United States General Accounting Office GAO Testimony Before the Subcommittee on Oversight, Investigations, and Emergency Management, Committee on Transportation and Infrastructure House of Representatives For release on Delivery Expected at 2:00 p.m. EDT GENERAL SERVICES Thursday October 7, 1999 ADMINISTRATION Status of Efforts to Improve Management of Building Security Upgrade Program Statement of Bernard L. Ungar, Director Government Business Operations Issues General Government Division GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program Madame Chairwoman and Members of the Subcommittee: I am pleased to be here today to discuss the General Services Administration’s (GSA) progress in upgrading the security of federal buildings under its operation. As you know, following the April 19, 1995, bombing of the Murrah Federal Building in Oklahoma City, the President directed the Department of Justice (DOJ) to assess the vulnerability of federal office buildings, particularly to acts of terrorism and other forms of violence. Under the direction of DOJ, an interagency working group comprising security professionals from nine federal departments and agencies issued in June 1995 a report recommending specific minimum security standards for federal buildings. Subsequently, the President directed executive departments and agencies to upgrade the security of their facilities to the extent feasible based on the DOJ report’s recommendations. The President gave GSA this responsibility for the buildings it controls, and in July 1995, GSA initiated a multimillion-dollar security enhancement program for these buildings. We would like to discuss our past and current work on GSA’s building security upgrade program. First, we reported to the Subcommittee on Public Buildings and Economic Development in June 1998 that GSA was making progress in upgrading security in its buildings, but we noted that 1 there were problems remaining in the security upgrade program. We pointed out that data reliability problems prevented GSA and us from determining the exact status of security upgrades or the cost of the building security upgrade program. We expressed concerns about whether all GSA buildings had been evaluated for security needs and whether funding sources for needed security upgrades had been determined. In addition, we pointed out that, because it had not established program outcome measures, GSA did not know the extent to which completed upgrades had resulted in greater security or reduced vulnerability for federal office buildings. Further, GSA had not resumed security-related building evaluations, which it curtailed after the Oklahoma City bombing, nor had GSA updated its risk assessment methodology to ensure that a wider range of risks would be addressed during these evaluations. We concluded, therefore, that GSA was not in a good position to manage its program to mitigate security threats to its buildings, and we recommended that GSA take the following steps: • ensure completion of security evaluations for all of its buildings; 1 General Services Administration: Many Building Security Upgrades Made But Problems Have Hindered Program Implementation (GAO/T-GGD-98-141, June 4, 1998). Page 1 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program • correct the data in its upgrade tracking and accounting systems; • complete agreements with the Office of Management and Budget (OMB) regarding funding the costs of its building security program; • develop outcome-oriented goals and measures for its building security program; and • complete review of its security risk assessment methodology and resume periodic security inspections of its buildings. At the Subcommittee’s request, we have followed up on GSA’s progress in implementing these recommendations. In summary, we found that GSA has made progress in implementing our recommendations. Specifically, we found that: • GSA directed its regions to reassess the security of all the buildings in its inventory by April 1,1999, for two purposes: (1) to ensure that all of its buildings have been assessed and meet the DOJ minimum standards for security, and (2) to determine whether the security upgrade information for each building was correctly represented in both the upgrade tracking system and the accounting system; • GSA completed negotiations with OMB and, as a result, has a means of recouping more of its building security costs; • GSA, however, still lacks completely accurate data in its upgrade tracking and accounting systems and has not completed development of outcome- oriented goals and measures for its building security program; • GSA decided on a new risk assessment methodology and is in the process of evaluating how to implement the methodology in future building security surveys; and finally, • GSA’s recent reassessment of each building was to mark the restart of the routine physical security surveys that were suspended because of a lack of sufficient personnel after the Oklahoma City bombing. I would like to briefly describe our scope and methodology in responding to your request and preparing this statement. We interviewed key GSA officials at headquarters in Washington, D.C.; at 4 GSA regional offices; and at 31 GSA buildings we visited throughout the country. In addition, we observed the operations of security upgrades installed in selected buildings in each of these GSA regions. We obtained and reviewed GSA’s Office of Inspector General (OIG) reports on the security upgrade program, the DOJ report, and GSA documents relating to the steps it has taken in response to our 1998 recommendations. We held discussions and obtained data from representatives of OMB and several federal agencies that have personnel housed in GSA-owned and -leased buildings. We Page 2 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program coordinated our work with GSA’s OIG. We did not evaluate the overall effectiveness of GSA’s building security program. We did our work from June 1999 to October 1999 in accordance with generally accepted government auditing standards. We have included more details about our scope and methodology in the attachment. In our June 1998 testimony, we said that, because of the unreliability of the Steps Taken to GSA’s building security upgrade tracking system, neither GSA nor we Complete Evaluations could determine whether all GSA buildings had been evaluated for security and Correct Data needs. Further, we said that we could not make a reliable determination of the status of the building security upgrade program because of errors in GSA’s building security upgrade tracking system. In addition, we reported that we could not reliably determine the actual costs or obligations incurred by GSA for security upgrades because GSA’s accounting system also contained significant errors. We found in our most recent work that GSA has acted to ensure that its buildings have been assessed for security needs and to correct the data in its upgrade tracking system. It appears that, as a result of GSA’s efforts, at least 98 percent of GSA’s high-risk buildings and at least 96 percent of its lower-risk buildings have been evaluated for security needs and that the accuracy of GSA’s security upgrade tracking system has improved. However, GSA recognizes that its accounting system still contains errors, some of which pertain to funds reported by GSA’s OIG as inappropriately expended. In May 1998, GSA’s Federal Protective Service (FPS) directed its staff in GSA’s 11 regions to assess each GSA-controlled building to ensure that security evaluations had been completed and verify that the security upgrades in place were accurately reflected in GSA’s building security upgrade tracking and accounting systems. The regions were further directed to submit to FPS headquarters certifications that all buildings in their respective regions had been assessed and that security upgrade data in the tracking and accounting systems had been reviewed, verified, and where needed, corrected. The directive stated that these actions were to be completed for all high-risk (level IV) buildings by October 1, 1998, and 2 for all lower-risk (level I through III) buildings by April 1, 1999. According to GSA, these assessments were also to mark the restart of the periodic building security inspections that GSA had curtailed after the bombing incident in 1995. 2 According to GSA’s database, as of July 7, 1999, there were 803 level IV buildings and 6,535 level I through III buildings under its control. Page 3 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program Subsequently, each FPS regional director provided FPS headquarters certifications that the directive had been met, and that all buildings in each region had been assessed and the appropriate corrections made to the tracking and accounting systems, with a few exceptions—relating primarily to the errors in the accounting system--noted. According to FPS officials, to do these reassessments, regional FPS physical security specialists met with each building’s GSA and agency tenant representatives to inspect and evaluate the security needs of the building. Building Evaluations A GSA headquarters official told us that at least 97 percent of GSA’s buildings were assessed as a result of this initiative. We randomly sampled Completed 300 buildings (150 level IV and 150 level I through III buildings) from GSA’s nationwide building inventory, and contacted each building’s physical security specialist, and requested the assessment report for each building. Based on our analysis of the information and documentation provided to us on our sampled buildings, it appears that 98 to 100 percent of GSA’s high-risk buildings and 96 to 100 percent of its lower-risk buildings have now been assessed for security needs. Tracking System In our June 1998 testimony, we reported that we had reviewed the security upgrade records for 53 buildings, inspected the security upgrades in place Corrections at 43 of these buildings, and compared the upgrades in place in the buildings with the data shown in GSA’s upgrade tracking system. We reported that GSA’s building security upgrade tracking system contained errors in 24, or 45 percent, of the buildings reviewed. In addition, we cited a similar study by GSA’s OIG that found that in 65, or 54 percent, of the buildings it reviewed, the status of the security upgrades in the buildings was not accurately reflected in the building security upgrade tracking system. We recently visited 31 of the buildings reviewed either by the OIG or us and found that most of the inaccuracies in the tracking system previously identified had been corrected. Specifically, in our earlier review, we found that 163 security upgrades in these 31 buildings were inaccurately recorded in the tracking system. During our most recent visits to these buildings, we found that corrections had been made in the tracking system for 152 of the upgrades. For example, we found earlier that a privately- owned building in which GSA leased space would not allow GSA to install certain security upgrades because building management believed that the upgrades would inconvenience private tenants. However, the upgrades were shown as completed in the tracking system. In our most recent review, we found that the upgrades had been cancelled out of the upgrade tracking system. Page 4 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program In an another example, the OIG had found six inoperable closed circuit television cameras in one building, while the upgrade tracking system showed that these cameras were a completed security upgrade. Our recent visit to this building revealed that all six of the cameras were installed and operational. On the other hand, we found that the tracking system continued to contain some errors. We found errors relating to 11 upgrades in 10 of the 31 buildings we visited. Examples of these errors include the following: • For one building, 15 light poles for the building parking lot were shown as a completed upgrade in the tracking system; in fact, we found that GSA had installed two mercury vapor lights in the building’s parking lot instead of the 15 light poles • In another building, the tracking system showed that two magnetometers and two x-ray machines were completed upgrades; we found that only one magnetometer and one x-ray machine were operating in the building • In yet another building, the upgrade tracking system showed that an x-ray machine was a completed upgrade; we found that the x-ray machine was in storage inside the building. New upgrade tracking system: GSA officials also told us that a new system is being developed that will replace the existing building security upgrade tracking system by early next year. The current building security upgrade tracking system, developed to track all security upgrades by building, became operational in early 1996. However, GSA officials have described the tracking system as inflexible and ineffective. According to GSA, the new upgrade tracking system is designed to be easier to use and a more reliable source for building security upgrade status. The new system was developed with the help of GSA’s Regional Physical Security Specialists who, as part of a team, provided input on the needs and requirements of such a system. GSA officials anticipate that any needed changes to data in the new tracking system will be easier to make and thus believe the new system will more accurately reflect the status of building security upgrades. According to GSA, the new tracking system also is to interface with GSA’s System for Tracking and Administering Real Property (STAR), a database of building and tenant information used by GSA for, among other things, rent calculations. According to GSA, its Southwest region in Ft. Worth, TX, is to begin piloting the new system in November 1999, prior to its planned implementation across all regions. Page 5 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program Accounting System We reported in June 1998 that we couldn’t reliably determine the actual costs or obligations incurred by GSA for security upgrades because GSA’s Corrections accounting system, like its tracking system, contained significant errors. GSA attributed the inaccuracies in its accounting system to errors GSA personnel made when they recorded obligations for upgrade transactions in the accounting system. Our June 1998 testimony cited several examples of these errors, including one in which about $1 million in obligations related to GSA programs other than building security had been erroneously recorded in the accounting system as building security program obligations, and another in which about $9.7 million in estimated costs for building security upgrades shown in the tracking system had no corresponding obligations recorded in the accounting system. According to GSA officials and documentation they provided to us, GSA’s efforts to correct security upgrade cost data in its accounting system have not been completely successful. GSA officials told us that, when the building security upgrade program first began, there was uncertainty concerning which funding code was to be used for security upgrade capital costs. GSA intended that obligations for all upgrades should come from specially coded funds setaside specifically for the building security program. However, GSA regional officials were not all aware of the special funding code until after a number of upgrades had been entered into the system under another code. In addition, GSA officials explained that the cost figures in the security upgrade tracking system were only estimates, while the cost figures in the accounting system represented actual costs, which led to numerous discrepancies between the two systems. Further, they said that correcting data in the accounting system was more difficult than correcting the data in the upgrade tracking system because the accounting system would not allow some changes to be made, particularly changes to data that had been in the accounting system for 2 years or more. As a result, the costs of security upgrades in the accounting system still do not correspond to those recorded in the tracking system, and the accounting system still contains security upgrade costs charged to the wrong funding code. Inappropriate use of upgrade funds: In an audit report dated March 18, 1999, GSA’s OIG reported 10 incidents of GSA’s using security upgrade funds, totaling $926,638, for items that were not related to the building security program or were not approved by GSA headquarters. The OIG reported that these funds were used for such items as new doors, radio equipment, renovation of judges’ chambers, and the buildout of an agency’s space. GSA officials explained to us that some of these items Page 6 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program were security related, and they had not attempted to change how the costs of these items were recorded in the accounting system; for other items, changes to the programs that these items were charged to in the accounting system were attempted, but the system would not allow the changes to be made. Examples of these reported inappropriate uses of security program funds by GSA include the following: 1. GSA regional officials told us that some construction work necessary to complete approved security measures was paid for with building security funds. These officials considered the cost of the work a valid building security program cost and charged it to the building security program in the accounting system, even though this cost was not an approved security-related cost recorded in the tracking system. 2. According to a regional GSA official, GSA purchased security communications equipment that was not an approved security upgrade recorded in the upgrade tracking system. The GSA official told us that they have since added the communication equipment to the upgrade tracking system. 3. GSA regional officials told us that a new security system had been approved as a security upgrade for an older building. The security system involved door contacts to detect opening of the doors. However, because the doors were old and warped, the contacts wouldn’t work. GSA officials told us that FPS had requested approval from headquarters to replace the doors, but that while FPS waited for approval, the building manager authorized the replacement. The officials told us that they subsequently attempted to change the funding code in the accounting system to show that the cost of the doors was not to be charged to the building security program, but that the system would not accept the change. The $233,000 cost of the doors remains under the wrong accounting code in the accounting system. 4. GSA regional officials stated that they made changes to correct the funding codes for the costs incurred at two other federal buildings for items that were inappropriately charged to the building security program in the accounting system. According to GSA officials, the cost of demolition work for a GSA construction project at one building and the cost of an antenna system at another were inappropriately paid out of building security program funds. They said that, subsequently, the accounting system was changed to reflect the appropriate funding code and source for the costs of these two projects. Page 7 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program According to GSA data, in fiscal year 1994, before the April 1995 bombing OMB-GSA Security of the federal building in Oklahoma City, GSA obligated about $96 million Costs Reimbursement for security. By fiscal year 1997, it’s obligations for security had increased Negotiations to $258 million. For fiscal years 1999 and 2000, GSA estimates that its obligations for security will be about $291 million and $289 million, respectively. Further, GSA’s 5-year plan (fiscal years 2001 to 2005) shows estimated capital expenditures of $2.3 billion for blast mitigation, surveillance upgrades, and chemical and biological detection equipment for heating, ventilating, and air conditioning systems. We reported in our June 1998 testimony that GSA has faced the problem of uncertain funding for the costs of its building security program since increased emphasis was placed on security following the Oklahoma City bombing. The DOJ report anticipated that funding the numerous security upgrades would be problematic and recommended that GSA consider increasing the rent charged to federal agencies to pay for the increased costs of upgraded security. We, in turn, recommended that GSA complete agreements with OMB on the most appropriate means of funding the security needs of GSA-operated buildings at the minimum standard levels recommended in the DOJ report. Since that time, GSA and OMB have agreed on two major points concerning funding the cost of security for GSA-leased, -owned, or - controlled federal buildings. First, beginning in fiscal year 2000, all federal agencies are to pay a security charge of $0.16 a square foot instead of the previous $0.06 per square foot as part of the lease payment. The new security charge was developed to cover the cost of (1) national control centers that provide central monitoring of alarms and dispatch of emergency personnel; (2) security evaluations and reassessments conducted by FPS officials; and (3) investigations by GSA law enforcement officers of reported crimes in federal buildings. Second, federal agencies are to be required to pay increased building-specific fees that reflect the operational costs of the security enhancements and amortization of newly identified capital cost items beyond those already installed. The new $0.16 a square foot charge was effective for fiscal years 1998 and 1999 for new and renovated GSA buildings, and is to go into effect in all other existing buildings beginning in fiscal year 2000. The building-specific fee increases were effective for all buildings beginning in fiscal year 1999. GSA estimates that, at a minimum, it will not recover $43 million in fiscal year 1999 and $44.7 million in fiscal year 2000 for its patrol and response costs, for which it has no agreement with OMB for billing the agencies. There may be other unrecovered costs, but according to a GSA official, Page 8 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program GSA does not specifically track security program revenues to identify unrecovered costs. No determination has been made on how to fund the proposed $2.3 billion in security capital costs in GSA’s 5- year plan. In our June 1998 testimony we reported that we did not believe that GSA Security Goals and had sufficient information on security program goals and results for us or Measures Still Not GSA to know the extent to which upgrades had improved security or Fully Developed reduced federal office building vulnerability to acts of terrorism or other forms of violence. In addition, we said that, without sufficient information, GSA could not evaluate whether the benefits justify the costs of the upgrades. As you know, the Government Performance and Results Act of 1993 (the Results Act) requires every major federal agency to establish its mission, its goals and how they will be achieved, how its performance toward meeting its goals will be measured, and how performance measures will be used to make improvements. Although the exact number of security upgrades implemented by GSA in its buildings is still uncertain, based on GSA data and observations at numerous federal buildings throughout the country by both the GSA OIG and us, it is clear that GSA has installed and has in operation thousands of security upgrades in its buildings and has expended millions of dollars to 3 purchase and operate these upgrades. And, we believe that, as a result, federal buildings are safer now than before the Oklahoma City bombing. Nevertheless, GSA still has not completely developed outcome-oriented performance goals and measures for its building security program. GSA’s Performance Plan 2000 contains one goal relating to building security. That goal is to reduce the number of buildings that have protection costs in the high range of the benchmark set by private sector experts, while continuing to maintain effective security in government buildings. The performance measure would compare GSA’s Public Buildings Service average protection cost per square foot to the private sector’s cost per square foot. A GSA official told us that the implementation of this goal would begin in October 1999. However, he expressed concern that, because the federal government requires a higher level of security in federal buildings than does the private sector in its buildings, benchmarking security costs will be difficult. In addition, GSA has hired a private firm to assist in developing performance goals and measures for the Public Buildings Service. 3 According to GSA’s security upgrade tracking system, as of July 7, 1999, 3,733 upgrades had been completed for level IV buildings and 3,635 completed for level I through III buildings. Page 9 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program Specifically, GSA asked the Logistics Management Institute (LMI) to develop performance measures in the three primary business areas of the Public Buildings Service--operations (cleaning, utilities, maintenance, and security), leasing, and construction. An initial report from LMI, dated August 1998, stated that security benchmarks are problematic because it is difficult to find appropriate industry data that would enable LMI to account for different levels of security. In discussions with GSA officials, they said that GSA is currently measuring its contract guard costs against national industry costs for contract guards. One official said that further performance measures and related benchmarks are being developed and should be completed by the end of October 1999. GSA officials told us that, even without measurements for improved safety, they believe that federal buildings are definitely safer today than they were prior to the Oklahoma City bombing. However, they also stated that it is impossible to guarantee that another Oklahoma City incident will not occur. The GSA officials told us that federal building tenants feel safer now than they did before the installation of magnetometers, x-rays, and other security devices. Some GSA officials attributed this feeling of safety to the knowledge that these devices have identified small firearms or other weapons before those weapons could be brought into the building. GSA believes that the results of a periodic survey it conducted support its contention that federal employees generally feel safer. GSA said it surveys one-half of its building tenants one year and the remaining half the following year. Results of this survey conducted in 1994/1995 and 1997/1998 indicated customer satisfaction with security in federal office buildings increased by at least 5 percent on all security indices during these survey periods. For example, ratings ranged from 1 to 5 in satisfaction levels with 1 being “very dissatisfied” and 5 being “very satisfied.” Customer satisfaction for “security of individuals within a building” increased from a mean of 3.19 in 1994/1995 to 3.52 in1997/1998, or 10 percent. GSA officials noted that the increase in customer satisfaction occurred even though the Oklahoma City bombing occurred during the 1994/1995 survey period. Page 10 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program We reported in our June 1998 testimony that GSA had not fully New Risk Assessment implemented a key recommendation from an internal “lessons learned” Methodology and study done in October 1995, after the Oklahoma City bombing incident. Periodic Building The study recommended that GSA evaluate its current risk assessment methodology to ensure that it addressed a wider range of risks, with an Inspections increased emphasis on acts of mass violence. The study concluded that GSA’s security and law enforcement processes in place at that time did not adequately address the current threat environment. In addition, we reported in our June 1998 testimony that building security- related inspections that GSA security staff were routinely doing prior to the Oklahoma City bombing were curtailed because these staff were needed to help implement the security upgrade program, and at the time of our review, these inspections had not been resumed. We recommended that once GSA determined the appropriate building security risk assessment methodology, it resume a program of periodic building security inspections by its security specialists. In July 1998, a GSA team, including GSA regional Physical Security Specialists, examined GSA’s risk assessment methodology and recommended that GSA adopt a new methodology. The methodology recommended was Security Risk Management, which was designed by Applied Research Associates, Inc., and reportedly used by the Federal Aviation Administration. The objective of the methodology is to reduce the risks from all types of threats, including criminal and terrorist attacks, to an acceptable level. Security Risk Management provides a means of determining the levels of acceptable risk and mitigating those risks by placing a value on all assets. Under this methodology, GSA physical security specialists, working on-site in conjunction with building management and agency officials, would identify critical assets, determine the importance and risk of these assets, and ultimately identify cost effective security countermeasures to reduce risk to an acceptable level. In December 1998, a team of GSA physical security specialists met to develop a policy that would merge the new risk assessment methodology with the restarted GSA periodic building security inspections or surveys. Under the new policy, level IV buildings are to be surveyed every 2 years; level III buildings every 3 years; and level I and level II buildings every 4 years. GSA’s goal is to implement the new risk assessment and survey policy by January 2000. Until that time, building security surveys are to be based on GSA’s previous risk assessment methodology. Page 11 GAO/T-GGD/OSI-00-19 Statement General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program GSA has made progress in implementing our June 1998 recommendations Conclusions to improve its building security program, and we believe that GSA’s federal building security upgrade program has enhanced federal building security. Further, GSA now has better information on the status of the security upgrade program and is positioned to recoup more of its security program costs from federal agencies. However, it still lacks completely accurate data in its upgrade tracking and accounting systems on the number and cost of completed security upgrades. In addition, we believe that GSA is still not in a good position to know how adequate the security of federal buildings is because it (1) has not yet implemented its new building security assessment methodology, (2) has made only limited progress in establishing outcome-oriented performance goals and measures for its building security program, and (3) still has some buildings that do not have all the approved upgrades installed and operating. Madame Chairwoman, this concludes my prepared statement. I will be pleased to answer any questions you or other Members of the Subcommittee may have. Contact and Acknowledgement For future contacts regarding this testimony, please contact Bernard L. Ungar on 202-512-8387. Individuals making key contributions to this testimony include Sherrill H. Johnson, Dorothy M. Tejada, Stella M. Flores, and Thomas G. Keightley. Page 12 GAO/T-GGD/OSI-00-19 Page 13 GAO/T-GGD/OSI-00-19 Attachment Objectives, Scope, and Methodology Our overall objective was to evaluate GSA’s progress in implementing recommendations we made during our June 1998 testimony regarding GSA’s building security upgrade program. Specifically, we were asked to determine the steps GSA has taken to (1) ensure completion of all building security evaluations, (2) correct the data in its building security upgrade tracking and accounting systems, (3) complete agreements with OMB regarding the funding of future security upgrades, (4) develop security program outcome-oriented goals and measures, and (5) complete review of its security risk assessment methodology and resume periodic building security inspections. To determine whether GSA had reviewed all its buildings to ensure that security evaluations had been completed, we interviewed GSA officials and obtained documentation regarding the directive from GSA’s Commissioner, Public Buildings Service, to assess or reassess buildings for security needs. We had discussions with GSA Federal Protective Service (FPS) officials from four regions regarding the steps they took to assess or reassess buildings in their regions. We reviewed certifications and other documentation from all 11 GSA regions relating to the requirement to assess or reassess buildings in the regions. In addition, we randomly selected a sample of 150 high-risk (level IV) buildings from GSA’s nationwide inventory listing of 803 such buildings, and 150 lower-risk (level I through III) buildings from GSA’s nationwide inventory listing of 6,535 such buildings. We requested that GSA officials responsible for these buildings provide documentation relating to the assessment or reassessment of the 300 buildings in our sample. For various reasons, we had to exclude some of the buildings from our sample. For example, GSA’s lease on some of the buildings had expired; thus, the buildings were no longer under GSA control. Other buildings in our sample were vacant at the time of the reassessments or the buildings’ security was not GSA’s responsibility. Table I.1 summarizes the reasons that 24 level IV and 9 level I through III buildings were excluded from our sample. Page 14 GAO/T-GGD/OSI-00-19 Attachment Objectives, Scope, and Methodology Table .1: Reasons Buildings Were Excluded from Our Sample and Number of Buildings in Sample With/Without Level IV buildings Level I through III buildings Completed Reasons for excluding Assessments/Reassessments buildings from sample Under construction 2 0 Vacant/no tenants 3 16 No longer in region’s inventory 2 4 Owned by U.S. Postal Service 1 1 Lease expired 0 3 a Delegated building 1 0 Total excluded 9 24 Buildings with completed reassessments 141 125 Buildings without completed reassessments 0 1 Total of original sample 150 150 a Delegated buildings are those buildings for which GSA has no security responsibility. Source: GAO analysis of GSA-provided documentation. We found all level IV buildings in our sample were assessed/reassessed while one lower-level building in our sample did not receive a reassessment. Based on statistical analyses, we are 95 percent confident that between 98 and 100 percent of GSA’s level IV buildings were assessed/reassessed and between 96 and 100 percent of its level I through III buildings were assessed/reassessed. To meet our second objective of determining the steps GSA has taken to correct the data in its upgrade tracking and accounting systems, we interviewed officials in GSA’s headquarters and in four regional offices regarding policies and related procedures for inputting and correcting data in both systems. We evaluated 31 buildings in 4 GSA regions that had been identified by us during our 1998 review or by the GSA OIG in its reports as buildings with security upgrades that were not correctly identified in GSA’s upgrade tracking system. For each building, we reviewed the security upgrades that previously were incorrectly identified in the security upgrade system and compared the current security upgrade status to current data in the upgrade tracking system to verify that corrective action had been taken. Corrective actions included completing the upgrade, voiding the upgrade record in the upgrade tracking system, or adding an upgrade record to the tracking system to correspond with the completed upgrade. In addition, we contacted responsible officials from the GSA regions where the GSA OIG had identified funds that it considered Page 15 GAO/T-GGD/OSI-00-19 Attachment Objectives, Scope, and Methodology as inappropriately expended on nonsecurity-related items to discuss these expenditures and any corrective actions taken or attempted. To meet our third objective of determining whether GSA had completed agreements with OMB regarding the funding of future security upgrades, we had discussions with responsible GSA and OMB officials and obtained and reviewed related documentation. Also, we reviewed documentation prepared by GSA for GSA building tenants explaining how the costs of security would be incorporated into lease payments. Further, we obtained and reviewed GSA expenditure data for security in fiscal years 1995 through 1998, and planned expenditures for several subsequent fiscal years. To meet our objective of determining whether GSA has developed building security program outcome-oriented goals and measures, we reviewed GSA’s 5-year plan (fiscal years 2001 to 2005) and its Performance Plan 2000. In addition, we discussed the process of developing goals and measures with responsible GSA officials. Also, we obtained and reviewed results from a GSA building tenant survey for the fiscal year 1994 through fiscal year 1998 period to determine whether tenants felt safer after the security upgrades were completed. To meet our objective of determining whether GSA had completed its review of its security risk assessment methodology and had resumed periodic building security inspections, we held discussions with GSA officials and reviewed documentation used by GSA in training its security specialists in the use of a new risk assessment methodology. We also reviewed documentation and had discussions with GSA about its planned resumption of its periodic building security inspections. We did our work at GSA headquarters in Washington, D.C., and in four GSA regional offices between June 1999 and October 1999 in accordance with generally accepted government auditing standards. We provided GSA officials with a draft of our statement and incorporated their comments where appropriate. Page 16 GAO/T-GGD/OSI-00-19 Page 17 GAO/T-GGD/OSI-00-19 Page 18 GAO/T-GGD/OSI-00-19 Page 19 GAO/T-GGD/OSI-00-19 Ordering Information The first copy of each GAO report and testimony is free. Additional copies are $2 each. Orders should be sent to the following address, accompanied by a check or money order made out to the Superintendent of Documents, when necessary. VISA and MasterCard credit cards are accepted, also. Orders for 100 or more copies to be mailed to a single address are discounted 25 percent. Order by mail: U.S. General Accounting Office P.O. Box 37050 Washington, DC 20013 or visit: Room 1100 700 4th St. NW (corner of 4th and G Sts. NW) U.S. General Accounting Office Washington, DC Orders may also be placed by calling (202) 512-6000 or by using fax number (202) 512-6061, or TDD (202) 512-2537. Each day, GAO issues a list of newly available reports and testimony. To receive facsimile copies of the daily list or any list from the past 30 days, please call (202) 512-6000 using a touch- tone phone. A recorded menu will provide information on how to obtain these lists. For information on how to access GAO reports on the INTERNET, send e-mail message with “info” in the body to: firstname.lastname@example.org or visit GAO’s World Wide Web Home Page at: http://www.gao.gov United States Bulk Rate General Accounting Office Postage & Fees Paid Washington, D.C. 20548-0001 GAO Permit No. G100 Official Business Penalty for Private Use $300 Address Correction Requested (240355)
General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program
Published by the Government Accountability Office on 1999-10-07.
Below is a raw (and likely hideous) rendition of the original report. (PDF)