Michael O'Connell | April 17, 2015 5:44 pm
A new report from the Government Accountablity Office revealed a host of concerns regarding the security personnel who protect federal employees and contractors at their offices.
The report proved to be rich fodder for a hearing this morning by the House Homeland Security Subcommittee on Oversight and Management Efficiency.
The purpose of Wednesday’s hearing was to determine what the Department of Homeland Security is doing to protect federal facilities and the steps it’s taking to prevent incidents like the Navy Yard shootings from occurring in the future.
“While much of the security of this horrific event will rightly focus on how someone in [Navy Yard shooter] Aaron Alexis’ mental state was able to pass a governmental background investigation and hold a security clearance, today’s hearing will concentrate on the physical, preventable security measures that are currently in place for our federal facilities,” Subcommittee Chairman Jeff Duncan (R-S.C.) said in his opening statement. “How do we control access to these facilities to both protect employees and public visitors? What physical security measures, if any, can be taken to prevent future tragedies?”
Understand progress being made in the evolving cyber scorecard. Download our free Expert Edition: Cyber Exposure in DoD.
The Federal Protective Service is charged with protecting more than 9,000 federal facilities and 1.4 million occupants and visitors of those facilities. FPS is also responsible for securing more than 50 percent of the General Services Administration’s owned or leased properties nationwide, or approximately 9,600 facilities.
“To accomplish its mission, FPS inspectors and contract protective security officers (PSOs) work in tandem to tend to the daily security needs at federal facilities and respond to threats against the facilities or government personnel working within them,” FPS Director L. Eric Patterson told the subcommittee, adding that PSOs stop approximately 700,000 prohibited items from entering federal facilities annually.
According to the GAO report released today, FPS has many weaknesses with the oversight of its guard program.
All of the approximately 13,500 PSOs receive background checks to determine their fitness to working within the federal government. FPS partners with private contractors to make sure all PSOs receive the proper training, certification and qualification requirements set out in their contracts.
“FPS continues to lack effective management controls to ensure that all guards have met their certification and training requirements,” Duncan said. “GAO has previously urged FPS to develop a management control system to document and verify training and reports submitted to Congress in 2010 and 2012. But FPS has yet to implement this recommendation. Without such a system, how can FPS know and ensure that its guard force is sufficiently trained?”
FPS contract guards not primary responders to Navy Yard shootings
The most shocking finding of the GAO report, according to Duncan, concerned FPS’ response in active-shooter scenarios. Although FPS requires training of each of its guards in active-shooter situations, it’s not clear the length of this training or how it is conducted. GAO reported that not all guards receive this training.
It’s also unclear how exactly the guards are supposed to react to an active-shooter.
In the event of an active-shooter situation, a PSO’s first responsibility is to notify his or her command center, where that information will be shared with FPS inspectors and local law enforcement. The PSO does this through land line and radio communications. It’s up to the PSO then to determine what action he will take next.
“Our PSOs are trained to take action in emergency situations,” Patterson said. “Because they’re not federal or state law enforcement officials, the contractor is constrained by state law what he or his company can do in these situations. That’s why we don’t have what we call ‘active-shooter training,’ if you will, where our PSOs will go out and actively pursue an active shooter. However, if we come across a situation where that PSO is the only individual in that facility and has no reasonable expectation that law enforcement can respond in a reasonably quick manner, then that individual will more than likely take action to limit the damage of this active shooter.”
On Sept. 16, federal and local law enforcement were the primary responders to the active shooter at the Navy Yard, despite the fact that PSOs were already on the scene as part of their daily duties. While PSOs maintained contact with the primary command center, they focused their efforts on ensuring that federal buildings nearby were secure during the incident. Later in the day, they provided K-9 units to help law enforcement agencies search the area for possible explosive devices.
Duncan asked Patterson whether or not, in an emergency situation, “bureaucratic” back-and-forth of PSOs contacting their superiors to determine how they should respond put lives at risk.
“Unfortunately, sir, we don’t know what’s happening and neither does the PSO,” Patterson said. “He has a responsibility to the people in that area. His responsibility is to ensure that he can either keep people from coming into the building or getting people out of the building. So he’s got a job to do right there. In this case, we believe that we’re going to have a quick response by either federal law enforcement, our folks, or by the state and local, if they’re in the area.”
FPS faces challenges in ensuring contract guards are properly trained
Mark Goldstein, GAO’s director of physical infrastructure issues, wrote the report. He told the subcommittee that FPS faced challenges ensuring its contract guards were receiving the proper training and certifications before being placed on the job.
“In particular, GAO found that providing active-shooter response and screener training is a challenge for FPS,” he said. “For example, according to officials at five guard companies, the contract guards have not received training on how to respond to incidents involving an active shooter. Without ensuring that all guards have received this training, FPS has limited assurance that its guards are prepared for such a threat.”
In addition, officials from one of FPS’ guard companies told GAO that 133 of its approximately 350 guards, about 38 percent, have never received screener training.
“As a result, those guards may be using X-ray and magnetometer equipment at federal facilities they are not qualified to use, raising questions about their ability to properly screen access control points at federal facilities,” Goldstein said.
In fact, GAO was unable to determine how many of FPS’ guards have received active-shooter and screener training. It also found that FPS continues to lack effective management controls to ensure its guards are meeting their training and certification requirements.
“Although FPS agreed with GAO’s 2010 and 2012 recommendations that it develop a comprehensive and reliable system for managing information on guards’ training, certifications and qualifications, it still does not have such a system,” Goldstein said. “Additionally, 23 percent of nearly 300 guard files that GAO examined, maintained by 11 of the 33 guard companies we interviewed, lacked required training and certification documents.”
GAO also reported that FPS and several other agencies did not employ a methodology to assess risk at their facilities that are in line with standards set down by the Interagency Security Committee.
“If an agency doesn’t know its facilities’ potential vulnerabilities to specific scenarios, it cannot set priorities to mitigate these vulnerabilities,” Goldstein said.
‘Managing the risk, not eliminating it’
FPS inspectors routinely conduct facility risk assessments to determine vulnerability to various threat scenarios, including an active-shooter situation. The agency also provides active-shooter awareness training for tenants of federal facilities and other safety-related training, such as evacuations during fires or other disasters.
“Security aims to manage risk and not eliminate it,” Greg Marshall, DHS’ chief security officer, said at the hearing. “Our job is to do everything we can to keep our employees safe.”
DHS follows the security standards set down by the ISC.
“Facilities are assessed for risk and measures are employed. The outcome of these risks drives the level of protection to include an appropriate access-control posture,” Marshall said. “A one-size security solution cannot and will not fit all.”
In order for employees to qualify for access to a federal facility, they must undergo a background investigation, most of which are conducted by the Office of Personnel Management. Contractors undergo a similar screening.
“Backgrounds for suitability and fitness examine the character and past conduct,” Marshall said. “And based on all available information, we make an adjudicated decision concerning the person’s suitability or fitness for employment or access to classified information. It is important to note that any background investigation, no matter how rigorous, is no guarantee that all relevant information is known, available or has been included in the investigation.”
Marshall added that a background investigation does not necessarily predict future behavior. “A background investigation is an exercise in risk management, establishing some basic facts but it cannot guarantee any individual’s continuing fitness to carry out their duties or behave in a lawful, safe manner,” he said.
If DHS receives derogatory information about an individual, Marshall told the subcommittee DHS would investigate the situation.
“If that person is deemed a threat after the investigation, we can deactivate their card,” Marshall said. “Not only their card, but we can also deactivate their access in whatever physical security access system that that person has access to. That can be done remotely.”
For people with security clearances, DHS would bring the individual in and “read them out,” so they could no longer access classified information or government facilities.
“We would also do something called a ‘do not admit,’ and that’s a couple of different things,” Marshall said. “We would go into our personnel security system, which is an enterprise system, and make a notation in their record in the personal security system that they no longer have a clearance or access to facilities.”
DHS would also notify the facilities where that person has a primary mission responsibility and send a flier with that person’s photo.
Gaps can occur in security clearance process
Although Marshall was not briefed on the particulars of the Navy Yard incident, he did explain gaps could occur in the clearance process that would allow an unstable person to enter a facility with the proper identification.
“There’s roughly between 18,000 and 20,000 police departments and law enforcement agencies, sheriffs, local police, state police, federal agencies within the United States,” he said. “The thing that troubles me about the information we receive from the state and locals is that not all of those agencies contribute to the FBI CJIS [Criminal Justice Information Services] system. A person can be arrested in your state … and some small police department and they may not be a contributor to the FBI database. So that when we go to do our agency checks and our fingerprint checks, we may not have access to that person’s arrest.”
Marshall said gaps like that could be remedied, possibly through legislation.
On Wednesday, bipartisan legislation was introduced that would put in place an automated review of public records to double check anyone who already has a security clearance. According to a release from Sen. Claire McCaskill (D-Mo.), the reviews would check for information that employees with clearances are already required to disclose, including information about criminal or legal proceedings they are involved in.
On Thursday, the Senate Homeland Security and Governmental Affairs Committee will hold a hearing on the government clearance and background check process.
Before coming to the Navy Yard, Alexis had a security clearance with the Navy. The background investigation done during his clearance process was still valid at the time Alexis applied for the Navy Yard position, which meant a new background check was not required and the investigation was accepted on reciprocity. Agencies are required by executive order to accept security clearances on reciprocity provided they can point to a background investigation being done.
“The one thing about reciprocity is that we’re required to accept it on its face,” Marshall said. “We’re not allowed to do any additional checks, unless we have derogatory information to the contrary. So, it looks to me, not having been briefed, that the contracting company accepted Mr. Alexis’ security clearance on reciprocity — which was one gap — without having to do additional checks and that there was a faulty investigation. There was information within the investigation that was done by a private contractor that wasn’t accurate. … It was a gap, unfortunately, that was hard to overcome.”