You are on page 1of 17

101000101010110101001010101011010100101110101010010111010101010101

101101010101010110110101010101001010101010101010101011010100101010
010111010110101100101010101010101010101010010101010101011010101010

the cip report


C E N T E R F O R I N F RAS T R U C T U R E P R O T E C T I O N volume 9 number 1
AND HOMELAND SECURITY
July 2010 This month’s issue of The CIP Report features the
Government Facilities Sector. This sector, which recently
Government Facilities transitioned into the National Protection and Programs
Directorate (NPPD) at the U.S. Department of
Homeland Security (DHS), has been diligently working
Sector Overview ...........................2 to update security standards for Federal facilities.

ISC...............................................6 First, the Infrastructure Protection Branch Chief at the


Federal Protective Service (FPS) provides an overview CENTER
JMU Symposium .........................7 of the Government Facilities Sector. Then, the for
Executive Director of the Interagency Security INFRASTRUCTURE PROTECTION

Green Facilities..............................8 Committee (ISC) discusses the new standards,


and
HOMELAND SECURITY
Physical Security Criteria for Federal Facilities (PSC) and
Federalization of Guards..............10 the Design-Basis Threat Report (DBT), which were established to better protect
nonmilitary Federal buildings and facilities. The Institute for Infrastructure and
Legal Insights..............................12
Information Assurance (IIIA) at James Madison University (JMU) describes an
event they recently co-hosted with the Federal Facilities Council of the National
Academy of Sciences about “Safe, Secure, and Sustainable Facilities.” Next, we
discuss the energy capabilities of commercial facilities leased by the Federal
Editorial Staff government and we summarize a recent report by the General Accountability
Office (GAO) which reviews the use of contract guards at Federal facilities.
Editors Finally, this month’s Legal Insights provides a risk analysis of security
Devon Hardy countermeasures for Federal facilities.
Olivia Pacheco
We would like to take this opportunity to thank the contributors of this month’s
Staff Writers issue. We truly appreciate your valuable insight.
Joseph Maltby
JMU Coordinators We hope you enjoy this issue of The CIP Report and find it useful and
Ken Newbold informative. Thank you for your support and feedback.
John Noftsinger
Publisher
Liz Hale-Salice

Contact: CIPP02@gmu.edu
703.993.4840
Mick Kicklighter
Click here to subscribe. Visit us online Director, CIP/HS
George Mason University, School of Law
for this and other issues at

http://cip.gmu.edu
The CIP Report July 2010

The Government Facilities Sector

by Mark P. Harvey
Infrastructure Protection Branch Chief
Risk Management Division
Federal Protective Service

Sector Overview centric philosophy to a mission- The Federal Protective Service


continuity philosophy. The sector (FPS), as part of the Department of
The Government Facilities Sector remains focused on applying best Homeland Security’s (DHS)
(GFS) is one of the largest and most practices for preserving the National Protection and Programs
diverse sectors within the National reliability of cyber elements housed Directorate (NPPD), is the Sector-
Infrastructure Protection Plan within facilities. In addition to Specific Agency (SSA) for the GFS.
(NIPP), and includes Federal, Building on its traditional role as
State, local, tribal, and protector of facilities owned and
territorial assets and associated leased by the General Services
elements located around the Administration (GSA), FPS
world. Although some types of coordinates efforts among
government facilities are government at all levels to
exclusive to the GFS, identify, assess, and enhance the
government facilities also exist protection of government
in most other sectors, but were facilities determined to be
categorized based on nationally critical.
predominant use. Many of
these assets and associated The GFS also includes the
elements are highly complex Education Facilities Subsector,
and require the highest levels of which covers pre-kindergarten
security because of their through 12th grade schools,
sensitive and unique mission, institutions of higher education,
while others are necessarily open and business and trade schools.
to the public to provide routine This subsector includes both
services. In all cases, the government-owned facilities and
American people depend on the facilities owned by private-sector
services provided by these entities, so it faces some unique
facilities on a daily basis, whether a these preventive and protective challenges. FPS works in close
facility is providing a routine measures, the GFS has assumed coordination with the Department
government service or ensuring responsibility for promoting of Education with regard to all
their safety and security. awareness of key Federal schools.
information security initiatives and
In addition to physical structures, compliance with industry standards, The sheer size and scope of the GFS
the sector also considers cyber and has begun educating building poses a challenge in providing for
elements that contribute to the occupants, employees, and sector infrastructure protection efforts.
protection of sector assets. The GFS partners about the dangers of cyber The Federal government alone
is increasing attention to cyber threats and the impact of these manages more than 3 billion square
security as its protective role ex- threats across the sector.
pands from a human- and asset- (Continued on Page 3)
2
The CIP Report July 2010

Sector Overview (Cont. from 2)

feet of space and more than 650 inherently governmental focus, against physical facilities,
acres of land. The sector also covers security partners are limited to government personnel, and
the facilities owned and operated by representatives from Federal, State, governmental cyber systems. The
the more than 87,000 municipal local, or tribal government entities sector contains a number of assets
governments across the Nation, as involved in the protection of that must be open to the public
well as U.S. embassies, consulates, owned or leased facilities. FPS also to conduct their daily activities,
and military installations located represents the sector on the NIPP including such places as Social
all over the world. These facilities Federal Senior Leadership Council Security offices, Department of
face a full range of both natural and and through similar coordinating Motor Vehicle (DMV) locations,
man-made hazards. mechanisms established by other city halls, and so on. While many
CIKR sectors. government facilities require public
Sector Coordination Efforts access, others are highly secure and
Threats to the Sector restricted. These locations often
Overall GFS coordination is take advantage of multiple and
conducted through FPS Although the sector has been a layered security measures, and
Headquarters, as the focal point for leader in security and preparedness, contain highly sensitive information
SSA activities and responsibilities. significant efforts to manage risk or materials.
Coordination mechanisms are continue to be applied.
utilized within the GFS and cross- Government facilities are attractive During the past year, there have
sector to support GFS activities. and strategically important targets been several attacks aimed at
The GFS has sought to improve the for both domestic and international government facilities and
coordination of sector partners and terrorists. Their symbolism, occupants, including the plane
identify challenges that can be importance, and the value their crash at the Internal Revenue
solved effectively through their services provide make them vital Service (IRS) facility in Austin, and
combined efforts. The GFS has elements of their respective the shooting incidents at the
traditionally been a leader in communities, and protecting these Pentagon, Fort Hood, and the
securing assets, and there are many facilities remains a national priority. Federal Courthouse in Las Vegas.
valuable lessons that can be shared In addition, the size and dispersion These attacks are a reminder of the
across the sector. of government facilities and magnitude of threats faced by the
associated elements introduces the GFS because of their high-profile
Interdependencies that exist full range of natural hazards that nature.
between sectors are one reason why can potentially impact the sector.
coordination mechanisms are Because of the high-profile nature Mitigating Sector Risks
critical to sector planning and of the sector, government facilities
operational efforts. Government operate within a very dynamic risk FPS has been actively involved in
facilities are highly interconnected, environment requiring a variety of enhancing the security posture of a
both physically and through a well-coordinated protective broad scope of Federal facilities by
variety of information and measures to ensure the safety and utilizing a variety of programs and
communications technologies. security of citizens and the tools, such as Operation Shield, the
continued availability of essential National Countermeasures
A Government Coordinating government functions. Program, the Occupant Emergency
Council, chaired by FPS, is the Plan Guide, and the Risk
primary coordination point with A historical examination of Assessment and Management
representatives from the terrorist attacks in modern times Program.
government entities with the shows the GFS to be the most
responsibility for the protection of frequently attacked of all the 18
government facilities. Due to its CIKR sectors; this includes attacks (Continued on Page 4)
3
The CIP Report July 2010

Sector Overview (Cont. from 3)

In an effort to avert or obstruct management issues. In the past, event of an incident inside or
potential insider threats as part of FPS utilized several contracts and immediately surrounding a facility.
terrorist operations and criminal vendors to supply screening For example, in February 2010, a
activity in and around Federal equipment for Federal facilities. The small plane crashed into a building
facilities, FPS employs Operation new contracts, established by the occupied by the IRS in Austin,
Shield. Operation Shield NCP, allow FPS to more effectively Texas. During the FPS
systematically measures the manage screening operations for investigation of the crash, reports
effectiveness of FPS Federal facilities by utilizing one from employees in the building
countermeasures, including the central point of service to acquire, revealed that the IRS had well-
effectiveness of FPS’ Protective train, maintain, and replace written and well-rehearsed OEP
Security Officers in detecting the screening equipment on established and evacuation procedures. IRS
presence of unauthorized persons schedules. FPS has awarded five- employees had sighted and reported
and potentially disruptive or year blanket purchase agreements to the low-flying plane and initiated
dangerous activities. Operation Smiths Detection, to lease x-ray the facility’s OEP, which was
Shield is a comprehensive operation machines, and Ceia-USA, to appropriately executed. The facility
that combines physical security purchase metal detectors. was estimated to have housed as
expertise and law enforcement many as 200 individuals as the
authority into an enhanced security In emergency situations, Occupant plane approached, yet the final
team to provide a visual deterrent at Emergency Plans (OEPs) can be tenant casualty toll included one
FPS-protected facilities, with the used to minimize the potential for fatality and 13 injuries. The saving
goal of demonstrating the outcomes involving devastation and of countless lives can be credited to
preparedness and agility of FPS’ chaos. OEPs describe the actions the rehearsal and execution of an
response to the current threat that occupants should take to established OEP for the facility.
environment within our Federal ensure their safety during an
community. emergency situation, and by To assist other agencies with the
providing facility-specific response development of these plans, FPS has
FPS has conceptualized and procedures for occupants to produced an OEP Guide that can
developed the National follow, OEPs can reduce the threat be used as a reference tool and
Countermeasures Program (NCP) to personnel, property, and other template when developing an OEP
to address all FPS countermeasure assets within the facility, in the for a facility. This guide provides
guidance pertaining to the
preparation, implementation, and
maintenance of OEPs with regard
to national preparedness efforts of
the NIPP and National Response
Framework (NRF), and serves as a
step-by-step approach for
developing, implementing, and
maintaining OEPs.

FPS developed and implemented


the Risk Assessment and
Management Program (RAMP) to
improve risk mitigation at Federal
facilities and enhance the safety and

Photo courtesy of FPS. (Continued on Page 5)


4
The CIP Report July 2010

Sector Overview (Cont. from 4)

security of building occupants. This (From left to right) Former FPS Director Gary Schenkel, Susan Burrill, Chief of
comprehensive tool was developed Staff Michelle Bryan, and Acting Deputy Director Richard Cline at the NextGov
to improve and standardize the way Awards. Photo courtesy of FPS.
FPS collects and manages
information at every step of the
security planning process, from the
initial collection of data, to risk
assessment, and countermeasure
implementation. RAMP was
launched in November 2009; it is a
secure, Web-enabled system that
has improved the way FPS collects,
stores, analyzes, and shares security
data on Federal facilities.

RAMP is based on a rigorous,


quantitative, and standards-based
risk assessment methodology. This
methodology conforms to the NIPP functions and services without
baseline criteria to mitigate risk by analysis. disruption. Sector partners work
incorporating threat, vulnerability, • Perform comprehensive analyses together to implement a long-term
and consequence considerations. of risks posed to Federal facilities government facility risk
RAMP will help FPS to better and the means of reducing these management program, organize and
manage the range of risk risks. partner for government facility
assessments, security tracking, and • Automate basic administrative protection, integrate government
measurement processes, and RAMP tasks, such as generating and facility protection as part of the
users will be able to: routing letters, reports, homeland security mission, manage
presentations, and statistical and develop the capabilities of the
• Assess and analyze potential risks analyses, and will allow for easy GFS, and maximize efficient use of
to Federal facilities stemming from access to Occupant Emergency resources for government facility
crime, natural hazards, and Plan information, callback lists, and protection.
terrorism to calculate the other critical information that was
probability that an adverse impact previously spread across multiple For additional information on the
will occur. systems. Government Facilities Sector or the
• Store, access, and report risk Federal Protective Service, send an
assessment findings, including The implementation of RAMP is a email to NIPP-GFS@dhs.gov.
historical information from major milestone for FPS, and is
pervious assessments and other expected to lead to significantly Additional Highlights
documentation, in a central improved security planning at
location. Federal facilities. 2009 Presidential Inauguration
• Automate and track
countermeasures The GFS continues to strive toward During the 2009 Presidential
recommendations, implementation a preparedness posture that ensures Inauguration, FPS conducted a
status, and life-cycle replacement the safety and security of major law enforcement effort to
schedules for security products. government facilities located support the safe, efficient transition
• Provide countermeasure product domestically and overseas, to of executive power. FPS
information to assist in cost-benefit preserve essential government (Continued on Page 15)
5
The CIP Report July 2010

The Interagency Security Committee

by Austin Smith
Executive Director, Interagency Security Committee

Protecting our Federal facilities About the ISC Single-Standard Approach


against evolving threats requires
setting and implementing robust, risk- Following the bombing of the The ISC’s new standards, Physical
based security standards. These Alfred P. Murrah Federal Building Security Criteria for Federal Facilities
standards leverage over a decade of in Oklahoma City, an Executive (PSC) and the Design-Basis Threat
collaboration and research by experts Order was signed establishing the Report (DBT), establish baseline
across the Federal government to ISC to address government-wide physical security measures for all
establish adaptable security measures security for Federal facilities. The nonmilitary Federal buildings and
that will better secure our Federal Assistant Secretary for Infrastructure facilities. The new standards
infrastructure. Protection within the NPPD of bolster protection against terrorist
DHS chairs the committee. attacks and other threats based on
- Secretary Janet Napolitano, Composed of chief security officers ongoing risk assessments. They
Department of Homeland Security, and other senior executives from 45 are innovative, reflect extensive
April 12, 2010 Federal departments and agencies, participation by ISC members, and
the ISC’s mission is to enhance the consolidate prior standards.
Committee Creates Security quality and effectiveness of physical
Standards to Better Safeguard security in the more than 3.26 The Physical Security Criteria for
Federal Facilities billion square feet of civilian Federal Federal Facilities is the culmination
facilities in the United States. of 15 years of information
Protecting the Nation’s more than The ISC has promulgated several gathering, information sharing,
300,000 nonmilitary Federal security standards and best practices and lessons learned in Federal
facilities begins with the creation that have contributed significantly facility security. It provides
and implementation of facility to the security of the Nation’s consistency across existing
security standards and best Federal facilities. standards and consolidates them
practices. The organization tasked into a single source for all facility
with this responsibility is the The full ISC meets quarterly. physical security standards — a
Interagency Security Committee Members serve on subcommittees compendium of standards.
(ISC).1 On April 12, 2010, the ISC and working groups to develop
released a new standard that physical security policies and The compendium establishes a
supersedes earlier standards and an standards that mitigate threats to baseline set of physical security
accompanying threat analysis employees and the visiting public. measures to be applied to all Federal
document. Used together, these The ISC also engages with industry facilities, at the same time that its
documents will standardize and and other government stakeholders framework allows for customization
strengthen security at covered to advance best practices. of security measures to address
Federal facilities. unique risks at a facility. These
Physical Security Criteria for
Nonmilitary Federal Facilities: A (Continued on Page 17)
1
The Interagency Security Committee resides organizationally in the Department of Homeland Security’s National
Protection and Programs Directorate, under the Office of Infrastructure Protection.

6
The CIP Report July 2010

“Safe, Secure, and Sustainable Facilities”

Co-hosted by the Federal Facilities Council of the


National Academy of Sciences and the
Institute for Infrastructure and Information Assurance at
James Madison University

National Academy of Sciences, Washington, DC


May 13, 2010
Event Overview

Today’s economic and political environment has generated a tremendous premium and demand for facilities
that are both secure and sustainable. Designing and renovating facilities that are both sustainable and secure
is challenging, but with proper life-cycle planning, coordination, and good engineering, such designs are
feasible. This year’s event was the fifth annual homeland security symposium co-hosted by the Federal
Facilities Council and the Institute for Infrastructure and Information Assurance, organized to bring
together speakers from government, academia, and the private sector to identify areas of synergy, potential
conflicts, and trade-offs among security and sustainability requirements.

The agenda included several case studies highlighting methods to achieve balanced design solutions that
minimize environmental impacts and energy use as well as ensuring the health, safety, security, and comfort
of building occupants. Case studies addressed the new DHS Headquarters complex, the Pentagon
Renovation Program, and innovations associated with the design for the United States Embassy in London.
Architectural design techniques to avoid security features posing an “armed camp” appearance were
described. An important symposium theme was the role of building control systems in achieving effective
security and energy saving solutions. Speakers discussed and provided updates on government and
industrial facility design standards, requirements, and building code documents. DHS provided an overview
of their research agenda for sustainable and
secure building materials. Looking to the future,
the symposium included an overview of the
importance of educating the next generation
on designing for sustainability based
on James Madison University’s new
engineering program with a focus on
sustainability.

For more information or to obtain a copy of


the symposium agenda and proceedings, please
contact Cheryl Wilkins, elliotcj@jmu.edu,
(540) 568-4442, or visit the symposium
website at: http://www.jmu.edu/iiia/2010
John Noftsinger, JMU Vice Provost for Research and Public
symposium/index.html. Service. Photo courtesy of JMU IIIA.

7
The CIP Report July 2010

Energy Smart & Greener Commercial Facilities:


New Challenges in Protecting KRitical Feds
by Michael Ebert, Principal Research Associate, CIP/HS, George Mason University
Duminda Wijesekera, Associate Professor, Department of Information and Software Engineering, George Mason, and
James A. Momoh, Professor, Electrical Engineering School of Engineering, Howard University

While the overall theme of this not occurred. The loss of classification of Federal buildings
issue of The CIP Report pertains to significant pools of human recommended...“by the DOJ
Government Owned Facilities in intelligence (including contractors) Study.”2 On October 19, 1995,
the contexts of critical working at Federal government Executive Order 12977 created the
infrastructure protection and owned or leased facilities renders ISC, whose mission was “to
homeland security, this article takes the Nation more vulnerable to new establish policies for security in and
a slightly different look: are key attacks as well as hampering our protection of Federal facilities.”3
resources (KR) — highly essential ability to recover rapidly from
Federal human resources — subsequent attacks or natural On October 15, 2001, just 35 days
adequately protected in commercial disasters. after the terrorist attacks against
facilities where the government has New York City and Washington,
leased space for its critical work- The path to Federal Interagency DC on September 11, 2001, an
force? Digging deeper, do new and Lease Security Standards (LSS) “instructional letter,”
emerging technologies and systems started in 1995 after the Oklahoma Implementation of the ISC Security
that are major components of large City domestic terrorist attack on a Design Criteria for New Federal
buildings and facilities — Federal office building. On April Office Buildings and Major
government owned or leased 20, 1995, President Bill Clinton Modernization Projects was issued by
commercial space — raise new directed the DOJ to assess the Public Buildings Service (PBS),
security challenges and risks for vulnerabilities of Federal office an entity within the GSA.
“KRitical Feds,” especially with buildings, particularly with regards According to the letter, “for all
regard to cybersecurity? Unlike to “acts of terrorism and other existing owned and leased space,
data and information systems, forms of violence.”1 Two months PBS will adhere to the minimum
which hopefully are secured using later, on June 28, DOJ released the standards set out in the DOJ
the best knowledge and report, Vulnerability Assessment of vulnerability study.”4 It was not
technologies available, and which Federal Facilities. That same day, until April 26, 2002 that Federal
exist elsewhere in at least one the President issued an executive security standards expanded to
physical facility, human intelligence memorandum entitled Upgrading leased commercial space and
can be far more difficult to protect Security at Federal Facilities. Among construction projects. The ISC
and is unlikely to be “redundant” other things, the President ordered directive, which was effective
— that is, highly effective and that, where feasible, Federal immediately, stated that “if a
continuous knowledge sharing/ facilities be increased to “minimum Regional Office cannot recommend
transfer among seasoned security standards” recommended
government officials and staff has for a particular security (Continued on Page 9)
1
http://www.gsa.gov/gsa/cm_attachments/GSA_DOCUMENT/RSL_ISC_Security_for_Leased_Space_R20O3-
e_0Z5RDZ-i34K-pR.pdf.
2
http://www.presidency.ucsb.edu/ws/index.php?pid=51554.
3
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=1995_register&docid=fr24oc95-145.pdf.
4
http://www.gsa.gov/gsa/cm_attachments/GSA_DOCUMENT/RSL_ISC_Security_for_Leased_Space_R20O3-
e_0Z5RDZ-i34K-pR.pdf.

8
The CIP Report July 2010

Green Facilities (Cont. from 8)

a site for new Federal construction George Mason University’s by the Building Owners and
or lease — construction project that Arlington, VA campus reveals a Managers (BOMA/Chicago) found
will achieve the 50-foot standoff large number of commercial that electricity costs are the second-
distance, an exemption must be buildings with mixed-tenant profiles highest component in operation
issued by the Commissioner of the (Federal, non-Federal, and retail of large facilities — a close second
PBS.”5 More than one year later, on traffic). only to property taxes. In a hightly
July 8, 2003, an ISC subcommittee competitive commercial buildings
published a report on leased The FPS, a law enforcement and environment, making significant
building security standards, and on security agency within DHS, reductions in this “low-hanging
February 10, 2005, the ISC provides the agents, guns, fruit” cost area confers competitive
approved the subcommittee’s and technologies to over one advantage and enhanced public
recommendations, Security million tenants and daily visitors to image. However, to implement
Standards for Leased Space.6 On GSA-owned and GSA-leased efficient green/smart technologies
April 12, 2010, as mentioned in an facilities.8 The challenge for FPS such as Advanced Metering
earlier article, the ISC released a and the security risks for Federal Infrastructure (AMI), Demand
new standard as well as a new and non-Federal occupants and Response (DR), “Nega-Watts” and
accompanying threat analysis visitors is that in a mixed-tenant net metering, “smarter” energy-
document which supersede previous environment, it is very difficult to consuming components, energy and
standards. During the next two secure a building. information technology systems are
years, the standards will be converging rapidly; utility-owned
implemented and field-tested.7 The risks and protection/security “closed” communications systems
challenges for Federal KRs and the are moving to public networks and
It is quite easy to run searches that general public have become more especially the Internet.
provide lists of Federal facilities as difficult since the leased standards Electromechanical and pneumatic
well as commercial, federally leased were introduced in 2005. “Green” controllers are rapidly giving way to
facilities within customizable energy efficient buildings and direct digital controllers for which
geographic regions. Search results “smart” energy grids are being the underlying communications
provide street coordinates and brief designed and implemented at an protocols are “IP” — Internet
descriptions of the Federal tenant(s). accelerated pace, in part as a result protocols. Large and small energy
In Washington, D.C., for example, of Federal cost-sharing for smart- consuming devices, new and old,
the number of GSA-owned versus green grids in the American are being manufactured or
GSA-leased facilities is Recovery and Reinvestment Act retrofitted with smart/green
approximately equal. However, (ARRA). Even absent money from controllers, sensors, meters, and RF
outside Washington, D.C. — the ARRA, the move to green modems, routers, etc. — much of it
including greater metropolitan parts buildings and smart energy grids is through the use of wireless
of Maryland and Virginia — the inevitable — this is largely a positive technologies.
sheer number of GSA-leased development as citizens, property
facilities is significantly greater than owners-managers, and public Thus, security risks for critical
GSA-owned. That is not surprising: officials grapple with increasing facilities, regardless of ownership,
a walk around the 15 to 20 block energy and electricity costs (despite are increasing as are the number of
radius of the Center for the recession), climate change, aging points of vulnerability.
Infrastructure Protection and electric infrastructure, and alarming
Homeland Security (CIP/HS) at workforce demographics. A study (Continued on Page 16 )
5
http://www.gsa.gov/graphics/pbs/ISC_Implementation_of_the_ISC_4-26-02.pdf.
6
This report is available at http://www.oca.gsa.gov.
7
Please see the article, The Interagency Security Committee (ISC), on page 6 for more information.
8
http://www.gsa.gov/Portal/gsa/ep/contentView.do?P=PS&contentType=GSA_OVERVIEW&contentId=11911.
9
The CIP Report July 2010

The Federal Protective Service (FPS):


The Federalization of Guards
Within the past year, FPS has faced complete 128 hours of training guards were reported to have used
criticism from both the GAO and prior to their first day on the job government computers to maintain
the House Committee on and must complete 40 hours of a for-profit adult website,
Homeland Security. At the center refresher training every two to three accidentally firing a weapon in the
of the debate is the question of years. Particular contracts often restroom while practicing drawing
whether FPS should rely more upon also require guards to hold specific it, and incorrectly storing
Federal employees and less upon certifications. GAO reviewed the semiautomatic handguns. The
contractors and, on a deeper level, records of a sample of guards and as most damaging result of the
whether FPS is accomplishing its late as July 2009, 62% of the guards investigation was the revelation that
designated mission to protect employed by FPS contractors were GAO investigators had managed to
Federal facilities. FPS is the not fully certified or had expired smuggle bomb components
primary agency responsible for certifications, in violation of FPS’s through security at all ten of the
security and law enforcement for own regulations. By February covertly tested sites. In the 53 tests
approximately 9,000 Federal 2010, that number was down to it has conducted since July 2009,
facilities managed by GSA. FPS 34%. However, according to GAO, GAO reported that guards failed to
employs over 1,200 full-time none of the guards identified in its recognize guns or knives at
employees; in addition, FPS investigation, who were part of a checkpoints more than half of the
consists of over 15,000 contract follow-up review, had received any time.
security guards. disciplinary action and all saw their
contracts renewed. In practice, After the GAO released the report,
In a recent report, which was there was substantial variance in the the House Homeland Security
released this April, GAO way contractors implemented FPS’s Committee held a hearing to
investigated FPS and its oversight of regulations on training. FPS was discuss the security of Federal
guards by analyzing FPS’s contract not performing regular performance facilities. While Chairman Bennie
files; visiting FPS sites; evaluations or maintaining proper G. Thompson acknowledged that
interviewing FPS officials, guards, files on guards. In addition, when FPS has diligently worked to
and contractors; and covertly contract issues emerged, FPS address the challenges listed in the
testing the security at ten Federal frequently failed to take proper report, it was suggested during the
facilities. GAO chose to visit level action with contractors to remedy hearing that a possible solution to
IV facilities, defined as those with these issues. the aforementioned problems
over 450 employees and significant would be to decrease FPS’s use of
public contact. These were large- According to the report, the lack of contractors and to federalize the
scale facilities in four major proper training was apparent when guards. Committee members raised
metropolitan areas, chosen because guards responded incorrectly to the argument that small-scale fixes
they represent regions where more test scenarios. For example, guards would not be sufficient in the face
than half of FPS guards operate. at high-level facilities committed of such severe deficiencies.
errors such as leaving evacuation
GAO reported that it found points unguarded, incorrectly Steven Amitay, representing the
numerous issues with the security of allowing employees into a building National Association of Security
the facilities and with FPS’s during an incident with a Companies (NASCO), emphasized
adherence to the regulations suspicious package, and being the number of serious incidents that
governing the hiring, firing, unsure as to when and where they
training, and employment of could and should act to detain
guards. Guards are required to escaping suspects. In addition, (Continued on Page 11)
10
The CIP Report July 2010

Federalization (Cont. from 10)

have occurred at Federal facilities training and benefits for guards. He employees and contractors, it was
within the past year where contract also argued that federalized guards considering the possibility of
security guards had either would have, on average, more federalization. According to
neutralized a deadly threat or played experience than contractors. Ervin Schenkel, NPPD is conducting a
an important role in the incident. cautioned against thinking that study which will consider
He referred specifically to the deadly federalizing guards would alone fix federalization. The study is
shootings at the Holocaust Museum the identified problems. He expected to be included in the
and the Pentagon as examples. In advocates for a wide spectrum of FY2012 budget.
fact, he somberly noted that changes, such as better pay, training,
contract security guards had died in and benefits to accompany such a Finally, David Wright spoke on
the line of duty at both of those move. behalf of the FPS union, offering an
incidents. He also stated that employee perspective on the issue.
replacing contractors with Federal Mark Goldstein spoke on behalf of He stated that he found the current
employees may double or even the GAO. He reiterated the results ratio of Federal employees to
triple the cost of filling positions. of their study and emphasized the contractors troubling and that this
In addition, he argued that troubling nature of the failures on move towards contractors stemmed
federalization would not the part of FPS. He recommended from, in his view, incorrect
significantly improve performance. a series of changes with regards to decisions FPS made in the
He pointed out that when the management of FPS’s contractor aftermath of the Oklahoma City
Transportation Security guards; however, he stopped short bombing in 1995. He argued that
Administration (TSA) screeners had of explicitly recommending Federal buildings could not be
been similarly federalized, federalization choosing instead to protected in the same manner as
assessments of this new approach recommend that FPS identify commercial facilities. Wright
demonstrated more or less the same “other options” to protect Federal contended that GSA and DHS had
rate of failure in covert tests after buildings that would be most erroneously attempted to make
the screeners have been federalized. appropriate. Federal guards journeymen and cut
He also contended that if the root costs, both of which were disastrous
cause of these problems is poor Gary Schenkel, former Director of in his opinion. He also asserted
training, then federalization would FPS, made a point of emphasizing that Federal employees would have
not help because the training is the sheer amount of facilities, a greater stake in protection than
already administered by the FPS. guards, and incidents FPS deals short-term contractors. Wright was
Amitay stated that, given the proper with on a daily basis and the unique emphatic in his support for giving
commitment of time and resources challenges it has endured while FPS and its guards more resources
to current initiatives, NASCO transitioning to a location within and federalizing guards.
believes the current deficiencies can DHS. FPS transferred into DHS
be corrected. in 2003; however, per the request of This most recent GAO report is not
the President’s Fiscal Year (FY) 2010 the first time FPS has faced external
Clark Ervin spoke as an Budget, FPS recently transitioned criticism. Last October, GAO
independent expert from the Aspen into the NPPD from U.S. released the results of an audit they
Institute. He stated that the Immigration and Customs (ICE). conducted of FPS’s overall security,
persistent concerns repeatedly Schenkel also listed some of the an audit that had begun in January
identified within FPS made initiatives FPS had recently begun 2008. While GAO reported that
federalization of security guards a and the improvements it had made FPS was making progress, GAO
necessity. He argued that because in many areas, including guard listed continuing deficiencies in the
security contractors are for-profit management. He indicated that areas of information sharing,
companies, they have an inherent while FPS could achieve its mission
incentive to save money by reducing with its current mix of Federal
(Continued on Page 16)
11
The CIP Report July 2010

Legal Insights

Risk Analysis of Security Countermeasures for Federal Facilities

Federal facilities — to be implement the legal security continuing government-wide


understood as any facility with standards and criteria outlined in security for Federal facilities.”5
Federal employees as occupants — the FMR for buildings under their The ISC was created on October
are among the most important care, GSA combines threat 19, 1995 by Executive Order
elements of any national assessments based on intelligence 12,977; it designates the
infrastructure, and, as a result, their analysis with vulnerability and Administrator of the GSA as the
physical security is at a consequence assessments. These chair of the ISC, and identifies
disproportionately higher risk than methodologies provide an specific duties that “pertain to the
most non-Federal facilities. The understanding of the threats, assessment of technology and
GSA is the government agency vulnerabilities, and potential information systems as a means to
charged with ensuring the security consequences of attacks or other providing cost-effective
of Federal facilities in the United hazards, and figure into a “thorough improvements in security in Federal
States. The policies outlined in and comprehensive decision- buildings,” as well as “the
GSA’s Federal Management making process that is applied on a development of long-term
Regulation (FMR) — last amended building-by-building basis.”3 construction standards for those
in August 2009 as the successor to locations with threat levels or
the Federal Property Management Security Design Criteria for missions that require blast resistant
Regulation (FPMR) — constitute Federal Facilities structures or other specialized
the body of regulatory law that security requirements.”6 In response
control property and management According to the FMR, executive to these duties, the GSA and ISC’s
practices on Federal facilities.1 The agencies making use of facilities Long-Term Construction Standards
policies outlined in Subpart B of built prior to May 28, 2001 must Standards Working Committee
the FMR, in particular, address the upgrade and maintain security to drafted the “Interagency Security
legal standards and criteria for the minimum standards specified in Committee Security Design
ensuring the security of federally the DOJ’s June 28, 1995 study Criteria for New Federal Office
owned and leased facilities.2 entitled, “Vulnerability Assessment Buildings and Major
of Federal Facilities” (hereafter, Modernization Projects” (hereafter,
Traditional law and economics have Vulnerability Assessment).4 This ISC Security Criteria).7 The
provided major analytical tools for DOJ study also calls for the document is dated May 28, 2001,
assessing various forms of risk, as creation of an Interagency Security after the Office of Management and
well as devising forms of legal Committee (ISC) to “provide a
intervention. In order to uniformly permanent body to address (Continued on Page 13)
1
GSA Background and History, available at http://www.gsa.gov/Portal/gsa/ep/contentView.do?contentType=GSA_
OVERVIEW&contentId=13339.
2
Federal Management Regulation (2010), available at http://www.gsa.gov/federalmanagementregulation.
3
Moravec, Joseph F., Memorandum for Heads of Services and Staff of ICES Regional Administrators (Oct., 2001): p. 3.
4
Federal Management Regulation (2010): Section 102-81.15.
5
Moravec, Joseph F., Memorandum for Heads of Services and Staff of ICES Regional Administrators (Oct., 2001): p. 1.
6
Ibid.
7
Federal Management Regulation: Section 102-81.20.
12
The CIP Report July 2010

Legal Insights (Cont. from 12)

Budget (OMB) and the National stipulates that existing Federal laws conceivable scenario. As a result,
Security Council conferred their and statutes, as well as other agency some risks can be mitigated, while
final approval. standards developed for “special others simply must be accepted.12
facilities,” such as border stations, The economic necessity of this type
Whereas the DOJ’s Vulnerability take precedence over the ISC of trade-off engenders a resource
Assessment was developed to ensure Security Criteria. allocation problem that requires an
that security issues are addressed appropriate balance between
during the periods of planning, Despite the foregoing list of considerations of risk, available
design, and construction for existing exemptions, the combined resources, and mitigation measures.
Federal facilities, “new” Federal regulatory impact of the DOJ’s To aid itself in making the difficult
facilities, that is, those owned or Vulnerability Assessment and the ISC choices about the appropriate
leased after May 28, 2001, are Security Design Criteria is difficult to balance, GSA employs a decision
subject to the ISC Security Design overestimate: several thousand procedure known as cost-benefit
Criteria. The ISC Security Design facilities are affected where more analysis, a cornerstone of modern
Criteria do not, however, apply to than one million people work every economics and a staple of OMB
all new Federal facilities. The FMR day.10 Indeed, the ISC Security methodology.13
explicitly enumerates several types Criteria alone governs the security
of Federal facilities that are, for of (i) all new “general purpose” On its utility as a resource allocation
various reasons, outside the scope of office construction, i.e. decision procedure for responding
the ISC Security Design Criteria. construction initiated after May 28, to catastrophic risks, that is, risks of
These include airports, prisons, 2001, (ii) new or lease-construction low or unknown probability that, if
hospitals, clinics, and ports of entry, of courthouses, (iii) lease- materialized, will inflict heavy
as well as any facilities that are construction projects being losses. Judge R. Posner describes
under the jurisdiction or control of submitted to Congress for cost-benefit analysis as:
the Department of Defense.8 So- appropriations or authorization,
called “unique facilities,” those and, “where prudent appropriate,” [A]n indispensable step in rational
classified as “Level V” facilities by and (iv) major modernization decision making in this as in other
the Vulnerability Assessment, such as projects.11 areas of government regulation.
the Pentagon, U.S. Department of Effective responses to most catastrophic
State, and Central Intelligence The Cost-Benefit Logic of Security risks are likely to be extremely costly,
Agency Headquarters, are subject to Countermeasure Selection and it would be mad to adopt such
unique security standards and responses without an effort to estimate
therefore outside the scope of the No agency can justify or afford to the costs and benefits. No areas of
ISC Security Design Criteria.9 In implement every possible security government is going to deploy a system
the case of conflicting security countermeasure for every
standards, the FMR further (Continued on Page 14)
8
The Department of Defense (DoD) has implemented antiterrorism security requirements to meet its specific needs
in the Unified Facilities Criteria (2002) and Unified Facilities Guide Specification.
9
Vulnerability Assessment of Federal Facilities, Department of Justice (June 1995): Appendix C-1, Classification Table.
10
The Site Security Design Guide (2007): p. 7, available at http://www.gsa.gov/graphics/pbs/GSA_Cover_Intro_8-8-
07.pdf.
11
Federal Management Regulation: Section 102-81.25.
12
The Site Security Design Guide (2007): p. 11.
13
Cost-Benefit analysis is, for example, the principal tool employed by OMB’s Office of Information and Regulatory
Affairs (OIRA) in order to assess the efficiency of “economically significant” regulations. Every executive agency,
from the Department of Homeland Security (DHS) to the Department of Veteran’s Affairs, is compelled by OIRA
to justify the efficacy of its regulatory policies within the economic framework of cost-benefit analysis.

13
The CIP Report July 2010

Legal Insights (Cont. from 13)

of surveillance and attack for decision theorists call a loss function, Criteria ‘recommends’ that new
preventing asteroid collisions, for a mapping of consequences to buildings achieve a standoff distance
example, without a sense of what the corresponding monetary estimates from a potential point of explosions of
system is likely to cost and what the of loss. at least 50 feet. The absolute
expected benefits are likely to be minimum distance required is 20 feet.
(roughly, the costs of asteroid Conclusion: Legal Implications of However, we know from our
collisions that the system would the GSA’s Cost-Benefit exhaustive research on this subject,
prevent multiplied by the probabilities Methodology that each foot that a building is
of such collisions) relative to the costs further removed from the center of the
and benefits both of alternative Despite its advantages, cost-benefit blast, there is less damage to human
systems and of doing nothing.14 analysis is not without its problems. life and property. We also know that it
In addition to the difficulties that costs us less in bricks and mortar to
Suppose, for example, that GSA is come with estimating probabilities protect our buildings as the standoff
in the process of assessing for rare, catastrophic threats, the distance is increased…The Office of
countermeasures to mitigate the risk breakdown of a countermeasure the Chief Architect is working with
posed to a Federal office building by selection problem in terms of a set expert consultants to try to quantify
the threat of an explosion. Before of credible threats, non-monetary cost and lifesafety issues associated
any cost-benefit assessments can be consequences, and alternative with different standoff distances.15
made, a number of items must be mitigation measures is arguably
identified to ensure a well-defined more art than science. There is The challenges inherent in often
decision problem. These include room for ambiguity in the GSA’s emotionally fraught decisions about
the probabilities of credible threats of interpretation of the ISC Security what to protect are thus
explosion, the non-monetary Design Criteria. That is, the same compounded by the extremely
consequences if the threat of countermeasure selection problem expensive nature of many security
explosion materializes, as well the can be described and therefore countermeasures, as well as by the
space of competing, alternative analyzed in different ways difficulty of identifying and
countermeasures for either reducing depending on which “credible” estimating the component threats,
the probability of the threat of threats, consequences, and vulnerabilities, and consequences.
explosion or reducing the mitigation measures are emphasized The legal implications of this point
magnitude of the consequences if in the analysis. The ISC are potentially significant, since it
the threat of explosion materializes. Commissioner J. Moravec has follows that the letter of the law —
The space of non-monetary derided such ambiguity as as encapsulated in documents such
consequences includes both the “counterproductive.” In his words, as the FMR, Vulnerability
purely physical consequences, as Assessment, and ISC Security Design
well as what is known as the impact [S]ometimes too ‘wide a range’ of Criteria — underdetermines its
loss, the degree to which the Federal interpretation can be implementation. While ambiguity
government’s functions are impaired counterproductive to the intent of the in interpretation is nothing new to
if the threat of explosion criteria as we try to work with our the law, unlike interpretative gaps in
materializes. The space of non- clients to implement the objectives. the common law or statutory law,
monetary consequences then Standoff distance recommendations in there is no judicial mediation in the
admits a monetary interpretation the ISC [Security] Criteria fall into
through what economists and this category. The ISC [Security] (Continued on Page 15)
14
Posner, Richard, “Catastrophic Risks, Resource Allocation, and Homeland Security,” Journal of Homeland Security
(October 2005).
15
Moravec, Joseph F., Memorandum for Assistant Regional Administrators for Public Buildings Service (April, 2002): p.
1.

14
The CIP Report July 2010

Sector Overview (Cont. from 5) Legal Insights (Cont. from 14)

responsibilities consisted of law colleagues internal and external to present context. Whether this is an
enforcement, intelligence gathering FPS, Ms. Burrill was able to not acceptable state-of-affairs depends
and dissemination, and physical only plan the development of on whether and to what extent
security operations during the RAMP, but lead the effort to lawmakers and government officials
Inaugural events that occurred in revitalize multiple FPS programs want to defer to the professional
and around Federal Facilities. FPS that will utilize the system. Thus, judgment of administrators within
maintained a presence of over 400 RAMP became not only a software the GSA to fill interpretive gaps
Law Enforcement and Security tool, but a comprehensive program originating in cost-benefit
Officers, and utilized its Mobile that involved software, hardware, methodology. v
Command Vehicles to conduct and process improvements to
operations. multiple high profile programs.
Since leading the development of
2010 NextGov Award RAMP, Ms. Burrill has also overseen
the development and execution of
Susan Burrill, Risk Management the national level training initiative
Division Director, FPS, was one of for over 1,000 FPS personnel to
eight winners of the 2010 NextGov learn how to utilize this new system.
Award, which is aimed at Ms. Burrill provided exemplary
recognizing government executives leadership and direction during the
who have developed new ideas and development and integration of
taken risks to improve the way RAMP into the FPS community,
government works. The individuals and continues to do so every day.
nominated for this award have
developed innovative programs, Out of more than 100 nominations,
policies, and management practices, only 19 individuals were selected as
and have brought information finalists. These finalists were
technology into the field to improve honored at a special awards
Federal government strategies and luncheon and ceremony on May 27,
guide policy decisions. 2010, at the Gov 2.0 Expo in
Washington, D.C. The eight
Ms. Burrill spearheaded the winners of the NextGov Award have
development of RAMP, a demonstrated their ability to take
revolutionary new system that will on risks and used technology to
change the way FPS protects more develop solutions. v
than 9,000 facilities nationwide.
After initially conceiving the system,
Ms. Burrill recognized the great
importance of involving all facets of
FPS in its development, and quickly
stood up several working groups to
provide input and expertise toward
the requirements for RAMP. From
these sessions, she conducted
thorough analyses of existing
policies and practices, to further
develop the concept for RAMP.
Working closely with a multitude of

15
The CIP Report July 2010

Green Facilities (Cont. from 9)

Having separate HVAC standards leased buildings now can be bypassed without the threat even being in the
building; interception, cracking, and tampering with IP-based wireless systems can cause these and other systems to
fail or shut down outside the 50-foot perimeter. “Smart” meters and AMI allows utilities and consumers to achieve
savings and conserve energy. Smart meters can, for example, be connected and disconnected remotely, and “read” in
5 to 15 second intervals instead of once monthly. But persons with ill intent could also play havoc with electricity
and natural gas flows to buildings; sophisticated, large scale attacks on AMI could also negatively affect regional
grids. Controls and sensors on back-up generators could cause these units to fail. A worst-case example is an attack
on one of the most common — and critical — component of buildings: high-pressure boilers (HPBs). Intercepting
and cracking the data that controls “smarter” HPBs could allow the boiler to reach pressures beyond design load, at
which point these boilers become extremely destructive “bombs” capable of taking out facilities and killing or
maiming persons in or proximate to the facilities. Sadly, the current building power engineering workforce does not
have the technical training and proven skills to understand and mitigate these new threats.

Moving ahead, policymakers, FPS personnel, and commercial building operators-engineers must appreciate the
benefits as well as the risks of advances in building technologies and energy delivery systems. The current leased
building security standards are inadequate to emerging and near-future threats, and our security agents and power
engineering technicians need additional education and training to take full advantage of the good while knowing
how to prevent, detect, and defeat the bad. v

Federalization (Cont. from 11)

coordination, risk management, and the use of technology. GAO indicated that FPS was falling short of its
protection responsibilities and substantial improvements would need to be made not only within FPS, but also
within the way FPS works with GSA, DHS, and individual building tenants. In addition, in June, GAO provided a
report to the House Committee on Appropriations’ Subcommittee on Homeland Security detailing the results of a
study into FPS’s workforce analysis and planning efforts. GAO studied FPS’s strategic planning to fill its staffing
requirements and manage its human resources. GAO found that FPS had begun determining its workforce
requirements, but had not yet finalized its planning efforts. GAO expressed concerns about FPS’s ability to fund its
human resources needs, track its staffing accurately, and measure improvements in strategic human resources
management. GAO also recommended improvements to FPS’s hiring processes.

The 2010 legislation that moved FPS to its present location within DHS was primarily the result of similar GAO
reports on FPS in 2009. There is much to be done and many Federal facilities to be protected if FPS is to continue
in its mission of securing government facilities. v

References:

“Homeland Security: Greater Attention to Key Practices Would Improve the Federal Protective Service’s Approach
to Facility Protection,” GAO 10-142 (October 2009), http://www.gao.gov/new.items/d10142.pdf.

“Homeland Security: Federal Protective Service’s Use of Contract Guard Program Requires More Oversight and
Reassessment of Use of Contract Guards,” GAO 10-341 (April 2010), http://www.gao.gov/new.items/d10341.pdf.

“Federal Protective Service: Would Federalization of Guards Improve Security at Critical Facilities?” House
Committee on Homeland Security (April 14, 2010), http://homeland.house.gov/Hearings/index.asp?ID=246.
16
The CIP Report July 2010

ISC (Cont. from 6)

baseline measures provide Threat: An ISC Report. determine specific adversary


comprehensive solutions in each characteristics that performance
area of physical security, including The Design-Basis Threat Report standards and countermeasures are
site, structural, facility entrance, designed to overcome.
interior, security systems, and The ISC’s interim Design-Basis
security operations and Threat Report is a stand-alone threat The new standards will undergo a
administration. analysis released in tandem with the 24-month validation period of field
Physical Security Criteria for Federal testing and implementation, after
The Physical Security Criteria Facilities. The DBT establishes a which time the ISC will publish
compendium applies to all buildings profile of the type, composition, final versions. v
and facilities in the United States and capabilities of adversaries.
occupied by Federal employees for For more information on the ISC
nonmilitary activities, including Designed to correlate with the and Federal facility standards, visit
existing buildings, new countermeasures contained in the www.dhs.gov/isc.
construction, or major Physical Security Criteria
modernizations; facilities owned, to compendium of standards and to be For more information about critical
be purchased, or leased; stand- updated as needed, the DBT infrastructure protection, visit www.
alone facilities; Federal campuses analysis is an estimate of the threat dhs.gov/criticalinfrastructure.
and, where appropriate, individual facing Federal facilities across a
facilities on Federal campuses; and range of undesirable events. The
special-use facilities. analysis is based on the best
intelligence information, reports,
The new compendium supersedes assessments, and crime statistics
the physical security standards available to the ISC working group
established in the ISC Security at the time of publication.
Standards for Leased Space, ISC
Design Criteria for New Federal The DBT’s intent is threefold: to
Office Buildings and Major inform the deliberations of ISC
Modernization Projects, and the working groups as they establish
1995 Department of Justice (DOJ) standards; to support the calculation
Report. It also integrates some of of the threat, vulnerability, and
the standards and concepts that consequence to a facility when
will be contained in Facility Security calculating risk to that facility and
Committees: An Interagency Security determining an appropriate level of
Guideline, expected to be released protection when applying the ISC’s
later this year, and from Design-Basis new PSC standard; and, to

The Center for Infrastructure Protection and Homeland Security works in conjunction with James Madison Univerity and seeks to fully
integrate the disciplines of law, policy, and technology for enhancing the security of cyber-networks, physical systems, and economic
processes supporting the Nation’s critical infrastructure. The Center is funded by a grant from the National Institute of Standards and
Technology (NIST).

If you would like to be added to the distribution list for The CIP Report, please click on this link:
http://listserv.gmu.edu/cgi-bin/wa?SUBED1=cipp-report-l&A=1

17