oversight

General Services Administration: Status of Efforts to Improve Management of Building Security Upgrade Program

Published by the Government Accountability Office on 1999-10-07.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

                          United States General Accounting Office

GAO                       Testimony
                          Before the Subcommittee on Oversight, Investigations,
                          and Emergency Management, Committee on
                          Transportation and Infrastructure
                          House of Representatives

For release on Delivery
Expected at
2:00 p.m. EDT             GENERAL SERVICES
Thursday
October 7, 1999           ADMINISTRATION

                          Status of Efforts to
                          Improve Management of
                          Building Security Upgrade
                          Program
                          Statement of
                          Bernard L. Ungar, Director
                          Government Business Operations Issues
                          General Government Division




GAO/T-GGD/OSI-00-19
Statement

General Services Administration: Status of
Efforts to Improve Management of Building
Security Upgrade Program
                Madame Chairwoman and Members of the Subcommittee:

                I am pleased to be here today to discuss the General Services
                Administration’s (GSA) progress in upgrading the security of federal
                buildings under its operation. As you know, following the April 19, 1995,
                bombing of the Murrah Federal Building in Oklahoma City, the President
                directed the Department of Justice (DOJ) to assess the vulnerability of
                federal office buildings, particularly to acts of terrorism and other forms of
                violence. Under the direction of DOJ, an interagency working group
                comprising security professionals from nine federal departments and
                agencies issued in June 1995 a report recommending specific minimum
                security standards for federal buildings. Subsequently, the President
                directed executive departments and agencies to upgrade the security of
                their facilities to the extent feasible based on the DOJ report’s
                recommendations. The President gave GSA this responsibility for the
                buildings it controls, and in July 1995, GSA initiated a multimillion-dollar
                security enhancement program for these buildings.

                We would like to discuss our past and current work on GSA’s building
                security upgrade program. First, we reported to the Subcommittee on
                Public Buildings and Economic Development in June 1998 that GSA was
                making progress in upgrading security in its buildings, but we noted that
                                                                                  1
                there were problems remaining in the security upgrade program. We
                pointed out that data reliability problems prevented GSA and us from
                determining the exact status of security upgrades or the cost of the
                building security upgrade program. We expressed concerns about whether
                all GSA buildings had been evaluated for security needs and whether
                funding sources for needed security upgrades had been determined. In
                addition, we pointed out that, because it had not established program
                outcome measures, GSA did not know the extent to which completed
                upgrades had resulted in greater security or reduced vulnerability for
                federal office buildings. Further, GSA had not resumed security-related
                building evaluations, which it curtailed after the Oklahoma City bombing,
                nor had GSA updated its risk assessment methodology to ensure that a
                wider range of risks would be addressed during these evaluations. We
                concluded, therefore, that GSA was not in a good position to manage its
                program to mitigate security threats to its buildings, and we recommended
                that GSA take the following steps:

              • ensure completion of security evaluations for all of its buildings;

                1
                 General Services Administration: Many Building Security Upgrades Made But Problems Have
                Hindered Program Implementation (GAO/T-GGD-98-141, June 4, 1998).




                Page 1                                                                  GAO/T-GGD/OSI-00-19
  Statement
  General Services Administration: Status of Efforts to Improve Management of Building
  Security Upgrade Program




• correct the data in its upgrade tracking and accounting systems;
• complete agreements with the Office of Management and Budget (OMB)
  regarding funding the costs of its building security program;
• develop outcome-oriented goals and measures for its building security
  program; and
• complete review of its security risk assessment methodology and resume
  periodic security inspections of its buildings.

  At the Subcommittee’s request, we have followed up on GSA’s progress in
  implementing these recommendations. In summary, we found that GSA
  has made progress in implementing our recommendations. Specifically, we
  found that:

• GSA directed its regions to reassess the security of all the buildings in its
  inventory by April 1,1999, for two purposes: (1) to ensure that all of its
  buildings have been assessed and meet the DOJ minimum standards for
  security, and (2) to determine whether the security upgrade information
  for each building was correctly represented in both the upgrade tracking
  system and the accounting system;
• GSA completed negotiations with OMB and, as a result, has a means of
  recouping more of its building security costs;
• GSA, however, still lacks completely accurate data in its upgrade tracking
  and accounting systems and has not completed development of outcome-
  oriented goals and measures for its building security program;
• GSA decided on a new risk assessment methodology and is in the process
  of evaluating how to implement the methodology in future building
  security surveys; and finally,
• GSA’s recent reassessment of each building was to mark the restart of the
  routine physical security surveys that were suspended because of a lack of
  sufficient personnel after the Oklahoma City bombing.


  I would like to briefly describe our scope and methodology in responding
  to your request and preparing this statement. We interviewed key GSA
  officials at headquarters in Washington, D.C.; at 4 GSA regional offices;
  and at 31 GSA buildings we visited throughout the country. In addition, we
  observed the operations of security upgrades installed in selected
  buildings in each of these GSA regions. We obtained and reviewed GSA’s
  Office of Inspector General (OIG) reports on the security upgrade
  program, the DOJ report, and GSA documents relating to the steps it has
  taken in response to our 1998 recommendations. We held discussions and
  obtained data from representatives of OMB and several federal agencies
  that have personnel housed in GSA-owned and -leased buildings. We



  Page 2                                                             GAO/T-GGD/OSI-00-19
                       Statement
                       General Services Administration: Status of Efforts to Improve Management of Building
                       Security Upgrade Program




                       coordinated our work with GSA’s OIG. We did not evaluate the overall
                       effectiveness of GSA’s building security program. We did our work from
                       June 1999 to October 1999 in accordance with generally accepted
                       government auditing standards. We have included more details about our
                       scope and methodology in the attachment.

                       In our June 1998 testimony, we said that, because of the unreliability of the
Steps Taken to         GSA’s building security upgrade tracking system, neither GSA nor we
Complete Evaluations   could determine whether all GSA buildings had been evaluated for security
and Correct Data       needs. Further, we said that we could not make a reliable determination of
                       the status of the building security upgrade program because of errors in
                       GSA’s building security upgrade tracking system. In addition, we reported
                       that we could not reliably determine the actual costs or obligations
                       incurred by GSA for security upgrades because GSA’s accounting system
                       also contained significant errors.

                       We found in our most recent work that GSA has acted to ensure that its
                       buildings have been assessed for security needs and to correct the data in
                       its upgrade tracking system. It appears that, as a result of GSA’s efforts, at
                       least 98 percent of GSA’s high-risk buildings and at least 96 percent of its
                       lower-risk buildings have been evaluated for security needs and that the
                       accuracy of GSA’s security upgrade tracking system has improved.
                       However, GSA recognizes that its accounting system still contains errors,
                       some of which pertain to funds reported by GSA’s OIG as inappropriately
                       expended.

                       In May 1998, GSA’s Federal Protective Service (FPS) directed its staff in
                       GSA’s 11 regions to assess each GSA-controlled building to ensure that
                       security evaluations had been completed and verify that the security
                       upgrades in place were accurately reflected in GSA’s building security
                       upgrade tracking and accounting systems. The regions were further
                       directed to submit to FPS headquarters certifications that all buildings in
                       their respective regions had been assessed and that security upgrade data
                       in the tracking and accounting systems had been reviewed, verified, and
                       where needed, corrected. The directive stated that these actions were to
                       be completed for all high-risk (level IV) buildings by October 1, 1998, and
                                                                                           2
                       for all lower-risk (level I through III) buildings by April 1, 1999. According
                       to GSA, these assessments were also to mark the restart of the periodic
                       building security inspections that GSA had curtailed after the bombing
                       incident in 1995.

                       2
                        According to GSA’s database, as of July 7, 1999, there were 803 level IV buildings and 6,535 level I
                       through III buildings under its control.




                       Page 3                                                                         GAO/T-GGD/OSI-00-19
                       Statement
                       General Services Administration: Status of Efforts to Improve Management of Building
                       Security Upgrade Program




                       Subsequently, each FPS regional director provided FPS headquarters
                       certifications that the directive had been met, and that all buildings in each
                       region had been assessed and the appropriate corrections made to the
                       tracking and accounting systems, with a few exceptions—relating
                       primarily to the errors in the accounting system--noted. According to FPS
                       officials, to do these reassessments, regional FPS physical security
                       specialists met with each building’s GSA and agency tenant representatives
                       to inspect and evaluate the security needs of the building.

Building Evaluations   A GSA headquarters official told us that at least 97 percent of GSA’s
                       buildings were assessed as a result of this initiative. We randomly sampled
Completed              300 buildings (150 level IV and 150 level I through III buildings) from GSA’s
                       nationwide building inventory, and contacted each building’s physical
                       security specialist, and requested the assessment report for each building.
                       Based on our analysis of the information and documentation provided to
                       us on our sampled buildings, it appears that 98 to 100 percent of GSA’s
                       high-risk buildings and 96 to 100 percent of its lower-risk buildings have
                       now been assessed for security needs.

Tracking System        In our June 1998 testimony, we reported that we had reviewed the security
                       upgrade records for 53 buildings, inspected the security upgrades in place
Corrections            at 43 of these buildings, and compared the upgrades in place in the
                       buildings with the data shown in GSA’s upgrade tracking system. We
                       reported that GSA’s building security upgrade tracking system contained
                       errors in 24, or 45 percent, of the buildings reviewed. In addition, we cited
                       a similar study by GSA’s OIG that found that in 65, or 54 percent, of the
                       buildings it reviewed, the status of the security upgrades in the buildings
                       was not accurately reflected in the building security upgrade tracking
                       system.

                       We recently visited 31 of the buildings reviewed either by the OIG or us
                       and found that most of the inaccuracies in the tracking system previously
                       identified had been corrected. Specifically, in our earlier review, we found
                       that 163 security upgrades in these 31 buildings were inaccurately
                       recorded in the tracking system. During our most recent visits to these
                       buildings, we found that corrections had been made in the tracking system
                       for 152 of the upgrades. For example, we found earlier that a privately-
                       owned building in which GSA leased space would not allow GSA to install
                       certain security upgrades because building management believed that the
                       upgrades would inconvenience private tenants. However, the upgrades
                       were shown as completed in the tracking system. In our most recent
                       review, we found that the upgrades had been cancelled out of the upgrade
                       tracking system.



                       Page 4                                                             GAO/T-GGD/OSI-00-19
  Statement
  General Services Administration: Status of Efforts to Improve Management of Building
  Security Upgrade Program




  In an another example, the OIG had found six inoperable closed circuit
  television cameras in one building, while the upgrade tracking system
  showed that these cameras were a completed security upgrade. Our recent
  visit to this building revealed that all six of the cameras were installed and
  operational.

  On the other hand, we found that the tracking system continued to contain
  some errors. We found errors relating to 11 upgrades in 10 of the 31
  buildings we visited. Examples of these errors include the following:

• For one building, 15 light poles for the building parking lot were shown as
  a completed upgrade in the tracking system; in fact, we found that GSA
  had installed two mercury vapor lights in the building’s parking lot instead
  of the 15 light poles
• In another building, the tracking system showed that two magnetometers
  and two x-ray machines were completed upgrades; we found that only one
  magnetometer and one x-ray machine were operating in the building
• In yet another building, the upgrade tracking system showed that an x-ray
  machine was a completed upgrade; we found that the x-ray machine was in
  storage inside the building.

  New upgrade tracking system: GSA officials also told us that a new system
  is being developed that will replace the existing building security upgrade
  tracking system by early next year. The current building security upgrade
  tracking system, developed to track all security upgrades by building,
  became operational in early 1996. However, GSA officials have described
  the tracking system as inflexible and ineffective. According to GSA, the
  new upgrade tracking system is designed to be easier to use and a more
  reliable source for building security upgrade status.

  The new system was developed with the help of GSA’s Regional Physical
  Security Specialists who, as part of a team, provided input on the needs
  and requirements of such a system. GSA officials anticipate that any
  needed changes to data in the new tracking system will be easier to make
  and thus believe the new system will more accurately reflect the status of
  building security upgrades. According to GSA, the new tracking system
  also is to interface with GSA’s System for Tracking and Administering Real
  Property (STAR), a database of building and tenant information used by
  GSA for, among other things, rent calculations. According to GSA, its
  Southwest region in Ft. Worth, TX, is to begin piloting the new system in
  November 1999, prior to its planned implementation across all regions.




  Page 5                                                             GAO/T-GGD/OSI-00-19
                    Statement
                    General Services Administration: Status of Efforts to Improve Management of Building
                    Security Upgrade Program




Accounting System   We reported in June 1998 that we couldn’t reliably determine the actual
                    costs or obligations incurred by GSA for security upgrades because GSA’s
Corrections         accounting system, like its tracking system, contained significant errors.
                    GSA attributed the inaccuracies in its accounting system to errors GSA
                    personnel made when they recorded obligations for upgrade transactions
                    in the accounting system. Our June 1998 testimony cited several examples
                    of these errors, including one in which about $1 million in obligations
                    related to GSA programs other than building security had been
                    erroneously recorded in the accounting system as building security
                    program obligations, and another in which about $9.7 million in estimated
                    costs for building security upgrades shown in the tracking system had no
                    corresponding obligations recorded in the accounting system.

                    According to GSA officials and documentation they provided to us, GSA’s
                    efforts to correct security upgrade cost data in its accounting system have
                    not been completely successful. GSA officials told us that, when the
                    building security upgrade program first began, there was uncertainty
                    concerning which funding code was to be used for security upgrade capital
                    costs. GSA intended that obligations for all upgrades should come from
                    specially coded funds setaside specifically for the building security
                    program. However, GSA regional officials were not all aware of the special
                    funding code until after a number of upgrades had been entered into the
                    system under another code.

                    In addition, GSA officials explained that the cost figures in the security
                    upgrade tracking system were only estimates, while the cost figures in the
                    accounting system represented actual costs, which led to numerous
                    discrepancies between the two systems. Further, they said that correcting
                    data in the accounting system was more difficult than correcting the data
                    in the upgrade tracking system because the accounting system would not
                    allow some changes to be made, particularly changes to data that had been
                    in the accounting system for 2 years or more. As a result, the costs of
                    security upgrades in the accounting system still do not correspond to those
                    recorded in the tracking system, and the accounting system still contains
                    security upgrade costs charged to the wrong funding code.

                    Inappropriate use of upgrade funds: In an audit report dated March 18,
                    1999, GSA’s OIG reported 10 incidents of GSA’s using security upgrade
                    funds, totaling $926,638, for items that were not related to the building
                    security program or were not approved by GSA headquarters. The OIG
                    reported that these funds were used for such items as new doors, radio
                    equipment, renovation of judges’ chambers, and the buildout of an
                    agency’s space. GSA officials explained to us that some of these items



                    Page 6                                                             GAO/T-GGD/OSI-00-19
Statement
General Services Administration: Status of Efforts to Improve Management of Building
Security Upgrade Program




were security related, and they had not attempted to change how the costs
of these items were recorded in the accounting system; for other items,
changes to the programs that these items were charged to in the
accounting system were attempted, but the system would not allow the
changes to be made. Examples of these reported inappropriate uses of
security program funds by GSA include the following:

1. GSA regional officials told us that some construction work necessary
   to complete approved security measures was paid for with building
   security funds. These officials considered the cost of the work a valid
   building security program cost and charged it to the building security
   program in the accounting system, even though this cost was not an
   approved security-related cost recorded in the tracking system.

2. According to a regional GSA official, GSA purchased security
   communications equipment that was not an approved security upgrade
   recorded in the upgrade tracking system. The GSA official told us that
   they have since added the communication equipment to the upgrade
   tracking system.

3. GSA regional officials told us that a new security system had been
   approved as a security upgrade for an older building. The security
   system involved door contacts to detect opening of the doors.
   However, because the doors were old and warped, the contacts
   wouldn’t work. GSA officials told us that FPS had requested approval
   from headquarters to replace the doors, but that while FPS waited for
   approval, the building manager authorized the replacement. The
   officials told us that they subsequently attempted to change the
   funding code in the accounting system to show that the cost of the
   doors was not to be charged to the building security program, but that
   the system would not accept the change. The $233,000 cost of the
   doors remains under the wrong accounting code in the accounting
   system.

4. GSA regional officials stated that they made changes to correct the
   funding codes for the costs incurred at two other federal buildings for
   items that were inappropriately charged to the building security
   program in the accounting system. According to GSA officials, the cost
   of demolition work for a GSA construction project at one building and
   the cost of an antenna system at another were inappropriately paid out
   of building security program funds. They said that, subsequently, the
   accounting system was changed to reflect the appropriate funding
   code and source for the costs of these two projects.



Page 7                                                             GAO/T-GGD/OSI-00-19
                      Statement
                      General Services Administration: Status of Efforts to Improve Management of Building
                      Security Upgrade Program




                      According to GSA data, in fiscal year 1994, before the April 1995 bombing
OMB-GSA Security      of the federal building in Oklahoma City, GSA obligated about $96 million
Costs Reimbursement   for security. By fiscal year 1997, it’s obligations for security had increased
Negotiations          to $258 million. For fiscal years 1999 and 2000, GSA estimates that its
                      obligations for security will be about $291 million and $289 million,
                      respectively. Further, GSA’s 5-year plan (fiscal years 2001 to 2005) shows
                      estimated capital expenditures of $2.3 billion for blast mitigation,
                      surveillance upgrades, and chemical and biological detection equipment
                      for heating, ventilating, and air conditioning systems.

                      We reported in our June 1998 testimony that GSA has faced the problem of
                      uncertain funding for the costs of its building security program since
                      increased emphasis was placed on security following the Oklahoma City
                      bombing. The DOJ report anticipated that funding the numerous security
                      upgrades would be problematic and recommended that GSA consider
                      increasing the rent charged to federal agencies to pay for the increased
                      costs of upgraded security. We, in turn, recommended that GSA complete
                      agreements with OMB on the most appropriate means of funding the
                      security needs of GSA-operated buildings at the minimum standard levels
                      recommended in the DOJ report.

                      Since that time, GSA and OMB have agreed on two major points
                      concerning funding the cost of security for GSA-leased, -owned, or -
                      controlled federal buildings. First, beginning in fiscal year 2000, all federal
                      agencies are to pay a security charge of $0.16 a square foot instead of the
                      previous $0.06 per square foot as part of the lease payment. The new
                      security charge was developed to cover the cost of (1) national control
                      centers that provide central monitoring of alarms and dispatch of
                      emergency personnel; (2) security evaluations and reassessments
                      conducted by FPS officials; and (3) investigations by GSA law enforcement
                      officers of reported crimes in federal buildings. Second, federal agencies
                      are to be required to pay increased building-specific fees that reflect the
                      operational costs of the security enhancements and amortization of newly
                      identified capital cost items beyond those already installed.

                      The new $0.16 a square foot charge was effective for fiscal years 1998 and
                      1999 for new and renovated GSA buildings, and is to go into effect in all
                      other existing buildings beginning in fiscal year 2000. The building-specific
                      fee increases were effective for all buildings beginning in fiscal year 1999.
                      GSA estimates that, at a minimum, it will not recover $43 million in fiscal
                      year 1999 and $44.7 million in fiscal year 2000 for its patrol and response
                      costs, for which it has no agreement with OMB for billing the agencies.
                      There may be other unrecovered costs, but according to a GSA official,



                      Page 8                                                             GAO/T-GGD/OSI-00-19
                     Statement
                     General Services Administration: Status of Efforts to Improve Management of Building
                     Security Upgrade Program




                     GSA does not specifically track security program revenues to identify
                     unrecovered costs. No determination has been made on how to fund the
                     proposed $2.3 billion in security capital costs in GSA’s 5- year plan.

                     In our June 1998 testimony we reported that we did not believe that GSA
Security Goals and   had sufficient information on security program goals and results for us or
Measures Still Not   GSA to know the extent to which upgrades had improved security or
Fully Developed      reduced federal office building vulnerability to acts of terrorism or other
                     forms of violence. In addition, we said that, without sufficient information,
                     GSA could not evaluate whether the benefits justify the costs of the
                     upgrades. As you know, the Government Performance and Results Act of
                     1993 (the Results Act) requires every major federal agency to establish its
                     mission, its goals and how they will be achieved, how its performance
                     toward meeting its goals will be measured, and how performance
                     measures will be used to make improvements.

                     Although the exact number of security upgrades implemented by GSA in
                     its buildings is still uncertain, based on GSA data and observations at
                     numerous federal buildings throughout the country by both the GSA OIG
                     and us, it is clear that GSA has installed and has in operation thousands of
                     security upgrades in its buildings and has expended millions of dollars to
                                                              3
                     purchase and operate these upgrades. And, we believe that, as a result,
                     federal buildings are safer now than before the Oklahoma City bombing.
                     Nevertheless, GSA still has not completely developed outcome-oriented
                     performance goals and measures for its building security program.

                     GSA’s Performance Plan 2000 contains one goal relating to building
                     security. That goal is to reduce the number of buildings that have
                     protection costs in the high range of the benchmark set by private sector
                     experts, while continuing to maintain effective security in government
                     buildings. The performance measure would compare GSA’s Public
                     Buildings Service average protection cost per square foot to the private
                     sector’s cost per square foot. A GSA official told us that the
                     implementation of this goal would begin in October 1999. However, he
                     expressed concern that, because the federal government requires a higher
                     level of security in federal buildings than does the private sector in its
                     buildings, benchmarking security costs will be difficult.

                     In addition, GSA has hired a private firm to assist in developing
                     performance goals and measures for the Public Buildings Service.

                     3
                      According to GSA’s security upgrade tracking system, as of July 7, 1999, 3,733 upgrades had been
                     completed for level IV buildings and 3,635 completed for level I through III buildings.




                     Page 9                                                                       GAO/T-GGD/OSI-00-19
Statement
General Services Administration: Status of Efforts to Improve Management of Building
Security Upgrade Program




Specifically, GSA asked the Logistics Management Institute (LMI) to
develop performance measures in the three primary business areas of the
Public Buildings Service--operations (cleaning, utilities, maintenance, and
security), leasing, and construction. An initial report from LMI, dated
August 1998, stated that security benchmarks are problematic because it is
difficult to find appropriate industry data that would enable LMI to
account for different levels of security.

In discussions with GSA officials, they said that GSA is currently
measuring its contract guard costs against national industry costs for
contract guards. One official said that further performance measures and
related benchmarks are being developed and should be completed by the
end of October 1999.

GSA officials told us that, even without measurements for improved safety,
they believe that federal buildings are definitely safer today than they were
prior to the Oklahoma City bombing. However, they also stated that it is
impossible to guarantee that another Oklahoma City incident will not
occur. The GSA officials told us that federal building tenants feel safer now
than they did before the installation of magnetometers, x-rays, and other
security devices. Some GSA officials attributed this feeling of safety to the
knowledge that these devices have identified small firearms or other
weapons before those weapons could be brought into the building.

GSA believes that the results of a periodic survey it conducted support its
contention that federal employees generally feel safer. GSA said it surveys
one-half of its building tenants one year and the remaining half the
following year. Results of this survey conducted in 1994/1995 and
1997/1998 indicated customer satisfaction with security in federal office
buildings increased by at least 5 percent on all security indices during
these survey periods. For example, ratings ranged from 1 to 5 in
satisfaction levels with 1 being “very dissatisfied” and 5 being “very
satisfied.” Customer satisfaction for “security of individuals within a
building” increased from a mean of 3.19 in 1994/1995 to 3.52 in1997/1998,
or 10 percent. GSA officials noted that the increase in customer
satisfaction occurred even though the Oklahoma City bombing occurred
during the 1994/1995 survey period.




Page 10                                                            GAO/T-GGD/OSI-00-19
                      Statement
                      General Services Administration: Status of Efforts to Improve Management of Building
                      Security Upgrade Program




                      We reported in our June 1998 testimony that GSA had not fully
New Risk Assessment   implemented a key recommendation from an internal “lessons learned”
Methodology and       study done in October 1995, after the Oklahoma City bombing incident.
Periodic Building     The study recommended that GSA evaluate its current risk assessment
                      methodology to ensure that it addressed a wider range of risks, with an
Inspections           increased emphasis on acts of mass violence. The study concluded that
                      GSA’s security and law enforcement processes in place at that time did not
                      adequately address the current threat environment.

                      In addition, we reported in our June 1998 testimony that building security-
                      related inspections that GSA security staff were routinely doing prior to
                      the Oklahoma City bombing were curtailed because these staff were
                      needed to help implement the security upgrade program, and at the time of
                      our review, these inspections had not been resumed. We recommended
                      that once GSA determined the appropriate building security risk
                      assessment methodology, it resume a program of periodic building
                      security inspections by its security specialists.

                      In July 1998, a GSA team, including GSA regional Physical Security
                      Specialists, examined GSA’s risk assessment methodology and
                      recommended that GSA adopt a new methodology. The methodology
                      recommended was Security Risk Management, which was designed by
                      Applied Research Associates, Inc., and reportedly used by the Federal
                      Aviation Administration. The objective of the methodology is to reduce the
                      risks from all types of threats, including criminal and terrorist attacks, to
                      an acceptable level. Security Risk Management provides a means of
                      determining the levels of acceptable risk and mitigating those risks by
                      placing a value on all assets. Under this methodology, GSA physical
                      security specialists, working on-site in conjunction with building
                      management and agency officials, would identify critical assets, determine
                      the importance and risk of these assets, and ultimately identify cost
                      effective security countermeasures to reduce risk to an acceptable level.

                      In December 1998, a team of GSA physical security specialists met to
                      develop a policy that would merge the new risk assessment methodology
                      with the restarted GSA periodic building security inspections or surveys.
                      Under the new policy, level IV buildings are to be surveyed every 2 years;
                      level III buildings every 3 years; and level I and level II buildings every 4
                      years. GSA’s goal is to implement the new risk assessment and survey
                      policy by January 2000. Until that time, building security surveys are to be
                      based on GSA’s previous risk assessment methodology.




                      Page 11                                                            GAO/T-GGD/OSI-00-19
              Statement
              General Services Administration: Status of Efforts to Improve Management of Building
              Security Upgrade Program




              GSA has made progress in implementing our June 1998 recommendations
Conclusions   to improve its building security program, and we believe that GSA’s federal
              building security upgrade program has enhanced federal building security.
              Further, GSA now has better information on the status of the security
              upgrade program and is positioned to recoup more of its security program
              costs from federal agencies. However, it still lacks completely accurate
              data in its upgrade tracking and accounting systems on the number and
              cost of completed security upgrades. In addition, we believe that GSA is
              still not in a good position to know how adequate the security of federal
              buildings is because it (1) has not yet implemented its new building
              security assessment methodology, (2) has made only limited progress in
              establishing outcome-oriented performance goals and measures for its
              building security program, and (3) still has some buildings that do not have
              all the approved upgrades installed and operating.

              Madame Chairwoman, this concludes my prepared statement. I will be
              pleased to answer any questions you or other Members of the
              Subcommittee may have.

              Contact and Acknowledgement

              For future contacts regarding this testimony, please contact Bernard L.
              Ungar on 202-512-8387. Individuals making key contributions to this
              testimony include Sherrill H. Johnson, Dorothy M. Tejada, Stella M. Flores,
              and Thomas G. Keightley.




              Page 12                                                            GAO/T-GGD/OSI-00-19
Page 13   GAO/T-GGD/OSI-00-19
Attachment

Objectives, Scope, and Methodology


              Our overall objective was to evaluate GSA’s progress in implementing
              recommendations we made during our June 1998 testimony regarding
              GSA’s building security upgrade program. Specifically, we were asked to
              determine the steps GSA has taken to (1) ensure completion of all building
              security evaluations, (2) correct the data in its building security upgrade
              tracking and accounting systems, (3) complete agreements with OMB
              regarding the funding of future security upgrades, (4) develop security
              program outcome-oriented goals and measures, and (5) complete review
              of its security risk assessment methodology and resume periodic building
              security inspections.

              To determine whether GSA had reviewed all its buildings to ensure that
              security evaluations had been completed, we interviewed GSA officials
              and obtained documentation regarding the directive from GSA’s
              Commissioner, Public Buildings Service, to assess or reassess buildings for
              security needs. We had discussions with GSA Federal Protective Service
              (FPS) officials from four regions regarding the steps they took to assess or
              reassess buildings in their regions. We reviewed certifications and other
              documentation from all 11 GSA regions relating to the requirement to
              assess or reassess buildings in the regions.

              In addition, we randomly selected a sample of 150 high-risk (level IV)
              buildings from GSA’s nationwide inventory listing of 803 such buildings,
              and 150 lower-risk (level I through III) buildings from GSA’s nationwide
              inventory listing of 6,535 such buildings. We requested that GSA officials
              responsible for these buildings provide documentation relating to the
              assessment or reassessment of the 300 buildings in our sample.

              For various reasons, we had to exclude some of the buildings from our
              sample. For example, GSA’s lease on some of the buildings had expired;
              thus, the buildings were no longer under GSA control. Other buildings in
              our sample were vacant at the time of the reassessments or the buildings’
              security was not GSA’s responsibility. Table I.1 summarizes the reasons
              that 24 level IV and 9 level I through III buildings were excluded from our
              sample.




              Page 14                                                  GAO/T-GGD/OSI-00-19
                                      Attachment
                                      Objectives, Scope, and Methodology




Table .1: Reasons Buildings Were
Excluded from Our Sample and Number
of Buildings in Sample With/Without                                             Level IV buildings        Level I through III buildings
Completed                             Reasons for excluding
Assessments/Reassessments             buildings from sample
                                      Under construction                                            2                                0
                                      Vacant/no tenants                                             3                               16
                                      No longer in region’s
                                      inventory                                                     2                                4
                                      Owned by U.S. Postal
                                      Service                                                       1                                1
                                      Lease expired                                                 0                                3
                                                         a
                                      Delegated building                                            1                                0
                                      Total excluded                                                9                               24
                                      Buildings with completed
                                      reassessments                                               141                              125
                                      Buildings without completed
                                      reassessments                                                 0                                1
                                      Total of original sample                                    150                              150
                                      a
                                      Delegated buildings are those buildings for which GSA has no security responsibility.
                                      Source: GAO analysis of GSA-provided documentation.


                                      We found all level IV buildings in our sample were assessed/reassessed
                                      while one lower-level building in our sample did not receive a
                                      reassessment. Based on statistical analyses, we are 95 percent confident
                                      that between 98 and 100 percent of GSA’s level IV buildings were
                                      assessed/reassessed and between 96 and 100 percent of its level I through
                                      III buildings were assessed/reassessed.

                                      To meet our second objective of determining the steps GSA has taken to
                                      correct the data in its upgrade tracking and accounting systems, we
                                      interviewed officials in GSA’s headquarters and in four regional offices
                                      regarding policies and related procedures for inputting and correcting data
                                      in both systems. We evaluated 31 buildings in 4 GSA regions that had been
                                      identified by us during our 1998 review or by the GSA OIG in its reports as
                                      buildings with security upgrades that were not correctly identified in
                                      GSA’s upgrade tracking system. For each building, we reviewed the
                                      security upgrades that previously were incorrectly identified in the
                                      security upgrade system and compared the current security upgrade status
                                      to current data in the upgrade tracking system to verify that corrective
                                      action had been taken. Corrective actions included completing the
                                      upgrade, voiding the upgrade record in the upgrade tracking system, or
                                      adding an upgrade record to the tracking system to correspond with the
                                      completed upgrade. In addition, we contacted responsible officials from
                                      the GSA regions where the GSA OIG had identified funds that it considered




                                      Page 15                                                                     GAO/T-GGD/OSI-00-19
Attachment
Objectives, Scope, and Methodology




as inappropriately expended on nonsecurity-related items to discuss these
expenditures and any corrective actions taken or attempted.

To meet our third objective of determining whether GSA had completed
agreements with OMB regarding the funding of future security upgrades,
we had discussions with responsible GSA and OMB officials and obtained
and reviewed related documentation. Also, we reviewed documentation
prepared by GSA for GSA building tenants explaining how the costs of
security would be incorporated into lease payments. Further, we obtained
and reviewed GSA expenditure data for security in fiscal years 1995
through 1998, and planned expenditures for several subsequent fiscal
years.

To meet our objective of determining whether GSA has developed building
security program outcome-oriented goals and measures, we reviewed
GSA’s 5-year plan (fiscal years 2001 to 2005) and its Performance Plan
2000. In addition, we discussed the process of developing goals and
measures with responsible GSA officials. Also, we obtained and reviewed
results from a GSA building tenant survey for the fiscal year 1994 through
fiscal year 1998 period to determine whether tenants felt safer after the
security upgrades were completed.

To meet our objective of determining whether GSA had completed its
review of its security risk assessment methodology and had resumed
periodic building security inspections, we held discussions with GSA
officials and reviewed documentation used by GSA in training its security
specialists in the use of a new risk assessment methodology. We also
reviewed documentation and had discussions with GSA about its planned
resumption of its periodic building security inspections.

We did our work at GSA headquarters in Washington, D.C., and in four
GSA regional offices between June 1999 and October 1999 in accordance
with generally accepted government auditing standards. We provided GSA
officials with a draft of our statement and incorporated their comments
where appropriate.




Page 16                                                 GAO/T-GGD/OSI-00-19
Page 17   GAO/T-GGD/OSI-00-19
Page 18   GAO/T-GGD/OSI-00-19
Page 19   GAO/T-GGD/OSI-00-19
Ordering Information

The first copy of each GAO report and testimony is free.
Additional copies are $2 each. Orders should be sent to the
following address, accompanied by a check or money order made
out to the Superintendent of Documents, when necessary. VISA
and MasterCard credit cards are accepted, also. Orders for 100 or
more copies to be mailed to a single address are discounted 25
percent.

Order by mail:

U.S. General Accounting Office
P.O. Box 37050
Washington, DC 20013

or visit:

Room 1100
700 4th St. NW (corner of 4th and G Sts. NW)
U.S. General Accounting Office
Washington, DC

Orders may also be placed by calling (202) 512-6000 or by using
fax number (202) 512-6061, or TDD (202) 512-2537.

Each day, GAO issues a list of newly available reports and
testimony. To receive facsimile copies of the daily list or any list
from the past 30 days, please call (202) 512-6000 using a touch-
tone phone. A recorded menu will provide information on how to
obtain these lists.

For information on how to access GAO reports on the INTERNET,
send e-mail message with “info” in the body to:

info@www.gao.gov

or visit GAO’s World Wide Web Home Page at:

http://www.gao.gov
United States                       Bulk Rate
General Accounting Office      Postage & Fees Paid
Washington, D.C. 20548-0001           GAO
                                Permit No. G100
Official Business
Penalty for Private Use $300

Address Correction Requested




(240355)