Officials hopeful new executive order will help lagging security implementation at federal facilities
Leaders from the Federal Protective Service and Cybersecurity and Infrastructure Security Agency applaud a recent White House directive around federal facility security, but also support additional measures to help implement recommendations.
Officials tasked with helping secure federal buildings and facilities said Wednesday that a recent White House executive order helps clarify their mission, but additional steps could be taken to ensure a litany of recommendations may finally get implemented at agencies.
Testifying before the Senate Homeland Security and Government Affairs Committee, leaders from the Federal Protective Service and Cybersecurity and Infrastructure Security Agency said Monday’s directive from the Biden administration to update the Interagency Security Committee will help streamline its operations in crafting security policies for federal facilities.
“We believe the new executive order will enhance departments’ and agencies’ acceptance of security assessment countermeasures,” said Richard Cline, FPS director.
While the new order adds to Cline, as FPS director, to the ISC — a coterie of agency leaders tasked with crafting federal facility security standards following the Oklahoma City bombing — longstanding challenges remain in ensuring that security recommendations from both the committee and the FPS are ever implemented.
HSGAC Chairman Gary Peters, D-Mich., noted in the hearing that between 2017 and 2021, FPS offered 25,000 recommendations to federal agencies to help secure their facilities, and “federal agencies completely ignored roughly half of those,” with only 27% of them eventually applied.
“In other words, we’re getting very useful information about how to improve security, but it’s not being implemented to the extent that it should be,” said Peters.
The Government Accountability Office, which has had federal real property management on its High Risk list for 20 years, reported that agencies only implemented 1,800 of more than 32,000 FPS recommendations made between 2017 and 2023.
David Marroni, GAO’s acting director physical infrastructure, said that agency officials told the watchdog that the reasons for the lack of implementation ranged from their cost, feasibility at the federal facility sites and even challenges discerning how to divide the security responsibilities at multi-tenant sites housing multiple agencies.
“On the other side, even more concerning, was the 55% of recommendations where there was no response,” Marroni said. “The reasons cited there ranged from the timeframe — agencies have 45 days from receiving the recommendations to make a decision. Some agencies said that was too tight of a timeframe for more complex countermeasures. Also, reluctance sometime to accept risk of not implementing recommendations they choose not to implement, they don’t want to formally note that.”
Peters said he was working on potential legislation that would require agencies to at least respond to FPS and ISC recommendations within 90 days, which both Cline and Marroni said would be helpful in ensuring better compliance.
GAO has recommended the Homeland Security Department better assess implementation of the ISC and FPS assessments and that it identify the acceptance of risk by agencies were countermeasure suggestions were not implemented.
ISC officials told GAO they are updating the committee’s annual questionnaire to improve its oversight of countermeasure implementation, including verifying the documentation of risk acceptance for countermeasures not implemented.
Monday’s executive order included the first updates to the ISC executive order since 2003, adding the FPS director to the committee, tasking it with providing best practices for securing a mobile federal workforce, calls for a biennial report on compliance to the Office of Management and Budget director and the National Security Adviser, designates an official at each agency responsible for implementation and compliance of security standards and that the Homeland Security secretary monitor agency security compliance at a minimum, among other items.