Diplomatic Security:

Overseas Facilities May Face Greater Risks Due to Gaps in Security-Related Activities, Standards, and Policies

GAO-14-655: Published: Jun 25, 2014. Publicly Released: Jun 25, 2014.

Multimedia:

Additional Materials:

Contact:

Michael J. Courts
(202) 512-8980
courtsm@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

To manage risks at its overseas work facilities, the Department of State (State) tracks information about each facility, assesses threat levels at posts, develops security standards to meet threats facing different types of facilities overseas, identifies vulnerabilities, and sets risk-based construction priorities. For example, State assesses six types of threats, such as terrorism, and assigns threat levels, which correspond to physical security standards at each overseas post. However, GAO found several inconsistencies in terminology used to categorize properties and within the property inventory database used to track them, raising questions about the reliability of the data. For example, GAO identified a facility categorized as a warehouse that included offices and therefore should have been subject to more stringent standards. Gaps in categorization and tracking of facilities could hamper the proper implementation of physical security standards.

Although State has established physical security standards for most types of overseas facilities, GAO identified some facility types for which standards were lacking or unclear, instances in which the standards were not updated in a timely manner, and inconsistencies within the standards. The following are examples:

  •  It is unclear what standards apply to some types of facilities.
  •  In some instances, updating standards took more than 8 years.
  •  One set of standards requires anti-ram perimeter walls at medium- and higher-threat posts; another required them only at higher-threat posts. 

Furthermore, GAO found that State lacks a process for reassessing standards against evolving threats and risks. GAO identified several posts that put security measures in place that exceed the standards because the standards did not adequately address emerging threats and risks. Without adequate and up-to-date standards, post officials rely on an ad hoc process to establish security measures rather than systematically drawing upon collective subject-matter expertise.

Although State takes steps to mitigate vulnerabilities to older, acquired, and temporary work facilities, its waivers and exceptions process has weaknesses. When posts cannot meet security standards for a given facility, the posts must submit requests for waivers and exceptions, which identify steps the post will take to mitigate vulnerabilities. However, GAO found neither posts nor headquarters systematically tracks the waivers and exceptions and that State has no process to re-evaluate waivers and exceptions when the threat or risk changes. Furthermore, posts do not always request required waivers and exceptions and do not always take required mitigation steps. With such deficiencies, State cannot be assured it has all the information needed to mitigate facility vulnerabilities and that mitigation measures have been implemented.

GAO found that State has not fully developed and implemented a risk management policy for overseas facilities. Furthermore, State's risk management activities do not operate as a continuous process or continually incorporate new information. State does not use all available information when establishing threat levels at posts, such as when posts find it necessary to implement measures that exceed security standards. State also lacks processes to re-evaluate the risk to interim and temporary facilities that have been in use longer than anticipated. Without a fully developed risk management policy, State may lack the information needed to make the best security decisions concerning personnel and facilities.

To manage risk to overseas work facilities, State conducts a range of ongoing activities, including the setting of security standards. However, GAO identified a number of problems with these activities. Moreover, GAO found that State lacked a fully developed risk management policy to coordinate these activities (see figure). 

State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

Graphic of State’s Key Risk Management Activities and Decisions Concerning Facility Security and Problems Identified by GAO

This is the public version of a Sensitive but Unclassified report by the same title.

Why GAO Did This Study

U.S. policy can call for U.S. personnel to be posted to high-threat, high-risk posts overseas. To maintain a presence in these locations, State has often relied on older, acquired (purchased or leased), and temporary work facilities that do not meet the same security standards as more recently constructed permanent facilities.

GAO was asked to review how State assures the security of these work facilities. GAO evaluated (1) how State manages risks at work facilities overseas; (2) the adequacy of State's physical security standards for these facilities; (3) State's processes to address vulnerabilities when older, acquired, and temporary overseas facilities do not meet physical security standards; and (4) the extent to which State's activities to manage risks to its overseas work facilities align with State's risk management policy and with risk management best practices. GAO reviewed U.S. laws and State's policies, procedures, and standards for risk management and physical security. GAO reviewed facilities at a judgmental sample of 10 higher-threat, higher-risk, geographically dispersed, overseas posts and interviewed officials from State and other agencies in Washington, D.C., and at 16 overseas posts, including the 10 posts at which GAO reviewed facilities.

What GAO Recommends

GAO is making 13 recommendations for State to address gaps in its security-related activities, standards, and policies. State generally agreed with GAO’s recommendations.

Specifically, GAO is recommending that the Secretary of State:

1. Define the conditions when a warehouse should be categorized as an office facility and meet appropriate security standards.

2. Harmonize the terminology State uses to categorize facilities in its security standards and property databases.

3. Establish a routine process for validating the accuracy of the data in State’s property database.

4. Establish a routine process for validating the accuracy of the data in State’s risk matrix.

5. Identify and eliminate inconsistencies between and within State’s physical security guidance.

6. Develop physical security standards for facilities not currently covered by existing standards.

7. Clarify existing flexibilities to ensure that security and life-safety updates to the security standards are updated through an expedited review process.

8. Develop a process to routinely review all security standards to determine if the standards adequately address evolving threats and risks.

9. Develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

10. Automate waivers and exceptions documentation, and ensure that headquarters and post officials have ready access to the documentation.

11. Routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.

12. Develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.

13. Develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

For more information, contact Michael J. Courts at (202) 512-8980 or courtsm@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: State has defined the conditions when a warehouse should be categorized as an office facility and should meet appropriate physical security standards. These conditions, which are documented in the Foreign Affairs Handbook, state that for standalone warehouses used both for storage and full-time office space for U.S. government employees performing non-warehouse staff functions, the office space must meet the physical security standards for Sole Occupant of a Building or Compound.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct Office of Management Policy, Rightsizing, and Innovation (M/PRI), Bureau of Diplomatic Security (DS), and Bureau of Overseas Buildings Operations (OBO) to define the conditions when a warehouse should be categorized as an office facility and meet appropriate office physical security standards.

    Agency Affected: Department of State

  2. Status: Open

    Comments: State has taken steps to standardize data associated with domestic and overseas facilities, but it has not incorporated this standardized dataset into its physical security standards as of October 2016.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct M/PRI, DS, and OBO to harmonize the terminology State uses to categorize facilities in State's physical security standards and property databases.

    Agency Affected: Department of State

  3. Status: Open

    Comments: State has taken steps to establish an annual process for posts to review and verify the accuracy of the property database, and, as of October 2016, is in the process of revising the Foreign Affairs Manual to formalize this process.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct OBO to establish a routine process for validating the accuracy of the data in OBO's property database.

    Agency Affected: Department of State

  4. Status: Closed - Implemented

    Comments: State agreed with this recommendation. Subsequently, State developed a mechanism for crosschecking its risk data and published a standard operating procedure on how this information should be updated.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct DS to establish a routine process for validating the accuracy of the data in DS's risk matrix.

    Agency Affected: Department of State

  5. Status: Open

    Comments: State has taken steps to revise sections of the Foreign Affairs Manual and Foreign Affairs Handbook related to physical security through the Security Standards Committee. The committee, which is made up of DS and OBO officials, meet monthly to create and revise physical and technical security standards, as needed, and resolve inconsistencies in chapter 12 of the Foreign Affairs Manual and Foreign Affairs Handbook. However, as of October 2016 State has not conducted a comprehensive review of all physical security guidance to identify inconsistencies.

    Recommendation: To improve the consistency and data reliability of Department of State risk management data, the Secretary of State should direct the Under Secretary for Management to identify and eliminate inconsistencies between and within the Foreign Affairs Manual, Foreign Affairs Handbook (FAH), and other guidance concerning physical security.

    Agency Affected: Department of State

  6. Status: Open

    Comments: As of October 2016, State is in the process of developing physical security standards for one type of facility not covered by existing standards.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the Overseas Security Policy Board (OSPB) to develop physical security standards for facilities not currently covered by existing standards.

    Agency Affected: Department of State

  7. Status: Open

    Comments: As of October 2016, State is in the process of revising the OSPB Working Group Guidelines in the FAH to clarify existing flexibilities for and to formalize an expedited process for making security and life-safety updates to the OSPB standards and Physical Security Handbook.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to clarify existing flexibilities in the FAH to ensure that security and life-safety updates to the OSPB standards and Physical Security Handbook are updated through an expedited review process.

    Agency Affected: Department of State

  8. Status: Open

    Comments: State has a standing committee -- the DS/OBO Security Standards Committee -- that reviews security standards on an as needed basis. In addition, State conducts an annual review of the Foreign Affairs Handbook, which includes the OSPB standards and the Physical Security Handbook, to identify and review any sections of the Handbook that have not been updated within the past five years. As of October 2016, State has not provided evidence indicating that either the standing committee's reviews or the annual review includes a comprehensive review of all OSPB standards and the Physical Security Handbook to determine whether the standards adequately address evolving threats and risks.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a process to routinely review all OSPB standards and the Physical Security Handbook to determine if the standards adequately address evolving threats and risks.

    Agency Affected: Department of State

  9. Status: Open

    Comments: To address this recommendation, State is developing additional guidance relating to physical security systems and measures, such as hardened alternative trailer systems (HATS), surface-mounted anti-ram barriers, and anti-climb wall toppings for temporary facilities. This additional guidance has not yet been finalized as of October 2016.

    Recommendation: To strengthen the applicability and effectiveness of the Department of State's physical security standards, the Secretary of State should work through DS or, in his capacity as chair, through the OSPB to develop a policy for the use of interim and temporary facilities that includes definitions for such facilities, time frames for use, and a routine process for reassessing the interim or temporary designation.

    Agency Affected: Department of State

  10. Status: Closed - Implemented

    Comments: In response to the GAO recommendation, the Bureau of Diplomatic Security scanned in all waiver and exception packages and made them available electronically to all regional security officers (RSOs) as of August 25, 2015. According to DS, the scanned packages now constitute the "Published Waivers and Exceptions" library, and is available for viewing through the classified Regional Security Officer (RSO) Security Management Console (SMC).

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to automate its documentation of waivers and exceptions, and ensure that DS officials in headquarters and at each post have ready access to post's waivers and exceptions documentation.

    Agency Affected: Department of State

  11. Status: Open

    Comments: DS recently modified its template for surveying work facilities by adding language that specifically asks about the status of waivers and exceptions. However, as of October 2016 DS officials stated that they were still in the process of taking additional steps to address this recommendation.

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to routinely ensure that necessary waivers and exceptions are in place for all work facilities at posts overseas.

    Agency Affected: Department of State

  12. Status: Open

    Comments: DS plans to track waiver mitigation steps in a database and treat them as pending deficiencies until implemented. As of October 2016, DS anticipates this will be accomplished by December 31, 2016.

    Recommendation: To strengthen the effectiveness of the Department of State's ability to identify risks and mitigate vulnerabilities, the Secretary of State should direct DS to develop a process to ensure that mitigating steps agreed to in granting waivers and exceptions have been implemented.

    Agency Affected: Department of State

  13. Status: Open

    Comments: State is conducting a number of risk management-related activities, but as of October 2016, it has not developed a risk management policy to guide these activities.

    Recommendation: To strengthen the effectiveness of the Department of State's risk management policies, the Secretary of State should develop a risk management policy and procedures for ensuring the physical security of diplomatic facilities, including roles and responsibilities of all stakeholders and a routine feedback process that continually incorporates new information.

    Agency Affected: Department of State

 

Explore the full database of GAO's Open Recommendations »

Nov 2, 2016

Oct 4, 2016

Sep 28, 2016

Sep 27, 2016

Sep 22, 2016

Sep 20, 2016

Sep 7, 2016

Aug 31, 2016

Looking for more? Browse all our products here