[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]



 
    EXAMINING SECURITY AT FEDERAL FACILITIES: ARE ATLANTA'S FEDERAL 
                           EMPLOYEES AT RISK?

=======================================================================

                                HEARING

                               before the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION
                               __________

                             APRIL 30, 2002

                               __________

                           Serial No. 107-82


Printed for the use of the Committee on Government Reform




 Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform
                              __________

                       U. S. GOVERNMENT PRINTING OFFICE
80-883                          WASHINGTON : 2002
___________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001








                       COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia            ELEANOR HOLMES NORTON, Washington, 
MARK E. SOUDER, Indiana                  DC
STEVEN C. LaTOURETTE, Ohio           ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia                    DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida                  ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California                 DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky                  JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia               JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania    THOMAS H. ALLEN, Maine
DAVE WELDON, Florida                 JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah                   WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida              DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho          STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
JOHN SULLIVAN, Oklahoma                  (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director







                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on April 30, 2002...................................     1
Statement of:
    Malfi, Ronald, Acting Managing Director, Office of Special 
      Investigation, General Accounting Office; John Cooney, 
      Special Agent, Office of Special Investigations, General 
      Accounting Office; Patrick F. Sullivan, Assistant Director, 
      Office of Special Investigations, General Accounting 
      Office; Wendell C. Shingler, Assistant Commissioner, Office 
      of Federal Protective Service, General Services 
      Administration; and Sabina Sims, Director, Office of 
      Federal Protective Service, GSA Region 4...................    12
Letters, statements, etc., submitted for the record by:
    Barr, Hon. Bob, a Representative in Congress from the State 
      of Georgia, prepared statement of..........................     5
    Malfi, Ronald, Acting Managing Director, Office of Special 
      Investigation, General Accounting Office, prepared 
      statement of...............................................    17
    Shingler, Wendell C., Assistant Commissioner, Office of 
      Federal Protective Service, General Services 
      Administration, prepared statement of......................    23


    EXAMINING SECURITY AT FEDERAL FACILITIES: ARE ATLANTA'S FEDERAL 
                           EMPLOYEES AT RISK?

                              ----------                              


                        TUESDAY, APRIL 30, 2002

                          House of Representatives,
                            Committee on Government Reform,
                                                       Atlanta, GA.
    The subcommittee met, pursuant to notice, at 10:30 a.m., in 
the Summit Building, 401 West Peachtree Street, Atlanta, GA, 
Hon. Bob Barr (vice chairman of the committee) presiding.
    Present: Representatives Barr and LaTourette.
    Staff present: Daniel R. Moll, deputy staff director; 
Robert A. Briggs, chief clerk; Susan Mosychuk, counsel; and 
David Rapallo, minority counsel.
    Mr. Barr. I hereby convene this hearing of the Committee on 
Government Reform of the U.S. House of Representatives open. 
The focus of the hearing will be to examine security at Federal 
facilities, are Atlanta's Federal employees at risk.
    The events of September 11, 2001 have focused our attention 
on a frightening reality. Even our most sacred institutions are 
vulnerable to attack. Terrorists do not engage in conventional 
warfare.
    While terrorists may attack or threaten our military, the 
most tempting terrorist targets of choice are innocent and 
unsuspecting civilians. They use fear as a weapon, and will go 
to whatever extreme to heighten the shock effect.
    Terrorists also seek to exploit environments that are a 
normal part of our daily routine. They aim to take out large 
numbers of victims to generate high media attention, and 
engender mass panic and public anxiety. What better targets 
than high profile landmarks and government institutions.
    Government buildings are among the most visible 
institutions in our society by design, and selecting them for 
attack serves a very distinct purpose. When they attack these 
institutions the terrorists not only kill, maim, and destroy, 
but also instill fear that our government is unable to protect 
us. When terrorists attack, they are always trying to catch 
their victims in situations where they would otherwise feel 
safe. How safe are we in our Federal buildings?
    The September 11th terrorist attacks in New York and at the 
Pentagon prompted immediate security crackdowns in Washington, 
DC, including the closing of streets, bolstering the security 
presence at Federal buildings, and curtailing visitor access to 
government compounds and buildings. Securing Federal buildings 
in the Nation's Capitol is clearly of vital importance. 
However, we must not overlook the quality and effectiveness of 
security in all buildings and facilities occupied by Federal 
employees and visitors in every major city and across the 
Nation.
    Congress and the Federal Government had the opportunity to 
lead by example working with the District of Columbia, local 
business leaders, and concerned citizens to meet security needs 
without necessarily impeding the city's or the government's 
ability to go about its daily business in the Capitol.
    Despite the workable security measures deployed at Federal 
facilities in Washington, DC, many local Federal agencies have 
not addressed, or remain unable to address security needs in 
the aftermath of last year's terrorist attacks. Many media 
outlets reported that security procedures at Federal agencies 
varied tremendously in both process and effect throughout the 
country. Inconsistent and vague security procedures at our 
Federal facilities leave thousands of Federal employees, 
visitors, and constituents highly vulnerable and at risk. The 
extent to which our government buildings are vulnerable to 
attack should concern not only the Federal employees of these 
buildings, but every family member of these employees, any 
member of the general public visiting these buildings, and any 
individual or company that conducts business with an agency 
housed in one of these buildings. In other words, this concerns 
every member of our community.
    Building security is not just about securing the physical 
structure itself; it is about protecting the lives and 
livelihood of everyone and everything in these buildings.
    Consider for a moment the repercussions of a terrorist 
attack at the IRS service center here in Atlanta. The building 
which you can see a picture of here houses 3,000 occupants and 
is the main processing center for the entire Southeast Region 
of the United States. The human toll would be staggering, and 
the financial impact devastating.
    Or consider the repercussions of a terrorist attack at the 
Sam Nunn Federal Building. Look at the sheer numbers of 
employees and the variety and importance of the government 
agencies that would be directly affected.
    Today representatives from the General Accounting Office, 
Office of Special Investigations [OSI], will provide testimony 
on the results of a recently completed investigation. At the 
request of this committee the investigators tested security 
measures at five Federal office buildings in the Atlanta area, 
which has one of the largest Federal presences outside of 
Washington, DC.
    Acting in an undercover capacity investigators were able to 
gain unauthorized access to every secured government building 
they attempted to penetrate. Not only were the investigators 
able to gain unauthorized access to these buildings, they 
gained access which allowed them unfettered admission to any 
areas of the buildings day or night.
    The ease whereby the investigators were successful is 
shocking. A simple pretext was concocted and easily carried 
out, allowing agents to obtain building passes. In fact, they 
were able to obtain passes which denote the bearer as being 
authorized to carry firearms. This building pass allowed them 
to move freely about, and extensively bypassing magnetometers 
and x-ray machines. They even obtained an after-hours access 
code allowing them to enter the facilities after security 
personnel had gone home.
    By employing a few simple tactics and off-the-shelf 
technology investigators thwarted the security in such a manner 
that weapons, explosives, nuclear, chemical, or biological 
agents, listening devices, and other life-threatening or 
hazardous materials could have easily been carried into and 
left throughout these Federal buildings. They were given in 
effect the keys to the kingdom. In the words of the 
investigators, they owned those buildings.
    At a time when Federal facilities are operating under the 
highest level of security, these undercover investigators were 
able to freely enter the buildings without proper 
identification or authority carrying packages which had not 
been scanned or inspected.
    The problem is not isolated to the Atlanta area alone. The 
Department of State in Washington, DC, recently had to overhaul 
its security operations following a string of serious breaches 
compromising classified information.
    It had been an open secret that security was lax at State. 
In fact, in late 1998 an unidentified man in a brown tweed 
jacket entered then Secretary of State Albright's executive 
suite and carried out unchallenged a pile of classified 
documents. He was never seen again.
    We no longer live in an environment in which we can afford 
such a casual attitude toward security and safety. All 
principal personnel must stress the importance of security, and 
combat perceived weaknesses in the security culture, and proper 
measures must be demanded and enforced.
    Beyond that, there are specific areas in which we can focus 
with regard to security personnel, training, and equipment. 
Following numerous security reviews, inspections, and reports 
one major area for reform at the State Department was 
tightening controls of the State Department building passes. At 
the time there were 33,000 State Department passes with 2,000 
per year completely lost. Diplomats kept their passes even when 
stationed overseas, making those passes prime targets for theft 
or misuse.
    Given the potential threat, State Department began a 
process of redoing all building passes, deactivating those of 
former employees, and making the process of obtaining them much 
tougher.
    Implementing security procedures with the aim of thwarting 
any and every conceivable infiltration would be impractical. To 
do that would make daily operations of our government agencies 
impossible. However, we can, and should, and must make 
buildings both safe and accessible by consistently following 
guidelines, deploying appropriate technology, and employing 
basic common sense.
    We must take a rational approach to security to ensure 
safety concerns are addressed in a manner that does not make 
things worse. We cannot allow terrorism to destroy our sense of 
community or the ability of the institutions that run our 
government to serve us.
    Understanding the nature of terrorist attacks and how 
terrorists organizations operate helps us prepare and prevent 
future attacks. We can regain control and eliminate fear by 
taking proactive steps to avoid falling victim.
    I thank the witnesses that will be appearing here today, 
and look forward to working with them and others on a 
subsequent legislative remedy to provide an oversight remedy to 
provide security procedures at our Federal installations.
    While the results of this current investigation are 
frightening, we hope the steps taken in response will be 
reassuring in both effect and perception.
    [The prepared statement of Hon. Bob Barr follows:]
    [GRAPHIC] [TIFF OMITTED] 80883.001
    
    [GRAPHIC] [TIFF OMITTED] 80883.002
    
    [GRAPHIC] [TIFF OMITTED] 80883.003
    
    [GRAPHIC] [TIFF OMITTED] 80883.004
    
    [GRAPHIC] [TIFF OMITTED] 80883.005
    
    Mr. Barr. I would like to now turn to my colleague from the 
State of Ohio, a senior member of our Government Reform 
Committee, Steve LaTourette.
    Mr. LaTourette. Thank you very much, Chairman Barr. And 
first of all thank you for inviting me to Atlanta. And second I 
want to commend Congressman Barr for the leadership that you 
and the chairman of our full committee, Dan Burton of Indiana, 
have demonstrated in dealing with the security of the Federal 
buildings, this particular issue, and you in particular because 
of your concern for the men and women that work in the 
buildings in Atlanta, Ga.
    As you correctly point out in your opening remarks the 
security of the Federal work force and those who visit the 
Federal buildings in the United States is of vital concern to 
the government. In 1995 one of the shocking revelations that 
came to our attention after the bombing of the Murrah Federal 
Building in Oklahoma City was that there was one contract guard 
assigned to three different buildings on that occasion, and 
clearly security was not where we needed to be in 1995. I think 
many of us hoped that in the years between 1995 and certainly 
2002 improvements have been made.
    The report that we are here to talk about today is 
disturbing. Although the agents that we will hear from are 
certainly skilled at what they do, the ability to completely 
breach the buildings in Atlanta, GA I think is incomprehensible 
in the wake of September 11th.
    Hopefully this hearing and other hearings like it will help 
assist not only the agencies in charge of the security, but 
also the Congress and the administration reach some conclusions 
that can make these buildings safer.
    One of the other happy tasks that I have in the Congress is 
chairing the Public Buildings, Economic Development, and 
Emergency Management Subcommittee of Transportation and 
Infrastructure that has concurrent jurisdiction over some of 
the issues that we are going to be talking about today, and the 
good news is that legislation relative to the Federal 
Protective Service is in fact moving through that committee, 
and one of the alarming notes I would say is that we appear to 
be going backward. When we talked to Steve Perry, the 
administrator of the General Services Administration, the goal 
was to beef up the Federal Protective Service work force from 
600 full-time employees to 900, and what we have seen instead 
according to Mr. Perry is that they have gone down to 450, and 
the reason being--and we must bear some of that 
responsibility--is that there is about a $10,000 starting 
salary differential between what someone for FPS can make and 
what someone can make working for the Capitol Hill police 
department. So that is an example of some of the things that we 
are going to have to take a look at in the Congress.
    The other thing that the hearings revealed on this 
particular issue is that the training received by the contract 
guard authorities utilized by GSA do not receive equivalent 
training to those who are employed as police officers in my 
home State of Ohio or here in the State of Georgia, and 
training is something that we also have to emphasize.
    And last, I am not a big believer in gotcha anything, but I 
did read the report, I read the recommendations following the 
briefing of the GAO officers, and one of the recommendations 
was that there be at least three people stationed by the 
magnetometers, and during our break I went outside to engage in 
one of the few vices I am allowed, and that is to have a 
cigarette, and I came back in through the building and there 
were only two stationed at the magnetometer that I entered, and 
I am also today in possession of two visitors passes permitting 
me access to this building, and it seems to me that we can 
address that during the hearing as well to determine how that 
could be.
    I thank you very much.
    Mr. Barr. Is that in case you lose one?
    Mr. LaTourette. I do not know if it is in case I lose one, 
or in case I have another visitor I want to bring with me.
    I appreciate very much the opportunity to be here today, 
and I thank you again for your leadership.
    Mr. Barr. Thank you very much.
    For those unfamiliar with hearings conducted by the 
Government Reform Committee, basically what we will do now is 
we will swear in the five witnesses, and we will hear from each 
one of them if in fact each one of them wishes to make an 
opening statement for the record. If there is any additional 
material that any of our witnesses seeks to be made a part of 
the record either in more extensive opening statement or 
additional material that might come to light, or be relevant 
based on subsequent questions, the record will remain open for 
10 days for the submission of any additional material.
    Following the opening statements of witnesses, Mr. 
LaTourette and I will ask questions. If counsel has any 
additional questions, she will ask questions as well. And then 
we will conclude the hearing.
    At this time if the five witnesses would stand, please, to 
be sworn. If you would raise your right hands.
    [Witnesses sworn.]
    Mr. Barr. Let the record reflect that all witnesses 
responded in the affirmative. Thank you, and please be seated.
    We have five very distinguished witnesses here today, all 
of whom have the same goal in mind that we on this committee 
do, and that is to provide the very best security for not just 
the Federal buildings and Federal employees and their families, 
but all who visit, come in contact with, or have an interest in 
our Federal Government, and we appreciate each one of them 
being with us today to assist us in our oversight 
responsibilities to ensure this vital function of our Federal 
Government is carried out, and to hear from them not only with 
regard to what steps they have and believe ought to be taken, 
but ways in which we in the Congress might help. As Mr. 
LaTourette mentioned, we in the Congress have a responsibility 
to make sure that the laws reflect the needs of our Federal 
agencies and our Federal officials, and also that the funds 
necessary to carry out those functions are made available. So 
this is very much a team effort, and we appreciate again the 
witnesses being with us today.
    The witnesses that we will hear from today--I believe there 
is a witness list available in the back of the room--we will 
hear from in the following order.
    Mr. Ronald Malfi, the Acting Managing Director, Office of 
Special Investigations, General Accounting Office. He has 
extensive background which he is certainly free to go into to 
establish his bona fides in the Secret Service.
    Also then testifying second will be Mr. Patrick Sullivan, 
the Assistant Director, Office of Special Investigations for 
the General Accounting Office, also with extensive background 
in law enforcement and particularly with the Secret Service; 
and finally testifying on behalf of GAO will be Mr. John 
Cooney, Special Agent, Office of Special Investigations, 
General Accounting Office, with a similar and very extensive 
and distinguished background in Federal law enforcement.
    We will then hear from Mr. Wendell Shingler, the Assistant 
Commissioner of the Office of Federal Protective Service [FPS], 
of the General Services Administration. The General Services 
Administration is generally known as the government's landlord. 
It is the responsibility of GSA to maintain thousands of 
Federal buildings all across the country, including many of 
those here in the Atlanta area.
    And finally testifying will be Ms. Sabina Sims, the 
Director of the Office of Federal Protective Service for GSA 
Region 4 which includes as its center Atlanta, GA.
    With that introduction, Mr. Malfi, the floor is yours to 
make an opening statement, and if you would basically lay out 
the parameters of why your agency got involved in this 
investigation and how you carried it out.

STATEMENTS OF RONALD MALFI, ACTING MANAGING DIRECTOR, OFFICE OF 
SPECIAL INVESTIGATION, GENERAL ACCOUNTING OFFICE; JOHN COONEY, 
   SPECIAL AGENT, OFFICE OF SPECIAL INVESTIGATIONS, GENERAL 
  ACCOUNTING OFFICE; PATRICK F. SULLIVAN, ASSISTANT DIRECTOR, 
 OFFICE OF SPECIAL INVESTIGATIONS, GENERAL ACCOUNTING OFFICE; 
WENDELL C. SHINGLER, ASSISTANT COMMISSIONER, OFFICE OF FEDERAL 
PROTECTIVE SERVICE, GENERAL SERVICES ADMINISTRATION; AND SABINA 
   SIMS, DIRECTOR, OFFICE OF FEDERAL PROTECTIVE SERVICE, GSA 
                            REGION 4

    Mr. Malfi. Thank you. Mr. Chairman, members of the 
committee. We are here today to discuss the results of our 
tests of security measures at Federal office buildings in the 
Atlanta, GA area. Specifically you asked that special agents of 
the Office of Special Investigations acting in an undercover 
capacity attempt to gain unauthorized access to secure 
facilities in such a manner that weapons, explosives, chemical/
biological agents, listening devices, or that hazardous 
materials could have been brought into these facilities.
    During February and March 2002 our agents breached the 
security at four of the Federal office buildings that we tested 
in the Atlanta area by entering these buildings without proper 
authority, carrying a briefcase or package, and bypassing the 
magnetometers and x-ray machines. They were able to move freely 
and extensively throughout these facilities during both day and 
evening hours, and were not challenged by anyone. Our 
undercover agents could have carried in weapons, listening 
devices, explosives, chemical/biological agents, or other such 
items.
    All buildings required screening of visitors and valises, 
for example briefcases and baggage, which included the use of 
magnetometers and x-ray machines at security checkpoints.
    The buildings required the wearing of either a blue pass or 
a yellow pass for identification of employees working in these 
buildings, which allowed them to bypass the magnetometers and 
x-ray machines.
    The blue pass could also have an additional feature added 
to it that would denote the bearer as being authorized to carry 
a firearm. All passes included photo identification, and had 
holograms on them, but were worn inside plastic pockets that 
could partially obscure the hologram as well as the bearer's 
photograph.
    Mr. Barr. Excuse me, Mr. Malfi. Do you have a couple of 
those badges we could look at while you are testifying?
    Mr. Malfi. Yes, I do.
    One of the badges that you are going to be getting, sir, is 
the genuine, and one is the counterfeit badge. The genuine 
badge has the holograms that are easily seen when they are 
reflected off the light.
    Mr. Barr. This one?
    Mr. Malfi. That is correct. The other is a counterfeit 
badge.
    Mr. Barr. And they were put in these plastic pouches?
    Mr. Malfi. That is how they were handed out. When the 
building passes were given out, these plastic pouches came with 
the passes. And you will note one side of the plastic is clear, 
the other side is opaque, and we put the photograph, the 
building pass with the photograph and the hologram in the 
opaque side to obscure it.
    Mr. Barr. Without going into--and I do not want you to 
disclose particularly sensitive investigative techniques here--
would you describe what a pretext is?
    Mr. Malfi. Basically a pretext is a ruse that we concocted 
in order to allow ourselves to get into the building and to 
meet with GSA people who were issuing the passes.
    Mr. Barr. A story?
    Mr. Malfi. It is a story, a fabricated story to give the 
people a reason as to why we needed these passes.
    Mr. Barr. Was there anything particularly complex about 
that story? Could anybody have made something up?
    Mr. Malfi. That is correct. We used one ruse; we could have 
used one of many ruses to get into the building in order to 
obtain a building pass.
    Mr. Barr. Thank you.
    Mr. Malfi. You are welcome.
    I am going to go into how we exactly breached the security 
of these buildings.
    In early March using a pretext for gaining access, an agent 
who had no building pass entered one of the buildings carrying 
a briefcase, bypassing the magnetometer and the x-ray machines. 
He met with the General Services Administration employee 
responsible for issuing building passes, and obtained a yellow 
building pass and an after-hours access code for that building.
    The next day the same agent entered another building 
carrying a briefcase. He showed his yellow pass and stated that 
he wanted to obtain a blue pass for that building, and bypassed 
the magnetometers and the x-ray machines based on the strength 
of the yellow pass.
    Mr. Barr. Do you have that yellow pass, please?
    Mr. Malfi. Yes.
    He then met with the GSA contract employee responsible for 
issuing building passes, and based solely on the strength of 
having a yellow pass obtained a blue building pass and an 
after-hours access code to two of the subject buildings.
    In addition, this agent was able to obtain a second feature 
on the blue building pass that identified him as a law 
enforcement officer and permitted him to carry a firearm in 
those buildings.
    Finally, through the use of another pretext the same agent 
obtained----
    Mr. Barr. Excuse me. There is a specific designation on the 
badge that the folks at the building would know authorized the 
bearer to carry a firearm in the building?
    Mr. Malfi. That is correct. It is a little round insignia 
that would notify the marshals basically that the bearer had 
the right to carry a firearm.
    Finally, through the use of another pretext the same agent 
obtained the security guard's after-hours access code for one 
of the buildings.
    Mr. Barr. This would be a security code that was designated 
specifically to that particular person?
    Mr. Malfi. That is correct.
    Mr. Barr. And he gave it to the undercover agent, yourself, 
or one of your colleagues----
    Mr. Malfi. That is correct.
    Mr. Barr [continuing]. So that they could get into the 
building after hours?
    Mr. Malfi. Based again on some social engineering we had an 
access code that allowed us entry to the building at night.
    Mr. Barr. What do you mean social engineering?
    Mr. Malfi. Basically conning the security guard into having 
him reveal his access code. The importance to that would have 
been that if anything would have occurred we could have used 
that access code to gain entry into the buildings after hours. 
If something--we could have put explosives in the building, and 
basically if they would have went back and checked who entered 
in they never would have even been able to check it to our 
false identification. They would have wound up going back to 
the guard as one of the people that gained entry into that 
building that night.
    Then after we received the original passes we counterfeited 
both the yellow and blue building passes using commercially 
available software, inserting in them the fictitious names used 
by our undercover agents and their photographs in preparation 
for an attempt as a group to breach the security of these 
facilities.
    Mr. Barr. Excuse me. In other words, the software that was 
used to create the false badges is available to anybody on the 
open market? It was not something that was uniquely available 
to yourselves as law enforcement officials and investigators?
    Mr. Malfi. That is correct. Everything that we did and we 
used was available to the public. We did not use any of our 
inside technology in order to enhance this operation. We wanted 
to make it that anyone basically without being involved in the 
law enforcement community could have accomplished what we did.
    The counterfeit passes contained printed holograms on them, 
not actual holograms. Had anyone made a physical inspection of 
the counterfeit passes they should have been able to detect 
them as being bogus.
    Mr. Barr. In other words, the hologram that is available if 
you look at it?
    Mr. Malfi. That is correct. On the counterfeit ones we just 
printed a duplicate of the hologram which did not perform the 
function that a hologram does. It does not change shades when 
it is exposed to the light or moved; it is flat.
    Mr. Barr. And that is obvious to us, and it would have been 
obvious had one of the guards checked it, just physically 
looked at it for a moment?
    Mr. Malfi. That is correct.
    Mr. Barr. But that did not happen?
    Mr. Malfi. That is correct.
    Later in March other agents using the counterfeit yellow 
and blue building passes entered three of the buildings 
bypassing the magnetometers and x-ray machines. One of these 
agents carried a briefcase. The same agents also successfully 
entered these same buildings in the evening utilizing the 
access codes that they previously acquired.
    An agent using a counterfeit yellow building pass met with 
the GSA contract employee responsible for issuing building 
passes for the two buildings. Based on the strength of the 
counterfeit yellow pass and a fictitious request form the agent 
was issued a genuine blue building pass and an access code for 
the evening entry after security check points were closed.
    Additionally, one agent wore another agent's legitimate 
blue pass into one of the buildings, crossed over into another 
building through a tunnel, and was never challenged.
    Mr. Barr. Is there a physical similarity between the person 
who utilized that badge and the picture on the badge?
    Mr. Malfi. Actually I used Agent Cooney's picture 
identification to gain access into the buildings.
    Mr. Barr. I will not ask which one of you was insulted, but 
in other words you used the badge of somebody that does not 
look very much like you at all, and you were not challenged?
    Mr. Malfi. That is correct.
    Two agents then drove to another Federal facility, and 
based on the strength of a legitimate yellow pass and a 
counterfeit yellow pass and a pretext gained admittance to that 
building bypassing the magnetometer and x-ray machines.
    Finally, after we completed our test of the security for 
these buildings we met with officials from the U.S. attorney's 
office, the U.S. Marshal Service, GSA, and the Federal 
Protective Service, and briefed them on the results of the 
security tests, identifying the weaknesses we found.
    Mr. Barr. This was immediately following the conclusion of 
your investigation?
    Mr. Malfi. That is correct. Actually the day that I wore 
the pass was the day of the meeting, so we were finished. As 
soon as we finished the actual last function of the operation 
we immediately had a meeting with these individuals and advised 
them of the weaknesses that we found.
    Subsequently, the Federal Protective Service issued a 
security bulletin which addressed weaknesses we identified.
    In closing, I would like to add that last week GAO's chief 
technologist testified at a hearing before the Subcommittee on 
Technology and Procurement Policy, House Committee on 
Government Reform, concerning security technologies to protect 
Federal facilities. As part of that testimony it was 
acknowledged that effective security also entails having a 
well-trained staff that follows and enforces policies and 
procedures. It was noted that breaches in security resulting 
from human error are more likely to occur if personnel do not 
understand the risks and the policies that are put in place to 
mitigate them. Good training is essential to successfully 
implementing policies by ensuring that personnel exercise good 
judgment following security procedures.
    Cited as an example was our previous work where we breached 
the security at 19 Federal agencies and two airports. This case 
further exemplifies this point. Further, the Federal Protective 
Service bulletin reinforces this point.
    Mr. Chairman, that completes my prepared statement. We 
would be happy to respond to any questions you have, or members 
of the committee. Thank you.
    [The prepared statement of Mr. Malfi follows:]
    [GRAPHIC] [TIFF OMITTED] 80883.006
    
    [GRAPHIC] [TIFF OMITTED] 80883.007
    
    [GRAPHIC] [TIFF OMITTED] 80883.008
    
    [GRAPHIC] [TIFF OMITTED] 80883.009
    
    Mr. Barr. Thank you, Mr. Malfi.
    Mr. Sullivan, do you have an opening statement?
    Mr. Sullivan. No, sir, I do not have an opening statement.
    Mr. Barr. Mr. Cooney?
    Mr. Cooney. Also I have none.
    Mr. Barr. You are both available to answer any questions?
    Mr. Cooney. Yes, sir.
    Mr. Sullivan. Yes, sir.
    Mr. Barr. Mr. Shingler.
    Mr. Shingler. Good morning, Mr. Chairman, members of the 
committee.
    I am Wendell Shingler, Assistant Commissioner of the 
Federal Protective Service, General Services Administration 
[GSA]. Although I am relatively new to this position, I have 30 
years of security experience in progressively more demanding 
positions within the Federal Government, most recently with the 
U.S. Marshal Service.
    I look forward to the challenges that we face, as well as 
working with other Federal agencies in meeting their needs. I 
am pleased to appear before you today and provide information 
on the GSA's program to secure Federal buildings that it owns 
or leases, and the methodology that we use to assess potential 
vulnerabilities to these facilities.
    GSA's Federal Protective Service [FPS] provides law 
enforcement and security to over 8,000 owned and leased 
buildings, and approximately 1 million Federal employees and 
visitors to these facilities on a daily basis.
    We are comprised of police officers, criminal 
investigators, physical security specialists, and rely on the 
use of nearly 7,000 contract guards to supplement our needs.
    With the terrorist attacks of September 11th there is one 
clear message: that there is no security silver bullet. 
Security is a dynamic and ever-changing discipline. GSA's 
Federal Protective Service strives to provide the safest 
environment for the Federal agencies we house and the American 
public that visit these Federal buildings. The threat and our 
response to it changes daily.
    The dedicated men and women of the Federal Protective 
Service welcome that challenge, and are constantly striving to 
improve our services and reduce potential threats to our 
buildings. Our primary goal is to make everyone feel safe when 
entering GSA-controlled buildings.
    Since there is no one-size-fits all in security to achieve 
this goal, each of our facilities receives an individual 
building security assessment. The building security assessment 
program is designed to determine the specific security measures 
needed to eliminate or reduce threats directly associated with 
each individual building. Tailored security measures, 
countermeasures are then recommended based on reducing or 
eliminating determined vulnerabilities and threats at 
buildings.
    In addition, we are now working with the FBI, CIA, State 
and local law enforcement agencies in sharing of intelligence 
information that enables us to better assess the credibility of 
those threats.
    In addition to physical countermeasures such as guards, 
physical barriers, alarms, cameras, x-ray machines, and 
magnetometers we also provide law enforcement services. These 
services include responding to calls, arrests, and when 
necessary conducting investigations.
    On a national level we accomplish this challenging and very 
important job of protecting GSA-controlled facilities with a 
small but dedicated uniformed staff. To augment our Civil 
Service force, we rely on 7,000 contract guards nationwide.
    Here in GSA's Southeast Sunbelt Region we have 1,327 
buildings of which 143 are Level 4, our highest security level. 
To protect these facilities we supplement our law enforcement 
personnel with 960 armed contract guards.
    The only acceptable minimum security level for all of these 
facilities nationwide is that which provides a safe and secure 
environment for GSA co-workers, customers, and visitors. This 
is the driving force behind our FPS mission, to permit Federal 
agencies and members of the public to conduct their business 
without fear of violence, crime, or disorder.
    I know I face many challenges in my new position, and I am 
certain that the Federal Protective Service and I are ready to 
take them on.
    This concludes my prepared statement, Mr. Chairman, and we 
are prepared to answer any of your questions.
    [The prepared statement of Mr. Shingler follows:]
    [GRAPHIC] [TIFF OMITTED] 80883.010
    
    [GRAPHIC] [TIFF OMITTED] 80883.011
    
    [GRAPHIC] [TIFF OMITTED] 80883.012
    
    Mr. Barr. Thank you, Mr. Shingler.
    Ms. Sims, please.
    Ms. Sims. I have nothing further to add, but I would be 
more than happy to answer any specific questions that you have 
for me.
    Mr. Barr. OK. Maybe you could briefly for the benefit of 
the audience and the listening public who are very concerned 
about this just very briefly describe the FPS or the Federal 
Protective Service and its function, and how it interfaces with 
GSA.
    Ms. Sims. The Federal Protective Service is the law 
enforcement and security arm of the U.S. General Services 
Administration. I am 1 of 11 FPS regional directors around this 
country, and I am the Director of the Southeast Sunbelt Region. 
I have approximately 1,300 facilities around eight States in 
this region.
    Mr. Barr. OK. Thank you.
    I have a couple of preliminary questions, and then I would 
like to turn to my colleague Mr. LaTourette, then I may have 
some more, and he may as well.
    Back in 1993 the World Trade Center was bombed in the 
garage. Two years later the Murrah Federal Building in Oklahoma 
City was bombed and crumbled with tremendous loss of life, and 
of course on September 11th of last year our Nation suffered 
the most serious terrorist attacks ever perpetrated against us 
in our homeland or anywhere.
    After each one of those I would presume that our government 
took a look at security procedures, not just at Federal 
buildings, but particularly at Federal buildings, and took 
steps to address those, yet obviously we still have some 
problems.
    I know also, Mr. Malfi, that your office conducted an 
investigation I think 2 years ago was it. If you could, briefly 
describe that investigation.
    Mr. Malfi. We were requested to test the security at 
various government buildings and airports. We undertook an 
operation, undercover operation where we used false police 
credentials in an effort to obtain access into these buildings 
and bypassing the magnetometers and x-ray machines, carrying in 
briefcases to simulate the fact that we could have brought in 
weapons, explosives into these buildings.
    We attempted 19 entries in the Washington area, and were 
successful in all 19 entries. We attempted two airports, and 
obtained entry into both airports, circumventing the 
magnetometers and x-ray machines in all the instances where we 
went out.
    Mr. Barr. Were steps taken subsequent to that investigation 
to correct the deficiencies that investigation uncovered?
    Mr. Malfi. After we completed the investigation we had 
again a debriefing with the agencies that were involved, and 
they instituted immediate steps to try and correct the measures 
that made it allowable for us to circumvent their security. So 
there was much concern about it, and the agencies reacted to 
this and put in certain policy changes to effectively enhance 
their security measures.
    Mr. Barr. I want to make sure that Mr. LaTourette and the 
public and we understand exactly the scope of what you were 
able to do here, but also to indicate as I would like you to 
whether or not there were in fact areas of these Federal 
buildings--and we see pictures of the Federal buildings with 
many, many agencies housed therein, and many thousands of 
Federal employees--it is my understanding that you were able to 
gain access to each one of the I think actually four buildings 
that you sought to penetrate; is that correct?
    Mr. Malfi. That is correct.
    Mr. Barr. And the identification cards that you were able 
to secure based on pretexts, that is false stories which 
apparently were not checked out; is that correct?
    Mr. Malfi. That is correct. No due diligence was done in 
regards to the story that we used for the reasons we needed a 
building pass. We were able to obtain--Agent Cooney was able to 
obtain two legitimate building passes. From those legitimate 
building passes we counterfeited building passes for our other 
agents to gain infiltration into these buildings as a group, 
and then we went and on the strength of some counterfeit 
passes, building passes, we were able to obtain a legitimate 
building pass. So in turn through a ruse we got genuine 
building passes, counterfeited them, were able to get entry 
into the buildings using the counterfeited building passes, get 
access to the buildings when they were closed and after hours, 
and based on the strength of a counterfeit building pass we 
were able to obtain genuine building pass. So we would have 
eventually turned all of the counterfeit credentials, 
counterfeit building passes we had into legitimate passes.
    Mr. Barr. Of course if one of our law enforcement agencies 
were conducting a true undercover operation, or an intelligence 
operation, you are familiar with the concept of backstopping; 
correct? In other words, if you are going to send an agent out 
in an undercover capacity you will backstop so that steps are 
taken down the line so that if his story is checked out it 
appears to be legitimate.
    Mr. Malfi. Absolutely.
    Mr. Barr. Their undercover operations are backstopped. You 
did not do that in this case; is that correct?
    Mr. Malfi. Actually there was no need for us to do that in 
this investigation because nobody checked, pulled back the 
first layer. We had a system set up that in case we needed some 
verification for the fictitious stories that we laid out that 
we would have been able to provide that. But it was not 
necessary in this case.
    Mr. Barr. In other words, there was not one call or effort 
made to check out the veracity of what you told the individuals 
in order to secure the passes or the codes?
    Mr. Malfi. That is correct.
    Mr. Barr. Thank you. Mr. LaTourette.
    Mr. LaTourette. Thank you very much. Mr. Chairman.
    Mr. Malfi, did you or your team actually carry explosives 
or firearms into these buildings?
    Mr. Malfi. No, we did not.
    Mr. LaTourette. And Mr. Barr asked one of the questions, 
but all of you have extensive law enforcement experience, each 
over 20 years if I heard you correctly earlier. Some missions 
that you are assigned to I assume are very, very difficult, 
some are very, very easy, and like the three bears some are in 
the middle I guess. How would you characterize the difficulty 
that you had in accomplishing what you did here in Atlanta?
    Mr. Malfi. I would say we did not have much difficulty 
accomplishing this assignment. Even though there were some 
technical things that we had to do, we had to counterfeit the 
passes, but we used basic computerized software to do this, and 
it was not really that difficult.
    Mr. LaTourette. And again basic computer software, is there 
anything extraordinary, any lengths that you had to go to, to 
recreate the passes that you have shown us here today? 
Anything--could Mr. Barr and I do this if we knew how to work a 
computer?
    Mr. Malfi. I believe so. I mean the original pass was 
scanned, which is a common technology now that is used for 
computer printing. It was scanned in, it was worked on a little 
bit to get the colors as close as possible, and basically it 
was printed out.
    The holograms which is a security feature, which is a good 
security feature, that appeared on the genuine passes. We did 
not duplicate--I mean we could have went through a more high 
scale type of technology and could have gotten holograms 
produced. I mean you can replicate that type of technology, but 
we did not go that far. We strictly produced a flat hologram 
that had the appearance if you just looked at it one way that 
it looked like there was something there, but it did not do the 
effect that an actual hologram does, which is when it hits the 
light reflects different colors to it.
    Mr. LaTourette. In our earlier discussions with Ms. Sims 
and Mr. Shingler it came up that each building has a committee 
I guess set up to determine what security is maintained, it is 
a security committee; is that correct?
    Mr. Shingler. Yes, sir. One of the recommendations from the 
original Department of Justice vulnerability assessment that 
Congressman Barr referenced was the establishment of building 
security committees. Those committees are made up of the 
tenants of the building, and they are each represented, each 
member is represented.
    Mr. LaTourette. Is the adoption of security committees for 
each building something again that came out of this DOJ report?
    Mr. Shingler. Yes, sir.
    Mr. LaTourette. Is it required?
    Mr. Shingler. It is required, yes, sir.
    Mr. LaTourette. Let me ask you this. Could the General 
Services Administration mandate through rule or regulation what 
level of security is in each building?
    Mr. Shingler. Could we, sir?
    Mr. LaTourette. Yes.
    Mr. Shingler. Yes, sir.
    Mr. LaTourette. Are you aware of any--Ms. Sims, let me ask 
you this for the buildings that you are in charge of--are you 
aware of any security committee that has adopted a 
recommendation that everyone that enters the building go 
through the magnetometer?
    Ms. Sims. I am not aware of that recommendation.
    Mr. LaTourette. Let me ask you, Mr. Malfi, I indicated 
before where Mr. Barr and I work everybody goes through the 
machines, and the reason is that we have former staffers that 
are no longer working on the Hill that do not turn in their 
credentials and can gain access to the building, and for 
security purposes we ask everybody to go through the machines, 
and people understand that I think.
    Is there any reason that--well, let me ask you this: If 
that had been the policy at these buildings you obviously could 
not have carried in briefcases and valises and other things 
without going through the magnetometers.
    Mr. Malfi. That is correct. The whole purpose of us getting 
the building pass was after we did the surveillance on the 
buildings we realized that people that had the building passes 
were not subject to go through the magnetometers or to have 
their belongings x-rayed. So our purpose was to obtain a means 
in which we could bypass the magnetometers and x-ray so we 
could if we wanted to bring in weapons and explosives into the 
building.
    Mr. LaTourette. And you talked about the fact that you had 
been here before, before you engaged in the attempt to get 
passes, and I guess I would ask you the same question. Did you 
spend an unusually long amount of time for a law enforcement 
operation casing the joint before you reached the conclusions 
you did necessary to breach the security of these buildings?
    Mr. Malfi. No. We did this fairly quickly. I think it was 
two visits that it took us here. Manpower-wise it took about 3 
days before we were ready to come back and actually do the 
operation.
    Mr. LaTourette. Mr. Shingler, Steve Perry who is the 
Administrator of GSA has made some observations relative to the 
Federal Protective Service which is under your care and 
direction. One of the things that he has noted at least to me 
in another capacity that I have is that there is a pay 
differential that is hard the make up for the Federal 
Protective Service, and the one example that he cited was that 
there is a $10-an-hour difference between what someone can make 
working for the Capitol Hill police force as opposed to the 
starting wage in your salary. Is that an accurate observation?
    Mr. Shingler. Yes, sir, very accurate.
    Mr. LaTourette. Does that create a turnover problem for 
you?
    Mr. Shingler. Yes, sir, constantly.
    Mr. LaTourette. And likewise it is my understanding that 
you started, if not this year, a little while ago with 600 
FTEs, full time FPS workers, and now you are down to the 
neighborhood of 450?
    Mr. Shingler. Yes, sir. Turnover is tremendous.
    Mr. LaTourette. Has the GSA put together, worked with the 
administration in a way to develop legislation to help correct 
some of the deficiencies relative to first pay scale, and 
second training?
    Mr. Shingler. Yes, sir, we have.
    Mr. LaTourette. And can we anticipate that in the near 
future?
    Mr. Shingler. I would say yes, sir.
    Mr. LaTourette. And the other deficiency that came up in 
some of the hearings, and this was principally brought to our 
attention by the officers within the Federal Protective Service 
is that there is a variation in the training that some of the 
contract guards are subject to in order to be under contract. 
Is that an accurate observation?
    Mr. Shingler. Yes, sir. As a matter of fact, we have an 
active effort to bring some balance to that training effort, 
including a drastic increase to that training in what we are 
going to call our building security guards, yes, sir.
    Mr. LaTourette. And, Mr. Malfi, back to you. It is my 
understanding that the equipment was in place at all of these 
buildings, and people were in place in all of these buildings, 
and the breakdown I guess would be two, and I would like your 
comment, one is that when you have a policy that as long as you 
have one of these you can bring anything into the building that 
you want without having it checked, I would consider that to be 
a deficiency, and second of all the deficiency appears to be 
human error, that you were permitted to get through with 
credentials that were phony, and in one instance where you had 
even switched pictures with the other fellow.
    Mr. Malfi. Exactly. Basically Congressman Barr brought this 
out earlier in his opening statements, that common sense and 
diligence is really the key to security, and as long as you 
have people that are watching but not paying attention, or 
looking and not seeing these type of vulnerabilities will 
continue to be a problem.
    Mr. LaTourette. And last Mr. Shingler and Ms. Sims, it is 
not appropriate to talk about the recommendations that are 
attached in the confidential report that followed the briefing 
that you received, but I think that the fellow that issued is 
named Constable which is a good name I think for someone 
involved in law enforcement, but have you reviewed each of you 
all of the recommendations contained in that?
    Mr. Shingler. Yes, sir, we have.
    Ms. Sims. Yes, sir.
    Mr. LaTourette. OK. And I would just indicate, and again I 
do not think that we should try and surprise people, but I 
would just indicate that upon my entrance to this building, re-
entrance that I found that the recommendations contained in Mr. 
Constable's report are not being followed, and I am sure that 
you will take that to heart and do what is necessary to fix it.
    Mr. Shingler. By all means, sir.
    Mr. LaTourette. Thank you very much. Thank you, Mr. 
Chairman.
    Mr. Barr. Thank you, Mr. LaTourette.
    It is my understanding that currently FPS, or the Federal 
Protective Service is under the control of the Public Building 
Service, and does not function as a truly independent security 
advocate for Federal facilities. Has the GSA ever considered 
moving the FPS out from under the Public Building Service to 
allow it to function truly as a law enforcement agency?
    Mr. Shingler. We actually are very close to that as of this 
moment. The GSA did realign all of the regional offices, much 
as this one is, reporting to headquarters. In days past they 
used to report to the region itself. Now the Federal Protective 
Service is controlled out of the central office headquarters in 
Washington. Although we are part of the Public Building 
Service, we are a fairly integral part of that effort because a 
lot of what we do requires funding, and it is funded out of the 
Federal building fund. The Federal building fund is controlled 
by the Public Building Service. So we are a totally dedicated 
service as of this moment, and we do rely on the funding 
mechanisms of the Federal building fund which are controlled by 
the Public Building Service.
    Mr. Barr. The funding is very important, and as both Mr. 
LaTourette and I mentioned earlier, the Congress certainly has 
the responsibility there to make sure that all of these 
functions are funded properly.
    I am not so much interested in the funding mechanism as 
separating FPS out so that it truly can function as a law 
enforcement agency.
    Mr. Shingler. We have complete authority as of this moment, 
sir, to do that. I have never had--in the 2-months that I have 
been here already we have not had any interference whatsoever 
to try to do exactly as you said, to be a full-fledged at-the-
table law enforcement agency.
    Mr. Barr. Mr. Malfi, in your experience both in law 
enforcement and in these type of investigations involving 
Federal facilities do you see that it would help at all--and 
this is something we are looking at from a legislative 
standpoint as well I suppose--to separate FPS out and give it 
more autonomy as a law enforcement agency, as a separate 
entity?
    Mr. Malfi. Actually I have not thought about or looked into 
that aspect of it, and I know GAO has not looked at that, but 
based on my experience if you have people that are involved in 
law enforcement that are involved in security and they are 
answering to people of the same culture with a law enforcement 
background things normally seem to run better for that arena 
based on the culture and the experience level that you have.
    Mr. Barr. With regard to the meeting that you had 
immediately following the conclusion of the undercover phase of 
your investigation, have steps been taken, Mr. Shingler and Ms. 
Sims, since that time, just I guess a little over a month ago--
actually when was that meeting, Mr. Malfi?
    Ms. Sims. March 20th.
    Mr. Malfi. March 20th.
    Mr. Barr. So just about a month ago. And, by the way, let 
me say we appreciate your doing that, even more important than 
getting your information, or even physically getting back up to 
Washington you sat down with the agencies here because you 
perceived that there was a very serious problem, something of 
which they should be made aware of immediately, and I think 
that is very appropriate and commendable.
    In followup to that, Mr. Shingler and Ms. Sims, could you 
again without revealing any sensitive law enforcement 
techniques, tell us some of the steps that have already been 
taken to address the deficiencies that GAO discovered.
    Ms. Sims. Let me just say that during that March 20th 
meeting one of the first things that Agent Malfi said to us is 
that there has never been a facility that he has set his sights 
on that he has been unable to penetrate, and that is evidenced 
by his testimony in which he said that he has been able to 
penetrate 19 Federal facilities and two airports.
    We at the U.S. General Services Administration take no 
consolation in being lumped into that group. We do not make an 
excuse by being lumped into that group now.
    But what I will say is that within hours of that March 20th 
meeting we took immediate, decisive, and what we believed to be 
effective steps, probably a dozen steps to further improve 
security postures in the Federal facilities, and we are 
currently working on at least a dozen more. And that is in 
addition to what we have always done prior to September 11th, 
prior to the penetrations by the U.S. General Accounting 
Office.
    Some of those that we have been doing would include 
security surveys, would include occupant emergency planning, 
would include building security committee meetings, would 
include daily contact with the tenants and visitors, and 
implementing the feedback that they give us each and every day.
    Mr. Barr. Two of the items that Mr. Malfi discussed and 
that his colleagues have mentioned also, though, would seem to 
be of the sort that would not require a serious problem like 
this in order to be directive.
    Both prior to and after this investigation will all of 
those folks under GSA's or FPS's authority actually look at a 
badge physically to determine that it is in fact, or that at 
least it appears to be in fact a valid identification pass?
    Ms. Sims. Yes, sir. We employ a three-step process by which 
we look at the badge, we look at the face of the individual, 
and we look again at the badge, and we are confident that those 
strategies are currently being employed.
    Mr. Barr. That was not the case, though, obviously prior to 
the undercover investigation, that three-step process obviously 
was not used.
    Ms. Sims. I believe that it was used in most cases. 
Security is a very unforgiving discipline, and it requires 
daily iterative followup, and that includes meeting one-on-one 
with contract security guards and the contractor to reiterate 
what the ongoing policies and procedures are.
    Mr. Barr. With the particular badges that you have 
described, if somebody, Mr. Malfi, had simply looked at it even 
cursorily and seen that it did not have the proper hologram on 
it for example, how many times were collectively you all able 
to secure access to Federal buildings based on those badges?
    Mr. Malfi. I believe if they would have looked at the 
badges first of all they would have definitely caught the fact 
that I was using John's building pass because his photograph 
appeared on it, not mine.
    If they also looked at the passes, all of the counterfeit 
building passes should have been detected and those people 
should not have been not allowed entry, and a followup 
investigation should have occurred. So in all instances----
    Mr. Barr. But about how many times did that occur?
    Mr. Malfi. On almost all of the entries that we made.
    Mr. Barr. I mean a number of times?
    Mr. Malfi. We infiltrated the buildings I think on two 
occasions. We went back twice. I mean because once we got 
through then we wanted to go through at night time with the 
crew, you know, with the group, and we saw no need to 
continually, you know, for 3 weeks straight go in and out of 
these buildings. Once we penetrated it, we got inside, you 
know, that operation was over as far as we were concerned.
    So I believe there was like two penetrations for most of 
the buildings, and one penetration for another.
    Mr. Barr. By each one of you?
    Mr. Malfi. That is correct.
    Mr. Barr. So that would mean at least six penetrations?
    Mr. Malfi. Six, and then we had two other undercover agents 
that also went into the buildings.
    Mr. Barr. And in not one of those instances was the badge 
physically inspected?
    Mr. Malfi. That is correct.
    Mr. Barr. This is the problem that we have, Mr. Shingler. 
It may be your belief or your wish that in most instances that 
simple step occurs, but apparently in none of these instances--
I mean it is not as if they were stopped most of the time and 
looked; it was never looked at. Is that a concern?
    Mr. Shingler. It is deeply a concern. Policies are one 
thing, all the equipment in the world are another just as Mr. 
Malfi said. And I was at the hearing the other day that his 
counterpart was at. All the technology in the world is not 
going to do you any good if your staff is not there and trained 
to identify it and do something with it. We feel that is a key 
for us, and training and getting the proper staff is definitely 
going to be one of our major efforts. I have already spoken to 
Mr. Malfi about--the Federal Protective Service faces a lot of 
challenges. This effort has helped us focus and set priorities 
for addressing those challenges, and that is what we are 
attempting to do, sir.
    Mr. Barr. When an initial approach is made as Mr. Malfi and 
his colleagues did in order to secure an initial pass, building 
pass, and a story is told that obviously is not true, is there 
a process now in place that obviously was not in place before 
so that in every instance that story is checked out at least 
one level?
    Mr. Shingler. Yes, sir, that practice is in place now. I 
think for the most part most policies were in place, although 
we have issued further policy guidance. It was the actual doing 
the work, and it is great to talk the talk, but walking the 
walk is the thing, and we just were not totally walking the 
walk at that point, and I think we are now, sir.
    Mr. Barr. As a result of the briefing on March 20th and 
this operation generally, have you all been able to identify 
particular individuals that committed serious breaches of 
security and allowed this to happen, allowed these penetrations 
to occur and these false badges to be used?
    Mr. Shingler. I misunderstood the question, sir.
    Mr. Barr. Have you been able to identify particular 
individuals who fell short of the standard that you all 
maintain?
    Mr. Shingler. Employee-wise, or contractor-wise?
    Mr. Barr. Yes.
    Ms. Sims. Yes, sir, we have.
    Mr. Barr. And has action been taken to correct those 
situations?
    Ms. Sims. Yes, sir, it has been.
    Mr. Barr. Have persons been terminated?
    Ms. Sims. No, sir.
    Mr. Barr. Have any contract personnel been removed from 
those responsibilities?
    Ms. Sims. Yes, sir.
    Mr. LaTourette. Mr. Barr was talking about the new 
technology, and let me just ask if you are based upon your 
experience aware of any additional security technologies 
including smart cards or biometric devices that you think could 
be used to help eliminate some of the human error that was 
discovered in this operation, Ms. Sims, and then you, Mr. 
Shingler? Are any of those currently under discussion or 
consideration by the GSA relative to building security?
    Ms. Sims. Yes, sir. GSA in several regions across the 
country is currently employing pilot projects which utilize 
smart card technology. Certainly if we had our druthers the 
Nation would move toward that.
    Mr. LaTourette. And just for the benefit of those that do 
not know what a smart card is, maybe you could just explain 
what it is that those pilot projects are doing.
    Ms. Sims. Well, there are variations on it. Up in New York 
several buildings utilize smart card technology in which the 
individual's--I am sorry. Wendell, would you like to----
    Mr. Shingler. Absolutely.
    Basically what it is is it is an identification card with a 
computer chip inside, and within that computer chip could be a 
variety of pieces of information, the person's name, Social 
Security number, and a physical picture so that when it comes 
up on a computer screen and it is accessed through a reader you 
could doubly verify that it is the person on that card and in 
person in front of you. So there is a wide variety of checks 
within those pieces of equipment.
    Biometrics is another issue that we are looking at. Again 
as I said in my opening statement I do not know that there is a 
silver bullet, but it is definitely one of those items that we 
intend to work with the Interagency Security Committee which is 
also from the vulnerability assessment that is a government 
sharing of information, and that is where we will address a lot 
of those areas, especially with the Defense Department who has 
done a lot of research into those areas.
    Mr. LaTourette. I do not want to get too far afield from 
the subject of this hearing in terms of an internal 
penetration, but both what happened in Oklahoma City and at the 
World Trade Center had to do with things happening externally 
to buildings. Has GSA engaged in a study of the properties 
under its control relative to external security? Say the 
building we are sitting in today?
    Mr. Shingler. Yes, sir. We are actively doing that in two 
methods. One, the new buildings that the Hill authorizes for 
new courthouses and the like, we are looking at new 
technologies and old technologies. We are putting seismic 
things, designing them into the building that probably were not 
used in years past in other than the seismic regions such as 
the West Coast. So we are looking at those things.
    We have done a lot of research in glass. As you may be 
aware, in Oklahoma a lot of people were hurt or injured or 
killed because of flying glass, so we have done a lot in the 
scientific look-sees at glass.
    We are also using a lot to address the existing buildings. 
We are looking at set-backs, how we can increase set-backs 
using street closures or lane changes, or even just changes to 
the surfaces of the buildings. So we are actively looking at 
all of those areas.
    Mr. LaTourette. And actually one of the not-often-enough-
told stories is one of the women who lost a child in the day 
care center in the Murrah Building and started a foundation 
called People First, and it has specifically dedicated itself 
to the development and research of shatterproof glass for not 
only Federal buildings but for also other facilities, and she 
is doing wonderful work.
    And last, Mr. Malfi, maybe to impress, and I want to 
indicate that I guess what concerns me about the answer to Mr. 
Barr's question, again when I went outside the building not 
only did I get a second visitor's pass, but someone with a 
yellow pass just blew right past the guards and the 
magnetometer, no one touched the pass, nobody examined the 
pass, nobody matched up the picture, and so I know that you are 
in here and you have contracted with people to engage in 
security, but it appears to me that we are still not quite 
there, even in the fact that I assume most of the people in the 
building know what we are doing here if they watch television, 
so I would think that they would take it a little more 
seriously.
    And maybe to give the matter some seriousness, Mr. Malfi, 
what was the biggest container that you or your agents brought 
in in terms of a suitcase that you could put in an overhead 
bin, or a briefcase?
    Mr. Malfi. We took in a travel bag, a valise-type bag that 
could have been used to bring in certain equipment, certain 
explosives, anything basically we wanted to bring into the 
building.
    Mr. LaTourette. And did any of you during the 20-plus years 
that each of you had with the Secret Service, do you have 
experience with explosives training?
    Mr. Malfi. Enough to know to get away from them. That is 
about it.
    Mr. LaTourette. Are you able to estimate or guesstimate 
based upon the size of the valise that you brought in what sort 
of damage you could have done to this building if it had been 
packed for instance with C4 explosives?
    Mr. Malfi. Well, basically depending on where we would have 
placed those, how much we would have brought in. It depends. I 
mean once you have access to a building and free reign on the 
building then you can sort of accomplish basically anything you 
want to.
    I do not think anybody would have stopped us if we all 
walked in carrying two large duffel bags each. I mean we had 
the building passes that allowed us to bypass the magnetometers 
and the x-rays. The main thing is that technology is not a 
cure-all for security, money is not a cure-all for security. 
The bottom line is that due diligence is really the most vital 
factor in regards to any type of security that you have set up.
    People have to be diligent in what they are hired to do, 
they have to adhere to the policies and understand why those 
policies are in effect so that it makes sense to them so that 
they could prevent things like this from going on.
    Mr. LaTourette. And part of that is not only going over 
things, but it is training, and it is also compensating 
somebody at a rate that motivates them to do their job I would 
assume.
    Mr. Malfi. That is correct.
    Mr. LaTourette. Thank you very much.
    Mr. Barr. Going back, Mr. Malfi, to the one aspect of the 
badges, you say there was the designation on the badges that 
allowed the person, or indicated that the person possessing the 
badge could carry firearms into the building. What was done in 
order to secure that additional authority?
    Mr. Malfi. Basically Agent Cooney just did a little social 
engineering in regards to having that person put that extra 
feature on that badge.
    Mr. Barr. In other words, he just gave them a story that he 
needed to carry a firearm?
    Mr. Malfi. In the conversation it came up that he may need 
this, and he says, yeah, he says I definitely could use this, 
and they put it on. So it was volunteered, right, John?
    Mr. Cooney. Correct. I did not have to explain in detail 
what the need for a firearm was. I just said I would be coming 
in with firearms at some time, and they said ``Well, then you 
need this feature on it,'' and I said ``Yes, I would like to 
have that.'' They were very willing.
    Mr. Barr. What steps have been taken to correct that 
particular deficiency in the wake of this investigation? Ms. 
Sims.
    Ms. Sims. Would you elaborate on the question, please?
    Mr. Barr. Not really on the question, but what steps have 
been taken to address that particular deficiency? In other 
words, the ease with which the undercover officer was able to 
get the designation on the badge that allowed them to bring 
firearms in without having to explain or provide any sort of 
documentation at all.
    Ms. Sims. Without getting too detailed on our security 
protocols, there are at least a half dozen steps that we have 
taken specifically to that element of building entry. One would 
include tightening up the policies and procedures associated 
with the issuance of the badge. The actual badge issuance 
procedure has changed in terms of who issues the badge, the 
actual application for the badge has changed, and the 
validation process by which we issue the badge has changed and 
tightened up.
    Mr. Barr. We have been talking generally today very 
specifically about the facilities here in Atlanta in Region 4. 
Are the measures that we have been talking about here today 
being implemented across the country in all regions of the 
country, in all facilities under the jurisdiction and control 
and responsibility of GSA and FPS?
    Mr. Shingler. The specific ones that are being done here 
may not necessarily be, but the intent is each of Sabina's 
counterparts, the regional directors in the balance of the 
country are specifically addressing similar types of issues.
    Some of the ID card issuance procedures are different from 
location to location, but the ultimate intent of tightening up 
our security of getting in and out of buildings is definitely 
being addressed nationally, sir.
    Mr. Barr. I mean it would seem to me that what we are 
talking about here is just so basic, namely not just giving 
somebody a designation to carry a firearm into a Federal 
building without asking any questions or checking anything out, 
but the issue of simply checking to see whether the person that 
they say they are coming to see actually needs to see them, 
physically looking at a badge, and these are all so basic I am 
somewhat at a loss to understand why we cannot have the 
assurance today that they are in fact being implemented in all 
GSA regions for all Federal buildings.
    Mr. Shingler. No. Absolutely, sir. I misunderstood what you 
were asking. Yes, sir, that is happening. They have tightened 
up security nationally. I misunderstood what you were talking 
about, the holograms and one thing or another.
    Mr. Barr. So as we sit here today can you assure us in the 
Congress and the American people that at least these specific 
steps that we have identified here today as being deficiencies 
in Federal building security are being addressed, have been 
addressed, and will continue to be addressed properly?
    Mr. Shingler. Yes, sir.
    Mr. Barr. Ms. Sims.
    Ms. Sims. Absolutely.
    Mr. Barr. We talked earlier about the different levels of 
security for the Federal buildings, and we have pictures of the 
different Federal buildings, at least five of them here in the 
Atlanta area. What is the level of security for each one of 
these buildings?
    Mr. Shingler. They are all Level 4 facilities.
    Mr. Barr. And if you could just explain briefly what Level 
4 means.
    Mr. Shingler. The vulnerability assessment, the DOJ 
vulnerability assessment categorized virtually all Federal 
buildings in one of five levels. Primarily the first four, 1 
through 4, are the ones that we deal with. The fifth level are 
those agencies such as the Pentagon, or the CIA headquarters 
where they may employ their own security requirements. But the 
1 through 4 levels are based on a variety of things, primarily 
how many people are in them, the size of the building, the type 
of mission that goes on within the building, the threat 
assessments that could happen, from the shopping center type of 
recruiting office all the way to a building of this magnitude 
here in Atlanta. So that is where they range between the 1 
through 4 levels.
    Mr. Barr. The buildings earlier, in your earlier 
investigation 2 years ago, Mr. Malfi, were they all Level 4 
facilities?
    Mr. Malfi. I believe a lot of those buildings were Level 5.
    Mr. Barr. In other words, even a higher level of security 
and vulnerability associated with them?
    Mr. Malfi. That is correct.
    Mr. LaTourette. Mr. Shingler, if I could just have one more 
sort of housekeeping question, Mr. Barr was talking about where 
the money comes for the Federal Protective Service, and it does 
come from the Public Building side of GSA, and it is my 
understanding that the tenants, for instance if the Internal 
Revenue Service is in a GSA-operated building that they pay you 
so much per square foot or whatever to provide security. Am I 
right about that?
    Mr. Shingler. Yes, sir. For the most part there is an 
across-the-board charge, and each square foot of rent an X 
percent goes to security. And then there are building-specific 
charges that are added onto that which in some cases there are 
multiple entrances that they may want to have guards at, or 
anything that is above what the basic security charge covers.
    Mr. LaTourette. And GSA could by regulation--we have 
already I think said this--but GSA by regulation could require 
everybody that comes into this building to go through the 
magnetometer, but you have chosen not to do that, you have 
chosen to leave it up to the security committees.
    Mr. Shingler. Yes, sir.
    Mr. LaTourette. I think I would ask you to chat with Mr. 
Perry and see if that could be reevaluated. But likewise are 
there lease arrangements because not every building that you 
operate is a government-owned building, there are also leased 
buildings that you lease on behalf of the government. Are there 
restrictions by landlords, or are there lease restrictions that 
somehow impede your ability to protect the men and women of the 
Federal work force and the people that visit them?
    Mr. Shingler. Balancing security with openness is a primary 
issue that we are constantly addressing. One of our biggest 
challenges right now are leased facilities, but we are working 
closely with the Interagency Security Committee to come up with 
a minimal standard to implement security in leased locations.
    We are also working with organizations such as BOMA, 
Building Owners and Managers Association, to come up with 
standards that not only they can live with, but meet our needs 
of protecting our government employees. So we are actively 
addressing those issues, sir.
    Mr. LaTourette. Are any of the buildings that we are 
talking about today in Atlanta leased, or does the Federal 
Government own them all?
    Ms. Sims. We own them all.
    Mr. LaTourette. You own them all.
    Ms. Sims. Yes, sir.
    Mr. LaTourette. Thank you very much.
    Ms. Sims. Excuse me, let me correct. The Sam Nunn Atlanta 
Federal Center is a complex lease-to-own financial deal. At the 
end of a period of time we will own that facility.
    Mr. LaTourette. But do you currently on behalf of the 
Federal agencies that are located there, do you lease it from 
someone at the moment?
    Ms. Sims. Yes, sir.
    Mr. LaTourette. OK. Are there any restrictions--I guess 
that is what I want to get to--are there any restrictions in 
the lease that prevent you or hinder you from engaging in the 
security that you engage in in a wholly owned Federal building?
    Ms. Sims. At that facility no. That facility is operated as 
if it were ours from a security stance.
    Mr. LaTourette. Thank you very much.
    Ms. Sims. Sure.
    Mr. Barr. The investigation, the undercover investigation 
that took place in early March, and we have identified what I 
presume we would all agree are serious security problems, the 
failure to look at a badge, the ease with which somebody gets 
the badge based on a false pretense that was not checked out, 
the additional volunteering of the designation to be able to 
carry firearms in, agents giving an access code to these 
undercover agents without checking them out properly, would 
everybody here agree that those things should not have 
occurred?
    Ms. Sims. Yes, sir.
    Mr. Barr. What specific steps--and were those problems, 
were those errors made by both contract personnel and FPS 
employees?
    Ms. Sims. Employee singular, and contract employee 
singular. Yes, sir.
    Mr. Barr. And are there any limitations under which GSA or 
FPS now operates that would prevent effective disciplinary 
action being taken against either employees or contract 
personnel for identified security lapses such as these?
    Ms. Sims. The contract employee referenced in the scenarios 
no longer provides the service to the U.S. General Services 
Administration.
    With respect to the GSA employee, that employee has been 
reprimanded.
    Mr. Barr. Is that sufficient in your view? Are there--I 
guess I am asking a more general question. Are there any 
limitations under which you all have to operate now that would 
prevent you in any way from taking what you believe is 
effective disciplinary action against an employee that commits 
a serious error in security? Do you have sufficient authority?
    Ms. Sims. Yes, sir, we do.
    Mr. Barr. Does that include termination of an employee?
    Ms. Sims. If it were deemed appropriate, yes, sir, it most 
definitely would include up to termination.
    Mr. Barr. OK. And you do have the ability to terminate the 
services of a contractor similarly, and you have plenty of 
authority to do that?
    Ms. Sims. Unilaterally and very quickly.
    Mr. Barr. Thank you.
    Do any of you all have anything additional that you would 
like to add for the record today that we might not have gone 
over, or to supplement anything that we have touched on today?
    Mr. Shingler. We appreciate the opportunity to be here.
    Mr. Barr. Thank you.
    As I indicated--do you have anything else, Mr. LaTourette?
    Mr. LaTourette. I do not. Thank you.
    Mr. Barr. Counsel?
    As I indicated, the record will be kept open for 10 days so 
that if there are any additional materials that you would like 
to submit.
    And let me ask just one final question I forgot. With 
regard to followup measures, is this an ongoing process, Mr. 
Shingler or Ms. Sims?
    Mr. Shingler. We will constantly be following up, because 
weapons and terrorist activities have changed drastically. 
Hopefully we will never be able to sit here and say we have 
done everything we could do, because we will constantly adjust 
to that.
    Mr. Barr. Now, we have purposely not gone into in this 
public setting all of the details of the security breaches, 
which is good both from the standpoint that we have not 
indicated a specific road map or game plan that somebody could 
use, and I think people would be shocked even at some of the 
details that we did not go into here, the ease with which the 
security breaches were effectuated, but knowing, Mr. Shingler 
and Ms. Sims, as you do the full details of this undercover 
investigation here, can you assure us that if that same 
operation were carried out tomorrow it would very clearly not 
succeed?
    Mr. Shingler. Yes, sir, I can say that.
    Mr. Barr. Ms. Sims.
    Ms. Sims. I am confident that we have taken the steps that 
we need to take, and that we are continuing to take the daily 
iterative steps that we need to protect the people and the 
properties, and the daily visitors who frequent our facilities.
    Mr. Barr. I mean this is not a trick question at all. I am 
just wondering if as you sit here today you feel confident that 
if this same type of operation were carried out tomorrow that 
it would not succeed. Do you feel confident in that?
    Ms. Sims. As I said, I am confident in the fact that we 
have done everything, and we continue to do everything to 
protect the people and the properties.
    What is a little bit frustrating is that with the state of 
technology today is it difficult to discern fake 
identification.
    Mr. Barr. No, it is not. I mean that is the whole point of 
this hearing. I mean it is not. This is one that has the proper 
hologram, this is one that is not. It is not difficult to tell 
that one does not have the proper hologram and that one does.
    Yes, there certainly other aspects of falsification of 
identification that are much more difficult to discern, you are 
absolutely correct, but the undercover operation that was 
effected here is something that a high school student--I mean 
no insult to these gentlemen, but they especially and 
consciously dumbed down their operation. Is that correct, Mr. 
Malfi, that you sort of dumbed it down, you used the lowest 
level of technology to thwart the security measures; right?
    Mr. Malfi. Correct. To duplicate the building passes, like 
I said, we did not use anything that was sophisticated. We used 
something that was accessible to the general public.
    I mean we could have--with the technology that is available 
to us we could have duplicated these things very, very close to 
the originals. That was not our intent. Our intent was to give 
basically a fighting chance to show that if somebody paid 
attention to these things it would have been detected.
    Mr. Barr. And that is sort of my point, Ms. Sims, and I 
come back to it again. I am not talking about the more 
sophisticated measures that somebody might come up with and 
that we have to be continually on guard against, just with 
regard to these most elementary measures that thwarted security 
measures at Federal buildings here in Atlanta, can you give us 
your assurance that at least this level of threat has been 
taken care of and if this type of operation, not a more 
sophisticated one, and we hope the answer would be the same for 
that, but just for this level of security breach are there 
measures in place today so that if the same type of operation 
were attempted tomorrow you feel confident that it would not 
succeed?
    Ms. Sims. Yes, sir, I am confident that the scenarios 
employed would not meet with the success before, yes, sir.
    Mr. Barr. OK. We appreciate very much the time and effort 
that our witnesses from GAO put in in traveling down here, and 
we also appreciate very much the swift response and continuing 
effort by Mr. Shingler, Ms. Sims, and their colleagues and the 
other Federal agencies in addressing these problems.
    And with that I would like to thank Mr. LaTourette for 
traveling here from the great State of Ohio today and being 
with us. I appreciate counsel and the committee staff for all 
of the preparatory work here, and I hereby declare this hearing 
of the Government Reform Committee closed.
    [Whereupon at 11:55 a.m., the committee was concluded.]
    [Additional information submitted for the hearing record 
follows:]
[GRAPHIC] [TIFF OMITTED] 80883.013

[GRAPHIC] [TIFF OMITTED] 80883.014

[GRAPHIC] [TIFF OMITTED] 80883.015

[GRAPHIC] [TIFF OMITTED] 80883.016

[GRAPHIC] [TIFF OMITTED] 80883.017

[GRAPHIC] [TIFF OMITTED] 80883.018

[GRAPHIC] [TIFF OMITTED] 80883.019

[GRAPHIC] [TIFF OMITTED] 80883.020

[GRAPHIC] [TIFF OMITTED] 80883.021

[GRAPHIC] [TIFF OMITTED] 80883.022

[GRAPHIC] [TIFF OMITTED] 80883.023

[GRAPHIC] [TIFF OMITTED] 80883.024

[GRAPHIC] [TIFF OMITTED] 80883.025

[GRAPHIC] [TIFF OMITTED] 80883.026

[GRAPHIC] [TIFF OMITTED] 80883.027

[GRAPHIC] [TIFF OMITTED] 80883.028

[GRAPHIC] [TIFF OMITTED] 80883.029

[GRAPHIC] [TIFF OMITTED] 80883.030

[GRAPHIC] [TIFF OMITTED] 80883.031

[GRAPHIC] [TIFF OMITTED] 80883.032

[GRAPHIC] [TIFF OMITTED] 80883.033

[GRAPHIC] [TIFF OMITTED] 80883.034

[GRAPHIC] [TIFF OMITTED] 80883.035

[GRAPHIC] [TIFF OMITTED] 80883.036

[GRAPHIC] [TIFF OMITTED] 80883.037

[GRAPHIC] [TIFF OMITTED] 80883.038

[GRAPHIC] [TIFF OMITTED] 80883.039

[GRAPHIC] [TIFF OMITTED] 80883.040

[GRAPHIC] [TIFF OMITTED] 80883.041

[GRAPHIC] [TIFF OMITTED] 80883.042

[GRAPHIC] [TIFF OMITTED] 80883.043

[GRAPHIC] [TIFF OMITTED] 80883.044

[GRAPHIC] [TIFF OMITTED] 80883.045

[GRAPHIC] [TIFF OMITTED] 80883.046

[GRAPHIC] [TIFF OMITTED] 80883.047

[GRAPHIC] [TIFF OMITTED] 80883.048

[GRAPHIC] [TIFF OMITTED] 80883.049

[GRAPHIC] [TIFF OMITTED] 80883.050

[GRAPHIC] [TIFF OMITTED] 80883.051

[GRAPHIC] [TIFF OMITTED] 80883.052

[GRAPHIC] [TIFF OMITTED] 80883.053

[GRAPHIC] [TIFF OMITTED] 80883.054

                                   - 
