This is the agency sworn to protect Federal facilities, specifically General Service Administration (GSA) facilities, from evil-doers. This daring-do includes law enforcement and physical security support, and allegedly a comprehensive risk assessment of each facility so resources can be allocated appropriately to high priority sites. This is the theory. The reality is that reports show the Federal Protective Service seems to be outmoded, outwitted and completely ineffective.
Browse through the Government Accountability Office (GAO) report on the FPS from 2008; it essentially says the agency is broken and demoralized (GAO, 2008). I don’t have time to write an in-depth treatise on this subject, so I’ll zero in on one basic subject – security risk management. Congressional reports and current news reporting indicate the FPS is having major problems in this arena.
Mark Goldstein, GAO director of physical infrastructure issues, emphasized that FPS still lacks a risk management approach to securing federal facilities. FPS approaches each building as requiring the same level of security with the same risk without actually conducting an analysis of threats and vulnerabilities for that building. “Without a risk management approach that identifies threats and vulnerabilities and the resources required to achieve FPS’s security goals, as GAO has recommended, there is limited assurance that programs will be prioritized and resources will be allocated to address existing and potential security threats in an efficient and effective manner,” Goldstein testified (Hong, 2011).
I’m obviously not intimately familiar with FPS’ problems, and I’m sure their leadership is doing it’s best. However, I question why the FPS is having so many problems with risk assessments when the security community is literally awash in this literature.
• FEMA has a very comprehensive Risk Management series available for download right now from their on-line library;
• The DoD has their own methodology;
• DHS describes a good methodology in their National Infrastructure Protection Plan, when they discuss critical infrastructure/key resources;
• DOE, in particular, has their own way of doing business, pioneered at Sandia National Laboratories;
• Private sector has many different approaches.
It really doesn’t matter which method you use, as long it is quantitative and sound. The basics are these:
• Evaluate the threats – what can impact the facility? Look at local crime stats and low-level intelligence bulletins from your state intelligence fusion center and the Homeland Security Information Network. Rank them;
• Evaluate your critical assets – what do you need to protect? Divide these into two groups; infrastructure (e.g. power, heat, water) and population (e.g. gathering areas, day care centers, leadership). Rank them;
• Evaluate your vulnerability – what are the weak points in your facility? Take a walk around with a set of good physical security criteria (the DHS has some good stuff), a clipboard and a pen, and make some notes on vulnerabilities. You don’t have to be a genius, just go off the checklist! Also consider vulnerability to the identified threats while you’re walking around;
• Quantify your risks – This isn’t hard. There are software programs that try to help, and actually do make this hard, but you don’t need them. The best work is developed with a Microsoft Word table and your brain – not mathematical computations from an aloof software program. I know some engineers out there hate me for saying this! How do you quantify? It’s real, real hard . . . You should have already prioritized threats, critical assets and vulnerability individually on a scale from 1-10. Use this equation – THREAT x CRITICALITY x VULNERABILITY = RISK. Rank the final numbers accordingly.
There is so much good information out there, it boggles the mind. The FPS has spent $41 million dollars trying to develop a program to track vulnerabilities agency-wide, and it has failed (Hong, 2011). Why? What is so hard about developing a database? It is possible they’re trying to develop a software program which will make the survey process easier for their overworked personnel, to streamline the process so the end product is standardized. This is a pervasive problem in any organization – unless your surveyers are well-trained to a specific standard, the results will vary widely and there is no guarentee the methodology will be consistent.
In the interim, this database problem can be solved with something as simple as an Excel document. I know it’s not sexy, and I know it’s not cool – so what? There is of course another option – borrow an existing software tool from another branch of government that already does the same thing. The Department of Veterans Affairs has one geared for crime assessments – steal it. The DoD has one specifically for anti-terrorism – steal it. Have a contractor modify it.
Risk assessments are a foundational piece of security work. The FPS’ troubles in this area are cause for concern. I know there are dedicated professionals at the FPS struggling through their own internal battles, and many of them probably share my viewpoint. I hope this agency can get back on it’s feet.
Hong, M. (2011). FPS optimistic on resolving plans for risk analysis, workforce. Homeland Security Today.
Government Accountability Office. (2008). The federal protective service faces several challenges that hamper its ability to protect federal facilities. Retrieved from http://www.gao.gov/new.items/d08683.pdf.