credentials are pulled or their access
is denied and limited, if you could.
Mr. Marshall. Yes, sir. If derogatory information about an
individual reaches us, we will investigate it and we will take
the necessary steps to make sure that if that person is deemed
a threat after the investigation, we can deactivate their card.
Not only their card, but we can also deactivate their access in
whatever physical security access system or PACS system that
that person has access to.
That can be done remotely, yes, sir.
Mr. Duncan. That is on a swipe. But let's talk about maybe
a flash pass or some credential that they may have on their
persons. I guess at this point an actual supervisor would take
that, if it was a termination issue.
If it was an issue where they were going to restrict their
access, would they be issued an additional credential, a
different color, a different code on there, which I think is
important? How would that be handled?
Mr. Marshall. No, sir. If derogatory information reached
us, and it was deemed to be good information, we would
deactivate their card, both their card and also the access
system. We would bring them in and read them out, if they had a
security clearance, we would read them out.
So they would not only not have access to Classified
information any longer, they would also not have access to
facilities. An added step that we would take, once we would
deactivate their access, we would also do something called a
``do not admit''. That is a couple of different things. We
would go into our personnel security system, which is an
enterprise system, and make a notation in their record in the
personnel security system that they no longer have a clearance
or access to facilities.
We would also notify the buildings or the locations where
that person primarily has a mission responsibility, and we
would send a flyer with that individual's picture on it and
circumstances surrounding that person's removal of access to
that facility. So everybody would be notified.
Mr. Duncan. Yes. I think this has some implications with
how we deal with TSA and access Air Force training Mr. Hudson
may get into. Because I think we are looking at the whole scope
of access and whatnot.
Just my last question--you told the subcommittee staff at a
recent meeting that DHS lacks information on access control
systems across the DHS facilities. Headquarters is in the
process of compiling this information from its components. But
10 years after the Department's creation, it is unclear to me
why DHS headquarters would not know how to access DHS
facilities, how that is controlled throughout the Department.
So what is going on now? Is there some sort of uniformity,
some sort of activity now to--listen, I go to a lot of Federal
buildings here in this city and I know that access to every
building is different. Whether they are DHS-coordinated or
whether GSA handles that.
So what is going on? Are we looking for uniformity? Are we
looking for changes to those systems? If you could just tell me
that.
Mr. Marshall. Yes, sir. That is exactly what we are doing,
Congressman. We are moving towards a federated system.
Obviously, you know DHS is a legacy agency. We are formed
of agencies that were already in existence. As a result of that
legacy heritage, everybody had their own PACS systems, their
own access controls systems, and they are all completely
different.
So the first order of business when the Homeland Security
Presidential Directive 12 was implemented was to issue the PIV
cards. Because there is no sense in changing out all the
readers unless everybody had the card to use on the reader.
So that was a heavy lift. We issued over 250,000 PIV cards
with the help of the components. Everybody has a PIV card now.
So then the next step, the next phase was to roll out an
implementation of these legacy systems and eliminating them
altogether. Last fall, I issued a--with the help of my staff--
issued a PACS modernization strategy for DHS, which includes
headquarters and the eight components. That directed all the
components' chief security officers to develop implementation
plans on their strategy for switching out the PACS systems and
the readers.
They were required to submit implementation plans by early
2013. They all did. Now we are moving towards the roll out, the
switching out of the readers.
Headquarters, which I have oversight over, direct oversight
over, we have 34 facilities. All 34 facilities have been
switched out. We now have HSPD-12 compliant readers in all the
headquarters facilities.
FLETC, which is one of our components, it switched out all
their facilities. FEMA, which I am happy to say is leading the
effort with this, were the first to switch out all their
readers.
So we have--we are at various degrees of completion in this
whole process. I know ICE has started to switch out their
readers. They are at approximately 12 percent of switching out,
so they have begun their roll out.
I know TSA has begun their roll out. They are approximately
at 12 percent. Citizen Immigration Service, they are right
behind TSA and ICE, they are at about 9 percent.
So mostly the larger agencies like CBP and Coast Guard and
the Secret Service, to some degree, they are following close
behind. But the important thing to know for this committee is
that we have already begun that roll out and a lot of the
components are looking for funding streams to accelerate the
roll out, but we are well on our way.
Mr. Duncan. Yes, well, let me just say that I understand
the enormity of the number of Federal buildings across the
Nation that you are charged with trying to protect. It is going
to take a while. But I am glad to see a task force is looking
at that.
My final question--you mentioned 3,200 personnel security
guards have been trained. Where are they trained? Is that
private training and what is the process of certifying that
training facility? Or do they go to FLETC? Are they trained by
some sort of Governmental agency? Or is it all private?
Mr. Marshall. Is that question for me, sir?
Mr. Duncan. Yes.
Mr. Marshall. Okay.
Mr. Duncan. I think you are the one that said 3,200
officers have been trained.
Mr. Marshall. That wasn't me, sir.
Mr. Duncan. Okay. Was that Director Patterson?
Mr. Patterson. I am sorry. What was the context of the
question, sir? I am sorry.
Mr. Duncan. Well, regardless, how are the contract
personnel, the officers, trained? Are they trained at FLETC or
are they trained by private contractors? How is that facility
certified? I don't care who answers.
Mr. Patterson. Yes, sir, I can answer that. Yes. Our 13,000
contracting guards are trained in a couple of ways. One, much
of the training is done in-house by the contractor. But second,
we also, as FPS, our inspectors also are trained as trainers to
go out and provide much of the--some of the training as well.
For instance, firearms training is conducted by the
contractor, but overseen by a firearms instructor from FPS. So
there is some oversight where they are in fact doing the
training. So there are a number of training venues where you
have the contractor who is providing the training, but FPS is
providing oversight for that training.
Mr. Duncan. They are looking at the total curriculum, not
just firearms training?
Mr. Patterson. Yes, sir. That is exactly--yes, we look
across the spectrum. Now, there are some things that we just
leave to the contractor. It might be CPR. We probably don't
need to be involved in that and a few other things, but for the
most part, yes, we do have oversight.
Mr. Duncan. Thank you.
The Chairman will recognize Mr. O'Rourke, the acting
Ranking Member, for questions.
Mr. O'Rourke. I want to thank the Chairman again for making
today's hearing possible. I recognize that the true Ranking
Member has just arrived. I am going to keep my questions brief,
and then we will yield this chair to him.
But on this issue of balance, almost each of you mentioned
a risk-based approach and trying to balance the costs and
benefits both in dollars and security, and what it is we get
out of that. So, for Director Patterson, what kind of metrics
do you have or what numbers do you use to know whether or not
we have struck that right balance?
Then I want to ask a follow-up question on what you are
doing to implement some of the recommendations made by the GAO
with respect to that. But first, I would like to ask you to
respond to that question about balance and how you measure
that.
Mr. Patterson. Sure. Well, you know, we have over 9,500
Federal facilities that we are responsible for protecting. Of
those facilities, there are a large number that are what we
call facilities, security level 4, which really are a very high
priority. So we have to take a look at how we dedicate
resources to those facilities and doing assessments at those
facilities over a period of time.
So, we have a metric there that we look at those number of
facilities and how often we get to take a look at and use a
risk-based method, if you will, for how often we do surveys at
those facilities. Currently, we are surveying those facilities,
doing security facility security assessments approximately
every 3 years at our most sensitive and vulnerable, what we
feel to be, high-risk facilities.
But however, we are applying a risk-based model to look at,
you know, what are the real vulnerabilities there; what is the
threat; and do we really have to continue to expend really
scarce resources on doing it every 3 years, or could we extend
that out a little bit? So, we do have a metric there to look at
and work with the security council at those facilities to look
at what is the right mix of service that we provide relative to
the assessment process.
Mr. O'Rourke. Let me ask you a question, sorry to interrupt
you.
Mr. Patterson. Yes.
Mr. O'Rourke. You know, on one end of the spectrum, you
could pat down every single person who enters a Federal
facility; search every square inch of their cars they are
driving into a Federal garage. On the other end, you could wave
everybody through without taking any precautions. When you have
an event like the Navy Yard's shooting, how does that change
your assessment? How does that factor into looking at what you
are already doing right now? How does that change your
procedures and your policies? How does that change what you are
willing to spend on it or what you are willing to ask for to be
spent on it?
Mr. Patterson. Yes, we look at that very carefully. I will
tell you, you know, when an individual is given a PIV card,
there is a level of trust that the Government says that we are
giving to you based upon a background investigation. We still
have confidence in that background investigation process until
we find out that it is not serving us well. We still think--
believe that it has served us well.
So, as far as doing anything that would be beyond, or
moving beyond the current process that we utilize to bring
people into the building, we are looking at our processes. We
are evaluating them, but we think that they still hold true
relative to the protection that they provide us based on the
background investigation.
Mr. O'Rourke. Last question. In terms of GAO findings that
we weren't assessing risk at a number of Federal facilities;
some of the training issues that the Chairman has brought up,
do you agree with those conclusions and findings? Is your plan
over the coming year to actively address those based on those
conclusions reached in that report?
Mr. Patterson. Yes, sir. We have been addressing these
since 2010. What we are looking at is a multitude of ways that
we can approach the myriad of challenges that we have in this
area. We are looking at how we leverage technology. We are
looking at how we bring on more folks in specialized areas like
contract oversight that will help us to better understand what
is going on in our contracts.
We are looking at how we refocus the day-to-day efforts of
our inspectors to help us better understand how we can move
forward in providing a better service to our customers. So yes,
sir, we are, but we have been working on this since 2010 and we
have still got some ways to go, but I think we are making a lot
of progress.
Mr. O'Rourke. Thank you.
Mr. Chairman, I yield back.
Mr. Duncan. I thank the gentleman from Texas, and now
recognize the gentleman from North Carolina, the Chairman of
the Transportation Security Subcommittee, Mr. Hudson, for 5
minutes.
Mr. Hudson. Thank you, Mr. Chairman.
I want to thank our panel for being here today. I
appreciate your time and expert testimony.
Director Patterson, thank you for your service to our
country. One of the statements you made was that PSOs are
constrained by State law in terms of what they can do in
response to an incident. Can you help me understand that, maybe
give me an example of a State law that would prevent PSOs from
engaging an active shooter?
Mr. Patterson. Yes, sir. That would be in the use of
firearms. They are regulated--the States regulate the way that
they--what they can do and the use of their firearms. So,
because they are not Federal law enforcement officers, they
don't carry the same statutory authority as we do to go in and
take charge of searches in certain situations.
So, State laws will dictate whether or not a PSO has the
authority to go in and take certain actions that would normally
be performed by a law enforcement officer.
Mr. Hudson. Has there been any analysis of the impacts of
that? I assume, you know, there are certain States that we are
all aware of that have more strict gun control laws.
Mr. Patterson. Right. As a result of the Navy Yard
shooting, we are looking at that and working with our
contracting office. We are working with the legal folks, as
well as internally within DHS to take a look at, is there
something that we can do to maybe move beyond where we are now
to actually provide our contracting guards active-shooter
training so that it will in fact allow them to go out, pursue,
and function as a law enforcement officer would?
Mr. Hudson. I appreciate that.
I guess the follow-up question would be, as you look at, I
guess each State has different ways you can respond. I am still
concerned, though, that there is not--seems to be widespread-
enough active-shooter training for these guards, even if you
can't engage with a firearm. It seems like running through
scenarios and having training on how to deal with this type of
scenario would still be beneficial.
Mr. Patterson. Yes, sir. I totally agree. We are doing
that. We are looking at what training--we are working with the
security companies now to look at, you know, how we can deliver
that training and what training would be beneficial to them.
Yes, sir, we are doing that.
Mr. Hudson. Great. I think that is important.
What role did FPS play in the Navy Yard shooting
specifically? Could you maybe give us a little more details,
sort-of how that played out and what your role was in that
incident?
Mr. Patterson. Yes, sir. Well, we didn't play an active
role. What we did is when we received a notification that in
fact there was an active shooter at the Navy Yard, we did
recognize at that point--well, first of all, we were part of
the incident command center where the District of Columbia,
where the Defense Department and other Federal agencies had a
command center to more or less--information would pass back and
forth. So we put someone there so that we were in full
cognizance of what was going on.
We also recognized at that point that we had a Federal
facility that was adjacent, the Department of Transportation is
adjacent to the Navy Yard.
So we immediately contacted and worked with the Federal
folks there, and looked at whether or not we needed to shut
down the building and control access, and we did.
So, from that standpoint, what we did was we ensured that
we had complete control of the Federal facilities around the
Navy Yard, so that there was no egressor or someone coming in
that we--that shouldn't, as well as standing by for any
assistance that the folks at the Navy Yard might need.
Eventually, they did call us and ask for some canine
support that we provided. So we sent over a couple of our bomb
dogs to assist with their activities over there, as they were
working--going through the buildings to assess whether or not
the shooter had left some explosive devices.
Mr. Hudson. Thank you.
Mr. Marshall, according to several news reports, radios
failed law enforcement once they got inside the facility that
day. What has been done or is being done to ensure this problem
doesn't exist for Federal Protective Service or other Federal
partners?
Is there a radio interoperability issue that we need to be
aware of?
Mr. Marshall. Well, let me caveat my answer, Congressman,
with, first of all, I haven't been briefed on the Navy Yard
incident first-hand, so everything I know about what happened
there, is anecdotal.
But I--what I can speak on interoperability to some degree:
We learned some lessons, obviously, from 9/11, about the
inability of the NYPD and FDNY to interoperate during that
incident, so much so that it caused a lot of State and local
police departments around the United States to address that
issue.
In my former agency, I was actually in charge of addressing
that issue, going to an 800-megahertz radio system so that we
could interoperate with our regional partners and our allied
law enforcement agencies.
Specifically to your question, I did hear, second-hand,
that there were some interoperability problems at the Navy
Yard. I can speak, first-hand, about what actions I have taken
with respect to that issue at DHS headquarters.
I am fortunate enough at headquarters to have a cadre of
law enforcement officers who are FLETC-trained with full arrest
powers. We work in conjunction with the Federal Protective
Service and the contract guard force there.
We also have a great relationship with the Metropolitan
Police Second District that services the facility on the
Nebraska Avenue complex.
So I asked that question right after the Navy Yard. There
are some interoperability issues that we are addressing.
The first thing we did was, we have an opportunity to join
the regional police mutual aid radio network, also known as
PMARS. I first became acquainted with PMARS when I was a U.S.
Capitol police officer, back in the 1980s. So the U.S. Capitol
Police is a member of that organization.
So I have petitioned the Metropolitan Council of
Governments to become a member of the PMARS system. I believe
our application will be accepted, and hopefully when that is
implemented, we will be able to push a button, or somebody will
be able to push a button and everybody can go to a single talk
group and be able to address any kind of incident that might
occur.
Mr. Hudson. Appreciate that.
Mr. Chairman, I see I am out of time, so I yield back.
Mr. Duncan. I thank the gentleman.
Now, the Chairman will recognize the Ranking Member, the
gentleman from Arizona, Mr. Barber. Welcome to the committee
hearing. I know you had a mark-up today. As we mentioned
earlier, a lot of Members did. But I am glad you were able to
make it, and I recognize you for 5 minutes.
Mr. Barber. Thank you, Mr. Chairman.
Thanks to the witnesses. I am sorry I wasn't here to hear
your testimony in person, but I do have a couple questions.
They may have been asked and answered, but I would like to
explore them.
Let me start, if I could, with Mr. Goldstein.
The question, first of all, is: Based upon your review of
the security screening processes at Federal facilities, what is
your view of a need for a uniform standard, no matter what the
facility, where it is? Do you believe that we need to have that
imposed across all Federal facilities?
Mr. Goldstein. We haven't looked specifically at whether
that policy would be beneficial or not. But I can tell you that
the variety of systems used throughout the Federal facilities
combined with the fact that many officers, contract guard
officers have not been fully trained, certainly does not give
FPS or the public or workers, Federal employees, assurance that
the facilities are well-protected.
Those things combined I think do create problems for the
Government.
Mr. Barber. Well, let me follow up on what you just said
about training and the perhaps inadequacy of the training,
particularly with the companies under contract to provide
security services.
Could you give a couple of examples--you may have already
done it in your earlier testimony--of what you found in regard
to the training, of deficiencies with the security companies
that have been under contract with DHS?
Mr. Goldstein. Yes, sir. We found in our review, in the
report that is being released today, that several contract
guard companies that we interviewed did not have any experience
with FPS providing them the active-shooter training or the
screener training, both of which are required in their
contracts.
Mr. Barber. Having said that, let me ask Mr. Patterson a
follow-up question regarding that.
Every contract that the Federal Government lets has
expectations, I presume has performance standards. Could you
tell us what the expectations and the performance standards are
for contractors with regards to training of their personnel?
Mr. Patterson. Yes, sir. We have an expectation that every
guard who stands post at a magnetometer or X-ray machine will
be trained. Period.
Now, there are not X-ray machines and magnetometers at
every post. So, there could conceivably be, quite frankly, a
number of posts, a number of guards, who aren't necessarily
trained on X-ray and magnetometer services who are serving on
duty because they are not at one of those posts.
But our expectation is that if you are standing post at an
X-ray or magnetometer, you will be trained in that service.
Mr. Barber. Beyond that, I assume the contracts have some
specificity regarding other aspects of training the personnel.
Mr. Patterson. Yes, sir. There are about 13 certifications
that each PSO must have in order to take a position as a
contract guard, from firearms to CPR to, in some cases,
magnetometer and X-ray machine, safety, and things of that
nature.
Mr. Barber. So in order to get out in front of a problem
that apparently has been identified by the GAO, in other words,
finding those companies that have not fully met their
commitments under the contract, what can you, what have you
been doing proactively to find out where those deficiencies are
identified?
What, if any, contract requirements, in terms of any
reimbursement to the Federal Government or any potential loss
of contract--what happens, first of all, do you find it;
second, what happens when you find there is a problem with a
contract agency?
Mr. Patterson. Yes, sir. There are a number of things that
we do. First of all, our inspectors conduct what we call post
inspections. That means they go out to the facilities and they
talk to the guards and validate through a number of ways their
training. They actually--we are required--it is an FPS
requirement for us to review at least 10 percent per month of
all of the contractor training records for a particular
geographic area.
So if we, within a particular FPS region, that regional
director is required to go out and review at least 10 percent
of those records.
One of the challenges that we have had is that there have
been some inconsistencies in the process in which we review
those records. So we are getting that together now and figuring
out and going about a, or moving forward in a more uniform
manner in how we review those records.
Currently, I have directed a--we are conducting a 100
percent audit in four of the regions to take a look at how--and
when I say 100 percent, I am talking about 100 percent right
now. We are not gonna wait 10 percent, 10 percent, 10 percent.
It is 100 percent within the next few months--2 months, within
4 of our regions, so that we can validate and look at what, in
fact, our contractors are delivering to us, relative to the
training that they say that they are.
So, we are also developing, working with the Department of
Homeland Security Science and Technology group a way that we
can electronically validate and track this, so that I don't
have 600 of my law enforcement guys out trying to track down
over 160,000 training records, okay?
It is inefficient and ineffective right now.
So what we are trying to do is better--instead of having to
plow through these records every month, to create an electronic
system where these records can be folded into the system and
then we can review them that way without having to send our
folks to physically go and touch each record. Because it takes
a lot of time. Quite frankly, the records can change. Records
expire, they change. So in effect, when you have got 160,000
records at any given time, some of those records can be out of
date, just because they expire over time.
Mr. Barber. Well, I thank you. My time is up, but I just
want to urge you to continue this aggressive action to make
sure that everyone is trained to a standard, because that is
one way for sure that we can hope for the protection to be
universal across all Federal facilities.
Thank you, Mr. Chairman. I yield back.
Mr. Duncan. I thank the gentleman.
The Chairman will now recognize Ms. Jackson Lee, the
gentlelady from Texas, for 5 minutes.
Ms. Jackson Lee. Mr. Chairman, let me thank both you and
Mr. Barber for your courtesies and how timely a meeting this
is. I thank you so very much.
I hope that the witnesses, let me thank you for your
testimony, will view the work of this committee, this
subcommittee in particular, but the full committee Chairman and
Ranking Member, as partners in excellence. I see this hearing
as an attempt for excellence on behalf of the American people.
Certainly, although we know that the jurisdiction of the
Navy Yard falls in particular under DOD, and we know that there
is a pending investigation, let me just say for the record two
things before I pose my questions.
One, I hope that this committee will have another--I know
that we had some conversation, a secured briefing on the Navy
Yard circumstances. Second, as a Member of Congress, I am
always disturbed no matter what administration it is to rebuff
members by talking about a pending investigation. We are sworn
as officers of this Nation. We take an oath. We take a signed
statement on Classified information. But more importantly, that
is an easy way to hinder our oversight, which is it is a
pending investigation.
Well, a pending investigation could last for eternity. As I
reflect on having been here for 9/11, what we discovered and
should have been discovered--maybe it should have been
discovered preceding the heinous and horrific tragedy if there
was the appropriate interaction between the levels of
government with the Members of Congress both House and Senate.
So, I hope that the pending investigation of the Navy Yard
will either move quickly or that the persons engaged will
recognize that we, as Members of Congress, have a
responsibility to the American people and those lost souls to
be able to provide immediate solutions and resolutions. Which
lies in the questioning that I wish to pose and hopefully will
have the time to do so, as I thank all of the Members who are
here.
One, like the Ranking Member of the full committee, I
believe that we should be enormously concerned of the securing
of the Federal buildings that are throughout America. You could
look at the Navy Yard as a Federal entity. It had a different
jurisdiction, but it was penetrated, as was the Fort Hood in my
State, which we continue to mourn the loss of military
personnel and civilians who should have technically been on the
safest place--one of the safest places in America.
So, my question is to follow up on the training of those
who protect. I am reminded of the Holocaust Museum, which is I
guess semi-private, semi-public, but let me go further into how
do we get a handle on training those who are then contracted-
out on these Federal buildings? FPS contracts out. How do we
get a handle? Is there an inventory of all of these
contractors? Is there a set training structure for all of those
contractors? One question.
The second question is: Do we do continuous training of
these individuals that are hired? I want to say to those in the
Mickey Leland Building in Houston and FPS, we respect and thank
you for your great service. We want to make it better.
Last, this is a discussion I had with Chairman Duncan. I
would like to know from Homeland Security how you would
perceive having the responsibility of doing your background
check? Do you do your own background check? Could it not be
placed under the Office of Management to be able to have
control over the contractors that you contract, and also your
employees?
It is a simple task. Mr. Chairman, I know that I am down at
the limit, but I would ask for the ability for these
individuals to answer the question.
Mr. Duncan. I will grant a little leeway.
Ms. Jackson Lee. I thank you.
I haven't told--I will start with the gentleman from GAO,
but I would like a response from the interagency and others who
jump in on this last question dealing with the background
checks.
Mr. Goldstein. Ma'am, the work we have done that we are
presenting to the committee today doesn't actually get into the
issue of background checks. It was focused on the training and
the certification of the contract guards. So I am not really in
a position to answer that.
Ms. Jackson Lee. Yes, I wasn't asking you that. You answer
the question that you are able to do, which is the training of
the contractors and how often. I want other members to answer
the background checks question. Thank you.
Mr. Goldstein. Certainly.
We do feel that more attention to training and
certification on the part of FPS is required. Much of the
training that the contract guard companies say they are not
getting is training related to active shooters and to other
screening that is presented by FPS.
To some degree, there has been an issue of shortages among
personnel to get out to all the contractors, but to be fair,
they have had a number of years. We first raised the issue of
screener training about 4 years ago when we did penetration
testing at Federal facilities around the country and were able
to get bomb-making materials into 10 Federal buildings in 4
cities.
So this has been an open issue now for a number of years.
So, to still have Federal Protective Service contract guards at
Federal facilities who don't have the required training to be
in front of the machines they are using, this does not bode
well.
Ms. Jackson Lee. Again, the rest of the members there,
answer the question about do you do your internal background
checks, do you continuously have background checks on your
contractors? Do you believe with a structural change, maybe the
collaboration of this committee to internalize the background
checks on both contractors and on your own staff for homeland
security?
Mr. Marshall. Yes, ma'am, I can answer that question.
Everybody who works for the Department of Homeland
Security, both the Federal employee or contract employee, has
to have either a suitability determination or a fitness
determination. Essentially what that is is that even though
they are called two different things, the criteria is the same.
We are trying to determine if that person belongs in DHS and is
suitable for employment, and is in the best interest of the
agency and for the efficiency of Government.
We look at things like conduct in past employment, criminal
history, alcohol and drug abuse, that type of thing; whether or
not the person has engaged in any activities that are contrary
to U.S. interests and so forth.
With respect to contractors, they undergo the fitness. We,
DHS, we adjudicate for that fitness determination. If that
contractor has to have a security clearance, a National
security clearance, that is conducted by the Department of
Defense, Defense Security Service. They have jurisdiction over
those investigations under the National Industrial Security
Program.
So, we do the fitness and we do the adjudication for the
fitness to determine if that person is suitable, but any kind
of security clearance falls under the purview of the Department
of Defense.
Ms. Jackson Lee. So after you do your clearance, if they do
not need a National security clearance, that person is hired.
Mr. Marshall. Correct.
Ms. Jackson Lee. Do you do it for the contractors as well?
Mr. Marshall. Yes, ma'am. That is correct. If there is no
derogatory information developed, that person is deemed to be
suitable to enter on duty and they can come on-board.
Ms. Jackson Lee. May I ask Ms. Durkovich, you were tasked
by President Clinton to--the agency was tasked to set certain
standards for Federal buildings. Where is that in terms of its
implementation and oversight of the security of Federal
buildings throughout the Nation, I assume, working on the
security protocols for all of the Federal buildings?
Ms. Durkovich. Thank you. That is a very good question,
Congresswoman.
We have been hard at work for the last 17 years working
with our 53 member agencies to develop a set of physical
security criteria that is included in our risk-management
process for Federal facilities. This is applicable to 399,000
non-military Federal buildings across the United States. Our
member companies--our member organizations are responsible for
developing these standards.
Our risk-based process for Federal facility standards
includes six key elements, the first of which is establishing
the Federal security level for a building. That is driven by
the function of that particular building, the agencies that
reside in it, the people who pass through it, the iconic and
historical significance of that building.
Once that physical security level is set, we look at the
baseline standards and measures and mitigation measures that
are applicable to that building, and then look at 31 different,
what we call design basis threat scenarios. So it ranges from
active-shooter scenarios to arson to water to small aircraft.
Based on those scenarios and physical--the facility security
level, the facility is responsible for implementing the
physical security criteria.
All of the member agencies, according to the Executive
Order, shall comply with the standards that they develop. So I
would say over the course of the last 17 years, we have been
very successful in helping implement a baseline security
standard for non-military Federal facilities.
Ms. Jackson Lee. What is the oversight? Who is checking?
Ms. Durkovich. At this juncture, we do not have the
resources to do formal compliance. Many of our member agencies
have developed risk assessment tools that allow them to ensure
that they are in compliance with these standards.
We are looking at ways to begin more of a soft compliance
effort, but again, the Executive Order requires our member
agencies to comply with the standards that this interagency
body develops.
Mr. Duncan. Ms. Jackson Lee, we may have time for another
round of questions. So I----
Ms. Jackson Lee. But can I just thank you very much for
your courtesies? I would just like to put one question on the
record. I will not ask for an answer. I didn't hear from Mr.
Patterson. That one question on the record, if we could get an
answer, is: Does FPS do--FPS, does it do continuing background
checks on its contractors once the contract is given? Is there
an on-going check on the individuals that are utilized?
Mr. Chairman, Mr. Barber, thank you for your courtesy.
Mr. Duncan. Thank you, Ms. Jackson Lee.
That is a question we can have answered.
I am going to go into a second round of questioning. I know
Members do have a lot of interest in this subject, including
myself.
I want to follow up on--I recognize myself for 5 minutes--I
want to follow up on an issue that Mr. Hudson brought up about
the radios, because I think that is important, communications
inside of a building and communication with local law
enforcement is tremendously important.
In my State, the Palmetto State, South Carolina, we learned
after Hurricane Hugo that law enforcement needs to be able to
communicate all across the State. I believe with a homeland
security grant back after 9/11, the State of South Carolina
went to an 800-megahertz radio system that we had highway
patrol and DNR, and local sheriffs' agencies were all able to
communicate in the event of an emergency.
I understand that inside the District of Columbia, FPS may
not want to hear all the chatter that is going on on the Hill
and at the White House and at every other Federal building.
That could be a little overwhelming if you were having to
monitor all of that. But in the event of an active shooter, can
they communicate with other law enforcement personnel about
what is actually going on?
So I am going to ask Mr. Marshall if you could just follow
up on that. What are we doing? What steps are we taking to
address the issue raised by the gentleman from North Carolina?
Mr. Marshall. Congressman, I would like nothing better than
to have an 800-megahertz radio capability within DHS. Speaking
first-hand, like I said, I have implemented that in the local
police department here in Maryland, a neighboring police
department. The capabilities are tremendous with an 800-
megahertz radio system.
You don't have to listen to, like you said, all the chatter
at the Federal buildings and so forth. But in the event of an
active shooter, you would be notified to go to a specific talk
group, everybody involved in that incident, say. Let's use the
DHS headquarters, for example, on Nebraska Avenue. If, God
forbid, something were to happen at DHS headquarters, we can
notify our colleagues at the Federal Protective Service,
Metropolitan Police Second District, my force protection group,
to all go to a specific talk group to handle that incident.
You are absolutely right. That capability is vital in any
kind of incident.
Mr. Duncan. Would something like an 800-megahertz system be
able to penetrate most of the walls so most of the Federal
facilities would be able to communicate?
Mr. Marshall. Yes, sir. In my experience now, obviously, we
would have to do something called acceptance testing. We would
have to--once we were able to acquire that capability, we would
have to go to certain spots on a grid and test the radio to
find out where those dead spots might be. But from my
experience, it works in like 99 percent of the locations, at
least where I came from.
But again, that capability is vital. So if that is
available, I know those 800-megahertz frequencies are like
hen's teeth. They are hard to get your hands on, because I
think most of them are taken up. But I believe the Metropolitan
Police is on an 800-megahertz system. If for some reason we
could--or some, you know, capability to attach ourselves to the
Metropolitan Police or, for that matter, Federal Protective
Service or any other Federal Government agency who has that
800-megahertz frequency, that would be the ideal situation in
the District of Columbia.
Mr. Duncan. Right. Well, thanks for that. I may have taken
Mr. Hudson's question, but it was on my mind.
I want to ask you one other thing. Mr. Marshall, what have
we learned about background checks and information flow that
would affect clearances like we saw with the Navy Yard shooter,
where local law enforcement, even supervisory positions within
the agency they worked for, they had indicators?
So how does that--what have we learned? How does that
information flow down to the person that makes the decision on
who gets clearances or not? Just tell me what we have learned
and how we are applying it.
Mr. Marshall. Okay. First of all, you mentioned the local
agencies. One of the things I have always been troubled with
with respect to local agencies is that there are roughly
between 18,000 and 20,000 police departments or law enforcement
agencies, sheriffs, local police, State police, and Federal
agencies within the United States.
The thing that has troubled me about what, the information
we receive from the State and locals and the Federals, is that
not all of those agencies contribute to, like, the FBI CJIS
system. A person can be arrested in your State, the Palmetto
State, and some small police department. They may not be a
contributor to the FBI database. So that when we go to do our
agency checks and our fingerprint checks, we may not have
access to that information of that person's arrest within South
Carolina.
So, that is a gap. That is a gap that I think can be
remedied. I don't know what it would take, maybe legislation
perhaps, but that if we can get more of these agencies--and I
don't know what percentage that are out there that don't
contribute. But I believe it is large enough that we could
probably close that gap somewhat by maybe encouraging,
legislating for these folks to contribute, particularly if they
get Homeland Security money.
Now, with respect to the second part of your question,
again, I wasn't briefed on the Navy Yard shooting specifically.
But what I know through the media accounts and some anecdotal
comments or conversations I have had with other people, from
what I know, Mr. Alexis had a security clearance with the Navy.
When he left the Navy, it was still an in-scope clearance,
meaning that the investigation was within the required time
frame in order for the organization he was going to to accept
that investigation on reciprocity.
We are required by Executive Order in the Federal
Government to accept security clearances on reciprocity if
there is an investigation that we can point to. The one thing
about reciprocity is that we are also required to accept it on
its face. We are not allowed to do any additional checks unless
we have information--derogatory information to the contrary.
So, it looks to me, not having been briefed, that the
contracting company accepted Mr. Alexis's security clearance on
reciprocity, which was one gap, without having to do additional
checks. That also there was a faulty investigation. There was
information within the investigation that was done by a private
contractor that wasn't accurate.
So, it was almost like a perfect storm. It was a gap that
was--it was unfortunately hard to overcome.
Mr. Duncan. Yes, we are human. I get that.
Mr. Marshall. Yes, sir.
Mr. Duncan. Timing is everything. So, I don't have any
further questions. I will ask the gentleman from North Carolina
if he would like to follow up with a 5-minute question.
Mr. Hudson. Thank you, Mr. Chairman.
I guess I would like to maybe get back to this issue of
communications between, you know, FPS and the local and State
agencies. Mr. Marshall mentioned there are 18,000 to 20,000 law
enforcement agencies around the United States.
In terms of passing along warnings, intelligence,
information about suspects, could you, Mr. Marshall, and also
Director Patterson answer if you like, maybe talk about what
the gaps are that exist there, whether it is information flow
from DHS down or from local law enforcements up, FPS, back and
forth.
What are the gaps in communications? What are the real
challenges?
I know some were highlighted with the Boston bombing
incident, others may--we may have learned lessons from the Navy
Yard. But what are some of the challenges we are facing when it
comes to that up-and-down communication?
Mr. Marshall. Well, Congressman, we are very fortunate in
the Washington, DC, area to have so many law enforcement
agencies, both Federal and local, and, of course, the regional
county police departments.
We are all members of that fraternity here, within this
region. I believe we communicate very well together. We are all
part of different working groups and organizations,
intelligence organizations.
So, I believe our sharing capability is a good one here,
within this region.
Where I have seen some gaps during my time here is when you
get outside of this D.C. area and you deal with people who are
coming in from other parts of the country. We don't always
communicate well in that regard.
We rely heavily on information from the criminal justice
information system. If we see somebody suspicious, obviously,
we would rely on a radio check for, you know, a criminal
history check or a radio check, wants and wanted type of BOLOs
and so forth.
But regionally, I think we are okay. It is when we get
outside of this region where I don't think we share often as
well as we should.
Mr. Hudson. Director Patterson.
Mr. Patterson. Yes, sir. I would agree with Mr. Marshall
that within the region here, I think we do a pretty good job.
Part of the challenges that we have in FPS is that, as you
well know, we are in 50 States. Some of our inspectors have to
travel a very long way to move from facility to facility,
sometimes between States.
The challenge there sometimes is that the radio--the
connectivity that they have when they leave one State to go to
another State, we lose it.
So we have to work within those States or with other
Federal agencies to try to help us bridge between the
facilities, sometimes, that our inspectors may travel.
On the intelligence side of things, though, I think we do
pretty well, because we try to link up with each one of the
States' fusion centers, as many as we can. We have people that
are linked and members of the joint terrorism task forces.
So relative to threat information and those kind of things,
we think we move that information fairly well up and down and
have pretty good access.
It is sometimes--what concerns me sometimes is just the
ability and officer safety issue of, can my officer or can my
inspector communicate or call for help if, in fact, he runs
into a problem, if he is maybe somewhere in the northern tier,
where it is--he is right out in the middle of nowhere and help
is a bit of ways away, and he has got to figure out which radio
he is or how he is gonna communicate back to ask for help?
We are working that. We are working within the Department,
and we are working with State and local as well as other
Federal agencies, again, to bridge those gaps where we
recognize them.
Mr. Hudson. Appreciate that. Obviously I think this
committee is very concerned about this issue, so please keep us
informed as you move forward with this.
Just to sort-of redirect a little bit, Ms. Durkovich, you
talked a little bit about sort-of different facilities that are
leased or owned by GSA and the different security level
depending on the type of facility.
You talked about the fact that ISC has set security
standard guidelines for these non-Federal--or non-military
Federal facilities.
How well does the Federal Protective Service, in your
opinion, follow these policies? Does their adherence differ
based on the different type of location of the Federal
facilities?
Ms. Durkovich. Let me begin--and, first of all, thank you
very much for that question--but by saying that FPS is an
active member of the Interagency Security Committee.
We have worked over the course of the last several years,
both at--within the Office of Infrastructure Protection, but
certainly with--within ISC to help them understand and
implement the various standards, guidelines, and practices that
we develop. Certainly, as they have worked to develop their own
assessment tool, it has been done with the ISC standards in
mind.
I would say that they do a very good job. Again, it varies
on the facility security level and the measures that are
implemented at each of those facilities. But they have to work
very closely with the facility security committee within each
of those buildings to ensure that they are providing a level of
security that is consistent with the Federal security level and
the standards that are outlined by the ISC.
They are, again, a very active participant in the ISC. They
sit on a number of our standing committees, on a number of our
working groups, to include the active-shooter working group.
They recently chaired a working group on prohibited Federal
items, which has become a standard for Federal facilities
across the Nation, and have worked very closely with us with
some best practices on armed security guards.
So they are an active, robust member, again of the ISC, and
I think do a very good job of implementing the standards and
best practices that we promulgate.
Mr. Hudson. Thank you.
Mr. Chairman, thanks for the leeway. I will yield back.
Mr. Duncan. Thank you, Mr. Hudson.
The Chairman will recognize the Ranking Member for the last
and final questions.
Mr. Barber. Thank you, Mr. Chairman.
Once again, thanks to our witnesses this morning for your
testimony and for the work you are doing to make sure that
Federal facilities, the people who work in them, and the people
who come to them are properly protected.
I just wanted to continue with a question for Mr. Patterson
regarding what you are doing proactively, I guess, to probe and
test how well safety and security standards are being
implemented.
Within the context of this open hearing, you may not be
able to say all, but what can you tell us about what you are
doing proactively to find out whether or not these facilities
are following the standards that have been established?
What do you do when you find that they are not?
Mr. Patterson. Sir. Yes, sir.
Well, one of the things that we are doing proactively is
that we are creating something called a portfolio approach for
each one of our inspectors. That means that the inspector will
take ownership of a series of buildings, okay, and within those
buildings will have responsibility to ensure that he or she are
meeting with the facility security committees and others in
there to ensure that we are, No. 1, in compliance or that they
are in compliance with whatever standards that have been set
forth for that facility.
So that is a very proactive approach by us to ensure that
we don't miss anything in a movement forward to better
understand how we can, if you will, better do our job.
We are working with the NASCO, the National Association of
Security Companies, in looking at how we can collaborate, how
we can partner in working in training our PSOs, relative to
giving them the best training, better training, and to fill in
the gaps that were pointed to today by the General Accounting
Office, so that the next time that we come before this
committee, we are not talking about some of the challenges that
we are having there, because we have, in fact, taken a
proactive approach in filling that, because we are working
collaboratively with the security companies.
We are also looking at partnering with local law
enforcement in areas, departments, to help us in our response
times, to ensure that when there are challenges for our
inspectors to get to Federal facilities, that we do have an
agreement and a partnership with them that they will respond
sometimes when we cannot.
So there are a myriad of things that we are looking for as
moving forward to ensure that we have a very comprehensive
approach to how the people, which are the most important thing,
are protected in those facilities in the event of something
bad, if you will.
Mr. Barber. Does your proactive work include deliberately
trying to breach these securities?
Mr. Patterson. Yes, sir, we have a program called the
covert testing program, where we actually have--we have a
number of scenarios that we introduce through the system when
we, through the magnetometer, X-ray, and it is done by our
special agents, who are trained in introducing these objects.
Once--you know, if there is a failure, then what we do is
we work with the contractor to, No. 1, that we have identified
a failure. Then we work to train those individuals so that
there is an understanding of what just happened, what did we
just do? How do we fix this? How do we rectify the situation so
that it doesn't happen again?
Sometimes we have to do it more than once, quite frankly,
to--it is the process of standing behind a magnetometer X-ray
machine, it can be a perishable skill if you are not doing it
often.
So one of the things that we are doing proactively is to
work with the contractors to look at, you know, how often this
training is being delivered to them? Then we are gonna look at
how often we are testing that, and then using a metric there to
see how well we are performing in that area.
Mr. Barber. Let me just ask you one last question before my
time expires.
Mr. Patterson. Sure.
Mr. Barber. Obviously, every Federal agency has been asked
to not only tighten their belt but cinch it up so tight you can
hardly breathe.
What impact have budget cuts or appropriation reductions
had on your ability to get the job done?
Mr. Patterson. We are still able to get the job done, sir.
You know, we have to work smarter. We look to how we leverage
technology to do things that maybe we had done using an
individual, and now--so, we are getting the job done, even with
the sequestration and some of the budget cuts that have been
coming. I am confident that we will continue to be able to
effectively get the job done as we move forward.
Mr. Barber. Thank you, Mr. Chairman. I yield back.
Mr. Duncan. I want to thank the committee Members for their
participation today, and thank the witnesses. As we mentioned,
I think the goal of the hearing was to provide oversight of the
DHS, and what it is currently doing to make sure that we
protect Federal facilities, and what steps, if any, need to be
taken to make sure that instances like the Navy Yard don't
happen at any other Federal facilities.
I want to thank you for your leadership and your valuable
testimony today. You answered a lot of questions for us as we
delved into that. So I want to thank you for that, and the
Members for their valuable questions.
Members of the subcommittee may have additional questions.
We ask that you respond to those in writing.
Without objection--any other questions, or without
objection, the subcommittee will stand adjourned.
[Whereupon, at 11:11 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Question From Chairman Jeff Duncan for L. Eric Patterson
Question. What is the status of the standardized National Lesson
Plan for guards, and the revising of the Security Guard Information
Manual (SGIM)?
When will the National Lesson Plan for guards be implemented?
Answer. The Federal Protective Service (FPS) recognizes that
ensuring that Protective Security Officers receive quality training is
key to the success of the FPS protective mission. As such, FPS is
working with the National Association of Security Companies (NASCO) to
conduct a curriculum review of all Protective Security Officer (PSO)
training. This review will consider long-standing requirements
pertaining to PSO training and will result in a comprehensive PSO basic
training curricula complete with written and performance measures. FPS
anticipates that the PSO National Lesson Plan will be finalized and
available for implemention in fiscal year 2015. The Security Guard
Information Manual (SGIM) is undergoing a complete revision and will be
released as the FPS Protective Security Officer Security Manager and
Resource Tool (SMART) Book. An updated version of the SMART Book is
expected to be released by the end of the second quarter of fiscal year
2014.
Questions From Ranking Member Ron Barber for L. Eric Patterson
Question 1. Does FPS conduct on-going evaluations of both its
contract guards and Federal workforce?
Answer. The Federal Protective Service (FPS) conducts rigorous and
continuous Protective Security Officer (PSO) contract performance
monitoring through various methods, including post inspections,
administrative audits, monitoring of contractor-provided training and
firearms qualifications, penetration tests, and obtaining customer
feedback. FPS adheres to policies and procedures to ensure proper
contract monitoring, including FPS Directive 15.9.1.3 ``Contract
Protective Security Force Performance Monitoring'' and Office of
Procurement Operations (OPO) Procurement Operating Procedure (POP)
403R4 ``Contractor Performance Assessment Reporting and Procedure''.
FPS Contracting Officers have the ability and authority to take
contractual actions to address contractor performance that does not
comply with contract terms and conditions. Specifically, FPS employs
remedies available under the Federal Acquisition Regulations and within
the terms of its contracts to address contractor performance issues. A
number of remedies are available for a contractor's non-performance or
unacceptable performance in FPS PSO contracts. Remedies include, but
are not limited to monitoring of contractor corrective action plans,
assessing monetary deductions, directing removal of a contractor
employee from performing under a contract, electing not to exercise a
contract option, or terminating a contract for default or cause.
To ensure robust contractor oversight, FPS is currently in the
process of hiring and training 39 Contracting Officer Representatives
(COR). CORs will assist FPS Contracting Officers in identifying adverse
contract performance and taking timely corrective action.
FPS adheres to the performance management regulations established
by the Office of Personnel Management, and guidelines of the Department
of Homeland Security and National Protection Programs Directorate to
evaluate Federal employee performance.
Question 2. Mr. Patterson, what protocols are used by FPS' facility
security officers and facility security committee members to determine
which standards to implement at Federal facilities?
Answer. The Federal Protective Service (FPS) provides Facility
Security Committee members with recommendations as part of the FPS's
Facility Security Assessment (FSA) process. FPS designed its FSA
process to meet the requirements of the Interagency Security
Committee's (ISC) Risk Management Process for Federal Facilities. The
FSA report provided by FPS includes an assessment of threats and
vulnerabilities, and a comparison of the baseline level of protection
called for in the ISC process with the existing level of protection at
the facility, and FPS's recommendations for countermeasures to mitigate
risk.
FPS has also established an FSA steering committee to ensure
consistency in implementation of the FSA program. The primary mission
of the Steering Committee is the coordination of all FSA-related
standards, programs, and operational applications. The Steering
Committee serves as the FSA consultation entity, providing
clarification and updates on development of the FPS FSA program. The
Steering Committee also assists FPS Regions with guidance on the
implementation of FSA reports, policies, and applications.
Question 3. How does FPS intend to address the shortcomings of its
risk assessment methodology as identified by GAO, particularly its
absence of a component to assess consequence?
Answer. The Federal Protective Service (FPS) has incorporated the
Interagency Security Committee's (ISC) Risk Management Process for
Federal Facilities into its current Facility Security Assessment (FSA)
process. Specifically, the FSA process includes the ISC's Facility
Security Level (FSL) Determinations, Physical Security Criteria for
Federal Facilities, and the Design Basis Threat as incorporated into
the Modified Infrastructure Survey Tool to identify and mitigate
vulnerabilities. FPS also conducts a threat assessment and provides a
Threat Assessment Report as part of each FSA, to ensure that
stakeholders have an understanding of the threats they face.
While potential impacts are considered as part of the FSL
determination, FPS is continuing to explore the inclusion of
consequence into the process. Quantifying applicable categories of
consequence for Federal facilities and incorporating them into an
algorithm in an assessment tool, however, is currently not feasible as
there is not a body of work existing to facilitate such development.
FPS continues to work with the ISC to explore consequences and impacts
in the context of Federal facilities and missions.
Question 4a. FPS has a long history of budget woes due to its
reliance on fees, and a workforce that has too many contract guard
staff. Further, GAO has documented that FPS' contract guard staff has
been about 13,000 since 2001.
What is the current ratio of contract guard to Federal guard staff
at FPS?
Question 4b. What elements are contained in FPS' contracts
pertaining to the training curriculum used by private firms to train
and certify guards?
Answer. To accomplish its protective mission, the Federal
Protective Service (FPS) employs Law Enforcement Personnel as well as
contract Protective Security Officers (PSOs) who work in tandem to
attend to daily security needs at Federal facilities and respond to
threats directed against the facilities or the personnel working within
them. Law Enforcement Personnel and PSOs have separate, but
complementary, roles and responsibilities in ensuring Federal facility
security.
FPS directly employs approximately 1,007 Law Enforcement Personnel
who are trained physical security experts and sworn law enforcement
officers employed directly by the Federal Government. Law Enforcement
Personnel perform a variety of critical functions, including conducting
comprehensive security assessments of vulnerabilities at facilities,
developing and implementing protective countermeasures, and providing
uniformed police response and investigative follow-up. FPS Law
Enforcement Personnel also conduct PSO guard post inspections on a
daily basis.
FPS also contracts approximately 13,000 PSOs, often referred to as
``security guards.'' PSOs are responsible for controlling access to
Federal facilities, detecting and reporting criminal activities, and
responding to emergency situations.
PSOs also ensure prohibited items, such as firearms, explosives,
knives, and other dangerous weapons, do not enter Federal facilities.
It is important to note that PSOs are not sworn Law Enforcement
officers. FPS works with the private guard companies to ensure the
guards have met the certification, training, and qualification
requirements specified in the contracts. These include, but are not
limited to, FPS orientation, National Weapons Detection training,
weapons qualification for both lethal and non-lethal weapons, FPS Basic
Training, which covers subject areas such as defensive tactics, legal
authorities, and response to incidents such as workplace violence, and
bomb threats, and any State, local, and customer-specific requirements.
It is important to note that the FPS does not unilaterally
determine the total number of PSOs Nationally. Rather, the FPS works in
partnership with tenant Facility Security Committees to build a
consensus regarding the number of guard posts appropriate for each
individual facility. The number of posts is determined by a number of
factors, including a facility's security level, Facility Security
Assessment, and the security needs and preferences of tenant agencies.
Questions From Chairman Jeff Duncan for Caitlin Durkovich
Question 1. Ms. Durkovich, in your role as chair of the Interagency
Security Committee, what steps are you taking to make sure that Federal
agencies are compliant in utilizing the committee's standards for
physical security?
Answer. Executive Order (EO) 12977 states that each executive
agency and department shall cooperate and comply with the policies and
recommendations of the Interagency Security Committee (ISC) issued
pursuant to the order, but at this time the committee does not have the
resources to carry out enforcement for nearly 400,000 facilities
Nation-wide. The ISC relies on agencies to conduct their own compliance
as required by the EO.
That said, the ISC is examining potential options to support
agencies' compliance efforts and is currently reviewing internal member
agencies' best practices and lessons learned to develop a strategy to
propose to the ISC membership. This work is being conducted through the
ISC's Lessons Learned and Best Practices Working Group; a group
established as a result of Government Accountability Office (GAO)
Recommendation Report GAO 12-901 Federal Real Property Security--
Interagency Security Committee Should Implement a Lessons Learned
Process.
Additionally, the ISC has also developed a strategy for Federal
departments and agencies to ensure risk assessment data tools are
compliant with ISC standards. To date, one tool has been certified as
ISC compliant and another tool is in the queue for certification.
Question 2. Please explain the actions your staff is taking to
increase the rate of utilization of the committee's standards.
Answer. The ISC is developing an outreach strategy to improve
engagement, marketing, and training efforts. The plan defines the goals
and objectives of future outreach efforts; specifies the target
audience of outreach activities; and describes outreach options. This
strategy also consists of a number of on-line training programs,
personal interaction, printed materials, and on-line communications.
The ISC currently relies on Chief Security Officers (CSOs) and
working group representatives to share information about ISC standards
and best practices. The ISC is developing an enhanced outreach plan to
increase awareness and improve marketing and training efforts. The plan
will increase marketing activities, providing CSOs with materials they
can share with their facilities, as well as new on-line training
programs, on-line communications, and greater personal interaction.
Question 3. How do you evaluate the outcomes of your agency's
outreach efforts in terms of measuring Federal agencies' usage of the
Interagency Security Committee's standards?
Answer. As noted above, the ISC is currently assessing and
enhancing its outreach efforts. The Interagency Security Committee
Outreach Strategic Plan will provide a foundation for the ISC's
implementation of outreach activities to increase awareness,
understanding, and use of the ISC Standards, guidelines, best
practices, and white papers among Federal agencies. The ISC developed a
plan that defines the goals and objectives of future outreach efforts;
specifies target audiences; and describes three categories of outreach
options: Printed materials, personal interaction, and on-line
communications which is consistent with the GAO's recommendations. An
important aspect of the ISC's outreach is training and the ISC is
currently doubling training available to Federal agencies. Both on-line
and in-person training will be amplified through implementation of the
plan. The implementation of the outreach plan will enable the ISC to
better measure the most effective and efficient approach for increasing
awareness, understanding, and application of the ISC standards.
Question From Chairman Jeff Duncan for Greg Marshall
Question. During the October 30 hearing, you discussed remotely
deactivating access credentials if a change in an individual's
suitability occurs. To clarify, how long does the deactivation process
take? Can it be done in real time to avoid potential threat?
Answer. The deactivation process can be done in real time and from
remote locations. Execution of this access removal process includes the
revocation of the individual's Personal Identification Verification
Card (PIV card) in the Identity Management System (IDMS), suspension of
access in the electronic physical access control system (PACS) that
services the component who employs the individual, and updates to
security guard post orders to include ``Do Not Admit'' instructions
associated with the individual. Manual notifications are provided via
email and/or telephone to all respective organizational points of
contact to support facilities where either visual inspection or
electronic verification is performed. Automated PIV card revocation
checks is a functionality that is supported by the IDMS. DHS is
currently working to deploy this capability to all the components.
Questions From Ranking Member Ron Barber for Greg Marshall
Question 1. Mr. Marshall, please explain to the committee what
standards are involved in granting individuals' access to Federal
facilities. Also, what process is used to identify and individual as
being suitable for Federal employment?
Question 2. Also, please describe to the committee how the mental
health of an individual is taken into consideration when making a
determination about his or her suitability for Federal employment?
Answer. All individuals working for or on behalf of the DHS must
undergo a background investigation with favorable results. In order for
an individual to gain access to a DHS facility, a criminal history
check with favorable results must be completed. For issuance of a PIV
card, the background investigation must be initiated in accordance with
Homeland Security Presidential Directive 12 requirements.
DHS adheres to all Federal regulations and guidelines for
suitability for Federal employment. DHS uses the criteria set forth in
5 Code of Federal Regulations, Part 731, to assess an individual's
suitability. The individual completes security paperwork, Standard Form
(SF) 85P, and undergoes a background investigation. Based on the
suitability criteria, an adjudicative determination is made whether the
individual will promote the integrity and efficiency of the service.
Currently, there are no requirements for individuals to report
mental health information when applying for Federal employment for non-
cleared positions; however, OPM does permit agencies to use the SF 85P-
S supplemental form for positions that require the carrying of a
firearm. This supplemental questionnaire does require individuals to
report consultation with mental health professionals and/or health care
providers regarding a mental health condition. Otherwise, when DHS
adjudicates a background investigation, the mental health condition of
an individual is only considered to determine eligibility for access to
National security information. It is reviewed when the individual
chooses to report this information on standard security form SF-86, or
during investigative interviews and other records checks. In cases
where mental health information is not reported in an investigation by
the individual, references, or by review of records, potential mental
health issues are not examined. This poses a vulnerability and risk to
the Department.
In National security clearance investigations, DHS can obtain
mental health records when the information is reported either on the
security forms or through investigative interviews. This is in
accordance with Executive Order 12968, Access to Classified Information
and its implementing guidance. Additionally, the Adjudicative
Guidelines for Determining Eligibility for Access to Classified
Information requires DHS to evaluate an individual's ability to handle
and protect National security information. DHS renders adjudicative
determinations for access to classified material.
When evaluating the information, DHS must apply the adjudicative
criteria, which includes evaluating whether an individual's mental
health condition adversely affects the individual's judgment and
trustworthiness to safeguard classified information.
Question 3. Mr. Marshall, what authority and access do you as a
security professional have to the mental health records of individuals
seeking approval for access into Government facilities, or to be
cleared for Federal employment?
Answer. As a security professional, I do not have categorical
access to mental health records for the approval of access into DHS
facilities or to be cleared (suitable) for Federal employment. In
National security clearance investigations, DHS can only obtain mental
health records when the information is reported either on security
forms or through investigative interviews, and then only with the
consent of the individual being investigated and the cooperation of the
provider. At DHS, when applicants submit their security forms, included
in their packages are signed release forms that allow investigators the
ability to pursue information reported by the applicants on their SF 86
or other security/suitability questionnaire. The applicant's signature
signals ``consent'' and the intent of the applicant for mental health
providers to ``cooperate'' with any investigation. This is in
accordance with Executive Orders and implementing guidance.
Question 4. With regard to suitability assessments, does the
Department contract with private firms to conduct background checks? If
so, who is responsible for vetting contractors who conduct the checks?
Answer. Yes, the Department does contract with private firms to
conduct background checks. The Office of Personnel Management and the
Department of Defense have oversight responsibility for the background
investigation contract workforce. OPM delegates investigative authority
to certain DHS components, who then employ contract background
investigators. It is a requirement of the delegation that contract
investigators must have been appropriately adjudicated. The Department
of Defense has responsibilities regarding the security clearance
adjudications of contract employees under the National Industrial
Security Program. DHS accepts reciprocity of the investigation and
adjudication of contract background investigators.
Questions From Chairman Jeff Duncan for Mark Goldstein
Question 1. Your testimony noted that taxpayer dollars may be put
at risk because of problems with FPS's risk assessment process.
Specifically, you said that these problems may result in facilities
with too much or too little protection.
On this issue, I think back to earlier in the year when many were
alarmed by FPS's presence at protests outside IRS buildings. How does
the risk assessment process impact FPS's responses to specific events,
such as peaceful protests?
Answer. Risk assessments, which are among FPS's physical security
responsibilities, allow FPS to determine which protective measures
should be in place at a facility. Responding to events/incidents, such
as peaceful protests, is among FPS's law enforcement responsibilities.
While the risk assessment process does not directly influence how FPS
responds to specific events, it allows FPS to determine whether and
what types of protective measures are needed to help mitigate the risks
associated with these events.
Question 2. How does the fact that FPS collects fees for certain
services impact the oversight performed by DHS? Do you think because
FPS collects fees for certain security services that less oversight is
conducted by DHS than if the programs were based on appropriations?
Answer. We have not conducted the work necessary to answer this
question. For information on FPS's fee design, proposed alternatives,
and challenges related to FPS and customer agency budget formulation,
please see GAO's May 2011 report Budget Issues: Better Fee Design Would
Improve Federal Protective Service's and Federal Agencies' Planning and
Budgeting for Security (GAO-11-492).
Questions From Ranking Member Ron Barber for Mark Goldstein
Question 1. Mr. Goldstein, is there a need to impose a uniform
physical security screening standard across the Federal Government?
Also, should the Capitol Hill standard of administering a full
screening of all personnel and visitors to Federal facilities
regardless of their security clearance status be adopted?
Answer. We have not conducted the work necessary to answer this
question.
Question 2. What process do agencies and departments use to
determine which physical screening standards to apply throughout the
Federal Government?
Answer. To determine which physical screening measures to implement
at Federal facilities, Federal agencies generally conduct risk
assessments. These assessments evaluate the threat, vulnerability, and
consequence of undesirable events (such as terrorist attacks or other
acts of violence) occurring at a facility. After the assessments are
completed, the information is used to determine risk and to recommend
countermeasures, such as physical screening measures, to mitigate it.
�