[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]






    SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN 
                 IMPROVING OVERSIGHT AND ASSESSING RISK

=======================================================================

                                HEARING

                               before the

                     SUBCOMMITTEE ON CYBERSECURITY,
                       INFRASTRUCTURE PROTECTION,
                       AND SECURITY TECHNOLOGIES

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION

                               __________

                             JULY 24, 2012

                               __________

                           Serial No. 112-108

                               __________

       Printed for the use of the Committee on Homeland Security
                                     


[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]




                                     

      Available via the World Wide Web: http://www.gpo.gov/fdsys/

                               __________

                                _____

                  U.S. GOVERNMENT PRINTING OFFICE

80-850 PDF                WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing 
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC 
area (202) 512-1800 Fax: (202) 512-2104  Mail: Stop SSOP, Washington, DC 
20402-0001





                     COMMITTEE ON HOMELAND SECURITY

                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                  Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Ben Quayle, Arizona                  Kathleen C. Hochul, New York
Scott Rigell, Virginia               Janice Hahn, California
Billy Long, Missouri                 Ron Barber, Arizona
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director

                                 ------                                

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY 
                              TECHNOLOGIES

                Daniel E. Lungren, California, Chairman
Michael T. McCaul, Texas             Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair    Laura Richardson, California
Patrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana
Billy Long, Missouri                 William R. Keating, Massachusetts
Tom Marino, Pennsylvania             Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex              (Ex Officio)
    Officio)
                    Coley C. O'Brien, Staff Director
                 Zachary D. Harris, Subcommittee Clerk
        Chris Schepis, Minority Senior Professional Staff Member












                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     1
  Prepared Statement.............................................     3
The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Security 
  Technologies:
  Oral Statement.................................................     4
  Prepared Statement.............................................     5

                               Witnesses

General L. Eric Patterson, Director, Federal Protective Service, 
  Department of Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     8
Mr. Mark L. Goldstein, Director, Physical Infrastructure Issues, 
  Government Accountability Office:
  Oral Statement.................................................    11
  Prepared Statement.............................................    12
Dr. James P. Peerenboom, Director, Infrastructure Assurance 
  Center, Associate Director, Decision and Information Sciences 
  Division, Argonne National Laboratory:
  Oral Statement.................................................    18
  Prepared Statement.............................................    19

                                Appendix

Questions From Chairman Daniel E. Lungren for L. Eric Patterson..    33
Questions From Ranking Member Yvette D. Clarke for L. Eric 
  Patterson......................................................    33
Questions From Ranking Member Yvette D. Clarke for Mark L. 
  Goldstein......................................................    34
Questions From Ranking Member Yvette D. Clarke for James P. 
  Peerenboom.....................................................    35

 
    SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN 
                 IMPROVING OVERSIGHT AND ASSESSING RISK

                              ----------                              


                         Tuesday, July 24, 2012

             U.S. House of Representatives,
                    Committee on Homeland Security,
 Subcommittee on Cybersecurity, Infrastructure Protection, 
                                 and Security Technologies,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:09 a.m., in 
Room 311, Cannon House Office Building, Hon. Daniel E. Lungren 
[Chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Walberg, Clarke, 
Richmond, and Keating.
    Mr. Lungren. The Committee on Homeland Security, 
Subcommittee on Cybersecurity, Infrastructure Protection, and 
Security Technologies will come to order. The subcommittee is 
meeting today to examine the Federal Protective Service and the 
possible need for reform.
    Ms. Clarke will be here shortly, and so I am just going to 
give my opening statement and when she arrives she will be able 
to give her opening statement.
    Thank you very much for being here, all three of our 
witnesses. This is an important hearing.
    The Federal Protective Service is a vital part of the 
Department of Homeland Security. It is the largest operational 
component within the National Protection and Programs 
Directorate.
    The FPS mission is to protect over 9,000 Government 
buildings and their 1.4 million occupants, which are essential 
to the day-to-day operations of the Federal Government. Recent 
incidents at Federal facilities such as the failed improvised 
explosive device, as well as the bombing of Oklahoma City's 
Murrah Federal Building in 1995, remind us the Federal 
facilities remain attractive terrorist targets.
    This subcommittee has conducted rigorous oversight over the 
Federal Protective Service this Congress. Last July we held a 
hearing which identified some of the perennial problems 
plaguing the FPS.
    In that hearing we discussed failures of contract guard 
oversight and their training program, including the egregious 
mishandling of an IED in Detroit. We also discussed the failed 
development of FPS's risk management program, known as RAMP, 
which cost the Federal Government $35 million over 4 years. I 
am hopeful and cautiously optimistic that these problems 
represent the low-water mark for FPS.
    Since 2008 GAO has made 32 recommendations to improve FPS 
security vulnerabilities and other operational problems, five 
of which have been implemented and 20 which are in the process 
of implementation.
    From the outset I do want to commend Director Patterson for 
his leadership. I believe the recent successes in implementing 
GAO recommendations are in part the result of improved dialogue 
and outreach with the private sector as well as the efforts of 
FPS's own workforce.
    I think this dialogue is extremely important as FPS works 
to address the remaining GAO recommendations, especially in its 
two core areas of responsibility: First, its ability to conduct 
risk assessments of Federal buildings; and second, to provide 
necessary oversight and training for its contract guard force.
    Regarding the first responsibility, FPS began operational 
testing this last spring for a new risk assessment tool, known 
as the modified infrastructure survey tool, or MIST, which was 
developed in partnership with the Argonne National Laboratory. 
MIST is intended to be an interim tool that FPS inspectors use 
to conduct vulnerability assessments in the aftermath of the 
RAMP failure.
    I understand, am informed that there is a disagreement 
between FPS and GAO with regard to the limitations and benefits 
of MIST and I look forward to hearing from our witnesses 
regarding these differences. I am aware of some of the 
limitations identified by GAO that MIST does not account for 
consequence information and therefore does not provide FPS the 
comprehensive ability to manage risk. I also understand GAO has 
concerns that MIST is neither compliant with the National 
infrastructure protection plan framework nor compliant with 
standards developed by the Interagency Security Committee.
    I think these are very legitimate questions raised by GAO 
and important standards FPS should meet when it develops a 
longer-term solution. Nonetheless, I do consider MIST 
development a step in the right direction for an agency that 
has taken a series of steps in the wrong direction over the 
last decade.
    FPS has always stated that MIST is intended to serve as an 
interim tool until a longer-term solution is developed. 
However, FPS has never stated what the longer-term solution 
will be. So I look forward to hearing from Director Patterson 
on his vision for MIST's future as a risk management tool.
    I also look forward to learning about what FPS is doing to 
address GAO's findings about unnecessary duplication of risk 
assessments by several FPS customers who in some instances have 
expressed dissatisfaction with FPS's assessments--for instance, 
the IRS, FEMA, and EPA.
    Providing oversight and training of the contract guard 
program is also a critical responsibility of FPS. At last 
summer's hearing Director Patterson stated that he was looking 
at different ways that FPS may be able to improve delivery of 
X-ray and magnetometer training.
    I look forward to hearing more about how these ideas have 
developed since last year. I also understand there has been 
outreach to the private sector regarding better training 
options and I commend you for those efforts.
    Finally, FPS has undergone significant transition since 
joining the Department of Homeland Security. After initially 
being placed under ICE, after the creation of DHS, FPS moved to 
NPPD in 2010, and last summer NPPD notified the committee that 
it was once again considering reorganizing the directorate. Is 
reorganization being contemplated, and if so, how will this 
impact FPS?
    I want to thank all of our witnesses for being here this 
morning, and I look forward to your testimony on the progress 
made by the FPS in securing our Nation's Federal facilities.
    [The statement of Chairman Lungren follows:]
                Statement of Chairman Daniel E. Lungren
                             July 24, 2012
    The Federal Protective Service (FPS) is a vital part of the 
Department of Homeland Security and is the largest operational 
component within the National Protection and Programs Directorate 
(NPPD). Its mission to protect some 9,000 Government buildings and its 
1.4 million occupants is essential for the Federal Government to 
continue day-to-day operations. Recent incidents at Federal facilities 
such as the failed IED attempt in Detroit, and the bombing of Oklahoma 
City's Murrah Federal Building in 1995, remind us that Federal 
facilities remain significant symbolic targets for terrorists.
    This subcommittee has conducted rigorous oversight over the Federal 
Protective Service this Congress. Last July we held a hearing which 
identified some of the perennial problems plaguing the FPS. In that 
hearing we discussed failures of contract guard oversight and training, 
including the egregious mishandling of an attempted Improvised 
Explosive Devise in Detroit, and the failed development of a risk 
management program known as RAMP, which after 5 years of development, 
cost the Federal Government somewhere between $35-57 million with 
little to show for. I am hopeful that these incidents represent the 
low-water mark for FPS, and I am cautiously optimistic about FPS's 
future.
    Last July the GAO had issued a total of 28 recommendations for FPS 
to address, yet at the time none were implemented. Today, I am 
encouraged to note that while GAO has recommended 32 recommendations, 
to date, 5 have been implemented and 20 are in the process of 
implementation. This represents significant progress.
    From the outset, I want to commend Director Patterson for his 
leadership and the agency's recent successes. These successes, I 
believe are in part the result of improved dialogue and substantial 
outreach with private-sector partners as well FPS's own workforce. I 
think this dialogue is extremely important as FPS works to address 
important recommendations made by the Government Accountability Office, 
especially as it works to improve two of its core areas of 
responsibility: (1) Its ability to conduct risk assessments of Federal 
buildings; and (2) provide necessary oversight and training for its 
Contract Guard Program.
    Regarding this first responsibility, FPS began operational testing 
this last spring for a new risk assessment tool, known as the Modified 
Infrastructure Survey Tool or MIST, which was developed in partnership 
with the Argonne National Laboratory. MIST is intended to be an interim 
tool FPS inspectors use to conduct facility security assessments, in 
the aftermath of RAMP's failure.
    I understand there is some pretty substantial disagreement between 
FPS and GAO with regard to the limitations and benefits of MIST and I 
look forward to hearing from our witnesses regarding these differences. 
I am aware of some of the limitations identified by GAO, such as that 
MIST does not account for ``consequence'' information, and therefore 
does not provide FPS the comprehensive ability to manage risk. I also 
understand GAO has concerns that MIST is neither compliant with the 
National Infrastructure Protection Plan framework nor compliant with 
standards developed by the Interagency Security Committee. I think 
these are very legitimate questions raised by GAO, and are important 
standards FPS should meet when it develops a longer-term solution.
    Nonetheless, I consider MIST's development a step in the right 
direction for an agency that has taken a series of steps in the wrong 
direction over the last decade. FPS has always stated that MIST is 
intended to serve as an interim tool until a longer-term solution is 
developed. However, FPS has never stated what the longer-term solution 
will be. I look forward to hearing from Director Patterson on his 
vision for MIST's future as a risk management tool. I also look forward 
to learning about what FPS is doing to address GAO's finding about 
unnecessary duplication of risk assessments by several FPS customers, 
who in some instances, are dissatisfied by assessments provided by FPS.
    Providing oversight and training of the contract guard program is 
also a critical responsibility of FPS. At last summer's hearing 
Director Patterson stated that he was looking at different ways FPS may 
be able to improve delivery of X-ray and magnetometer training. I look 
forward to hearing more about how these ideas have developed since last 
year. I understand there has been significant outreach with the private 
sector that may be able to better deliver training, and I commend you 
for putting an emphasis on training in your tenure at FPS.
    Finally, FPS has undergone significant transition since joining the 
Department of Homeland Security. After initially being placed under ICE 
after the creation of DHS, FPS moved to NPPD in 2010. Last summer, NPPD 
notified the committee that it was once again considering reorganizing 
the agency which FPS was assigned. However, since last summer, the 
Department has been silent on its plans to reorganize NPPD, so I am 
very much looking forward to hearing from Director Patterson on his 
thoughts on reorganization, and if we can expect any more information 
on this soon.
    I want to thank all of our witnesses for being here this morning 
and look forward to their testimony on progress made by the FPS 
securing our Nation's Federal facilities. I now recognize the gentle 
lady from New York, the Ranking Member of this subcommittee, Ms. 
Clarke, for her opening statement.

    Mr. Lungren. I now have the pleasure of recognizing the 
gentle lady from New York, the Ranking Member of the 
subcommittee, Ms. Clarke, for her opening statement.
    Ms. Clarke. Thank you, Mr. Chairman, and thank you for 
holding this hearing today. Today's hearing will allow the 
subcommittee to hear from witnesses about the Federal 
Protective Service's progress in improving its ability to 
provide adequate protection to the Federal Government's more 
than 9,000 facilities.
    Given the numerous studies that FPS has undertaken by the 
Government Accountability Office and the multiple hearings held 
by this committee, the subcommittee is interested in learning 
about the actions FPS has taken to upgrade its ability to 
conduct facility security assessments, better manage its 
contract guard staff, and to enhance funding for its 
operations. We need a more clear explanation of the 
implementation and utility of the modern infrastructure survey 
tool, or MIST, and how it compares, hopefully surpasses, the 
failed risk assessment and management program, or RAMP.
    The subcommittee must be assured that after investing 
approximately $35 million RAMP without yielding any 
demonstrable outcomes FPS is indeed expending its resources 
effectively and scaling up MIST. We need assurances that MIST 
is working as an interim solution, and we need to know what 
FPS's long-term strategy to replace RAMP. Also, as the 
designated leader of the Federal Government facilities sector 
FPS has an important role to play in assuring that the Federal 
critical infrastructure both secure--that the--excuse me--the 
Federal critical infrastructure is both secure and resilient in 
the event of a catastrophic occurrence.
    In August GAO will issue a report at Ranking Member 
Thompson's request that evaluates the Department's activities 
regarding the Government facilities sector with a particular 
emphasis on FPS's role as the designated sector leader. I look 
forward to the release of that report and hope that we are able 
to revisit this subject at that time.
    Finally, Mr. Chairman, I am concerned that FPS is forced to 
bear the cost of developing and implementing a program capable 
of completing security assessments of Federal buildings. It 
seems to me that as the landlord for most Federal buildings, 
the General Services Administration benefits from these 
security assessments. I look forward to hearing from our 
witnesses today about the role of GSA in sharing the cost of 
the assessment program.
    Having said that, thank you, Mr. Chairman, and I yield 
back.
    [The statement of Ranking Member Clarke follows:]
              Statement of Ranking Member Yvette D. Clarke
                             July 26, 2012
    Mr. Chairman, thank you for holding this hearing to discuss 
developments in the Domestic Nuclear Detection Office Strategy, and the 
Global Nuclear Detection Architecture.
    It has been said before, the enormous devastation that would result 
if terrorists use a nuclear weapon or nuclear materials successfully, 
requires us to do all we can to prevent them from entering or moving 
through the United States.
    This subcommittee, in its oversight capacity, has held hearings 
starting in 2005, and continuing through 2012, regarding the 
development and implementation of the GNDA and in the decision-making 
process that involves costly investments in it.
    The overarching issues include the balance between investment in 
near-term and long-term solutions for architecture gaps, the degree and 
efficiency of Federal agency coordination, the mechanism for setting 
agency investment priorities in the architecture, and the efforts DNDO 
has undertaken to retain institutional knowledge regarding this 
sustained effort.
    In the policy and strategy documents of the GNDA, DNDO is 
responsible for developing the global strategy for nuclear detection, 
and each Federal agency that has a role in combating nuclear smuggling 
is responsible for implementing its own programs. DNDO identified 73 
Federal programs, which are primarily funded by DOD, DOE, and DRS that 
engage in radiological and nuclear detection activities.
    With the publication of an overall DNDO strategy document and the 
release of the Global Nuclear Detection Architecture and implementation 
plan, Congress will have a better idea of how to judge the DNDO's 
policy, strategy operations, tactics, and implementation.
    But we need to know more about their R&D activities, their resource 
requests, and their asset allocations. And I know that I might sound 
like a broken record before the day is through, but from the very start 
of the ASP program which was officially cancelled just 10 days ago, 
July 16, DNDO seemed to push for acquisition decisions well before the 
technology had demonstrated that it could live up to its promise.
    On July 14, 2006, Secretary of Homeland Security Michael Chertoff 
and the then-Director of DNDO, Mr. Oxford, one of our witnesses today, 
announced contract awards to three companies worth an estimated $1.2 
billion to develop ASPs, including the Raytheon Company from 
Massachusetts, the Thermo Electron Company from Santa Fe, New Mexico, 
and Canberra Industries from Connecticut. Both Secretary Chertoff and 
Oxford held a press conference to announce the billion-dollar contract 
awards just a few months after highly critical reviews of the ASPs' 
abilities by the GAO and the National Institute of Standards and 
Technology (NIST).
    I hope we don't see that kind of decision making again in DNDO.
    Within DNDO, policy and strategy have historically not been 
adequately translated into operations, tactics, and implementation. 
Overlapping missions, especially in the field of nuclear detection, 
worsen this.
    Since 2009, DNDO has made important changes under Secretary 
Napolitano, and made especially good progress in nuclear forensics. And 
I hope that our Congressional oversight has had an effect, a positive 
one, in bringing to light decisions that cost the taxpayers a lot of 
money, with little to show.
    In 2010, the Science and Technology (S&T) Directorate requested 
$109.000 million for the Transformational Research and Development 
Radiological and Nuclear Division. This research was to be transferred 
from DNDO to the S&T Directorate,\1\ and the Democratic committee 
Members supported the transition of radiological and nuclear research 
away from DNDO into S&T. The committee, under then-Chairman Thompson, 
worked to make this transition happen, and we believe that research and 
development, and operations and procurement, are best left to separate 
organizations in order to avoid the obvious conflict of interest.
---------------------------------------------------------------------------
    \1\ DHS Fiscal Year 2011 Budget in Brief, ICE 10-2647.000474. p. 
139.
---------------------------------------------------------------------------
    What I hope we are going to hear today is how DNDO's mission can be 
better-defined. Some claim there is still confusion as to whether it is 
an end-to-end RDT&E and procurement entity for all things nuclear/
radiological, a development entity, or an operational entity, and 
question whether there is an inherent conflict of interest when an 
agency is both an R&D workshop and a procurement platform.
    Let me finish with this thought, completely out of the policy 
arena. On the ground, and every day, our nuclear deterrence effort 
requires motivated and vigilant officers supplied with the best 
equipment and intelligence we can give them. Customs and Border Patrol 
officers working at our Nation's ports of entry have an extremely 
complex and difficult job.
    Thousands of decisions are made every day to clear a container or 
personal vehicle for transit into the United States, require further 
inspection, or even deny entry or interdict such a vehicle or person, 
and that is the hard, cold, every-day reality of our mission to prevent 
this kind of violent nuclear attack.
    We must do our best.
    I look forward to hearing from our witnesses today and with that, 
Mr. Chairman, I yield back.

    Mr. Lungren. I thank the gentlelady for her comments, and I 
think the panel can tell that we are on the same page at 
looking at what the progress has been since our last hearing.
    General L. Eric Patterson was appointed director of the 
Federal Protective Service, a subcomponent of the National 
Protective--Protection and Programs Directorate, in September 
2010. He previously served as the deputy director of the 
Defense Counterintelligence HUMINT Center at the Defense 
Intelligence Agency.
    Prior to joining DIA Mr. Patterson served as a principal 
with Booz Allen Hamilton where he supported two of the Defense 
Technical Information Center analysis centers, one focused on 
information assurance and the other on the survivability and 
vulnerability of defense systems. He is a retired United States 
Air Force brigadier general with 30 years of service.
    Mr. Mark Goldstein is the director of physical 
infrastructure issues at GAO. Mr. Goldstein is responsible for 
the agency's work in Federal property and telecommunications. A 
former award-winning journalist and author, his other public 
service work has included roles as chief of staff to the D.C. 
Financial Control Board and senior investigative staff to the 
Senate Committee on Governmental Affairs.
    Dr. James Peerenboom is the associate director of the 
decision and information sciences division at the Argonne 
National Laboratory, near Chicago, Illinois. In this role he is 
responsible for leading multidisciplinary teams of scientists 
and engineers in developing innovative solutions for 
infrastructure assurance, systems analysis, decision and risk 
analysis, and advanced modeling and simulation problems.
    For the past 15 years he has focused on critical 
infrastructure protection and resilience issues, providing 
technical support to the Departments of Energy and Homeland 
Security, the President's commission on critical infrastructure 
protection, and White House Office of Science and Technology 
Policy. He received his Ph.D in energy and environmental 
systems from the Institute of Environmental Studies and an M.S. 
and B.S. in nuclear engineering from the University of 
Wisconsin at Madison.
    Gentlemen, we ask you--well, we would first indicate that 
your written testimony will be made a part of the record and 
would ask that you summarize your testimony with any additions 
as you wish in 5 minutes, and then we will have a round of 
questioning.
    So the Chairman would recognize Director Patterson to 
begin.

 STATEMENT OF L. ERIC PATTERSON, DIRECTOR, FEDERAL PROTECTIVE 
            SERVICE, DEPARTMENT OF HOMELAND SECURITY

    General Patterson. Good morning. Thank you, Chairman 
Lungren, Ranking Member Clarke.
    My name is Eric Patterson and I am the director of the 
Federal Protective Service within the Department of Homeland 
Security's National Protection and Programs Directorate. I am 
honored to appear before you today to discuss FPS's progress in 
addressing some historically identified challenges.
    FPS's mission is to protect more than 9,000 Federal 
buildings throughout the United States and its territories and 
the 1.4 million Federal employees and visitors who occupy and 
conduct business in them every day. We execute this mission by 
providing proactive law enforcement, investigations, protective 
intelligence, incident response, security planning, and 
stakeholder engagement.
    Based upon my experience in the ever-changing threat 
environment, my belief is that risk assessment is a continuous 
process and not a static event. Our law enforcement and 
physical security professionals continually provide access risk 
and implement mitigation strategies through their daily 
activities.
    During fiscal year 2011 FPS investigated and mitigated more 
than 1,300 threats and assaults directed towards Federal 
facilities and their occupants, made close to 2,000 arrests, 
responded to 53,000 incidents, and prevented the entry of 
hundreds of thousands of prohibited items into Federal 
facilities. FPS also conducted 1,800 Operation Shield 
exercises, 150 Covert Test operations, over 80,000 post 
inspections, and also validated the training of thousands of 
protective security officers that we oversee.
    Over the past year FPS developed an important partnership 
with Argonne National Lab resulting in the completed 
development and current deployment of a new facility security 
assessment tool, called the modified infrastructure survey 
tool, or MIST. MIST will enable comprehensive and consistent 
FSAs that will allow Federal tenant agencies to make informed 
security and risk management decisions. The MIST tool is a 
welcome addition to FPS's portfolio of on-going facility 
assessment efforts and strategies.
    As GAO has indicated, FPS employed the best project 
management principles in the development of MIST. MIST 
requirements were developed leveraging the knowledge obtained 
from our long-standing relationships with the General Services 
Administration, the Facility Security Committee, and other 
customers.
    As we move to measure and assure the successful performance 
of MIST my plan is to build upon this foundation to improve 
FPS's management of other significant programs--for example, 
our protective security officer program. Just as technology is 
enhancing our risk assessment processes, I plan to better 
leverage technology to allow for more effective oversight of 
our contract PSOs.
    A key enabler of these actions will come from the good work 
of our collaboration with the Systems Engineering and Design 
Institute, SEDI, a Federally-funded research and development 
center. We have engaged the SEDI to produce a full mapping of 
FPS activities and to then align them with FPS's current fee 
structure. That work will be used to produce an activity-based 
cost model for FPS.
    These efforts are designed to result in a more efficient 
revenue structure for FPS and greater transparency on security 
costs for FPS stakeholders.
    I am also pleased to note that some of our recent progress 
includes an increased participation in the important work of 
the Interagency Security Committee to include chairing a new 
ISC working group which will look at the future of Federal 
workplace security and the newly reconstituted Training 
Subcommittee.
    FPS's program--progress in the past year and our path 
forward leveraging partnerships and technology is clearly in 
direct support of our long-term vision. It will continue to 
take time, deliberate planning, and the dedication of our 
employees and partners to fully realize our vision and I look 
forward to keeping you apprised of our progress.
    Again, thank you for the opportunity to discuss FPS with 
you today, and I would be happy to answer any questions you 
might have.
    [The prepared statement of Mr. Patterson follows:]
                Prepared Statement of L. Eric Patterson
                             July 24, 2012
    Thank you Chairman Lungren, Ranking Member Clarke, and the 
distinguished Members of the subcommittee. My name is Eric Patterson, 
and I am the Director of the Federal Protective Service (FPS) within 
the Department of Homeland Security's (DHS) National Protection and 
Programs Directorate (NPPD).
    I am honored to appear before you today to discuss NPPD/FPS's 
progress in utilizing key protection and risk management practices such 
as allocation of resources, leveraging technology, and enhancing 
information sharing and coordination.
    The GAO has raised several areas that have historically represented 
challenges for FPS including:
    1. Absence of a risk management program;
    2. Addressing key human capital issues through a strategic human 
        capital plan;
    3. Contract Guard workforce management and oversight; and
    4. Need for a review of FPS's fee design.
    Today's hearing is an opportunity to address the progress FPS has 
made during the past year in working to address these challenges, and 
to also provide information on the topics addressed in GAO's new report 
related to risk assessment and Protective Security Officer (PSO) 
program management and oversight.
                             fps background
    FPS's mission is to protect more than 9,000 Federal buildings and 
the 1.4 million Federal employees and visitors who occupy them 
throughout the country every day by leveraging the intelligence and 
information resources of its network of public and private-sector 
partners. Specifically, FPS executes its mission by providing proactive 
law enforcement, investigation and protective intelligence and 
information sharing services, incident response, security planning, and 
stakeholder engagement. Prior to its transfer to NPPD in 2009, FPS was 
organized under Immigration and Customs Enforcement and prior to that, 
under the General Services Administration (GSA).
    Part of our core mission is to assess the threat picture for the 
Government Facilities Sector (GFS) and share that information with 
stakeholders as appropriate. For example, FPS leverages the Homeland 
Security Information Network (HSIN), a secure, trusted web-based portal 
to share information with our more than 900 Government and industry 
partners. One of the recent information-sharing initiatives FPS has 
implemented to assist in the protection of facilities and their 
occupants is the Federal Facility Threat Picture (FFTP), which is an 
unclassified assessment of the current known threats to the facilities 
FPS protects. Produced quarterly, the FFTP supports the threat 
component of a Federal Security Assessments (FSA) and informs our 
stakeholders of potential threats to Government facilities. The FFTP 
focuses on the threats posed by a variety of actors that may seek to 
attack or exploit elements of the GFS. The information used in the FFTP 
comes from intelligence and law enforcement community reporting.
    During fiscal year 2011, FPS:
   Investigated and mitigated more than 1,300 threats and 
        assaults directed towards Federal facilities and their 
        occupants;
   Disseminated 331 threat- and intelligence-based products to 
        our stakeholders, 142 of which were FPS-produced;
   Conducted 81,125 post inspections;
   Interdicted more than 680,000 weapons/prohibited items 
        including knives, brass knuckles, pepper spray, and other items 
        that could be used as weapons or are contraband such as illegal 
        drugs, at Federal facility entrances during routine checks;
   Made 1,975 arrests;
   Responded to 53,000 incidents involving people or property; 
        and
   Conducted more than 1,800 high-visibility operations under 
        Operation Shield and 150 risk-based Covert Test operations, 
        ensuring the protection of Federal buildings and 
        infrastructure.
              fps is developing a risk management program
    In terms of a risk management program, FPS's operational activities 
are organized by the National Infrastructure Protection Plan's (NIPP) 
Risk Management Framework, which calls for the following steps: Set 
Security Goals, Identify Assets and Functions, Assess Risks, 
Prioritize, Implement Protective Programs, and Measure Effectiveness. 
One area of recent significant progress related to risk assessment and 
the implementation of a risk management program is the on-going 
implementation of FPS's solution for conducting FSAs using an automated 
assessment tool. In May 2011, the decision was made to cease 
development of the legacy application known as the Risk Assessment and 
Management Program (RAMP) and to pursue a stand-alone assessment tool, 
in order to provide completed FSAs to customers. That decision has 
since been affirmed by the Department's Office of Inspector General 
(OIG).
    In the interim period, our employees have continued their daily 
interactions with tenant agencies and oversight of facility security. 
Our personnel have been completing Pre-Modified Infrastructure Survey 
Tool (MIST) worksheets to enable complete FSA reports, and are 
constantly assessing risks to Federal facilities. Specifically, the 
pre-MIST worksheet allows the inspector to collect key information that 
will be populated into MIST and used in generating a final FSA report. 
Such data includes facility information, vulnerability assessments, and 
existing protective measures.
    After consideration of several alternatives, FPS partnered with 
NPPD's Office of Infrastructure Protection (IP) to leverage a proven 
assessment methodology called the Infrastructure Survey Tool (IST). In 
October 2011, NPPD issued a task order to Argonne National Laboratory 
(ANL) through the Department of Energy to modify the existing Link 
Encrypted Network System (LENS) and IST for FPS use to conduct FSAs. 
Because this project leveraged existing tools and had limited resources 
and time constraints, the acquisition life cycle was tailored to meet 
delivery deadlines.
    I am pleased to note that in its draft report, GAO noted FPS's use 
of project management principles in the development of MIST. Throughout 
the project, the MIST Users Working Group has remained engaged to 
ensure user involvement in the process. User feedback from field 
testing was uniformly positive about MIST and the FPS Gateway, 
confirming suitability to support the FPS mission. The MIST and FPS 
Gateway development efforts were completed on schedule, with ANL 
delivering the system to the Government on March 30, 2012. In April 
2012, and the decision was made to proceed and deploy MIST. It is 
important to note that throughout the development and testing of MIST, 
field employees and our union were involved and actively participated 
as subject matter experts in the process.
    FPS developed and is currently implementing a distance learning-
based training program for each MIST user, as GAO commended in its 
draft report. Supervisors completed this training in April 2012 and 
Inspectors began their virtual training in May 2012, with completion of 
all training anticipated for late September 2012. This provides a 
hands-on learning environment for our Inspectors; they will receive 
virtual instruction as they use the tool in the learning environment. 
Once an Inspector completes the training and successfully briefs his or 
her supervisor on a completed FSA, that Inspector will be able to 
proceed with conducting FSAs and reporting the results to a Facility 
Security Committee.
    In leveraging existing technology in developing MIST, FPS was able 
to incorporate the ability to illustrate the impact of alternative 
countermeasures on a particular vulnerability. MIST will also show how 
a facility is or is not meeting the baseline level of protection for 
its Facility Security Level as set forth in the ISC's Physical Security 
Criteria for Federal Facilities standard and the ISC's Design Basis 
Threat report. This will lead to a more informed and better dialogue 
with tenants and Facility Security committees as FSA results are 
discussed and alternatives are explored. Additionally, FPS recently 
disseminated guidance Nation-wide on the commencement of the use of 
MIST to generate FSAs upon completion of inspector training. The 
anticipated results of the use of MIST are consistent assessment 
results Nation-wide and informed decision-making regarding security 
investments on the part of tenant agencies.
  fps is addressing key human capital issues through development of a 
                      strategic human capital plan
    In order to ensure that human resource requirements are aligned 
appropriately with FPS's overall mission, a Strategic Human Capital 
Plan is being developed in conjunction with NPPD's Human Capital 
Office. We are working to finalize the document; we intend to provide 
the plan and brief the committee when it is finalized.
 fps is working to improve its protective security officer management 
                             and oversight
    FPS is working to improve management and oversight of our over 
13,000 Protective Security Officer (PSO) force. We have reviewed our 
operations Nation-wide and have taken steps at the National program 
level to ensure that performances under contracts are advantageous to 
the Government. We are actively working to implement the 
recommendations resulting from GAO and OIG reviews across the 
organization. Additionally, an Integrated Project Team (IPT) conducted 
a comprehensive review of how FPS resources the PSO oversight function 
and our current oversight policy.
    FPS is also working with DHS's Science and Technology Directorate 
to develop a system for contract guard oversight and explore means of 
leveraging technology to ensure effective oversight of PSOs, such as 
automated tracking of guard post staff levels and PSO possession of the 
necessary credentials to stand post. Additionally, our training team is 
working closely with industry and Federal partners in developing a more 
effective training strategy for our PSOs.
   fps is examining its fee structure in order to review current fee 
                                 design
    FPS operates through fee-based funding revenue, which is calculated 
based on the Federal facility tenant's square footage of occupancy and 
on the collection of services associated with the provisioning of 
reimbursable protective countermeasures. This fee-based financial 
structure is unique among Federal law-enforcement agencies and requires 
a greater degree of understanding internal operations to ensure it is 
properly aligned with FPS's costs.
    To address this challenge, FPS is implementing a two-pronged 
strategy to better understand its activities and costs and recommend 
options for a new revenue structure. In January 2012, FPS collaborated 
with the Department's Systems Engineering and Design Institute (SEDI), 
a Federally Funded Research and Development Center managed by the DHS 
Science and Technology Directorate, to produce a full mapping of FPS 
activities and then align them with costs. That work will be used to 
produce Activity-Based Cost (ABC) models for FPS. Both of these efforts 
are designed to result in a more efficient revenue structure for FPS 
and greater transparency in security costs for FPS stakeholders.
                               conclusion
    Thank you again for the opportunity to provide you with an update 
on the progress FPS is making on a number of fronts. FPS aspires to be 
an exemplary law enforcement and strategic critical infrastructure 
protection organization. This is a vision uniformly shared by FPS 
leadership and operational staff, both at headquarters and in the 
field. I would be happy to answer any questions you might have.

    Mr. Lungren. Thank you very much, Director Patterson. You 
stayed within the time wonderfully. A new record here.
    Now, Mr. Goldstein, please.

      STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL 
    INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Goldstein. Thank you, Mr. Chairman and Ranking Member 
Clarke. We are pleased to be here this morning to testify on 
the Federal Protective Service and its efforts to improve its 
security of Federal property, employees, and citizens who use 
these facilities.
    FPS provides security and law enforcement services to over 
9,000 Federal facilities managed by GSA. GAO has reported that 
FPS faces challenges providing security services, particularly 
completing FSAs and managing its contract guard program.
    To address these challenges FPS spent about $35 million in 
4 years developing RAMP, essentially a risk assessment and 
guard oversight tool. However, RAMP ultimately could not be 
used to do either because of system problems.
    My testimony today is based on preliminary work for you, 
Mr. Chairman, and discusses the extent to which FPS is 
completing risk assessments, developing a tool to complete 
FSAs, and managing its contract guard workforce.
    Our preliminary results indicate that: No. 1, the 
Department of Homeland Security's DHS Federal Protective 
Service is not assessing risks at Federal facilities in a 
manner that is consistent with standards such as the National 
infrastructure protection plan's risk management framework as 
FPS originally planned. Instead of conducting risk assessments, 
since September 2011 FPS's inspectors have collected 
information such as location, purpose, agency contacts, and 
current countermeasures.
    This information notwithstanding, FPS has a backlog of 
Federal facilities that have not been assessed for several 
years. According to FPS's own data, more than 5,000 facilities 
were to be assessed in fiscal years 2010 through 2012.
    However, GAO was not able to determine the extent of FPS's 
facility security assessment backlog because the data was 
unreliable. Multiple agencies have expended resources to 
conduct risk assessments themselves even though they also 
already pay FPS for this service.
    Second, FPS has an interim vulnerability assessment tool, 
referred to as MIST, which it plans to use to assess Federal 
facilities until it develops a longer-term solution. In 
developing MIST, FPS generally followed project management best 
practices that GAO had developed, such as conducting user 
acceptance testing.
    However, our preliminary analysis indicates that MIST has 
some limitations. Most notably, MIST does not estimate the 
consequences of an undesirable event occurring at a facility.
    Several of the risk assessment experts GAO spoke with 
agreed that a tool that does not estimate consequences does not 
allow for an agency to fully assess risk. FPS officials stated 
that they did not include consequence information in MIST 
because it was not part of the original design and thus 
requires more time to validate.
    MIST also was not designed to compare risk across Federal 
facilities. Thus, FPS has a limited assurance if critical risks 
at Federal facilities are being prioritized and mitigated. We 
have made recommendations in this area in the past.
    Third, GAO's preliminary work indicates that FPS continues 
to face challenges in overseeing its contract guard program. 
FPS developed the risk assessment and management program, RAMP, 
to help it oversee its contract guard workforce by verifying 
that guards are trained and certified and for conducting guard 
post inspections.
    However, FPS faced challenges using RAMP for guard 
oversight, such as verifying guard training and certification 
information, and has recently determined that it would no 
longer use RAMP. Without a comprehensive system it is more 
difficult for FPS to oversee its contract guard workforce.
    FPS is verifying guard certification and training 
information by conducting monthly audits of guard training and 
certification information. However, FPS does not independently 
verify the contractors' information.
    Additionally, FPS recently decided to deploy a new interim 
method to record post inspections that replaced RAMP. We have 
not reviewed this system.
    This concludes my opening remarks, Mr. Chairman. I would be 
pleased to address any questions you or Members of the 
subcommittee have. Thank you.
    [The prepared statement of Mr. Goldstein follows:]
                Prepared Statement of Mark L. Goldstein
                             July 24, 2012
                             gao highlights
    Highlights of GAO-12-943T, testimony before the Subcommittee on 
Cybersecurity, Infrastructure Protection, and Security Technologies of 
the House Committee on Homeland Security.
Why GAO Did This Study
    FPS provides security and law enforcement services to over 9,000 
Federal facilities managed by the General Services Administration 
(GSA). GAO has reported that FPS faces challenges providing security 
services, particularly completing FSAs and managing its contract guard 
program. To address these challenges, FPS spent about $35 million and 4 
years developing RAMP--essentially a risk assessment and guard 
oversight tool. However, RAMP ultimately could not be used to do either 
because of system problems.
    This testimony is based on preliminary work for the Chairman and 
discusses the extent to which FPS is: (1) Completing risk assessments, 
(2) developing a tool to complete FSAs, and (3) managing its contract 
guard workforce. GAO reviewed FPS documents, conducted site visits at 3 
of FPS's 11 regions and interviewed officials from FPS, Argonne 
National Laboratory, GSA, Department of Veterans Affairs, the Federal 
Highway Administration, Immigration and Customs Enforcement, and guard 
companies; as well as 4 risk management experts.
What GAO Recommends
    GAO is not making any recommendations in this testimony. GAO plans 
to finalize its analysis and report to the Chairman in August 2012, 
including recommendations. GAO discussed the information in this 
statement with FPS and incorporated technical comments as appropriate.
 federal protective service.--preliminary results on efforts to assess 
               facility risks and oversee contract guards
What GAO Found
    GAO's preliminary results indicate that the Department of Homeland 
Security's (DHS) Federal Protective Service (FPS) is not assessing 
risks at Federal facilities in a manner consistent with standards such 
as the National Infrastructure Protection Plan's (NIPP) risk management 
framework, as FPS originally planned. Instead of conducting risk 
assessments, since September 2011, FPS's inspectors have collected 
information, such as the location, purpose, agency contacts, and 
current countermeasures (e.g., perimeter security, access controls, and 
closed-circuit television systems). This information notwithstanding, 
FPS has a backlog of Federal facilities that have not been assessed for 
several years. According to FPS's data, more than 5,000 facilities were 
to be assessed in fiscal years 2010 through 2012. However, GAO was not 
able to determine the extent of FPS's facility security assessment 
(FSA) backlog because the data were unreliable. Multiple agencies have 
expended resources to conduct risk assessments, even though they also 
already pay FPS for this service.
    FPS has an interim vulnerability assessment tool, referred to as 
the Modified Infrastructure Survey Tool (MIST), which it plans to use 
to assess Federal facilities until it develops a longer-term solution. 
In developing MIST, FPS generally followed GAO's project management 
best practices, such as conducting user acceptance testing. However, 
our preliminary analysis indicates that MIST has some limitations. Most 
notably, MIST does not estimate the consequences of an undesirable 
event occurring at a facility. Three of the four risk assessment 
experts GAO spoke with generally agreed that a tool that does not 
estimate consequences does not allow an agency to fully assess risks. 
FPS officials stated that they did not include consequence information 
in MIST because it was not part of the original design and thus 
requires more time to validate. MIST also was not designed to compare 
risks across Federal facilities. Thus, FPS has limited assurance that 
critical risks at Federal facilities are being prioritized and 
mitigated.
    GAO's preliminary work indicates that FPS continues to face 
challenges in overseeing its approximately 12,500 contract guards. FPS 
developed the Risk Assessment and Management Program (RAMP) to help it 
oversee its contract guard workforce by verifying that guards are 
trained and certified and for conducting guard post inspections. 
However, FPS faced challenges using RAMP for guard oversight, such as 
verifying guard training and certification information, and has 
recently determined that it would no longer use RAMP. Without a 
comprehensive system, it is more difficult for FPS to oversee its 
contract guard workforce. FPS is verifying guard certification and 
training information by conducting monthly audits of guard information 
maintained by guard contractors. However, FPS does not independently 
verify the contractor's information. Additionally, according to FPS 
officials, FPS recently decided to deploy a new interim method to 
record post inspections that replaces RAMP.
    Chairman Lungren, Ranking Member Clarke, and Members of the 
subcommittee: We are pleased to be here today to discuss the Department 
of Homeland Security's (DHS) Federal Protective Service's (FPS) efforts 
to complete risk assessments of the over 9,000 Federal facilities under 
the custody and control of the General Services Administration (GSA) 
and oversee its contract guards in the absence of its Risk Assessment 
and Management Program (RAMP), a web-enabled facility security 
assessment (FSA) and guard management system. As we reported in July 
2011, FPS had spent about $35 million and taken almost 4 years to 
develop RAMP--$14 million and 2 years more than planned--but still 
could not use RAMP to complete FSAs because of several factors, 
including that FPS did not verify the accuracy of the Federal facility 
data used.\1\ As a result, FPS's Director decided to stop using RAMP to 
conduct FSAs and instead pursue an interim tool to replace it. FPS also 
experienced difficulty using RAMP to ensure that its guards met 
training and certification requirements, primarily because of 
challenges in verifying guards' data.\2\ In June 2012, FPS also decided 
to stop using RAMP to help oversee its contract guard program.
---------------------------------------------------------------------------
    \1\ GAO, Federal Protective Service: Actions Needed to Resolve 
Delays and Inadequate Oversight Issues with FPS's Risk Assessment and 
Management Program, GAO-11-705R (Washington, DC: July 15, 2011).
    \2\ GAO-11-705R.
---------------------------------------------------------------------------
    For fiscal year 2012, FPS has a budget of $1.3 billion, with over 
1,200 full-time employees and about 12,500 contract security guards, to 
achieve its mission to protect Federal facilities. As part of the FSA 
process, FPS generally attempts to gather and review facility 
information; conduct and record interviews with tenant agencies; assess 
threats, vulnerabilities, and consequences to facilities, employees, 
and the public; and recommend countermeasures to Federal tenant 
agencies. FPS's contract guards are responsible for controlling access 
to Federal facilities, screening access areas to prevent the 
introduction of weapons and explosives, enforcing property rules and 
regulations, detecting and reporting criminal acts, and responding to 
emergency situations involving facility safety and security. FPS relies 
on the fees it charges Federal tenant agencies in GSA-controlled 
facilities to fund its security services.\3\
---------------------------------------------------------------------------
    \3\ 40 U.S.C.  586; 41 C.F.R.  102-85.35; Pub. L. No. 111-83, 123 
Stat. 2142, 2156-57 (2009).
---------------------------------------------------------------------------
    This testimony is based on preliminary results of work we conducted 
for a report that we plan to issue to the Chairman in August 2012. That 
report will contain our final evaluation and recommendations. 
Consistent with the report's objectives, this statement addresses the 
extent to which FPS is: (1) Completing risk assessments, (2) developing 
a tool to complete FSAs, and (3) managing its contract guard workforce. 
To examine the extent to which FPS is completing risk assessments and 
overseeing guards without RAMP, we reviewed, among other things, FPS's 
current FSA procedures and data on completed and planned FSAs for 
fiscal years 2010 to 2012. Specifically, we reviewed FPS's FSA data 
aggregated from its 11 regions to determine the extent of its FSA 
backlog. However, we could not determine the extent of the backlog 
because FPS's data contained a number of missing and incorrect values 
which made the data unreliable. We also visited 3 of FPS's 11 regions 
and interviewed internal and external stakeholders including, among 
others, FPS, GSA, Department of Veterans Affairs, the Federal Highway 
Administration, Immigration and Customs Enforcement, and guard 
companies. We selected these 3 regions based on the number of Federal 
facilities in the region and their security levels, the number of 
contract guards in the region, and geographic dispersion. Our work is 
not generalizable to all FPS regions. To determine the status of FPS's 
efforts to develop an FSA tool, we reviewed, among other things, 
relevant project documents and Federal physical security standards, 
such as DHS's National Infrastructure Protection Plan's (NIPP) risk 
management framework. We also interviewed FPS officials, 
representatives from Argonne National Laboratory, and four risk 
management experts. We selected our four risk assessment experts from a 
list of individuals who participated in the Comptroller General's 2007 
risk management forum.\4\ This work is being conducted in accordance 
with generally accepted Government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives.
---------------------------------------------------------------------------
    \4\ GAO, Highlights of a Forum: Strengthening the Use of Risk 
Management Principles in Homeland Security, GAO-08-627SP (Washington, 
DC: April 2008).
---------------------------------------------------------------------------
fps does not currently assess risks at federal facilities but multiple 
             agencies are conducting their own assessments
    Our preliminary results indicate that, in the absence of RAMP, FPS 
currently is not assessing risk at the over 9,000 Federal facilities 
under the custody and control of GSA in a manner consistent with 
Federal standards such as NIPP's risk management framework, as FPS 
originally planned. According to this framework, to be considered 
credible a risk assessment must specifically address the three 
components of risk: Threat, vulnerability, and consequence. As a 
result, FPS has accumulated a backlog of Federal facilities that have 
not been assessed for several years. According to FPS data, more than 
5,000 facilities were to be assessed in fiscal years 2010 through 2012. 
However, we were not able to determine the extent of the FSA backlog 
because we found FPS's FSA data to be unreliable. Specifically, our 
analysis of FPS's December 2011 assessment data showed nearly 800 (9 
percent) of the approximately 9,000 Federal facilities did not have a 
date for when the last FSA was completed. We have reported that timely 
and comprehensive risk assessments play a critical role in protecting 
Federal facilities by helping decision makers identify and evaluate 
potential threats so that countermeasures can be implemented to help 
prevent or mitigate the facilities' vulnerabilities.\5\
---------------------------------------------------------------------------
    \5\ GAO, Homeland Security: Greater Attention to Key Practices 
Would Improve the Federal Protective Service's Approach to Facility 
Protection, GAO-10-142 (Washington, DC: Oct. 23, 2009).
---------------------------------------------------------------------------
    Although FPS is not currently assessing risk at Federal facilities, 
FPS officials stated that the agency is taking steps to ensure Federal 
facilities are safe. According to FPS officials, its inspectors (also 
referred to as law enforcement security officers) monitor the security 
posture of Federal facilities by responding to incidents, testing 
countermeasures, and conducting guard post inspections. In addition, 
since September 2011, FPS's inspectors have collected information--such 
as location, purpose, agency contacts, and current countermeasures 
(e.g., perimeter security, access controls, and closed-circuit 
television systems) at over 1,400 facilities--which will be used as a 
starting point to complete FPS's fiscal year 2012 assessments. However, 
FPS officials acknowledged that this approach is not consistent with 
NIPP's risk management framework. Moreover, several FPS inspectors told 
us that they received minimal training or guidance on how to collect 
this information, and expressed concern that the facility information 
collected could become outdated by the time it is used to complete an 
FSA.
Multiple Federal Agencies Are Conducting Their Own Risk Assessments
    We reported in February 2012 that multiple Federal agencies have 
been expending additional resources to conduct their own risk 
assessments, in part because they have not been satisfied with FPS's 
past assessments.\6\ These assessments are taking place even though, 
according to FPS's Chief Financial Officer, FPS received $236 million 
in basic security fees from Federal agencies to conduct FSAs and other 
security services in fiscal year 2011.\7\ For example, officials we 
spoke with at the Internal Revenue Service, Federal Emergency 
Management Agency, Environmental Protection Agency, and the U.S. Army 
Corps of Engineers stated that they conduct their own risk assessments. 
GSA is also expending additional resources to assess risk. We reported 
in October 2010 that GSA officials did not always receive timely FPS 
risk assessments for facilities GSA considered leasing.\8\ GSA seeks to 
have these assessments completed before it takes possession of a 
property and leases it to tenant agencies. However, our preliminary 
work indicates that as of June 2012, FPS has not coordinated with GSA 
and other Federal agencies to reduce or prevent duplication of its 
assessments.
---------------------------------------------------------------------------
    \6\ GAO, 2012 Annual Report: Opportunities to Reduce Duplication, 
Overlap, and Fragmentation, Achieve Savings, and Enhance Revenue, GAO-
12-342SP (Washington, DC: February 2012).
    \7\ FPS currently charges tenant agencies in properties under GSA 
control a basic security fee of $0.74 per square foot per year for its 
security services including physical security and law enforcement 
activities as per 41 C.F.R.  102-85.35.
    \8\ GAO-10-142.
---------------------------------------------------------------------------
    fps efforts to develop a risk assessment tool are evolving, but 
                           challenges remain
    In September 2011, FPS signed an interagency agreement with Argonne 
National Laboratory for about $875,000 to develop an interim tool for 
conducting vulnerability assessments by June 30, 2012.\9\ According to 
FPS officials, on March 30, 2012, Argonne National Laboratory delivered 
this tool, called the Modified Infrastructure Survey Tool (MIST), to 
FPS on time and within budget. MIST is an interim vulnerability 
assessment tool that FPS plans to use until it can develop a permanent 
solution to replace RAMP. According to MIST project documents and FPS 
officials, among other things, MIST will:
---------------------------------------------------------------------------
    \9\ As of March 2012, FPS's total life cycle cost for MIST was 
estimated at $5 million.
---------------------------------------------------------------------------
   allow FPS's inspectors to review and document a facility's 
        security posture, current level of protection, and recommend 
        countermeasures;
   provide FPS's inspectors with a standardized way for 
        gathering and recording facility data; and
   allow FPS to compare a facility's existing countermeasures 
        against the Interagency Security Committee's (ISC) 
        countermeasure standards based on the ISC's predefined threats 
        to Federal facilities (e.g., blast-resistant windows for a 
        facility designed to counter the threat of an explosive device) 
        to create the facility's vulnerability report.\10\
---------------------------------------------------------------------------
    \10\ The ISC is comprised of representatives from more than 50 
Federal agencies and departments, establishes standards and best 
practices for Federal security professionals responsible for protecting 
non-military Federal facilities in the United States. FPS is a member 
agency of the Interagency Security Committee in the Department of 
Homeland Security, along with other Federal agencies such as the 
General Services Administration, the Federal Aviation Administration, 
the Environmental Protection Agency, and other components within the 
Department of Homeland Security. The ISC has defined 31 different 
threats to Federal facilities including vehicle-borne improvised 
explosive devices, workplace violence, and theft.
---------------------------------------------------------------------------
    According to FPS officials, MIST will provide several potential 
improvements over FPS's prior assessment tools, such as using a 
standard way of collecting facility information and allowing edits to 
GSA's facility data when FPS inspectors find it is inaccurate. In 
addition, according to FPS officials, after completing a MIST 
vulnerability assessment, inspectors will use additional threat 
information gathered outside of MIST by FPS's Threat Management 
Division as well as local crime statistics to identify any additional 
threats and generate a threat assessment report. FPS plans to provide 
the facility's threat and vulnerability reports along with any 
countermeasure recommendations to the Federal tenant agencies.
    In May 2012, FPS began training inspectors on MIST and how to use 
the threat information obtained outside MIST and expects to complete 
the training by the end of September 2012. According to FPS officials, 
inspectors will be able to use MIST once they have completed training 
and a supervisor has determined, based on professional judgment, that 
the inspector is capable of using MIST. At that time, an inspector will 
be able to use MIST to assess level I or II facilities.\11\ According 
to FPS officials, once these assessments are approved, FPS will 
subsequently determine which level III and IV facilities the inspector 
may assess with MIST.
---------------------------------------------------------------------------
    \11\ FPS uses the ISC's Facility Security Level Determination for 
Federal Facilities to determine the facility security level (FSL). The 
ISC recommends that level I and II facilities be assessed every 5 years 
and level III and IV facilities every 3 years. According to the ISC's 
criteria, a level I facility may be 10,000 or fewer square feet, have 
fewer than 100 employees, provide administrative or direct service 
activities, and have little to no public contact; a level II facility 
may be 100,000 or fewer square feet, have 250 or fewer employees, be 
readily identifiable as a Federal facility, and provide district or 
State-wide services; a level III facility may be 250,000 or fewer 
square feet, have 750 or fewer employees, be an agency's headquarters, 
and be located in an area of moderate crime; and a level IV facility 
may exceed 250,000 square feet, have more than 750 employees, house 
National leadership, and be located in or near a popular tourist 
destination.
---------------------------------------------------------------------------
FPS Increased Its Use of Project Management Best Practices in 
        Developing MIST
    Our preliminary analysis indicates that in developing MIST, FPS 
increased its use of GAO's project management best practices, including 
alternatives analysis, managing requirements, and conducting user 
acceptance testing.\12\ For example, FPS completed, although it did not 
document, an alternatives analysis prior to selecting MIST as an 
interim tool to replace RAMP. It appears that FPS also better managed 
MIST's requirements. Specifically, FPS's Director required that MIST be 
an FSA-exclusive tool and thus helped avoid changes in requirements 
that could have resulted in cost or schedule increases during 
development. In March 2012, FPS completed user acceptance testing of 
MIST with some inspectors and supervisors, as we recommended in 
2011.\13\ According to FPS officials, user feedback on MIST was 
positive from the user acceptance test, and MIST produced the necessary 
output for FPS's FSA process. However, FPS did not obtain GSA or 
Federal tenant agencies' input in developing MIST's requirements. 
Without this input, FPS's customers may not receive the information 
they need to make well-informed countermeasure decisions.
---------------------------------------------------------------------------
    \12\ GAO-11-705R.
    \13\ GAO-11-705R.
---------------------------------------------------------------------------
MIST Has Limitations as an Assessment Tool
    FPS has yet to decide what tool, if any, will replace MIST, which 
is intended to be an interim vulnerability assessment tool. According 
to FPS officials, the agency plans to use MIST for at least the next 18 
months. Consequently, until FPS decides what tool, if any, will replace 
MIST and RAMP, it will still not be able to assess risk at Federal 
facilities in a manner consistent with NIPP, as we previously 
mentioned. Our preliminary work suggests that MIST has several 
limitations:
   Assessing Consequence.--FPS did not design MIST to estimate 
        consequence, a critical component of a risk assessment. 
        Assessing consequence is important because it combines 
        vulnerability and threat information to evaluate the potential 
        effects of an adverse event on a Federal facility. Three of the 
        four risk assessment experts we spoke with generally agreed 
        that a tool that does not estimate consequences does not allow 
        an agency to fully assess the risks to a Federal facility. 
        However, FPS officials stated that incorporating consequence 
        information into an assessment tool is a complex task. FPS 
        officials stated that they did not include consequence 
        assessment in MIST's design because it would have required 
        additional time to develop, validate, and test MIST. As a 
        result, while FPS may be able to identify a facility's 
        vulnerabilities to different threats using MIST, without 
        consequence information, Federal tenant agencies may not be 
        able to make fully-informed decisions about how to allocate 
        resources to best protect Federal facilities. FPS officials do 
        not know if this capability can be developed in the future, but 
        they said that they are working with the ISC and DHS's Science 
        and Technology Directorate to explore the possibility.
   Comparing Risk Across Federal Facilities.--FPS did not 
        design MIST to present comparisons of risk assessment results 
        across Federal facilities. Consequently, FPS cannot take a 
        comprehensive approach to managing risk across its portfolio of 
        9,000 facilities to prioritize recommended countermeasures to 
        Federal tenant agencies. Instead, FPS takes a facility-by-
        facility approach to risk management where all facilities with 
        the same security level are assumed to have the same security 
        risk, regardless of their location.\14\ We reported in 2010 
        that FPS's approach to risk management provides limited 
        assurance that the most critical risks at Federal facilities 
        across the country are being prioritized and mitigated.\15\ FPS 
        recognized the importance of having such a comprehensive 
        approach to its FSA program when it developed RAMP and FPS 
        officials stated that they may develop this capability for the 
        next version of MIST.
---------------------------------------------------------------------------
    \14\ GAO-10-142.
    \15\ GAO, Homeland Security: Addressing Weaknesses with Facility 
Security Committees Would Enhance Protection of Federal Facilities, 
GAO-10-901 (Washington, DC: August 5, 2010).
---------------------------------------------------------------------------
   Measuring Performance.--FPS has not developed metrics to 
        measure MIST's performance, such as feedback surveys from 
        tenant agencies. Measuring performance allows organizations to 
        track progress toward their goals and, gives managers critical 
        information on which to base decisions for improving their 
        programs. This is a necessary component of effective 
        management, and should provide agency managers with timely, 
        action-oriented information.\16\ Without such metrics, FPS's 
        ability to improve MIST will be hampered. FPS officials stated 
        that they are planning to develop performance measures for 
        MIST, but did not give a time frame for when they will do so.
---------------------------------------------------------------------------
    \16\ GAO, Homeland Security: The Federal Protective Service Faces 
Several Challenges That Hamper its Ability to Protect Federal 
Facilities, GAO-08-683 (Washington, DC: June 11, 2008).
---------------------------------------------------------------------------
         fps faces challenges in overseeing its contract guards
    Our work to date indicates that FPS does not have a comprehensive 
and reliable system to oversee its approximately 12,500 contract 
guards. In addition to conducting FSAs, FPS developed RAMP as a 
comprehensive system to help oversee two aspects of its contract guard 
program: (1) Verifying that guards are trained and certified to be on 
post in Federal facilities; and (2) conducting and documenting guard 
post inspections.\17\ However, FPS experienced difficulty with RAMP 
because the contract guard training and certification information in 
RAMP was not reliable. Additionally, FPS faced challenges using RAMP to 
conduct and document post inspections.\18\ For example, FPS inspectors 
we interviewed reported they had difficulty connecting to RAMP's 
servers in remote areas and that recorded post inspections disappeared 
from RAMP's database without explanation. Although we reported some of 
these challenges in 2011, FPS did not stop using RAMP for guard 
oversight until June 2012 when the RAMP operations and maintenance 
contract was due to expire.
---------------------------------------------------------------------------
    \17\ A post is a guard's area of responsibility in a Federal 
facility.
    \18\ FPS's inspection requirement for level I and II facilities is 
two annual inspections of all posts, all shifts. The inspection 
requirement for level III facilities is biweekly inspections of two 
posts, any shift, and for level IV, weekly inspections of two posts, 
any shift.
---------------------------------------------------------------------------
    In the absence of RAMP, in June 2012, FPS decided to deploy an 
interim method to enable inspectors to record post inspections. FPS 
officials said this capability is separate from MIST, will not allow 
FPS to generate post inspection reports, and does not include a way for 
FPS inspectors to check guard training and certification data during a 
post inspection. FPS officials acknowledged that this method is not a 
comprehensive system for guard oversight. Consequently, it is now more 
difficult for FPS to verify that guards on post are trained and 
certified and that inspectors are conducting guard post inspections as 
required.
    Although FPS collects guard training and certification information 
from the companies that provide contract guards, it appears that FPS 
does not independently verify that information. FPS currently requires 
its guard contractors to maintain their own files containing guard 
training and certification information and began requiring them to 
submit a monthly report with this information to FPS's regions in July 
2011.\19\ To verify the guard companies' reports, FPS conducts monthly 
audits. As part of its monthly audit process, FPS's regional staff 
visits the contractor's office to select 10 percent of the contractor's 
guard files and check them against the reports guard companies send FPS 
each month. In addition, in October 2011, FPS undertook a month-long 
audit of every guard file to verify that guards had up-to-date training 
and certification information for its 110 contracts across its 11 
regions. FPS provided preliminary October 2011 data showing that 1,152 
(9 percent) of the 12,274 guard files FPS reviewed at that time were 
deficient, meaning that they were missing one or more of the required 
certification document(s). However, FPS does not have a final report on 
the results of the Nation-wide audit that includes an explanation of 
why the files were deficient and whether deficiencies were resolved.
---------------------------------------------------------------------------
    \19\ For example, guard training and certifications include 
firearms qualification, cardiopulmonary resuscitation, first aid, baton 
certification, and X-ray and magnetometer training.
---------------------------------------------------------------------------
    FPS's monthly audits of contractor data provide limited assurance 
that qualified guards are standing post, as FPS is verifying that the 
contractor-provided information matches the information in the 
contractor's files. We reported in 2010 that FPS's reliance on 
contractors to self-report guard training and certification information 
without a reliable tracking system of its own may have contributed to a 
situation in which a contractor allegedly falsified training 
information for its guards.\20\ In addition, officials at one FPS 
region told us they maintain a list of the files that have been audited 
previously to avoid reviewing the same files, but FPS has no way of 
ensuring that the same guard files are not repeatedly reviewed during 
the monthly audits, while others are never reviewed. In the place of 
RAMP, FPS plans to continue using its administrative audit process and 
the monthly contractor-provided information to verify that qualified 
contract guards are standing post in Federal facilities.
---------------------------------------------------------------------------
    \20\ GAO, Homeland Security: Federal Protective Service's Contract 
Guard Program Requires More Oversight and Reassessment of Use of 
Contract Guards, GAO-10-341 (Washington, DC: April 13, 2010).
---------------------------------------------------------------------------
    We plan to finalize our analysis and report to the Chairman in 
August 2012, including recommendations. We discussed the information in 
this statement with FPS and incorporated technical comments as 
appropriate. Chairman Lungren, Ranking Member Clarke, and Members of 
the subcommittee, this completes my prepared statement. I would be 
happy to respond to any questions you may have at this time.

    Mr. Lungren. Thank you very much, Mr. Goldstein.
    The Chairman now recognizes Dr. Peerenboom to testify.

  STATEMENT OF JAMES P. PEERENBOOM, DIRECTOR, INFRASTRUCTURE 
ASSURANCE CENTER, ASSOCIATE DIRECTOR, DECISION AND INFORMATION 
         SCIENCES DIVISION, ARGONNE NATIONAL LABORATORY

    Mr. Peerenboom. Good morning. Thank you, Chairman Lungren, 
Representative Clarke, and the Members of the subcommittee for 
your invitation to testify here today.
    In early October 2011 the Federal Protective Service 
engaged Argonne by funding the development of a software 
application called a Modified Infrastructure Survey Tool, or 
MIST, to be used by FPS on an interim basis to conduct facility 
security assessments. MIST uses a tailored set of questions 
that helps FPS establish a security baseline and allows for 
comparisons of facilities being surveyed against security 
standards. The MIST provides a standardized way of collecting 
and reporting facility information to inform decisions about 
security measures.
    Argonne's work involved five tasks: Working with FPS to 
develop the MIST methodology; implementing the methodology as a 
release called MIST Release 1.0; developing a host site for 
MIST Release, called the FPS Gateway; assisting FPS, as 
requested, in training functions; and finally, providing help 
desk support to MIST operation.
    By working closely with FPS inspectors, contract management 
staff, and leadership throughout the period of performance 
Argonne was able to meet all the defined requirements in the 
statement of work. MIST Release 1.0 and the FPS Gateway were 
delivered to FPS on March 30, 2012, 6 months after the program 
began. The products were delivered on time and within the 
defined budget.
    Argonne greatly appreciates the opportunity to work with 
FPS in a collaborative manner to develop the MIST as a useful 
and usable interim tool for FPS personnel. Knowledgeable FPS 
leadership and staff were actively involved in all tasks and 
feedback was provided by FPS personnel in a timely manner to 
guide development activities. In addition, regular meetings 
were held with FPS director, Director Patterson, and his staff 
to review schedules and deliverables and to ensure that any 
problems encountered were identified and quickly resolved.
    Finally, Argonne also wishes to thank the DHS Office of 
Infrastructure Protection, part of NPPD, their Protective 
Security Coordination Division in particular, for their 
collaboration with FPS, willingness to share methodologies, 
technology, and experience.
    I appreciate this opportunity to summarize the MIST 
development activities at Argonne and I look forward to your 
questions. Thank you.
    [The prepared statement of Mr. Peerenboom follows:]
               Prepared Statement of James P. Peerenboom
                             July 24, 2012
    Thank you Chairman Lungren, Representative Clarke, and the 
distinguished Members of the subcommittee for your invitation to 
testify here today.
    My name is James Peerenboom, and I am the Director of the 
Infrastructure Assurance Center and the Associate Director of the 
Decision and Information Sciences Division at Argonne National 
Laboratory. Argonne is located just outside of Chicago and is one of 
the U.S. Department of Energy's largest National laboratories for 
scientific and engineering research. Argonne has been providing 
technical support to the U.S. Department of Homeland Security (DHS) 
since the Department was established in March 2003.
                               background
    In late March 2011, the Federal Protective Service (FPS) requested 
a meeting with Argonne to discuss the potential for leveraging 
technical work that had been underway at the laboratory since 2007. The 
work that FPS was seeking to leverage was funded by the DHS National 
Protection and Programs Directorate's Office of Infrastructure 
Protection (NPPD/IP). Specifically, FPS was interested in exploring the 
option to modify an existing survey tool that Argonne had developed for 
NPPD/IP called the Infrastructure Survey Tool (IST). This security 
survey has been successfully deployed and used by DHS and its 
Protective Security Advisors (PSAs) to identify security measures at 
various critical infrastructure assets across the Nation. Argonne first 
met with FPS representatives in April 2011 to demonstrate IST 
functionality; discuss the purpose, scope, and limitations of the tool; 
and discuss FPS assessment needs. A series of subsequent discussions 
and meetings with FPS took place from April through September 2011.
                           description of ist
    The IST is a survey tool that employs a tailored set of questions 
to identify for infrastructure owners and operators some of the 
potential security weaknesses at a given facility, establish an index 
value of protective measures at the facility, and provide comparisons 
with similar facilities. It is not a vulnerability or risk assessment 
tool. Rather, as a survey tool, the IST provides a consistent, 
transparent, and integrated assessment of a facility's current security 
posture. It was designed for application to many types of critical 
infrastructure assets--from refineries, railroad lines, and power 
plants to financial centers--to enable owners and operators to see how 
the security measures at their facilities stack up against those at 
facilities like theirs. While the IST is not intended to compare a 
facility's security to specific standards, it does provide a 
comparative measure to similar facilities.
    The DHS customers for IST survey data are infrastructure owners and 
operators. The survey data, presented in an interactive dashboard, 
allows them to visualize how certain security-related changes, such as 
adding security cameras or installing fencing, alters the protective 
measures index value and may contribute to improved security. On the 
basis of feedback from the PSA community, the interactive dashboard in 
use by NPPD/IP has been well received by infrastructure owners and 
operators. In addition to providing insight and valuable feedback to 
owners and operators, the IST data are also used by DHS to benchmark 
security measures, identify protective measure gaps, and develop 
infrastructure protection strategies.
                             fps work scope
    In early October 2011, FPS engaged Argonne by funding the 
development of a software application, called the Modified 
Infrastructure Survey Tool (MIST), to be used by FPS on an interim 
basis to conduct facility security assessments. As the name implies, 
the MIST is a modification of the existing IST developed by Argonne and 
deployed by NPPD/IP. The MIST uses a tailored set of questions that 
helps FPS establish a security baseline and allows for comparison of 
the facility being surveyed against security standards. MIST's 
methodology involves the gathering of data via an assessment question 
set, processing the data through an algorithm to convert the data to 
vulnerability measures, and the generation of outputs such as a report 
of those measures. Although the MIST was not designed to be an 
Interagency Security Committee (ISC)-compliant tool, it adheres to the 
ISC process and guidance as much as possible and captures elements of 
ISC standards. The MIST provides a standardized way of collecting and 
reporting facility information to inform decisions about security 
measures.
    Argonne's work was funded through an existing Interagency Agreement 
(IAA) with NPPD/IP that encompassed IST-related tasks. Funds were 
committed under the IAA to develop, test, deliver, and support MIST 
Release 1.0. More than half of the funds were used for hardware and 
software to establish a web portal, called the FPS Gateway, that allows 
for sharing of information products and knowledge in real time. The FPS 
Gateway leverages the architecture and hardware/software technology of 
the Linking Encrypted Network System (LENS), a similar portal that 
Argonne developed for NPPD/IP.
    Argonne's statement of work under the IAA with FPS included five 
tasks, all of which involved leveraging the experience, expertise, and 
technology used in developing the IST:
   Working with FPS to develop the MIST methodology;
   Implementing the methodology as MIST Release 1.0 (software 
        development);
   Developing a host site for MIST Release 1.0 (i.e., the FPS 
        Gateway);
   Assisting FPS, as requested, in training functions; and
   Providing ``help desk'' support for MIST operation.
                            project results
    By working closely with FPS inspectors, contract management staff, 
and leadership throughout the period of performance, Argonne was able 
to meet all defined requirements in the statement of work. MIST Release 
1.0 and the FPS Gateway were delivered to FPS on March 30, 2012. The 
products were delivered on time and within the defined budget. Argonne 
continues to provide help desk support to FPS. Feedback from FPS about 
the MIST as an interim survey tool has been very positive.
                            acknowledgments
    Argonne appreciates the opportunity to work with FPS in a 
collaborative manner to develop the MIST as a useful and usable interim 
tool for FPS personnel. Knowledgeable FPS leadership and staff were 
actively engaged in all tasks, and feedback was provided by FPS 
personnel in a timely manner to guide development. In addition, regular 
meetings with the FPS Director also were held to review schedules and 
deliverables and to ensure that any problems encountered were 
identified and quickly resolved. Argonne also wishes to thank the NPPD/
IP Protective Security Coordination Division staff for their 
collaboration with FPS, willingness to explain and share methodologies 
and technology, and thorough IAA oversight.

    Mr. Lungren. Thank you very much.
    I think we may have set a record for brevity of the three 
panelists, and we appreciate that. I am sure all my colleagues 
have questions. We will start of round of questioning, and I 
will start with the first 5 minutes.
    General Patterson, in your previous jobs, precision, 
accuracy, attention to detail has been extremely important. We 
have had concerns prior to the time you got there with the lack 
of those things in some of the functions that you are supposed 
to--that your operation is supposed to carry out.
    Last July when you testified you indicated your, I think, 
frustration at where FPS was at that time. So how would you 
assess FPS's progress to address deficiencies in the ability to 
conduct facility security assessments and conduct oversight and 
training of the contract guard program?
    As I am sure you heard Mr. Goldstein, you have seen the 
testimony that he gave. There seems to be some concern that he 
expresses there. How would you judge where you are versus where 
you think you need to be and where you want to be in those 
areas?
    General Patterson. Thank you, sir.
    Well, to begin, we are at the beginning. RAMP unfortunately 
did not produce results that the agency had hoped that it 
would. So after careful review, as you are aware, I made the 
decision that we were no longer going to follow that path and 
develop a new path.
    I spent quite a bit of time with our sister activity 
component within Homeland Security, I.P., to talk about how 
they look at threats, how they look at vulnerability within the 
private and commercial sector, and how we could leverage what 
they do and bring that about as quickly as we can to look how 
we might do that in the Federal sector.
    Once I was able to look across the--at what they were doing 
and some of the things that some of our other partners might--
were doing at the time, because we also looked at systems 
within S&T, and I think GSA also had a system that we were 
evaluating. But at the time I believe that I.P. offered us the 
best product, if you will, for us to move forward. That was 
when I was introduced to Argonne Labs and the work that they 
were doing for I.P. to support I.P.
    I spent quite a bit of time with I.P. and Argonne Labs to 
assess whether or not that would be the right direction for us. 
In fact, that was the right--I believe that it is the right 
direction for us.
    Now, to get to the point of our folks within the GAO 
assessment, it is correct that our MIST tool does not look at 
consequence. However, what we do is we look at vulnerability 
and we look at threat. We do that in a couple of ways.
    In the vulnerability, we collect a lot of data to assess 
and to determine how vulnerable these--our facilities are to 
the threats that are being posed by--in a number of areas, 
whether it be natural disaster, whether it be criminal threat, 
or whether it be from the threat of terrorism.
    I have also developed a very robust activity within FPS 
that looks at the threat picture every day. We have folks who 
are working with the ODNI, the Office of Director of National 
Intelligence, who are working with I&A at DHS, who are working 
with the FBI. I have several folks across the country who are 
working at the JTTFs as well as the fusion centers across the 
country to help us better understand the threat picture as we 
move forward pulling vulnerability and threat together.
    Relative to the consequence piece, each one of the Federal 
agencies has a--what we call a COOP plan. It is a plan as to 
when there is a problem--a disaster or something the must 
respond to--how they will reorganize, how they will 
reconstitute once that event has happened. They also have 
something called an occupational emergency plan that we work 
with them--that they can leverage, and that plan is developed 
when an agency is either--when they have stood up--or when they 
occupy a facility, or as we go in to perform our assessments.
    So we have what we believe to be a fairly robust scenario, 
if you will, of bringing vulnerability, threat, and 
consequences together not necessarily in a single document, but 
in a process, in a plan. So when an assessment is done my MIST 
tool brings me the vulnerability piece; my intelligence folks--
my RIAs, is what we call them, regional intelligence folks, 
bring forth the threat piece, and combine that with the COOP 
plan and the emergency occupant plan to, I think, to bring 
together a fairly robust product and assessment of 
vulnerabilities and threats to our Federal facilities.
    Mr. Lungren. Mr. Goldstein, would you have any comments on 
that?
    Mr. Goldstein. Thank you, Mr. Chairman.
    You know, we were very pleased that FPS has made progress. 
Don't get me wrong, we feel that they have made some progress. 
The development of MIST is certainly a way forward out of the 
past, whether it was from the original tools of FSRS, or 
whether it was through the more recent tools, where they use an 
Excel spreadsheet and then they had the whole RAMP program. 
This is a way forward, and we do believe that by finally having 
a program the inspectors can use where they are not 
subjectively determining vulnerability on their own is 
important. We discussed it in our report.
    But we do think that being able to include consequence 
information, as the National infrastructure program requires, 
is really important. In my opinion----
    Mr. Lungren. Mr. Patterson suggests that COOP, I believe it 
is, or these other elements that their clients have fulfills 
that role. You have a disagreement with that?
    Mr. Goldstein. What I would tell you is I think that you 
can't have a robust program without consequence information 
because what you are doing is essentially telling people that 
you have set the dinner table without telling them what the 
food is going to be----
    Mr. Lungren. No, I understand. I mean, I have always looked 
at risk, you know, that simple equation of threat, 
vulnerability, and consequence. What I was trying to get at is 
Mr. Patterson has suggested, or stated, that he believes that 
you reach that with this other component of information that he 
receives from what I refer to as the clients--you might use 
another term. Is that something you would still quarrel with at 
this point?
    Mr. Goldstein. I don't think it provides agencies and their 
clients the kind of information they need to make robust 
decisions about which countermeasures they are going to adopt 
and which they aren't, which have more priority than others.
    Mr. Lungren. Okay.
    Ms. Clarke.
    Ms. Clarke. Thank you, Mr. Chairman.
    Director Patterson, FPS chose to modify the current Office 
of Infrastructure Protection's infrastructure survey tool for 
its new interim risk assessment tool. What other tools did FPS 
consider and why weren't they selected?
    General Patterson. Yes, ma'am. I don't have the specific 
names of the other tools but there were a couple other tools. I 
know one specifically that was being developed by the Office of 
Science and Technology. The challenge with that particular tool 
was that it was still in the development phase and it was being 
beta tested.
    One of the challenges that I believe that we were going to 
have was that we were not involved in setting the requirements 
for the tool. So therefore, we would had to have started from 
the very beginning to figure out, you know, whether or not our 
requirements were going to be met, and then if they weren't, 
how we were going to incorporate that.
    I felt that I needed to deliver something. We had spent 
time, a bit of time, on RAMP. I felt that we needed to do, to 
move forth quickly to try to do something to ensure that we 
were providing our customers, our clients, an assessment 
product--okay, not just an assessment, but an assessment 
product--and I thought MIST would be the best way to do that.
    Ms. Clarke. How does FPS plan to address the limitations 
that GAO identified for MIST?
    General Patterson. Yes, ma'am. For me, this is about being 
a marathon and not a sprint. We are going to work aggressively 
with the ISC, the Interagency Security Committee, to look at 
how we productively and efficiently and effectively incorporate 
all those things that the GAO has recommended and we agree that 
should be considered to be in the tool.
    Part of the challenge that we have is that we need to look 
at this very, if you will, judiciously. When we evaluate or 
assess a facility sometimes there are 10 tenants in that 
facility, okay, so we have to be--we have to ensure that when 
we produce a report that the consequence piece of that, if you 
will, is going to have relevance to all of the folks in that 
particular facility.
    So I am not exactly sure that trying to put a consequence 
piece into every assessment is the right avenue. So we are 
going to work with the ISC to see how we might develop that and 
work forward and move in that direction.
    Ms. Clarke. How was the decision made to award Argonne 
National Laboratory the contract to develop MIST? Were there 
other entities considered as well?
    General Patterson. Yes. We were required to--the 
acquisition process required us to consider other avenues for 
that, and they were--the decision was to go with Argonne.
    Ms. Clarke. Okay.
    Mr. Goldstein, when do you estimate that FPS will have a 
more robust guard oversight tool in place that can track guard 
certification information and offer FPS management with greater 
insight as to whether all of the post inspections that need to 
be conducted are, in fact, occurring?
    Mr. Goldstein. I would judicially say that that is a work 
in progress. I think the Federal Protective Service has 
recognized that there are some vulnerabilities in their 
process.
    They recently stopped, as of June 2012, any use of RAMP for 
that process; it was the last part of RAMP that was being used 
and they notified offices not to be using that anymore. Much of 
the information in that system had never been revalidated from 
the old cert system so there were many problems with it.
    I think it is going to take some time. We have some on-
going work for this committee, taking a look at guard programs, 
and this will be something that we evaluate how others do it 
and try to bring some of that information back to you and to 
FPS to help them as they go forward. It is not a short-term 
project.
    Ms. Clarke. So would you say--yes, I mean, I recognize 
that. But would you say they are just at the advent of----
    Mr. Goldstein. I think they are at the beginning of trying 
to determine what they need and how to independently verify 
certification as well as post inspection, yes, ma'am.
    Ms. Clarke. Okay. How does FPS now track the implementation 
of security countermeasures that are recommended for inclusion 
in the facility security assessments?
    General Patterson. I am sorry, ma'am. Can you repeat that, 
please?
    Ms. Clarke. Yes, sure. How does FPS now track the 
implementation of security countermeasures that are recommended 
for inclusion in the facility security assessments?
    General Patterson. Yes, ma'am. Currently we don't have a 
tracking tool. It is all done manually, if you will, paper. As 
our inspectors go out and interface with the committees, the 
security committees, the facility security committees to 
discuss--or the agencies to discuss what countermeasures might 
be necessary or what--that we might recommend, at that point we 
work with the FSCs to implement those requirements and it is 
documented, but it is documented on paper at this point because 
don't have a digital system, if you will, to account for that.
    Ms. Clarke. Thank you, Mr. Chairman. I yield back.
    Mr. Lungren. Gentlelady yields back.
    Mr. Walberg is recognized for 5 minutes.
    Mr. Walberg. Thank you, Mr. Chairman.
    Thanks to the panel for being here.
    Mr. Goldstein, you have noted that MIST, as an interim 
tool, falls short of providing FPS the ability to do many of 
the things that RAMP was intended to provide. You also noted 
that MIST is neither compliant with DHS's own National 
infrastructure protection plan and the framework that it has 
nor standards developed by the Interagency Security Committee.
    So the question I would initially ask is, why are these 
standards so important?
    Mr. Goldstein. I think the standards are important 
principally because they will create a baseline, but they will 
also allow that baseline to be examined across the host of the 
Government's portfolio. FPS does not have the ability today to 
look at the portfolio of Government properties that it 
protects--some 9,000 GSA buildings--and to determine at various 
levels which of those facilities require the most resources.
    They protect everyone, everything essentially at each level 
in the same way, regardless of where it is and what its 
function is. So therefore we have a very static approach, 
building by building, to protecting our Federal infrastructure 
when resources are obviously very tight, and you can't leverage 
the resources and priorities effectively that way.
    Mr. Walberg. I mean, that being the suggestion then, I 
guess, Mr. Patterson, does FPS believe ISC or NIPP standards 
are important criteria to meet?
    General Patterson. Oh, absolutely, sir. They are important. 
We are baselining those criteria.
    The challenge that we have is right now, is developing, if 
you will, a tool that will bring all that into play----
    Mr. Walberg. But the present tool isn't compliant with any 
of those standards, is it?
    General Patterson. It is not ISC-compliant because it does 
not take into consideration the consequence piece of the 
assessment, okay? However, the tool isn't compliant but our 
process is compliant, okay, and the process----
    Mr. Walberg. Explain that a little further.
    General Patterson. Yes, sir. I will. The tool is no more 
than a product that we provide to our customer. It is a 
snapshot in time of what we believe to be the vulnerability, 
the threat, and in this case, the consequence at a particular 
facility, okay? We discuss each one of those elements at the 
out-brief when we have completed an assessment.
    All right, now, that MIST tool--that MIST product--will not 
cover all three, but that doesn't mean that we haven't covered 
that with our customers, all right? So what we are trying to do 
is we are trying to work with the ISC to develop a product, a 
tool, a product that we can deliver at the end of the day, at 
the end of the assessment that allows them to capture all of 
that into one document. We can't do that today.
    Mr. Walberg. What is the time period you are expecting this 
tool to be developed and then fully implemented?
    General Patterson. In my discussions with the ISC, to their 
knowledge there is no one out there today that has a tool that 
will do that, that has been proven to do that. I understand 
that there might be a few folks out there who think they may 
have a tool to do that, but no one at this point has 
demonstrated that they have an effective tool that brings into 
play vulnerability, threat, and consequence into one document, 
or into a process that will bring all that together and you can 
provide that to our clients.
    So we are working aggressively with GSA, with the ISC, and 
others to look at how we might do that and how the community--
how we can work together with the community to make that 
happen.
    Mr. Walberg. Mr. Goldstein, would you concur with that, 
that there is not a tool capable at this time, or----
    Mr. Goldstein. We haven't looked at that specifically, sir. 
We are doing some work for this committee--just beginning that 
work--taking a look at assessment tools across the Federal 
Government and out in the broader community, and we will 
hopefully be able to report back on that on the near future.
    Mr. Walberg. Okay.
    Mr. Patterson, I understand that MIST was developed as an 
interim tool to replace RAMP. What is FPS's long-term plan to 
replace RAMP and what is the time line for that implementation?
    General Patterson. Yes, sir. The long-term plan is to 
create a tool that is ISC-compliant. I currently don't have a--
I don't have a time line for that.
    Again, we are going to--we are actively working with the 
ISC and collaborating with the ISC. We are actively 
collaborating with GSA to begin to look at how we will do that: 
What is the next step? Because we want to build upon what we 
have at MIST, what we have created with MIST, so that we are 
not recreating every time we decide to develop a new tool or a 
new process. We don't want to recreate that every time.
    So the bottom line is is that we are going to work with the 
ISC and the community to look at how we move forward. I wish I 
could give you a better answer but I don't have a better answer 
at this point until we can collaboratively come together and 
begin to figure out the path forward.
    Mr. Walberg. Well, I see my time has expired.
    Mr. Lungren. Mr. Richmond----
    Mr. Walberg. Thank you, Mr. Chairman.
    Mr. Lungren [continuing]. Is recognized for 5 minutes.
    Mr. Richmond. Mr. Patterson, I guess I need you to make a 
connection for me and monitor the conversation with my 
colleague, and you said that MIST, or whatever you are using 
now, the program does not have consequence in it but your 
process has consequence in it. Did I hear that right?
    General Patterson. Yes.
    Mr. Richmond. I guess I am falling short that if the 
process has consequence in it why can't we develop a tool that 
puts vulnerability, threat, and consequence into one thing? I 
guess I am lost on that. Can you----
    General Patterson. Sure.
    Mr. Richmond. Can you help me on that?
    General Patterson. I am not debating that we can. I am just 
saying that I haven't found a way to do that today.
    My work to this point--our research to this point--has 
taken us through vulnerability and threat, but incorporating 
the consequence piece, as we would have it within the Federal 
sector, is very different than you incorporate consequence 
necessarily into the private sector. So what we are trying to 
do is when we do that we want to make sure that we develop a 
tool that is usable, that has got credibility, and we just 
haven't reached that point yet.
    So when I talk about the consequence piece in the process, 
the process is is that when we sit down and talk with our 
customers and with our clients we talk about their ability to 
reconstitute, their ability to perform if there is an event, 
okay, and there are certain things that they have already done.
    For instance, IRS has a COOP plan. If there is an IRS--if 
there is an event--for instance, the airplane that flew into 
the IRS facility in Austin, Texas a few years ago, well the IRS 
had a way to reconstitute. They knew exactly what they needed 
to do in order to move those functions from that facility to 
another facility, okay?
    So for them it wasn't about us bringing something to them, 
all right? They knew exactly what they wanted to do. They had a 
plan. They have a plan.
    Most Federal agencies have a plan if there is a problem, if 
there is an event that happens that takes them away from their 
facility.
    Mr. Richmond. You said most of them do. Do----
    General Patterson. That is an assumption. I would hope all 
do.
    Mr. Richmond. Okay. I guess that was going to be my next 
question: Do we have a good take on who has and who does not 
have----
    General Patterson. No. We work with every agency--every 
facility, every agency that we do an assessment, we work with 
them on what they call the occupant emergency plan, and that is 
a plan to do just what we are talking about. If there is a 
problem--if it is a natural disaster, if it is a criminal event 
or a terrorism event, what will you do? We go through a myriad 
of scenarios with them as to what they would do. Through every 
assessment we work with every tenant in the facility on that 
plan.
    Mr. Richmond. I remember from the last hearing we talked 
about that there was the inability, or we were not in a 
position to verify the--that the guards that were on post were 
trained and certified. Have we developed something to better 
assess whether they are trained, certified, and present on 
our--in our Federal buildings?
    General Patterson. Yes. What we are doing now--we don't--
clearly we need a better process. Right now it is a pen-and-
paper process for us.
    We were hoping--the agency was hoping that RAMP was going 
to resolve this or help us get a little closer to a better 
solution. When that didn't evolve, when that didn't work, what 
I had directed all of my regions to do is revert back to a 
paper process, if you will, working with--as our PSOs are 
brought on for their time to do work, or when a client--not a 
client, but when our contractors, if you will, when they hire a 
PSO to work there is a package of certifications that each of 
our PSOs must have. That package--those certifications are 
maintained by the contractor.
    However, that information that is contained in those 
certification packages are then forwarded--is then forwarded to 
every one of my regions. So we have on file in our regions, if 
you will, that information.
    Now, the challenge is how often we can get through there 
and continue to recertify that their certifications are up-to-
date. We have 13 certifications in those files that must be 
certified every year, or recertified every year. So it is a 
huge administrative task for us to go through that and we are 
looking for ways that we can digitize that, we can use 
technology to help us with that; we are just not there yet.
    Mr. Richmond. I see that my time has expired so I yield 
back. Thank you, Mr. Chairman.
    Mr. Lungren. Thank you.
    We might have time for a quick second round if anybody is 
interested.
    Let me just recognized myself in the first instance, and 
that is, Mr. Goldstein, you heard Mr. Patterson's response to 
the question about consequence. Here is my concern--I will have 
Mr. Patterson answer after I ask your thoughts--when Mr. 
Patterson described it he talked about some of the clients, 
such as IRS, having an ability to reconstitute themselves. That 
is what they have. That is their part of this consequence.
    But I thought this tool that we were trying to develop, or 
tools, to do threat assessment was for the purpose of 
establishing, by FPS, what the levels of security would be so 
that you would have them more in line with what the overall 
risk assessment was. In that regard, a consequence piece would 
help Mr. Patterson and his organization decide the level of 
security as opposed to, as you suggested, I thought, in your 
testimony, that it is kind of an across-the-board, everybody is 
treated the same.
    Am I correct in what you said and the reason why the lack 
of consequence would affect their ability to make those 
decisions?
    Mr. Goldstein. Yes, sir. Mr. Patterson's discussion of COOP 
is an important element of, obviously, responding to any 
disaster or any attack but it isn't directly related, I would 
submit, to what we are talking about, in that the need to have 
consequence information as part of this program, which he 
agrees they will eventually develop and we are simply bringing 
that point out, is so that agencies working with the Federal 
Protective Service will have guidance on how to prioritize 
protecting facilities themselves over a period of time.
    Mr. Lungren. Mr. Patterson, that is what I have found is a 
disconnect in what you are saying. I understand--I am happy 
that IRS knew how to reconstitute itself, but in terms of your 
assessment of your operation's ability to manage your resources 
in tough budget times, to decide where you need to put your 
emphasis, where you need to have more, where you need to have 
less, that that assessment tool or tools are to allow you to do 
that as opposed to you determining exactly what IRS ought to do 
at this place or one of your other clients.
    General Patterson. Yes, sir. Again, it is--from our 
perspective it is a huge challenge as to how we incorporate 
consequence into any tool.
    For instance, as I stated before, every facility is 
different. Some facilities, they are just stand-alone agencies; 
and other facilities, much like the Reagan Building, there 
might be literally 10 to 20 different agencies with different 
requirements--having different requirements, and having much 
more, if you will, at risk than some of the other agencies in 
there.
    So as we look across the spectrum of facilities that we 
have to assess what I am trying to get away from is a one-size-
fits-all kind of a tool.
    Mr. Lungren. I don't want you to do that. That is why I am 
trying to figure out----
    General Patterson. Yes, sir.
    Mr. Lungren [continuing]. Why consequence couldn't be 
incorporated into the tool that you use, or you have some 
integration at some point in time of two tools so that you have 
those three things together in making your risk assessment to 
aid you in a determination of the level of security and the 
prioritizing of your resources. That is all I am trying to 
figure out.
    General Patterson. Yes, sir. Again, it is our intent to 
incorporate consequence; we are just trying to figure out, how 
do we do that?
    Mr. Lungren. Okay. Ms. Clarke.
    Ms. Clarke. Thank you, Mr. Chairman.
    This question is for Director Patterson and Mr. Goldstein: 
How does FPS track the effectiveness and performance of the 
security countermeasures that it has recommended? How do you 
actually----
    General Patterson. We have our inspectors who visit our 
sites routinely, who visit Federal facilities routinely to 
assess the effectiveness of our PSOs. When we do post 
inspections that is an assessment of our contract guard force.
    We also visit our camera facilities to look at whether or 
not they are operating, and when they are not to look, and 
working with the FSC to get them repaired. So this is on an on-
going and continual basis, looking at all of our 
countermeasures on a routine basis to ensure that they are 
operating efficiently and effectively.
    Ms. Clarke. Would you say it is a cyclical type of regimen 
that your inspectors are engaged in? Because I would imagine 
when you look at various facilities the landscape around those 
facilities may change from time to time with infrastructure 
changes, with----
    General Patterson. Right. I mean, you know, we can--we--
from time to time we will have different tenants who move in 
who have different requirements, or they, like, as you just 
stated, ma'am, where there are facilities that may come up next 
to or where we have to assess whether or not--what that impact 
might be on a bus station, let's say, moving in next to one of 
our facilities. So absolutely.
    But that is a continuing process for us. We don't wait for 
the assessment period to do that. If, in fact, we know that the 
city is building--has new construction going up to one of our 
GSA facilities we engage immediately with GSA and the tenant to 
find out what--and the city--to find out what is going up and 
what the impact might be, and what we may need to do to answer 
the--to see if there is going to be an additional security 
standard that we may have to set out as a result of that.
    Ms. Clarke. Is there, baked into the MIST system, a way of 
keeping track of that information?
    General Patterson. I am sorry. Let me--is there going to be 
a way----
    Ms. Clarke. Yes, of, you know--over time you are going to 
maybe have overlays----
    General Patterson. Yes. Yes. Our MIST system, yes, as MIST 
is rolled out and as we are incorporating all that information, 
yes, ma'am, that all will be digitized into MIST so we can go 
back immediately and determine, you know, what systems are 
there and then how we need to correct, or adjust, or whatever 
we need to do to those systems, yes.
    Ms. Clarke. Dr. Peerenboom, what capabilities, if any, 
would a more permanent tool have over FPS's interim MIST tool?
    Mr. Peerenboom. Well, as stated by Director Patterson and 
Mr. Goldstein, MIST is not a risk tool. It focuses on 
vulnerabilities. But it was based on work done for the Office 
of Infrastructure Protection at DHS, the infrastructure survey 
tool. That provides a platform or basis by which one could 
expand.
    In fact, within I.P. they are looking at single assessment 
methodologies to pull together tools and capabilities that 
address risk in a holistic fashion to inform decisions about 
security investments. The customers of Office of Infrastructure 
Protection are slightly different; they are the owners and 
operators. The IST tool that we developed and modified for FPS 
is applicable to all 18 critical infrastructures, so it has a 
broader base.
    But the subset of questions and things that apply to 
Federal facilities is what was done for MIST.
    Ms. Clarke. What makes these capabilities necessary?
    Mr. Peerenboom. The Office of Infrastructure Protection has 
a mission to provide protection and risk analysis for critical 
infrastructure, and so their sets of tools are designed to 
encompass that broad spectrum. The IST that we developed MIST 
from addresses part of the equation, and there are efforts 
underway to expand that base within Office of Infrastructure 
Protection. It provides a point of leverage for FPS should they 
decide to use that.
    Ms. Clarke. So when the risk or the vulnerabilities seem to 
be evolving, how do--how effective is the MIST tool, in terms 
of indicating for FPS what new measures need to be taken? Is it 
dynamic, in other words?
    Mr. Peerenboom. Well, that is really--I should let Director 
Patterson speak to that issue, but MIST provides a basis for 
looking at the vulnerabilities to the facility and the 
inspectors can add in their recommendations and their 
understanding of the consequences of protective measures that 
would--not consequences, excuse me--the countermeasures that 
would be applicable to that facility.
    The MIST tool is partly compliant with the ISC standards 
but it is not an ISC-compliant tool. But we certainly took that 
into account, and over time, should FPS decide to do that, 
technically it is possible to address those standards.
    Ms. Clarke. All right. Thank you.
    Mr. Lungren. Mr. Walberg.
    Mr. Walberg. Thank you, Mr. Chairman.
    Drilling down in the same board again, Mr. Peerenboom, can 
MIST be developed to capture consequence? Is it capable?
    Mr. Peerenboom. Technically the answer is yes.
    Mr. Walberg. Go a little further on why you would say 
technically the answer is yes.
    Mr. Peerenboom. Well, there are capabilities, as I 
indicated earlier, that are being developed within the Office 
of Infrastructure Protection, to enhance the capabilities of 
the infrastructure survey tool that provides the basis that 
MIST was developed on, and we have the capabilities to 
incorporate elements of consequence, but that is a decision 
that obviously is not ours. But technically it is feasible.
    Mr. Walberg. It is feasible, but would you say it is not 
the best tool?
    Mr. Peerenboom. It depends on requirements. No, I didn't 
say that.
    Mr. Walberg. Okay. Okay. Thank you.
    Mr. Patterson, I would applaud you and commend you for 
putting an emphasis on training in your tenure at FPS, and I 
agree that training is a key for your force's morale and 
effectiveness in the process.
    Last summer you stated that you were looking at different 
ways FPS may be able to deliver X-ray and magnetometer and 
weapons training. I understand there has been significant 
dialogue and outreach between FPS and the private sector, which 
may be able to better deliver the training.
    Could you enlighten us at this point in time on the on-
going dialogue with industry to improve guard training?
    General Patterson. Yes, sir. Well, first of all, one of the 
things that I needed to do was hire a senior deputy director 
for training to--who could focus in on this full-time and not 
be a part-time duty. So I have done that. So now I have someone 
who is looking across the board at all the training within FPS 
full-time.
    Now, as we look at training for our PSO force, we are 
actively working with NASCO, the National Association of 
Security Companies, to work with them and look at how we can 
proliferate training across 13,000 PSOs that support FPS and 
all of our Federal partners. It is a huge task, because when 
you are talking about providing services in 50 States that all 
have different, if you will, training requirements, okay, we 
have to ensure that we are doing it in such a way that we are 
getting the best bang for our buck.
    One of the things in the National Weapons Detection 
Program, in magnetometers and X-ray machines, that I knew that 
we needed to do was to ensure that our inspectors were 
adequately trained, and we have done that--we are doing it. We 
are just about completed all of our training for our inspectors 
for the magnetometers and X-ray machines----
    Mr. Walberg. The additional 8 hours of training that you 
were----
    General Patterson. Yes.
    Mr. Walberg [continuing]. Proposing?
    General Patterson. That is going to be cascaded by our 
inspectors, by a team of our inspectors to the--to our PSO 
force. Working with the--kind of in a deal where we do kind-of 
a trained-to-trainer kind-of a thing as well so that we can 
also work with our--within the contractor force, within the 
contractor structure to, in such, certify our contractors so 
that they can provide some of the training, as well.
    Mr. Walberg. You feel that FPS is capable of delivering 
consistent training across, as you say, the 50 States and the 
uniqueness of each of those?
    General Patterson. Yes, sir. Absolutely.
    Mr. Walberg. Mr. Goldstein, would you concur with that?
    Mr. Goldstein. We remain concerned, sir, because the 
problem that brought on the need for the additional training is 
now more than 3 years old when GAO was able to bring bomb-
making materials into 10 Federal facilities without anyone 
knowing and building those bombs. It has been 3 years, and the 
contract guards who are there to prevent things like that from 
happening haven't had that additional training in all of that 
time.
    I understand that the agency is resource-constrained, but 
it would seem to me that this would have been a matter of the 
highest priority, sir.
    Mr. Walberg. Within 3 years?
    Mr. Goldstein. Yes, sir.
    Mr. Walberg. Thank you.
    Mr. Lungren. Thank you very much.
    I thank all the Members for their participation.
    I want to thank the witnesses for your valuable testimony. 
The Members of the committee may have some additional questions 
for our witnesses, and so we would ask you to respond to those 
in writing. The hearing record will be held open for 10 days, 
and this subcommittee stands adjourned.
    [Whereupon, at 11:09 a.m., the subcommittee was adjourned.]


                            A P P E N D I X

                              ----------                              

    Questions From Chairman Daniel E. Lungren for L. Eric Patterson
    Question 1. In testimony before the House Committee on Homeland 
Security in November 2009, NPPD Under Secretary Rand Beers testified 
that NPPD was conducting a workforce needs analysis for FPS, at the 
request of Secretary Napolitano, to ensure that FPS has ``the right 
resources and staffing levels to match the missions FPS currently 
has.'' Under Secretary Beers further stated that when the results of 
the study were complete, Congress would be notified.
    What were the results of the analysis?
    Answer. The Federal Protective Service (FPS) conducted a workforce 
needs analysis between 2009 and 2010 and the results were used 
internally within the Department of Homeland Security. The results were 
a first step but did not fully meet the needs of the Service. FPS 
currently has a Federally Funded Research and Development Center on 
contract to conduct an activities analysis to refresh the past 
assumptions and requirements so that FPS may evaluate staffing levels 
in future years. FPS will brief the committee on the completion of the 
updated analysis.
    Question 2a. While FPS is taking positive steps to improve the 
standardization and consistency of FPS, there are still concerns that 
FPS operates differently from region to region and lacks consistent 
standards.
    Is consistency throughout the regions a concern of yours?
    Question 2b. What steps are being taken to improve consistency of 
FPS from region to region?
    Question 2c. Is headquarters assignment a prerequisite for 
promotion at FPS, and if not, do you think that would improve 
standardization and consistency of FPS policies?
    Answer. The Federal Protective Service (FPS) is performing an 
activities analysis to understand and document where it should 
introduce or modify policies to increase operational effectiveness and 
reduce risk. Several variables, including geography, law, threat, and a 
specific customer, could warrant differences in operational activities 
across regions. Through FPS's current detailed review of functions and 
activities, it is identifying commonalities and best practices to 
inform uniform National policies where it makes sense to do so. FPS 
would be pleased to provide a detailed briefing on this effort and 
highlight policy and process improvements that are being implemented 
Nation-wide.
    In addition, FPS has taken steps to realign its workforce to 
effectively map personnel resources to program functions. The result of 
this effort was the creation of an Area Management Concept, which 
compartmentalizes reporting for 11 regional-level offices into three 
Field Operations. Each Field Operation, led by a Senior Executive 
Service-level Assistant Director, provides oversight for multiple 
regional offices to help ensure standardization and consistency across 
the service. This area concept is a geographic-based structure that 
streamlines operational reporting through consolidation of information 
channels.
    An assignment to headquarters is not a prerequisite for promotion 
at FPS. The creation of the Area Management Concept, led by three 
Senior Executive Service-level and field-based Assistant Directors, is 
providing standardization and consistency across the service.
  Questions From Ranking Member Yvette D. Clarke for L. Eric Patterson
    Question 1. According to GAO, FPS spent $795 million on its 
contract guards in fiscal year 2011 which represented 90% of the 
agency's procurement budget. How much is FPS obligated to spend on its 
contract guards in fiscal year 2012, and what are the projected 
expenditures for fiscal year 2013?
    Answer. The Federal Protective Service (FPS) obligated $755.6 
million on its guard contracts in fiscal year 2011, which represented 
approximately 91 percent of its total contract obligations. FPS 
projects that it will obligate approximately $764.6 million in this 
program in fiscal year 2012. This projection is based on the known 
fiscal year 2012 obligations to date ($750.9 million as of August, 10, 
2012), plus additional expected obligations through September 30, 2012, 
totaling $13.7 million for recurring guard services and pending 
modifications and/or equitable adjustments under existing contracts. 
FPS projects that it will obligate approximately $784.4 million in 
fiscal year 2013. This projection is based on the estimated escalation 
of the fiscal year 2012 obligation by 2.6 percent, which accounts for 
estimated inflationary factors such as Service Contract Act wage 
adjustments. However, FPS may obligate additional amounts in fiscal 
year 2013 as necessary to account for emerging requirements for 
existing and new customers and any changes that may arise concerning 
guard requirements.
    Question 2. Why is it that as of June 2012, a total of $652,000 was 
spent on MIST, which appears to be useful so far, while RAMP has 
yielded no tangible results after four years and $35 million or more in 
expenditures?
    Answer. The Risk Assessment and Management Program (RAMP) 
experienced significant programmatic and technical issues, primarily 
related to insufficient user involvement in the requirements definition 
and testing of the application, as well as the lack of an approved 
program baseline to control and measure program progress.
    The efforts to develop and field the Modified Infrastructure Survey 
Tool (MIST) have been more successful because the program benefited 
from leveraging an existing software application already in service 
with the Office of Infrastructure Protection. MIST and its development 
addressed the shortcomings experienced within RAMP by instituting 
program management best practices to provide adequate controls on the 
development effort, and ensuring user involvement in the development 
and testing of MIST.
    Question 3. Given that FPS had a June 2012 deadline to decide what 
to do with the data remaining within RAMP, what decision has been made? 
If a decision has yet to be made, what are the next steps?
    Answer. The June 2012 deadline was tied to the expiration of the 
sustainment support contract for the legacy Risk Assessment and 
Management Program (RAMP) application. The expiration of that contract 
does not equate to a loss of data, as the Government owns the rights to 
the software and RAMP is currently installed within the Department of 
Homeland Security (DHS) Data Center 1 production environment.
    The Federal Protective Service (FPS) has examined the data within 
RAMP and identified three major data sets that needed to be retained: 
The RAMP repository, which is a library of historical assessments and 
policy documents; Protective Security Officer (contract guard) 
contracting information; and guard post inspection reports. Data from 
all other modules within RAMP is either resident elsewhere within FPS 
or lacks value due to problems with RAMP functionality.
    FPS has decommissioned RAMP as of July 12, 2012. With user access 
no longer available, the final data set was copied to FPS servers to 
ensure retention of the data. FPS will continue to work to dispose of 
the RAMP application during the fourth quarter of fiscal year 2012 and 
remove the application and all data from the DHS Data Center 1.
  Questions From Ranking Member Yvette D. Clarke for Mark L. Goldstein
    Question 1. How will the security of Federal facilities be affected 
if FPS inspectors and law enforcement security officers are not 
adequately trained to use MIST?
    Answer. The protection of Federal facilities may be significantly 
hampered if FPS's law enforcement security officers do not receive 
training on the Modified Infrastructure Survey Tool (MIST). As we 
reported in August 2012, FPS is not assessing risk at Federal 
facilities but plans to resume assessing Federal facilities 
vulnerabilities with MIST. However, if FPS's law enforcement security 
officers do not receive MIST training and no other alternative 
assessment tool is used, the backlog of facilities not assessed will 
increase significantly. According to FPS data, more than 5,000 
facilities were to be assessed in fiscal years 2010 through 2012.
    Question 2. What tools or options would be available to FPS in the 
event that MIST training is not completed?
    Answer. FPS may be able to use other tools if it cannot use MIST to 
assess Federal facilities. For example, one tool is the Federal 
Security Risk Manager (FSRM), which FPS used from 2000 to 2009. 
However, FPS has experienced problems using FSRM. Another potential 
tool is the Integrated Rapid Visual Screening developed by DHS's 
Science and Technology Directorate (S&T). The IRVS is a risk assessment 
tool that assesses risk using threat, vulnerability, and consequence. 
According to an S&T official, the IRVS is available to FPS at no cost.
    Question 3. Will the implementation of MIST and other FPS 
activities allow for enhanced compliance with the Interagency Security 
Committee standards?
    Answer. FPS has taken some steps to better align MIST with the 
Interagency Security Committee (ISC) standards. For example, MIST uses 
the ISC recommended countermeasures for defined threat scenarios for 
each facility security level.
 Questions From Ranking Member Yvette D. Clarke for James P. Peerenboom
    Question 1. What are the costs associated with developing and 
implementing MIST as the interim replacement for RAMP?
    Answer. Argonne developed the Modified Infrastructure Survey Tool 
(MIST) under an existing Interagency Agreement (IAA) with the U.S. 
Department of Homeland Security National Protection and Programs 
Directorate's Office of Infrastructure Protection (NPPD/IP). Similar 
methodologies and technologies developed by Argonne for NPPD/IP, such 
as the Infrastructure Survey Tool (IST), were leveraged to reduce MIST 
development time, cost, and risk. A total of $850,000 was committed 
under the IAA to build on the foundation established for the IST to 
develop, test, and deliver MIST Release 1.0. More than half of the 
funds were used for hardware and software to establish a web portal, 
called the FPS Gateway, that allows for sharing of information products 
and knowledge in real time. The FPS Gateway leverages the architecture 
and hardware/software technology of the Linking Encrypted Network 
System (LENS), a similar platform that Argonne also developed for NPPD/
IP. Work on the project was initiated on October 3, 2011. Argonne 
delivered MIST Release 1.0 and the FPS Gateway to FPS on March 30, 
2012.
    Question 2. Are there any features within RAMP that can be adapted 
for use with MIST?
    Answer. Argonne was not tasked to evaluate RAMP and its features.
    Question 3. What are the projected costs and time table for the 
completion of MIST?
    Answer. The scope of work for MIST development was completed, and 
MIST Release 1.0 and the FPS Gateway were delivered to FPS, on March 
30, 2012. The products were delivered on time and within the defined 
budget. Future enhancements to MIST, if any, and Argonne's potential 
role in completing such enhancements are unknown.
    Question 4. Do you anticipate any cost overruns with regard to 
MIST?
    Answer. No cost overruns were associated with Argonne's development 
and delivery of MIST Release 1.0 and the FPS Gateway.

                                 
