b"<html>\n<title> - SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN IMPROVING OVERSIGHT AND ASSESSING RISK</title>\n<body><pre>[House Hearing, 112 Congress]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n\n    SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN \n                 IMPROVING OVERSIGHT AND ASSESSING RISK\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON CYBERSECURITY,\n                       INFRASTRUCTURE PROTECTION,\n                       AND SECURITY TECHNOLOGIES\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                      ONE HUNDRED TWELFTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             JULY 24, 2012\n\n                               __________\n\n                           Serial No. 112-108\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n\n\n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]\n\n\n\n\n                                     \n\n      Available via the World Wide Web: http://www.gpo.gov/fdsys/\n\n                               __________\n\n                                _____\n\n                  U.S. GOVERNMENT PRINTING OFFICE\n\n80-850 PDF                WASHINGTON : 2013\n-----------------------------------------------------------------------\nFor sale by the Superintendent of Documents, U.S. Government Printing \nOffice Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; DC \narea (202) 512-1800 Fax: (202) 512-2104  Mail: Stop SSOP, Washington, DC \n20402-0001\n\n\n\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n                   Peter T. King, New York, Chairman\nLamar Smith, Texas                   Bennie G. Thompson, Mississippi\nDaniel E. Lungren, California        Loretta Sanchez, California\nMike Rogers, Alabama                 Sheila Jackson Lee, Texas\nMichael T. McCaul, Texas             Henry Cuellar, Texas\nGus M. Bilirakis, Florida            Yvette D. Clarke, New York\nPaul C. Broun, Georgia               Laura Richardson, California\nCandice S. Miller, Michigan          Danny K. Davis, Illinois\nTim Walberg, Michigan                Brian Higgins, New York\nChip Cravaack, Minnesota             Cedric L. Richmond, Louisiana\nJoe Walsh, Illinois                  Hansen Clarke, Michigan\nPatrick Meehan, Pennsylvania         William R. Keating, Massachusetts\nBen Quayle, Arizona                  Kathleen C. Hochul, New York\nScott Rigell, Virginia               Janice Hahn, California\nBilly Long, Missouri                 Ron Barber, Arizona\nJeff Duncan, South Carolina\nTom Marino, Pennsylvania\nBlake Farenthold, Texas\nRobert L. Turner, New York\n            Michael J. Russell, Staff Director/Chief Counsel\n               Kerry Ann Watkins, Senior Policy Director\n                    Michael S. Twinchek, Chief Clerk\n                I. Lanier Avant, Minority Staff Director\n\n                                 ------                                \n\nSUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY \n                              TECHNOLOGIES\n\n                Daniel E. Lungren, California, Chairman\nMichael T. McCaul, Texas             Yvette D. Clarke, New York\nTim Walberg, Michigan, Vice Chair    Laura Richardson, California\nPatrick Meehan, Pennsylvania         Cedric L. Richmond, Louisiana\nBilly Long, Missouri                 William R. Keating, Massachusetts\nTom Marino, Pennsylvania             Bennie G. Thompson, Mississippi \nPeter T. King, New York (Ex              (Ex Officio)\n    Officio)\n                    Coley C. O'Brien, Staff Director\n                 Zachary D. Harris, Subcommittee Clerk\n        Chris Schepis, Minority Senior Professional Staff Member\n\n\n\n\n\n\n\n\n\n\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  From the State of California, and Chairman, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement.................................................     1\n  Prepared Statement.............................................     3\nThe Honorable Yvette D. Clarke, a Representative in Congress From \n  the State of New York, and Ranking Member, Subcommittee on \n  Cybersecurity, Infrastructure Protection, and Security \n  Technologies:\n  Oral Statement.................................................     4\n  Prepared Statement.............................................     5\n\n                               Witnesses\n\nGeneral L. Eric Patterson, Director, Federal Protective Service, \n  Department of Homeland Security:\n  Oral Statement.................................................     7\n  Prepared Statement.............................................     8\nMr. Mark L. Goldstein, Director, Physical Infrastructure Issues, \n  Government Accountability Office:\n  Oral Statement.................................................    11\n  Prepared Statement.............................................    12\nDr. James P. Peerenboom, Director, Infrastructure Assurance \n  Center, Associate Director, Decision and Information Sciences \n  Division, Argonne National Laboratory:\n  Oral Statement.................................................    18\n  Prepared Statement.............................................    19\n\n                                Appendix\n\nQuestions From Chairman Daniel E. Lungren for L. Eric Patterson..    33\nQuestions From Ranking Member Yvette D. Clarke for L. Eric \n  Patterson......................................................    33\nQuestions From Ranking Member Yvette D. Clarke for Mark L. \n  Goldstein......................................................    34\nQuestions From Ranking Member Yvette D. Clarke for James P. \n  Peerenboom.....................................................    35\n\n \n    SECURING FEDERAL FACILITIES: AN EXAMINATION OF FPS PROGRESS IN \n                 IMPROVING OVERSIGHT AND ASSESSING RISK\n\n                              ----------                              \n\n\n                         Tuesday, July 24, 2012\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\n Subcommittee on Cybersecurity, Infrastructure Protection, \n                                 and Security Technologies,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:09 a.m., in \nRoom 311, Cannon House Office Building, Hon. Daniel E. Lungren \n[Chairman of the subcommittee] presiding.\n    Present: Representatives Lungren, Walberg, Clarke, \nRichmond, and Keating.\n    Mr. Lungren. The Committee on Homeland Security, \nSubcommittee on Cybersecurity, Infrastructure Protection, and \nSecurity Technologies will come to order. The subcommittee is \nmeeting today to examine the Federal Protective Service and the \npossible need for reform.\n    Ms. Clarke will be here shortly, and so I am just going to \ngive my opening statement and when she arrives she will be able \nto give her opening statement.\n    Thank you very much for being here, all three of our \nwitnesses. This is an important hearing.\n    The Federal Protective Service is a vital part of the \nDepartment of Homeland Security. It is the largest operational \ncomponent within the National Protection and Programs \nDirectorate.\n    The FPS mission is to protect over 9,000 Government \nbuildings and their 1.4 million occupants, which are essential \nto the day-to-day operations of the Federal Government. Recent \nincidents at Federal facilities such as the failed improvised \nexplosive device, as well as the bombing of Oklahoma City's \nMurrah Federal Building in 1995, remind us the Federal \nfacilities remain attractive terrorist targets.\n    This subcommittee has conducted rigorous oversight over the \nFederal Protective Service this Congress. Last July we held a \nhearing which identified some of the perennial problems \nplaguing the FPS.\n    In that hearing we discussed failures of contract guard \noversight and their training program, including the egregious \nmishandling of an IED in Detroit. We also discussed the failed \ndevelopment of FPS's risk management program, known as RAMP, \nwhich cost the Federal Government $35 million over 4 years. I \nam hopeful and cautiously optimistic that these problems \nrepresent the low-water mark for FPS.\n    Since 2008 GAO has made 32 recommendations to improve FPS \nsecurity vulnerabilities and other operational problems, five \nof which have been implemented and 20 which are in the process \nof implementation.\n    From the outset I do want to commend Director Patterson for \nhis leadership. I believe the recent successes in implementing \nGAO recommendations are in part the result of improved dialogue \nand outreach with the private sector as well as the efforts of \nFPS's own workforce.\n    I think this dialogue is extremely important as FPS works \nto address the remaining GAO recommendations, especially in its \ntwo core areas of responsibility: First, its ability to conduct \nrisk assessments of Federal buildings; and second, to provide \nnecessary oversight and training for its contract guard force.\n    Regarding the first responsibility, FPS began operational \ntesting this last spring for a new risk assessment tool, known \nas the modified infrastructure survey tool, or MIST, which was \ndeveloped in partnership with the Argonne National Laboratory. \nMIST is intended to be an interim tool that FPS inspectors use \nto conduct vulnerability assessments in the aftermath of the \nRAMP failure.\n    I understand, am informed that there is a disagreement \nbetween FPS and GAO with regard to the limitations and benefits \nof MIST and I look forward to hearing from our witnesses \nregarding these differences. I am aware of some of the \nlimitations identified by GAO that MIST does not account for \nconsequence information and therefore does not provide FPS the \ncomprehensive ability to manage risk. I also understand GAO has \nconcerns that MIST is neither compliant with the National \ninfrastructure protection plan framework nor compliant with \nstandards developed by the Interagency Security Committee.\n    I think these are very legitimate questions raised by GAO \nand important standards FPS should meet when it develops a \nlonger-term solution. Nonetheless, I do consider MIST \ndevelopment a step in the right direction for an agency that \nhas taken a series of steps in the wrong direction over the \nlast decade.\n    FPS has always stated that MIST is intended to serve as an \ninterim tool until a longer-term solution is developed. \nHowever, FPS has never stated what the longer-term solution \nwill be. So I look forward to hearing from Director Patterson \non his vision for MIST's future as a risk management tool.\n    I also look forward to learning about what FPS is doing to \naddress GAO's findings about unnecessary duplication of risk \nassessments by several FPS customers who in some instances have \nexpressed dissatisfaction with FPS's assessments--for instance, \nthe IRS, FEMA, and EPA.\n    Providing oversight and training of the contract guard \nprogram is also a critical responsibility of FPS. At last \nsummer's hearing Director Patterson stated that he was looking \nat different ways that FPS may be able to improve delivery of \nX-ray and magnetometer training.\n    I look forward to hearing more about how these ideas have \ndeveloped since last year. I also understand there has been \noutreach to the private sector regarding better training \noptions and I commend you for those efforts.\n    Finally, FPS has undergone significant transition since \njoining the Department of Homeland Security. After initially \nbeing placed under ICE, after the creation of DHS, FPS moved to \nNPPD in 2010, and last summer NPPD notified the committee that \nit was once again considering reorganizing the directorate. Is \nreorganization being contemplated, and if so, how will this \nimpact FPS?\n    I want to thank all of our witnesses for being here this \nmorning, and I look forward to your testimony on the progress \nmade by the FPS in securing our Nation's Federal facilities.\n    [The statement of Chairman Lungren follows:]\n                Statement of Chairman Daniel E. Lungren\n                             July 24, 2012\n    The Federal Protective Service (FPS) is a vital part of the \nDepartment of Homeland Security and is the largest operational \ncomponent within the National Protection and Programs Directorate \n(NPPD). Its mission to protect some 9,000 Government buildings and its \n1.4 million occupants is essential for the Federal Government to \ncontinue day-to-day operations. Recent incidents at Federal facilities \nsuch as the failed IED attempt in Detroit, and the bombing of Oklahoma \nCity's Murrah Federal Building in 1995, remind us that Federal \nfacilities remain significant symbolic targets for terrorists.\n    This subcommittee has conducted rigorous oversight over the Federal \nProtective Service this Congress. Last July we held a hearing which \nidentified some of the perennial problems plaguing the FPS. In that \nhearing we discussed failures of contract guard oversight and training, \nincluding the egregious mishandling of an attempted Improvised \nExplosive Devise in Detroit, and the failed development of a risk \nmanagement program known as RAMP, which after 5 years of development, \ncost the Federal Government somewhere between $35-57 million with \nlittle to show for. I am hopeful that these incidents represent the \nlow-water mark for FPS, and I am cautiously optimistic about FPS's \nfuture.\n    Last July the GAO had issued a total of 28 recommendations for FPS \nto address, yet at the time none were implemented. Today, I am \nencouraged to note that while GAO has recommended 32 recommendations, \nto date, 5 have been implemented and 20 are in the process of \nimplementation. This represents significant progress.\n    From the outset, I want to commend Director Patterson for his \nleadership and the agency's recent successes. These successes, I \nbelieve are in part the result of improved dialogue and substantial \noutreach with private-sector partners as well FPS's own workforce. I \nthink this dialogue is extremely important as FPS works to address \nimportant recommendations made by the Government Accountability Office, \nespecially as it works to improve two of its core areas of \nresponsibility: (1) Its ability to conduct risk assessments of Federal \nbuildings; and (2) provide necessary oversight and training for its \nContract Guard Program.\n    Regarding this first responsibility, FPS began operational testing \nthis last spring for a new risk assessment tool, known as the Modified \nInfrastructure Survey Tool or MIST, which was developed in partnership \nwith the Argonne National Laboratory. MIST is intended to be an interim \ntool FPS inspectors use to conduct facility security assessments, in \nthe aftermath of RAMP's failure.\n    I understand there is some pretty substantial disagreement between \nFPS and GAO with regard to the limitations and benefits of MIST and I \nlook forward to hearing from our witnesses regarding these differences. \nI am aware of some of the limitations identified by GAO, such as that \nMIST does not account for ``consequence'' information, and therefore \ndoes not provide FPS the comprehensive ability to manage risk. I also \nunderstand GAO has concerns that MIST is neither compliant with the \nNational Infrastructure Protection Plan framework nor compliant with \nstandards developed by the Interagency Security Committee. I think \nthese are very legitimate questions raised by GAO, and are important \nstandards FPS should meet when it develops a longer-term solution.\n    Nonetheless, I consider MIST's development a step in the right \ndirection for an agency that has taken a series of steps in the wrong \ndirection over the last decade. FPS has always stated that MIST is \nintended to serve as an interim tool until a longer-term solution is \ndeveloped. However, FPS has never stated what the longer-term solution \nwill be. I look forward to hearing from Director Patterson on his \nvision for MIST's future as a risk management tool. I also look forward \nto learning about what FPS is doing to address GAO's finding about \nunnecessary duplication of risk assessments by several FPS customers, \nwho in some instances, are dissatisfied by assessments provided by FPS.\n    Providing oversight and training of the contract guard program is \nalso a critical responsibility of FPS. At last summer's hearing \nDirector Patterson stated that he was looking at different ways FPS may \nbe able to improve delivery of X-ray and magnetometer training. I look \nforward to hearing more about how these ideas have developed since last \nyear. I understand there has been significant outreach with the private \nsector that may be able to better deliver training, and I commend you \nfor putting an emphasis on training in your tenure at FPS.\n    Finally, FPS has undergone significant transition since joining the \nDepartment of Homeland Security. After initially being placed under ICE \nafter the creation of DHS, FPS moved to NPPD in 2010. Last summer, NPPD \nnotified the committee that it was once again considering reorganizing \nthe agency which FPS was assigned. However, since last summer, the \nDepartment has been silent on its plans to reorganize NPPD, so I am \nvery much looking forward to hearing from Director Patterson on his \nthoughts on reorganization, and if we can expect any more information \non this soon.\n    I want to thank all of our witnesses for being here this morning \nand look forward to their testimony on progress made by the FPS \nsecuring our Nation's Federal facilities. I now recognize the gentle \nlady from New York, the Ranking Member of this subcommittee, Ms. \nClarke, for her opening statement.\n\n    Mr. Lungren. I now have the pleasure of recognizing the \ngentle lady from New York, the Ranking Member of the \nsubcommittee, Ms. Clarke, for her opening statement.\n    Ms. Clarke. Thank you, Mr. Chairman, and thank you for \nholding this hearing today. Today's hearing will allow the \nsubcommittee to hear from witnesses about the Federal \nProtective Service's progress in improving its ability to \nprovide adequate protection to the Federal Government's more \nthan 9,000 facilities.\n    Given the numerous studies that FPS has undertaken by the \nGovernment Accountability Office and the multiple hearings held \nby this committee, the subcommittee is interested in learning \nabout the actions FPS has taken to upgrade its ability to \nconduct facility security assessments, better manage its \ncontract guard staff, and to enhance funding for its \noperations. We need a more clear explanation of the \nimplementation and utility of the modern infrastructure survey \ntool, or MIST, and how it compares, hopefully surpasses, the \nfailed risk assessment and management program, or RAMP.\n    The subcommittee must be assured that after investing \napproximately $35 million RAMP without yielding any \ndemonstrable outcomes FPS is indeed expending its resources \neffectively and scaling up MIST. We need assurances that MIST \nis working as an interim solution, and we need to know what \nFPS's long-term strategy to replace RAMP. Also, as the \ndesignated leader of the Federal Government facilities sector \nFPS has an important role to play in assuring that the Federal \ncritical infrastructure both secure--that the--excuse me--the \nFederal critical infrastructure is both secure and resilient in \nthe event of a catastrophic occurrence.\n    In August GAO will issue a report at Ranking Member \nThompson's request that evaluates the Department's activities \nregarding the Government facilities sector with a particular \nemphasis on FPS's role as the designated sector leader. I look \nforward to the release of that report and hope that we are able \nto revisit this subject at that time.\n    Finally, Mr. Chairman, I am concerned that FPS is forced to \nbear the cost of developing and implementing a program capable \nof completing security assessments of Federal buildings. It \nseems to me that as the landlord for most Federal buildings, \nthe General Services Administration benefits from these \nsecurity assessments. I look forward to hearing from our \nwitnesses today about the role of GSA in sharing the cost of \nthe assessment program.\n    Having said that, thank you, Mr. Chairman, and I yield \nback.\n    [The statement of Ranking Member Clarke follows:]\n              Statement of Ranking Member Yvette D. Clarke\n                             July 26, 2012\n    Mr. Chairman, thank you for holding this hearing to discuss \ndevelopments in the Domestic Nuclear Detection Office Strategy, and the \nGlobal Nuclear Detection Architecture.\n    It has been said before, the enormous devastation that would result \nif terrorists use a nuclear weapon or nuclear materials successfully, \nrequires us to do all we can to prevent them from entering or moving \nthrough the United States.\n    This subcommittee, in its oversight capacity, has held hearings \nstarting in 2005, and continuing through 2012, regarding the \ndevelopment and implementation of the GNDA and in the decision-making \nprocess that involves costly investments in it.\n    The overarching issues include the balance between investment in \nnear-term and long-term solutions for architecture gaps, the degree and \nefficiency of Federal agency coordination, the mechanism for setting \nagency investment priorities in the architecture, and the efforts DNDO \nhas undertaken to retain institutional knowledge regarding this \nsustained effort.\n    In the policy and strategy documents of the GNDA, DNDO is \nresponsible for developing the global strategy for nuclear detection, \nand each Federal agency that has a role in combating nuclear smuggling \nis responsible for implementing its own programs. DNDO identified 73 \nFederal programs, which are primarily funded by DOD, DOE, and DRS that \nengage in radiological and nuclear detection activities.\n    With the publication of an overall DNDO strategy document and the \nrelease of the Global Nuclear Detection Architecture and implementation \nplan, Congress will have a better idea of how to judge the DNDO's \npolicy, strategy operations, tactics, and implementation.\n    But we need to know more about their R&D activities, their resource \nrequests, and their asset allocations. And I know that I might sound \nlike a broken record before the day is through, but from the very start \nof the ASP program which was officially cancelled just 10 days ago, \nJuly 16, DNDO seemed to push for acquisition decisions well before the \ntechnology had demonstrated that it could live up to its promise.\n    On July 14, 2006, Secretary of Homeland Security Michael Chertoff \nand the then-Director of DNDO, Mr. Oxford, one of our witnesses today, \nannounced contract awards to three companies worth an estimated $1.2 \nbillion to develop ASPs, including the Raytheon Company from \nMassachusetts, the Thermo Electron Company from Santa Fe, New Mexico, \nand Canberra Industries from Connecticut. Both Secretary Chertoff and \nOxford held a press conference to announce the billion-dollar contract \nawards just a few months after highly critical reviews of the ASPs' \nabilities by the GAO and the National Institute of Standards and \nTechnology (NIST).\n    I hope we don't see that kind of decision making again in DNDO.\n    Within DNDO, policy and strategy have historically not been \nadequately translated into operations, tactics, and implementation. \nOverlapping missions, especially in the field of nuclear detection, \nworsen this.\n    Since 2009, DNDO has made important changes under Secretary \nNapolitano, and made especially good progress in nuclear forensics. And \nI hope that our Congressional oversight has had an effect, a positive \none, in bringing to light decisions that cost the taxpayers a lot of \nmoney, with little to show.\n    In 2010, the Science and Technology (S&T) Directorate requested \n$109.000 million for the Transformational Research and Development \nRadiological and Nuclear Division. This research was to be transferred \nfrom DNDO to the S&T Directorate,\\1\\ and the Democratic committee \nMembers supported the transition of radiological and nuclear research \naway from DNDO into S&T. The committee, under then-Chairman Thompson, \nworked to make this transition happen, and we believe that research and \ndevelopment, and operations and procurement, are best left to separate \norganizations in order to avoid the obvious conflict of interest.\n---------------------------------------------------------------------------\n    \\1\\ DHS Fiscal Year 2011 Budget in Brief, ICE 10-2647.000474. p. \n139.\n---------------------------------------------------------------------------\n    What I hope we are going to hear today is how DNDO's mission can be \nbetter-defined. Some claim there is still confusion as to whether it is \nan end-to-end RDT&E and procurement entity for all things nuclear/\nradiological, a development entity, or an operational entity, and \nquestion whether there is an inherent conflict of interest when an \nagency is both an R&D workshop and a procurement platform.\n    Let me finish with this thought, completely out of the policy \narena. On the ground, and every day, our nuclear deterrence effort \nrequires motivated and vigilant officers supplied with the best \nequipment and intelligence we can give them. Customs and Border Patrol \nofficers working at our Nation's ports of entry have an extremely \ncomplex and difficult job.\n    Thousands of decisions are made every day to clear a container or \npersonal vehicle for transit into the United States, require further \ninspection, or even deny entry or interdict such a vehicle or person, \nand that is the hard, cold, every-day reality of our mission to prevent \nthis kind of violent nuclear attack.\n    We must do our best.\n    I look forward to hearing from our witnesses today and with that, \nMr. Chairman, I yield back.\n\n    Mr. Lungren. I thank the gentlelady for her comments, and I \nthink the panel can tell that we are on the same page at \nlooking at what the progress has been since our last hearing.\n    General L. Eric Patterson was appointed director of the \nFederal Protective Service, a subcomponent of the National \nProtective--Protection and Programs Directorate, in September \n2010. He previously served as the deputy director of the \nDefense Counterintelligence HUMINT Center at the Defense \nIntelligence Agency.\n    Prior to joining DIA Mr. Patterson served as a principal \nwith Booz Allen Hamilton where he supported two of the Defense \nTechnical Information Center analysis centers, one focused on \ninformation assurance and the other on the survivability and \nvulnerability of defense systems. He is a retired United States \nAir Force brigadier general with 30 years of service.\n    Mr. Mark Goldstein is the director of physical \ninfrastructure issues at GAO. Mr. Goldstein is responsible for \nthe agency's work in Federal property and telecommunications. A \nformer award-winning journalist and author, his other public \nservice work has included roles as chief of staff to the D.C. \nFinancial Control Board and senior investigative staff to the \nSenate Committee on Governmental Affairs.\n    Dr. James Peerenboom is the associate director of the \ndecision and information sciences division at the Argonne \nNational Laboratory, near Chicago, Illinois. In this role he is \nresponsible for leading multidisciplinary teams of scientists \nand engineers in developing innovative solutions for \ninfrastructure assurance, systems analysis, decision and risk \nanalysis, and advanced modeling and simulation problems.\n    For the past 15 years he has focused on critical \ninfrastructure protection and resilience issues, providing \ntechnical support to the Departments of Energy and Homeland \nSecurity, the President's commission on critical infrastructure \nprotection, and White House Office of Science and Technology \nPolicy. He received his Ph.D in energy and environmental \nsystems from the Institute of Environmental Studies and an M.S. \nand B.S. in nuclear engineering from the University of \nWisconsin at Madison.\n    Gentlemen, we ask you--well, we would first indicate that \nyour written testimony will be made a part of the record and \nwould ask that you summarize your testimony with any additions \nas you wish in 5 minutes, and then we will have a round of \nquestioning.\n    So the Chairman would recognize Director Patterson to \nbegin.\n\n STATEMENT OF L. ERIC PATTERSON, DIRECTOR, FEDERAL PROTECTIVE \n            SERVICE, DEPARTMENT OF HOMELAND SECURITY\n\n    General Patterson. Good morning. Thank you, Chairman \nLungren, Ranking Member Clarke.\n    My name is Eric Patterson and I am the director of the \nFederal Protective Service within the Department of Homeland \nSecurity's National Protection and Programs Directorate. I am \nhonored to appear before you today to discuss FPS's progress in \naddressing some historically identified challenges.\n    FPS's mission is to protect more than 9,000 Federal \nbuildings throughout the United States and its territories and \nthe 1.4 million Federal employees and visitors who occupy and \nconduct business in them every day. We execute this mission by \nproviding proactive law enforcement, investigations, protective \nintelligence, incident response, security planning, and \nstakeholder engagement.\n    Based upon my experience in the ever-changing threat \nenvironment, my belief is that risk assessment is a continuous \nprocess and not a static event. Our law enforcement and \nphysical security professionals continually provide access risk \nand implement mitigation strategies through their daily \nactivities.\n    During fiscal year 2011 FPS investigated and mitigated more \nthan 1,300 threats and assaults directed towards Federal \nfacilities and their occupants, made close to 2,000 arrests, \nresponded to 53,000 incidents, and prevented the entry of \nhundreds of thousands of prohibited items into Federal \nfacilities. FPS also conducted 1,800 Operation Shield \nexercises, 150 Covert Test operations, over 80,000 post \ninspections, and also validated the training of thousands of \nprotective security officers that we oversee.\n    Over the past year FPS developed an important partnership \nwith Argonne National Lab resulting in the completed \ndevelopment and current deployment of a new facility security \nassessment tool, called the modified infrastructure survey \ntool, or MIST. MIST will enable comprehensive and consistent \nFSAs that will allow Federal tenant agencies to make informed \nsecurity and risk management decisions. The MIST tool is a \nwelcome addition to FPS's portfolio of on-going facility \nassessment efforts and strategies.\n    As GAO has indicated, FPS employed the best project \nmanagement principles in the development of MIST. MIST \nrequirements were developed leveraging the knowledge obtained \nfrom our long-standing relationships with the General Services \nAdministration, the Facility Security Committee, and other \ncustomers.\n    As we move to measure and assure the successful performance \nof MIST my plan is to build upon this foundation to improve \nFPS's management of other significant programs--for example, \nour protective security officer program. Just as technology is \nenhancing our risk assessment processes, I plan to better \nleverage technology to allow for more effective oversight of \nour contract PSOs.\n    A key enabler of these actions will come from the good work \nof our collaboration with the Systems Engineering and Design \nInstitute, SEDI, a Federally-funded research and development \ncenter. We have engaged the SEDI to produce a full mapping of \nFPS activities and to then align them with FPS's current fee \nstructure. That work will be used to produce an activity-based \ncost model for FPS.\n    These efforts are designed to result in a more efficient \nrevenue structure for FPS and greater transparency on security \ncosts for FPS stakeholders.\n    I am also pleased to note that some of our recent progress \nincludes an increased participation in the important work of \nthe Interagency Security Committee to include chairing a new \nISC working group which will look at the future of Federal \nworkplace security and the newly reconstituted Training \nSubcommittee.\n    FPS's program--progress in the past year and our path \nforward leveraging partnerships and technology is clearly in \ndirect support of our long-term vision. It will continue to \ntake time, deliberate planning, and the dedication of our \nemployees and partners to fully realize our vision and I look \nforward to keeping you apprised of our progress.\n    Again, thank you for the opportunity to discuss FPS with \nyou today, and I would be happy to answer any questions you \nmight have.\n    [The prepared statement of Mr. Patterson follows:]\n                Prepared Statement of L. Eric Patterson\n                             July 24, 2012\n    Thank you Chairman Lungren, Ranking Member Clarke, and the \ndistinguished Members of the subcommittee. My name is Eric Patterson, \nand I am the Director of the Federal Protective Service (FPS) within \nthe Department of Homeland Security's (DHS) National Protection and \nPrograms Directorate (NPPD).\n    I am honored to appear before you today to discuss NPPD/FPS's \nprogress in utilizing key protection and risk management practices such \nas allocation of resources, leveraging technology, and enhancing \ninformation sharing and coordination.\n    The GAO has raised several areas that have historically represented \nchallenges for FPS including:\n    1. Absence of a risk management program;\n    2. Addressing key human capital issues through a strategic human \n        capital plan;\n    3. Contract Guard workforce management and oversight; and\n    4. Need for a review of FPS's fee design.\n    Today's hearing is an opportunity to address the progress FPS has \nmade during the past year in working to address these challenges, and \nto also provide information on the topics addressed in GAO's new report \nrelated to risk assessment and Protective Security Officer (PSO) \nprogram management and oversight.\n                             fps background\n    FPS's mission is to protect more than 9,000 Federal buildings and \nthe 1.4 million Federal employees and visitors who occupy them \nthroughout the country every day by leveraging the intelligence and \ninformation resources of its network of public and private-sector \npartners. Specifically, FPS executes its mission by providing proactive \nlaw enforcement, investigation and protective intelligence and \ninformation sharing services, incident response, security planning, and \nstakeholder engagement. Prior to its transfer to NPPD in 2009, FPS was \norganized under Immigration and Customs Enforcement and prior to that, \nunder the General Services Administration (GSA).\n    Part of our core mission is to assess the threat picture for the \nGovernment Facilities Sector (GFS) and share that information with \nstakeholders as appropriate. For example, FPS leverages the Homeland \nSecurity Information Network (HSIN), a secure, trusted web-based portal \nto share information with our more than 900 Government and industry \npartners. One of the recent information-sharing initiatives FPS has \nimplemented to assist in the protection of facilities and their \noccupants is the Federal Facility Threat Picture (FFTP), which is an \nunclassified assessment of the current known threats to the facilities \nFPS protects. Produced quarterly, the FFTP supports the threat \ncomponent of a Federal Security Assessments (FSA) and informs our \nstakeholders of potential threats to Government facilities. The FFTP \nfocuses on the threats posed by a variety of actors that may seek to \nattack or exploit elements of the GFS. The information used in the FFTP \ncomes from intelligence and law enforcement community reporting.\n    During fiscal year 2011, FPS:\n  <bullet> Investigated and mitigated more than 1,300 threats and \n        assaults directed towards Federal facilities and their \n        occupants;\n  <bullet> Disseminated 331 threat- and intelligence-based products to \n        our stakeholders, 142 of which were FPS-produced;\n  <bullet> Conducted 81,125 post inspections;\n  <bullet> Interdicted more than 680,000 weapons/prohibited items \n        including knives, brass knuckles, pepper spray, and other items \n        that could be used as weapons or are contraband such as illegal \n        drugs, at Federal facility entrances during routine checks;\n  <bullet> Made 1,975 arrests;\n  <bullet> Responded to 53,000 incidents involving people or property; \n        and\n  <bullet> Conducted more than 1,800 high-visibility operations under \n        Operation Shield and 150 risk-based Covert Test operations, \n        ensuring the protection of Federal buildings and \n        infrastructure.\n              fps is developing a risk management program\n    In terms of a risk management program, FPS's operational activities \nare organized by the National Infrastructure Protection Plan's (NIPP) \nRisk Management Framework, which calls for the following steps: Set \nSecurity Goals, Identify Assets and Functions, Assess Risks, \nPrioritize, Implement Protective Programs, and Measure Effectiveness. \nOne area of recent significant progress related to risk assessment and \nthe implementation of a risk management program is the on-going \nimplementation of FPS's solution for conducting FSAs using an automated \nassessment tool. In May 2011, the decision was made to cease \ndevelopment of the legacy application known as the Risk Assessment and \nManagement Program (RAMP) and to pursue a stand-alone assessment tool, \nin order to provide completed FSAs to customers. That decision has \nsince been affirmed by the Department's Office of Inspector General \n(OIG).\n    In the interim period, our employees have continued their daily \ninteractions with tenant agencies and oversight of facility security. \nOur personnel have been completing Pre-Modified Infrastructure Survey \nTool (MIST) worksheets to enable complete FSA reports, and are \nconstantly assessing risks to Federal facilities. Specifically, the \npre-MIST worksheet allows the inspector to collect key information that \nwill be populated into MIST and used in generating a final FSA report. \nSuch data includes facility information, vulnerability assessments, and \nexisting protective measures.\n    After consideration of several alternatives, FPS partnered with \nNPPD's Office of Infrastructure Protection (IP) to leverage a proven \nassessment methodology called the Infrastructure Survey Tool (IST). In \nOctober 2011, NPPD issued a task order to Argonne National Laboratory \n(ANL) through the Department of Energy to modify the existing Link \nEncrypted Network System (LENS) and IST for FPS use to conduct FSAs. \nBecause this project leveraged existing tools and had limited resources \nand time constraints, the acquisition life cycle was tailored to meet \ndelivery deadlines.\n    I am pleased to note that in its draft report, GAO noted FPS's use \nof project management principles in the development of MIST. Throughout \nthe project, the MIST Users Working Group has remained engaged to \nensure user involvement in the process. User feedback from field \ntesting was uniformly positive about MIST and the FPS Gateway, \nconfirming suitability to support the FPS mission. The MIST and FPS \nGateway development efforts were completed on schedule, with ANL \ndelivering the system to the Government on March 30, 2012. In April \n2012, and the decision was made to proceed and deploy MIST. It is \nimportant to note that throughout the development and testing of MIST, \nfield employees and our union were involved and actively participated \nas subject matter experts in the process.\n    FPS developed and is currently implementing a distance learning-\nbased training program for each MIST user, as GAO commended in its \ndraft report. Supervisors completed this training in April 2012 and \nInspectors began their virtual training in May 2012, with completion of \nall training anticipated for late September 2012. This provides a \nhands-on learning environment for our Inspectors; they will receive \nvirtual instruction as they use the tool in the learning environment. \nOnce an Inspector completes the training and successfully briefs his or \nher supervisor on a completed FSA, that Inspector will be able to \nproceed with conducting FSAs and reporting the results to a Facility \nSecurity Committee.\n    In leveraging existing technology in developing MIST, FPS was able \nto incorporate the ability to illustrate the impact of alternative \ncountermeasures on a particular vulnerability. MIST will also show how \na facility is or is not meeting the baseline level of protection for \nits Facility Security Level as set forth in the ISC's Physical Security \nCriteria for Federal Facilities standard and the ISC's Design Basis \nThreat report. This will lead to a more informed and better dialogue \nwith tenants and Facility Security committees as FSA results are \ndiscussed and alternatives are explored. Additionally, FPS recently \ndisseminated guidance Nation-wide on the commencement of the use of \nMIST to generate FSAs upon completion of inspector training. The \nanticipated results of the use of MIST are consistent assessment \nresults Nation-wide and informed decision-making regarding security \ninvestments on the part of tenant agencies.\n  fps is addressing key human capital issues through development of a \n                      strategic human capital plan\n    In order to ensure that human resource requirements are aligned \nappropriately with FPS's overall mission, a Strategic Human Capital \nPlan is being developed in conjunction with NPPD's Human Capital \nOffice. We are working to finalize the document; we intend to provide \nthe plan and brief the committee when it is finalized.\n fps is working to improve its protective security officer management \n                             and oversight\n    FPS is working to improve management and oversight of our over \n13,000 Protective Security Officer (PSO) force. We have reviewed our \noperations Nation-wide and have taken steps at the National program \nlevel to ensure that performances under contracts are advantageous to \nthe Government. We are actively working to implement the \nrecommendations resulting from GAO and OIG reviews across the \norganization. Additionally, an Integrated Project Team (IPT) conducted \na comprehensive review of how FPS resources the PSO oversight function \nand our current oversight policy.\n    FPS is also working with DHS's Science and Technology Directorate \nto develop a system for contract guard oversight and explore means of \nleveraging technology to ensure effective oversight of PSOs, such as \nautomated tracking of guard post staff levels and PSO possession of the \nnecessary credentials to stand post. Additionally, our training team is \nworking closely with industry and Federal partners in developing a more \neffective training strategy for our PSOs.\n   fps is examining its fee structure in order to review current fee \n                                 design\n    FPS operates through fee-based funding revenue, which is calculated \nbased on the Federal facility tenant's square footage of occupancy and \non the collection of services associated with the provisioning of \nreimbursable protective countermeasures. This fee-based financial \nstructure is unique among Federal law-enforcement agencies and requires \na greater degree of understanding internal operations to ensure it is \nproperly aligned with FPS's costs.\n    To address this challenge, FPS is implementing a two-pronged \nstrategy to better understand its activities and costs and recommend \noptions for a new revenue structure. In January 2012, FPS collaborated \nwith the Department's Systems Engineering and Design Institute (SEDI), \na Federally Funded Research and Development Center managed by the DHS \nScience and Technology Directorate, to produce a full mapping of FPS \nactivities and then align them with costs. That work will be used to \nproduce Activity-Based Cost (ABC) models for FPS. Both of these efforts \nare designed to result in a more efficient revenue structure for FPS \nand greater transparency in security costs for FPS stakeholders.\n                               conclusion\n    Thank you again for the opportunity to provide you with an update \non the progress FPS is making on a number of fronts. FPS aspires to be \nan exemplary law enforcement and strategic critical infrastructure \nprotection organization. This is a vision uniformly shared by FPS \nleadership and operational staff, both at headquarters and in the \nfield. I would be happy to answer any questions you might have.\n\n    Mr. Lungren. Thank you very much, Director Patterson. You \nstayed within the time wonderfully. A new record here.\n    Now, Mr. Goldstein, please.\n\n      STATEMENT OF MARK L. GOLDSTEIN, DIRECTOR, PHYSICAL \n    INFRASTRUCTURE ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Mr. Goldstein. Thank you, Mr. Chairman and Ranking Member \nClarke. We are pleased to be here this morning to testify on \nthe Federal Protective Service and its efforts to improve its \nsecurity of Federal property, employees, and citizens who use \nthese facilities.\n    FPS provides security and law enforcement services to over \n9,000 Federal facilities managed by GSA. GAO has reported that \nFPS faces challenges providing security services, particularly \ncompleting FSAs and managing its contract guard program.\n    To address these challenges FPS spent about $35 million in \n4 years developing RAMP, essentially a risk assessment and \nguard oversight tool. However, RAMP ultimately could not be \nused to do either because of system problems.\n    My testimony today is based on preliminary work for you, \nMr. Chairman, and discusses the extent to which FPS is \ncompleting risk assessments, developing a tool to complete \nFSAs, and managing its contract guard workforce.\n    Our preliminary results indicate that: No. 1, the \nDepartment of Homeland Security's DHS Federal Protective \nService is not assessing risks at Federal facilities in a \nmanner that is consistent with standards such as the National \ninfrastructure protection plan's risk management framework as \nFPS originally planned. Instead of conducting risk assessments, \nsince September 2011 FPS's inspectors have collected \ninformation such as location, purpose, agency contacts, and \ncurrent countermeasures.\n    This information notwithstanding, FPS has a backlog of \nFederal facilities that have not been assessed for several \nyears. According to FPS's own data, more than 5,000 facilities \nwere to be assessed in fiscal years 2010 through 2012.\n    However, GAO was not able to determine the extent of FPS's \nfacility security assessment backlog because the data was \nunreliable. Multiple agencies have expended resources to \nconduct risk assessments themselves even though they also \nalready pay FPS for this service.\n    Second, FPS has an interim vulnerability assessment tool, \nreferred to as MIST, which it plans to use to assess Federal \nfacilities until it develops a longer-term solution. In \ndeveloping MIST, FPS generally followed project management best \npractices that GAO had developed, such as conducting user \nacceptance testing.\n    However, our preliminary analysis indicates that MIST has \nsome limitations. Most notably, MIST does not estimate the \nconsequences of an undesirable event occurring at a facility.\n    Several of the risk assessment experts GAO spoke with \nagreed that a tool that does not estimate consequences does not \nallow for an agency to fully assess risk. FPS officials stated \nthat they did not include consequence information in MIST \nbecause it was not part of the original design and thus \nrequires more time to validate.\n    MIST also was not designed to compare risk across Federal \nfacilities. Thus, FPS has a limited assurance if critical risks \nat Federal facilities are being prioritized and mitigated. We \nhave made recommendations in this area in the past.\n    Third, GAO's preliminary work indicates that FPS continues \nto face challenges in overseeing its contract guard program. \nFPS developed the risk assessment and management program, RAMP, \nto help it oversee its contract guard workforce by verifying \nthat guards are trained and certified and for conducting guard \npost inspections.\n    However, FPS faced challenges using RAMP for guard \noversight, such as verifying guard training and certification \ninformation, and has recently determined that it would no \nlonger use RAMP. Without a comprehensive system it is more \ndifficult for FPS to oversee its contract guard workforce.\n    FPS is verifying guard certification and training \ninformation by conducting monthly audits of guard training and \ncertification information. However, FPS does not independently \nverify the contractors' information.\n    Additionally, FPS recently decided to deploy a new interim \nmethod to record post inspections that replaced RAMP. We have \nnot reviewed this system.\n    This concludes my opening remarks, Mr. Chairman. I would be \npleased to address any questions you or Members of the \nsubcommittee have. Thank you.\n    [The prepared statement of Mr. Goldstein follows:]\n                Prepared Statement of Mark L. Goldstein\n                             July 24, 2012\n                             gao highlights\n    Highlights of GAO-12-943T, testimony before the Subcommittee on \nCybersecurity, Infrastructure Protection, and Security Technologies of \nthe House Committee on Homeland Security.\nWhy GAO Did This Study\n    FPS provides security and law enforcement services to over 9,000 \nFederal facilities managed by the General Services Administration \n(GSA). GAO has reported that FPS faces challenges providing security \nservices, particularly completing FSAs and managing its contract guard \nprogram. To address these challenges, FPS spent about $35 million and 4 \nyears developing RAMP--essentially a risk assessment and guard \noversight tool. However, RAMP ultimately could not be used to do either \nbecause of system problems.\n    This testimony is based on preliminary work for the Chairman and \ndiscusses the extent to which FPS is: (1) Completing risk assessments, \n(2) developing a tool to complete FSAs, and (3) managing its contract \nguard workforce. GAO reviewed FPS documents, conducted site visits at 3 \nof FPS's 11 regions and interviewed officials from FPS, Argonne \nNational Laboratory, GSA, Department of Veterans Affairs, the Federal \nHighway Administration, Immigration and Customs Enforcement, and guard \ncompanies; as well as 4 risk management experts.\nWhat GAO Recommends\n    GAO is not making any recommendations in this testimony. GAO plans \nto finalize its analysis and report to the Chairman in August 2012, \nincluding recommendations. GAO discussed the information in this \nstatement with FPS and incorporated technical comments as appropriate.\n federal protective service.--preliminary results on efforts to assess \n               facility risks and oversee contract guards\nWhat GAO Found\n    GAO's preliminary results indicate that the Department of Homeland \nSecurity's (DHS) Federal Protective Service (FPS) is not assessing \nrisks at Federal facilities in a manner consistent with standards such \nas the National Infrastructure Protection Plan's (NIPP) risk management \nframework, as FPS originally planned. Instead of conducting risk \nassessments, since September 2011, FPS's inspectors have collected \ninformation, such as the location, purpose, agency contacts, and \ncurrent countermeasures (e.g., perimeter security, access controls, and \nclosed-circuit television systems). This information notwithstanding, \nFPS has a backlog of Federal facilities that have not been assessed for \nseveral years. According to FPS's data, more than 5,000 facilities were \nto be assessed in fiscal years 2010 through 2012. However, GAO was not \nable to determine the extent of FPS's facility security assessment \n(FSA) backlog because the data were unreliable. Multiple agencies have \nexpended resources to conduct risk assessments, even though they also \nalready pay FPS for this service.\n    FPS has an interim vulnerability assessment tool, referred to as \nthe Modified Infrastructure Survey Tool (MIST), which it plans to use \nto assess Federal facilities until it develops a longer-term solution. \nIn developing MIST, FPS generally followed GAO's project management \nbest practices, such as conducting user acceptance testing. However, \nour preliminary analysis indicates that MIST has some limitations. Most \nnotably, MIST does not estimate the consequences of an undesirable \nevent occurring at a facility. Three of the four risk assessment \nexperts GAO spoke with generally agreed that a tool that does not \nestimate consequences does not allow an agency to fully assess risks. \nFPS officials stated that they did not include consequence information \nin MIST because it was not part of the original design and thus \nrequires more time to validate. MIST also was not designed to compare \nrisks across Federal facilities. Thus, FPS has limited assurance that \ncritical risks at Federal facilities are being prioritized and \nmitigated.\n    GAO's preliminary work indicates that FPS continues to face \nchallenges in overseeing its approximately 12,500 contract guards. FPS \ndeveloped the Risk Assessment and Management Program (RAMP) to help it \noversee its contract guard workforce by verifying that guards are \ntrained and certified and for conducting guard post inspections. \nHowever, FPS faced challenges using RAMP for guard oversight, such as \nverifying guard training and certification information, and has \nrecently determined that it would no longer use RAMP. Without a \ncomprehensive system, it is more difficult for FPS to oversee its \ncontract guard workforce. FPS is verifying guard certification and \ntraining information by conducting monthly audits of guard information \nmaintained by guard contractors. However, FPS does not independently \nverify the contractor's information. Additionally, according to FPS \nofficials, FPS recently decided to deploy a new interim method to \nrecord post inspections that replaces RAMP.\n    Chairman Lungren, Ranking Member Clarke, and Members of the \nsubcommittee: We are pleased to be here today to discuss the Department \nof Homeland Security's (DHS) Federal Protective Service's (FPS) efforts \nto complete risk assessments of the over 9,000 Federal facilities under \nthe custody and control of the General Services Administration (GSA) \nand oversee its contract guards in the absence of its Risk Assessment \nand Management Program (RAMP), a web-enabled facility security \nassessment (FSA) and guard management system. As we reported in July \n2011, FPS had spent about $35 million and taken almost 4 years to \ndevelop RAMP--$14 million and 2 years more than planned--but still \ncould not use RAMP to complete FSAs because of several factors, \nincluding that FPS did not verify the accuracy of the Federal facility \ndata used.\\1\\ As a result, FPS's Director decided to stop using RAMP to \nconduct FSAs and instead pursue an interim tool to replace it. FPS also \nexperienced difficulty using RAMP to ensure that its guards met \ntraining and certification requirements, primarily because of \nchallenges in verifying guards' data.\\2\\ In June 2012, FPS also decided \nto stop using RAMP to help oversee its contract guard program.\n---------------------------------------------------------------------------\n    \\1\\ GAO, Federal Protective Service: Actions Needed to Resolve \nDelays and Inadequate Oversight Issues with FPS's Risk Assessment and \nManagement Program, GAO-11-705R (Washington, DC: July 15, 2011).\n    \\2\\ GAO-11-705R.\n---------------------------------------------------------------------------\n    For fiscal year 2012, FPS has a budget of $1.3 billion, with over \n1,200 full-time employees and about 12,500 contract security guards, to \nachieve its mission to protect Federal facilities. As part of the FSA \nprocess, FPS generally attempts to gather and review facility \ninformation; conduct and record interviews with tenant agencies; assess \nthreats, vulnerabilities, and consequences to facilities, employees, \nand the public; and recommend countermeasures to Federal tenant \nagencies. FPS's contract guards are responsible for controlling access \nto Federal facilities, screening access areas to prevent the \nintroduction of weapons and explosives, enforcing property rules and \nregulations, detecting and reporting criminal acts, and responding to \nemergency situations involving facility safety and security. FPS relies \non the fees it charges Federal tenant agencies in GSA-controlled \nfacilities to fund its security services.\\3\\\n---------------------------------------------------------------------------\n    \\3\\ 40 U.S.C. \x06 586; 41 C.F.R. \x06 102-85.35; Pub. L. No. 111-83, 123 \nStat. 2142, 2156-57 (2009).\n---------------------------------------------------------------------------\n    This testimony is based on preliminary results of work we conducted \nfor a report that we plan to issue to the Chairman in August 2012. That \nreport will contain our final evaluation and recommendations. \nConsistent with the report's objectives, this statement addresses the \nextent to which FPS is: (1) Completing risk assessments, (2) developing \na tool to complete FSAs, and (3) managing its contract guard workforce. \nTo examine the extent to which FPS is completing risk assessments and \noverseeing guards without RAMP, we reviewed, among other things, FPS's \ncurrent FSA procedures and data on completed and planned FSAs for \nfiscal years 2010 to 2012. Specifically, we reviewed FPS's FSA data \naggregated from its 11 regions to determine the extent of its FSA \nbacklog. However, we could not determine the extent of the backlog \nbecause FPS's data contained a number of missing and incorrect values \nwhich made the data unreliable. We also visited 3 of FPS's 11 regions \nand interviewed internal and external stakeholders including, among \nothers, FPS, GSA, Department of Veterans Affairs, the Federal Highway \nAdministration, Immigration and Customs Enforcement, and guard \ncompanies. We selected these 3 regions based on the number of Federal \nfacilities in the region and their security levels, the number of \ncontract guards in the region, and geographic dispersion. Our work is \nnot generalizable to all FPS regions. To determine the status of FPS's \nefforts to develop an FSA tool, we reviewed, among other things, \nrelevant project documents and Federal physical security standards, \nsuch as DHS's National Infrastructure Protection Plan's (NIPP) risk \nmanagement framework. We also interviewed FPS officials, \nrepresentatives from Argonne National Laboratory, and four risk \nmanagement experts. We selected our four risk assessment experts from a \nlist of individuals who participated in the Comptroller General's 2007 \nrisk management forum.\\4\\ This work is being conducted in accordance \nwith generally accepted Government auditing standards. Those standards \nrequire that we plan and perform the audit to obtain sufficient, \nappropriate evidence to provide a reasonable basis for our findings and \nconclusions based on our audit objectives. We believe that the evidence \nobtained provides a reasonable basis for our findings and conclusions \nbased on our audit objectives.\n---------------------------------------------------------------------------\n    \\4\\ GAO, Highlights of a Forum: Strengthening the Use of Risk \nManagement Principles in Homeland Security, GAO-08-627SP (Washington, \nDC: April 2008).\n---------------------------------------------------------------------------\nfps does not currently assess risks at federal facilities but multiple \n             agencies are conducting their own assessments\n    Our preliminary results indicate that, in the absence of RAMP, FPS \ncurrently is not assessing risk at the over 9,000 Federal facilities \nunder the custody and control of GSA in a manner consistent with \nFederal standards such as NIPP's risk management framework, as FPS \noriginally planned. According to this framework, to be considered \ncredible a risk assessment must specifically address the three \ncomponents of risk: Threat, vulnerability, and consequence. As a \nresult, FPS has accumulated a backlog of Federal facilities that have \nnot been assessed for several years. According to FPS data, more than \n5,000 facilities were to be assessed in fiscal years 2010 through 2012. \nHowever, we were not able to determine the extent of the FSA backlog \nbecause we found FPS's FSA data to be unreliable. Specifically, our \nanalysis of FPS's December 2011 assessment data showed nearly 800 (9 \npercent) of the approximately 9,000 Federal facilities did not have a \ndate for when the last FSA was completed. We have reported that timely \nand comprehensive risk assessments play a critical role in protecting \nFederal facilities by helping decision makers identify and evaluate \npotential threats so that countermeasures can be implemented to help \nprevent or mitigate the facilities' vulnerabilities.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ GAO, Homeland Security: Greater Attention to Key Practices \nWould Improve the Federal Protective Service's Approach to Facility \nProtection, GAO-10-142 (Washington, DC: Oct. 23, 2009).\n---------------------------------------------------------------------------\n    Although FPS is not currently assessing risk at Federal facilities, \nFPS officials stated that the agency is taking steps to ensure Federal \nfacilities are safe. According to FPS officials, its inspectors (also \nreferred to as law enforcement security officers) monitor the security \nposture of Federal facilities by responding to incidents, testing \ncountermeasures, and conducting guard post inspections. In addition, \nsince September 2011, FPS's inspectors have collected information--such \nas location, purpose, agency contacts, and current countermeasures \n(e.g., perimeter security, access controls, and closed-circuit \ntelevision systems) at over 1,400 facilities--which will be used as a \nstarting point to complete FPS's fiscal year 2012 assessments. However, \nFPS officials acknowledged that this approach is not consistent with \nNIPP's risk management framework. Moreover, several FPS inspectors told \nus that they received minimal training or guidance on how to collect \nthis information, and expressed concern that the facility information \ncollected could become outdated by the time it is used to complete an \nFSA.\nMultiple Federal Agencies Are Conducting Their Own Risk Assessments\n    We reported in February 2012 that multiple Federal agencies have \nbeen expending additional resources to conduct their own risk \nassessments, in part because they have not been satisfied with FPS's \npast assessments.\\6\\ These assessments are taking place even though, \naccording to FPS's Chief Financial Officer, FPS received $236 million \nin basic security fees from Federal agencies to conduct FSAs and other \nsecurity services in fiscal year 2011.\\7\\ For example, officials we \nspoke with at the Internal Revenue Service, Federal Emergency \nManagement Agency, Environmental Protection Agency, and the U.S. Army \nCorps of Engineers stated that they conduct their own risk assessments. \nGSA is also expending additional resources to assess risk. We reported \nin October 2010 that GSA officials did not always receive timely FPS \nrisk assessments for facilities GSA considered leasing.\\8\\ GSA seeks to \nhave these assessments completed before it takes possession of a \nproperty and leases it to tenant agencies. However, our preliminary \nwork indicates that as of June 2012, FPS has not coordinated with GSA \nand other Federal agencies to reduce or prevent duplication of its \nassessments.\n---------------------------------------------------------------------------\n    \\6\\ GAO, 2012 Annual Report: Opportunities to Reduce Duplication, \nOverlap, and Fragmentation, Achieve Savings, and Enhance Revenue, GAO-\n12-342SP (Washington, DC: February 2012).\n    \\7\\ FPS currently charges tenant agencies in properties under GSA \ncontrol a basic security fee of $0.74 per square foot per year for its \nsecurity services including physical security and law enforcement \nactivities as per 41 C.F.R. \x06 102-85.35.\n    \\8\\ GAO-10-142.\n---------------------------------------------------------------------------\n    fps efforts to develop a risk assessment tool are evolving, but \n                           challenges remain\n    In September 2011, FPS signed an interagency agreement with Argonne \nNational Laboratory for about $875,000 to develop an interim tool for \nconducting vulnerability assessments by June 30, 2012.\\9\\ According to \nFPS officials, on March 30, 2012, Argonne National Laboratory delivered \nthis tool, called the Modified Infrastructure Survey Tool (MIST), to \nFPS on time and within budget. MIST is an interim vulnerability \nassessment tool that FPS plans to use until it can develop a permanent \nsolution to replace RAMP. According to MIST project documents and FPS \nofficials, among other things, MIST will:\n---------------------------------------------------------------------------\n    \\9\\ As of March 2012, FPS's total life cycle cost for MIST was \nestimated at $5 million.\n---------------------------------------------------------------------------\n  <bullet> allow FPS's inspectors to review and document a facility's \n        security posture, current level of protection, and recommend \n        countermeasures;\n  <bullet> provide FPS's inspectors with a standardized way for \n        gathering and recording facility data; and\n  <bullet> allow FPS to compare a facility's existing countermeasures \n        against the Interagency Security Committee's (ISC) \n        countermeasure standards based on the ISC's predefined threats \n        to Federal facilities (e.g., blast-resistant windows for a \n        facility designed to counter the threat of an explosive device) \n        to create the facility's vulnerability report.\\10\\\n---------------------------------------------------------------------------\n    \\10\\ The ISC is comprised of representatives from more than 50 \nFederal agencies and departments, establishes standards and best \npractices for Federal security professionals responsible for protecting \nnon-military Federal facilities in the United States. FPS is a member \nagency of the Interagency Security Committee in the Department of \nHomeland Security, along with other Federal agencies such as the \nGeneral Services Administration, the Federal Aviation Administration, \nthe Environmental Protection Agency, and other components within the \nDepartment of Homeland Security. The ISC has defined 31 different \nthreats to Federal facilities including vehicle-borne improvised \nexplosive devices, workplace violence, and theft.\n---------------------------------------------------------------------------\n    According to FPS officials, MIST will provide several potential \nimprovements over FPS's prior assessment tools, such as using a \nstandard way of collecting facility information and allowing edits to \nGSA's facility data when FPS inspectors find it is inaccurate. In \naddition, according to FPS officials, after completing a MIST \nvulnerability assessment, inspectors will use additional threat \ninformation gathered outside of MIST by FPS's Threat Management \nDivision as well as local crime statistics to identify any additional \nthreats and generate a threat assessment report. FPS plans to provide \nthe facility's threat and vulnerability reports along with any \ncountermeasure recommendations to the Federal tenant agencies.\n    In May 2012, FPS began training inspectors on MIST and how to use \nthe threat information obtained outside MIST and expects to complete \nthe training by the end of September 2012. According to FPS officials, \ninspectors will be able to use MIST once they have completed training \nand a supervisor has determined, based on professional judgment, that \nthe inspector is capable of using MIST. At that time, an inspector will \nbe able to use MIST to assess level I or II facilities.\\11\\ According \nto FPS officials, once these assessments are approved, FPS will \nsubsequently determine which level III and IV facilities the inspector \nmay assess with MIST.\n---------------------------------------------------------------------------\n    \\11\\ FPS uses the ISC's Facility Security Level Determination for \nFederal Facilities to determine the facility security level (FSL). The \nISC recommends that level I and II facilities be assessed every 5 years \nand level III and IV facilities every 3 years. According to the ISC's \ncriteria, a level I facility may be 10,000 or fewer square feet, have \nfewer than 100 employees, provide administrative or direct service \nactivities, and have little to no public contact; a level II facility \nmay be 100,000 or fewer square feet, have 250 or fewer employees, be \nreadily identifiable as a Federal facility, and provide district or \nState-wide services; a level III facility may be 250,000 or fewer \nsquare feet, have 750 or fewer employees, be an agency's headquarters, \nand be located in an area of moderate crime; and a level IV facility \nmay exceed 250,000 square feet, have more than 750 employees, house \nNational leadership, and be located in or near a popular tourist \ndestination.\n---------------------------------------------------------------------------\nFPS Increased Its Use of Project Management Best Practices in \n        Developing MIST\n    Our preliminary analysis indicates that in developing MIST, FPS \nincreased its use of GAO's project management best practices, including \nalternatives analysis, managing requirements, and conducting user \nacceptance testing.\\12\\ For example, FPS completed, although it did not \ndocument, an alternatives analysis prior to selecting MIST as an \ninterim tool to replace RAMP. It appears that FPS also better managed \nMIST's requirements. Specifically, FPS's Director required that MIST be \nan FSA-exclusive tool and thus helped avoid changes in requirements \nthat could have resulted in cost or schedule increases during \ndevelopment. In March 2012, FPS completed user acceptance testing of \nMIST with some inspectors and supervisors, as we recommended in \n2011.\\13\\ According to FPS officials, user feedback on MIST was \npositive from the user acceptance test, and MIST produced the necessary \noutput for FPS's FSA process. However, FPS did not obtain GSA or \nFederal tenant agencies' input in developing MIST's requirements. \nWithout this input, FPS's customers may not receive the information \nthey need to make well-informed countermeasure decisions.\n---------------------------------------------------------------------------\n    \\12\\ GAO-11-705R.\n    \\13\\ GAO-11-705R.\n---------------------------------------------------------------------------\nMIST Has Limitations as an Assessment Tool\n    FPS has yet to decide what tool, if any, will replace MIST, which \nis intended to be an interim vulnerability assessment tool. According \nto FPS officials, the agency plans to use MIST for at least the next 18 \nmonths. Consequently, until FPS decides what tool, if any, will replace \nMIST and RAMP, it will still not be able to assess risk at Federal \nfacilities in a manner consistent with NIPP, as we previously \nmentioned. Our preliminary work suggests that MIST has several \nlimitations:\n  <bullet> Assessing Consequence.--FPS did not design MIST to estimate \n        consequence, a critical component of a risk assessment. \n        Assessing consequence is important because it combines \n        vulnerability and threat information to evaluate the potential \n        effects of an adverse event on a Federal facility. Three of the \n        four risk assessment experts we spoke with generally agreed \n        that a tool that does not estimate consequences does not allow \n        an agency to fully assess the risks to a Federal facility. \n        However, FPS officials stated that incorporating consequence \n        information into an assessment tool is a complex task. FPS \n        officials stated that they did not include consequence \n        assessment in MIST's design because it would have required \n        additional time to develop, validate, and test MIST. As a \n        result, while FPS may be able to identify a facility's \n        vulnerabilities to different threats using MIST, without \n        consequence information, Federal tenant agencies may not be \n        able to make fully-informed decisions about how to allocate \n        resources to best protect Federal facilities. FPS officials do \n        not know if this capability can be developed in the future, but \n        they said that they are working with the ISC and DHS's Science \n        and Technology Directorate to explore the possibility.\n  <bullet> Comparing Risk Across Federal Facilities.--FPS did not \n        design MIST to present comparisons of risk assessment results \n        across Federal facilities. Consequently, FPS cannot take a \n        comprehensive approach to managing risk across its portfolio of \n        9,000 facilities to prioritize recommended countermeasures to \n        Federal tenant agencies. Instead, FPS takes a facility-by-\n        facility approach to risk management where all facilities with \n        the same security level are assumed to have the same security \n        risk, regardless of their location.\\14\\ We reported in 2010 \n        that FPS's approach to risk management provides limited \n        assurance that the most critical risks at Federal facilities \n        across the country are being prioritized and mitigated.\\15\\ FPS \n        recognized the importance of having such a comprehensive \n        approach to its FSA program when it developed RAMP and FPS \n        officials stated that they may develop this capability for the \n        next version of MIST.\n---------------------------------------------------------------------------\n    \\14\\ GAO-10-142.\n    \\15\\ GAO, Homeland Security: Addressing Weaknesses with Facility \nSecurity Committees Would Enhance Protection of Federal Facilities, \nGAO-10-901 (Washington, DC: August 5, 2010).\n---------------------------------------------------------------------------\n  <bullet> Measuring Performance.--FPS has not developed metrics to \n        measure MIST's performance, such as feedback surveys from \n        tenant agencies. Measuring performance allows organizations to \n        track progress toward their goals and, gives managers critical \n        information on which to base decisions for improving their \n        programs. This is a necessary component of effective \n        management, and should provide agency managers with timely, \n        action-oriented information.\\16\\ Without such metrics, FPS's \n        ability to improve MIST will be hampered. FPS officials stated \n        that they are planning to develop performance measures for \n        MIST, but did not give a time frame for when they will do so.\n---------------------------------------------------------------------------\n    \\16\\ GAO, Homeland Security: The Federal Protective Service Faces \nSeveral Challenges That Hamper its Ability to Protect Federal \nFacilities, GAO-08-683 (Washington, DC: June 11, 2008).\n---------------------------------------------------------------------------\n         fps faces challenges in overseeing its contract guards\n    Our work to date indicates that FPS does not have a comprehensive \nand reliable system to oversee its approximately 12,500 contract \nguards. In addition to conducting FSAs, FPS developed RAMP as a \ncomprehensive system to help oversee two aspects of its contract guard \nprogram: (1) Verifying that guards are trained and certified to be on \npost in Federal facilities; and (2) conducting and documenting guard \npost inspections.\\17\\ However, FPS experienced difficulty with RAMP \nbecause the contract guard training and certification information in \nRAMP was not reliable. Additionally, FPS faced challenges using RAMP to \nconduct and document post inspections.\\18\\ For example, FPS inspectors \nwe interviewed reported they had difficulty connecting to RAMP's \nservers in remote areas and that recorded post inspections disappeared \nfrom RAMP's database without explanation. Although we reported some of \nthese challenges in 2011, FPS did not stop using RAMP for guard \noversight until June 2012 when the RAMP operations and maintenance \ncontract was due to expire.\n---------------------------------------------------------------------------\n    \\17\\ A post is a guard's area of responsibility in a Federal \nfacility.\n    \\18\\ FPS's inspection requirement for level I and II facilities is \ntwo annual inspections of all posts, all shifts. The inspection \nrequirement for level III facilities is biweekly inspections of two \nposts, any shift, and for level IV, weekly inspections of two posts, \nany shift.\n---------------------------------------------------------------------------\n    In the absence of RAMP, in June 2012, FPS decided to deploy an \ninterim method to enable inspectors to record post inspections. FPS \nofficials said this capability is separate from MIST, will not allow \nFPS to generate post inspection reports, and does not include a way for \nFPS inspectors to check guard training and certification data during a \npost inspection. FPS officials acknowledged that this method is not a \ncomprehensive system for guard oversight. Consequently, it is now more \ndifficult for FPS to verify that guards on post are trained and \ncertified and that inspectors are conducting guard post inspections as \nrequired.\n    Although FPS collects guard training and certification information \nfrom the companies that provide contract guards, it appears that FPS \ndoes not independently verify that information. FPS currently requires \nits guard contractors to maintain their own files containing guard \ntraining and certification information and began requiring them to \nsubmit a monthly report with this information to FPS's regions in July \n2011.\\19\\ To verify the guard companies' reports, FPS conducts monthly \naudits. As part of its monthly audit process, FPS's regional staff \nvisits the contractor's office to select 10 percent of the contractor's \nguard files and check them against the reports guard companies send FPS \neach month. In addition, in October 2011, FPS undertook a month-long \naudit of every guard file to verify that guards had up-to-date training \nand certification information for its 110 contracts across its 11 \nregions. FPS provided preliminary October 2011 data showing that 1,152 \n(9 percent) of the 12,274 guard files FPS reviewed at that time were \ndeficient, meaning that they were missing one or more of the required \ncertification document(s). However, FPS does not have a final report on \nthe results of the Nation-wide audit that includes an explanation of \nwhy the files were deficient and whether deficiencies were resolved.\n---------------------------------------------------------------------------\n    \\19\\ For example, guard training and certifications include \nfirearms qualification, cardiopulmonary resuscitation, first aid, baton \ncertification, and X-ray and magnetometer training.\n---------------------------------------------------------------------------\n    FPS's monthly audits of contractor data provide limited assurance \nthat qualified guards are standing post, as FPS is verifying that the \ncontractor-provided information matches the information in the \ncontractor's files. We reported in 2010 that FPS's reliance on \ncontractors to self-report guard training and certification information \nwithout a reliable tracking system of its own may have contributed to a \nsituation in which a contractor allegedly falsified training \ninformation for its guards.\\20\\ In addition, officials at one FPS \nregion told us they maintain a list of the files that have been audited \npreviously to avoid reviewing the same files, but FPS has no way of \nensuring that the same guard files are not repeatedly reviewed during \nthe monthly audits, while others are never reviewed. In the place of \nRAMP, FPS plans to continue using its administrative audit process and \nthe monthly contractor-provided information to verify that qualified \ncontract guards are standing post in Federal facilities.\n---------------------------------------------------------------------------\n    \\20\\ GAO, Homeland Security: Federal Protective Service's Contract \nGuard Program Requires More Oversight and Reassessment of Use of \nContract Guards, GAO-10-341 (Washington, DC: April 13, 2010).\n---------------------------------------------------------------------------\n    We plan to finalize our analysis and report to the Chairman in \nAugust 2012, including recommendations. We discussed the information in \nthis statement with FPS and incorporated technical comments as \nappropriate. Chairman Lungren, Ranking Member Clarke, and Members of \nthe subcommittee, this completes my prepared statement. I would be \nhappy to respond to any questions you may have at this time.\n\n    Mr. Lungren. Thank you very much, Mr. Goldstein.\n    The Chairman now recognizes Dr. Peerenboom to testify.\n\n  STATEMENT OF JAMES P. PEERENBOOM, DIRECTOR, INFRASTRUCTURE \nASSURANCE CENTER, ASSOCIATE DIRECTOR, DECISION AND INFORMATION \n         SCIENCES DIVISION, ARGONNE NATIONAL LABORATORY\n\n    Mr. Peerenboom. Good morning. Thank you, Chairman Lungren, \nRepresentative Clarke, and the Members of the subcommittee for \nyour invitation to testify here today.\n    In early October 2011 the Federal Protective Service \nengaged Argonne by funding the development of a software \napplication called a Modified Infrastructure Survey Tool, or \nMIST, to be used by FPS on an interim basis to conduct facility \nsecurity assessments. MIST uses a tailored set of questions \nthat helps FPS establish a security baseline and allows for \ncomparisons of facilities being surveyed against security \nstandards. The MIST provides a standardized way of collecting \nand reporting facility information to inform decisions about \nsecurity measures.\n    Argonne's work involved five tasks: Working with FPS to \ndevelop the MIST methodology; implementing the methodology as a \nrelease called MIST Release 1.0; developing a host site for \nMIST Release, called the FPS Gateway; assisting FPS, as \nrequested, in training functions; and finally, providing help \ndesk support to MIST operation.\n    By working closely with FPS inspectors, contract management \nstaff, and leadership throughout the period of performance \nArgonne was able to meet all the defined requirements in the \nstatement of work. MIST Release 1.0 and the FPS Gateway were \ndelivered to FPS on March 30, 2012, 6 months after the program \nbegan. The products were delivered on time and within the \ndefined budget.\n    Argonne greatly appreciates the opportunity to work with \nFPS in a collaborative manner to develop the MIST as a useful \nand usable interim tool for FPS personnel. Knowledgeable FPS \nleadership and staff were actively involved in all tasks and \nfeedback was provided by FPS personnel in a timely manner to \nguide development activities. In addition, regular meetings \nwere held with FPS director, Director Patterson, and his staff \nto review schedules and deliverables and to ensure that any \nproblems encountered were identified and quickly resolved.\n    Finally, Argonne also wishes to thank the DHS Office of \nInfrastructure Protection, part of NPPD, their Protective \nSecurity Coordination Division in particular, for their \ncollaboration with FPS, willingness to share methodologies, \ntechnology, and experience.\n    I appreciate this opportunity to summarize the MIST \ndevelopment activities at Argonne and I look forward to your \nquestions. Thank you.\n    [The prepared statement of Mr. Peerenboom follows:]\n               Prepared Statement of James P. Peerenboom\n                             July 24, 2012\n    Thank you Chairman Lungren, Representative Clarke, and the \ndistinguished Members of the subcommittee for your invitation to \ntestify here today.\n    My name is James Peerenboom, and I am the Director of the \nInfrastructure Assurance Center and the Associate Director of the \nDecision and Information Sciences Division at Argonne National \nLaboratory. Argonne is located just outside of Chicago and is one of \nthe U.S. Department of Energy's largest National laboratories for \nscientific and engineering research. Argonne has been providing \ntechnical support to the U.S. Department of Homeland Security (DHS) \nsince the Department was established in March 2003.\n                               background\n    In late March 2011, the Federal Protective Service (FPS) requested \na meeting with Argonne to discuss the potential for leveraging \ntechnical work that had been underway at the laboratory since 2007. The \nwork that FPS was seeking to leverage was funded by the DHS National \nProtection and Programs Directorate's Office of Infrastructure \nProtection (NPPD/IP). Specifically, FPS was interested in exploring the \noption to modify an existing survey tool that Argonne had developed for \nNPPD/IP called the Infrastructure Survey Tool (IST). This security \nsurvey has been successfully deployed and used by DHS and its \nProtective Security Advisors (PSAs) to identify security measures at \nvarious critical infrastructure assets across the Nation. Argonne first \nmet with FPS representatives in April 2011 to demonstrate IST \nfunctionality; discuss the purpose, scope, and limitations of the tool; \nand discuss FPS assessment needs. A series of subsequent discussions \nand meetings with FPS took place from April through September 2011.\n                           description of ist\n    The IST is a survey tool that employs a tailored set of questions \nto identify for infrastructure owners and operators some of the \npotential security weaknesses at a given facility, establish an index \nvalue of protective measures at the facility, and provide comparisons \nwith similar facilities. It is not a vulnerability or risk assessment \ntool. Rather, as a survey tool, the IST provides a consistent, \ntransparent, and integrated assessment of a facility's current security \nposture. It was designed for application to many types of critical \ninfrastructure assets--from refineries, railroad lines, and power \nplants to financial centers--to enable owners and operators to see how \nthe security measures at their facilities stack up against those at \nfacilities like theirs. While the IST is not intended to compare a \nfacility's security to specific standards, it does provide a \ncomparative measure to similar facilities.\n    The DHS customers for IST survey data are infrastructure owners and \noperators. The survey data, presented in an interactive dashboard, \nallows them to visualize how certain security-related changes, such as \nadding security cameras or installing fencing, alters the protective \nmeasures index value and may contribute to improved security. On the \nbasis of feedback from the PSA community, the interactive dashboard in \nuse by NPPD/IP has been well received by infrastructure owners and \noperators. In addition to providing insight and valuable feedback to \nowners and operators, the IST data are also used by DHS to benchmark \nsecurity measures, identify protective measure gaps, and develop \ninfrastructure protection strategies.\n                             fps work scope\n    In early October 2011, FPS engaged Argonne by funding the \ndevelopment of a software application, called the Modified \nInfrastructure Survey Tool (MIST), to be used by FPS on an interim \nbasis to conduct facility security assessments. As the name implies, \nthe MIST is a modification of the existing IST developed by Argonne and \ndeployed by NPPD/IP. The MIST uses a tailored set of questions that \nhelps FPS establish a security baseline and allows for comparison of \nthe facility being surveyed against security standards. MIST's \nmethodology involves the gathering of data via an assessment question \nset, processing the data through an algorithm to convert the data to \nvulnerability measures, and the generation of outputs such as a report \nof those measures. Although the MIST was not designed to be an \nInteragency Security Committee (ISC)-compliant tool, it adheres to the \nISC process and guidance as much as possible and captures elements of \nISC standards. The MIST provides a standardized way of collecting and \nreporting facility information to inform decisions about security \nmeasures.\n    Argonne's work was funded through an existing Interagency Agreement \n(IAA) with NPPD/IP that encompassed IST-related tasks. Funds were \ncommitted under the IAA to develop, test, deliver, and support MIST \nRelease 1.0. More than half of the funds were used for hardware and \nsoftware to establish a web portal, called the FPS Gateway, that allows \nfor sharing of information products and knowledge in real time. The FPS \nGateway leverages the architecture and hardware/software technology of \nthe Linking Encrypted Network System (LENS), a similar portal that \nArgonne developed for NPPD/IP.\n    Argonne's statement of work under the IAA with FPS included five \ntasks, all of which involved leveraging the experience, expertise, and \ntechnology used in developing the IST:\n  <bullet> Working with FPS to develop the MIST methodology;\n  <bullet> Implementing the methodology as MIST Release 1.0 (software \n        development);\n  <bullet> Developing a host site for MIST Release 1.0 (i.e., the FPS \n        Gateway);\n  <bullet> Assisting FPS, as requested, in training functions; and\n  <bullet> Providing ``help desk'' support for MIST operation.\n                            project results\n    By working closely with FPS inspectors, contract management staff, \nand leadership throughout the period of performance, Argonne was able \nto meet all defined requirements in the statement of work. MIST Release \n1.0 and the FPS Gateway were delivered to FPS on March 30, 2012. The \nproducts were delivered on time and within the defined budget. Argonne \ncontinues to provide help desk support to FPS. Feedback from FPS about \nthe MIST as an interim survey tool has been very positive.\n                            acknowledgments\n    Argonne appreciates the opportunity to work with FPS in a \ncollaborative manner to develop the MIST as a useful and usable interim \ntool for FPS personnel. Knowledgeable FPS leadership and staff were \nactively engaged in all tasks, and feedback was provided by FPS \npersonnel in a timely manner to guide development. In addition, regular \nmeetings with the FPS Director also were held to review schedules and \ndeliverables and to ensure that any problems encountered were \nidentified and quickly resolved. Argonne also wishes to thank the NPPD/\nIP Protective Security Coordination Division staff for their \ncollaboration with FPS, willingness to explain and share methodologies \nand technology, and thorough IAA oversight.\n\n    Mr. Lungren. Thank you very much.\n    I think we may have set a record for brevity of the three \npanelists, and we appreciate that. I am sure all my colleagues \nhave questions. We will start of round of questioning, and I \nwill start with the first 5 minutes.\n    General Patterson, in your previous jobs, precision, \naccuracy, attention to detail has been extremely important. We \nhave had concerns prior to the time you got there with the lack \nof those things in some of the functions that you are supposed \nto--that your operation is supposed to carry out.\n    Last July when you testified you indicated your, I think, \nfrustration at where FPS was at that time. So how would you \nassess FPS's progress to address deficiencies in the ability to \nconduct facility security assessments and conduct oversight and \ntraining of the contract guard program?\n    As I am sure you heard Mr. Goldstein, you have seen the \ntestimony that he gave. There seems to be some concern that he \nexpresses there. How would you judge where you are versus where \nyou think you need to be and where you want to be in those \nareas?\n    General Patterson. Thank you, sir.\n    Well, to begin, we are at the beginning. RAMP unfortunately \ndid not produce results that the agency had hoped that it \nwould. So after careful review, as you are aware, I made the \ndecision that we were no longer going to follow that path and \ndevelop a new path.\n    I spent quite a bit of time with our sister activity \ncomponent within Homeland Security, I.P., to talk about how \nthey look at threats, how they look at vulnerability within the \nprivate and commercial sector, and how we could leverage what \nthey do and bring that about as quickly as we can to look how \nwe might do that in the Federal sector.\n    Once I was able to look across the--at what they were doing \nand some of the things that some of our other partners might--\nwere doing at the time, because we also looked at systems \nwithin S&T, and I think GSA also had a system that we were \nevaluating. But at the time I believe that I.P. offered us the \nbest product, if you will, for us to move forward. That was \nwhen I was introduced to Argonne Labs and the work that they \nwere doing for I.P. to support I.P.\n    I spent quite a bit of time with I.P. and Argonne Labs to \nassess whether or not that would be the right direction for us. \nIn fact, that was the right--I believe that it is the right \ndirection for us.\n    Now, to get to the point of our folks within the GAO \nassessment, it is correct that our MIST tool does not look at \nconsequence. However, what we do is we look at vulnerability \nand we look at threat. We do that in a couple of ways.\n    In the vulnerability, we collect a lot of data to assess \nand to determine how vulnerable these--our facilities are to \nthe threats that are being posed by--in a number of areas, \nwhether it be natural disaster, whether it be criminal threat, \nor whether it be from the threat of terrorism.\n    I have also developed a very robust activity within FPS \nthat looks at the threat picture every day. We have folks who \nare working with the ODNI, the Office of Director of National \nIntelligence, who are working with I&A at DHS, who are working \nwith the FBI. I have several folks across the country who are \nworking at the JTTFs as well as the fusion centers across the \ncountry to help us better understand the threat picture as we \nmove forward pulling vulnerability and threat together.\n    Relative to the consequence piece, each one of the Federal \nagencies has a--what we call a COOP plan. It is a plan as to \nwhen there is a problem--a disaster or something the must \nrespond to--how they will reorganize, how they will \nreconstitute once that event has happened. They also have \nsomething called an occupational emergency plan that we work \nwith them--that they can leverage, and that plan is developed \nwhen an agency is either--when they have stood up--or when they \noccupy a facility, or as we go in to perform our assessments.\n    So we have what we believe to be a fairly robust scenario, \nif you will, of bringing vulnerability, threat, and \nconsequences together not necessarily in a single document, but \nin a process, in a plan. So when an assessment is done my MIST \ntool brings me the vulnerability piece; my intelligence folks--\nmy RIAs, is what we call them, regional intelligence folks, \nbring forth the threat piece, and combine that with the COOP \nplan and the emergency occupant plan to, I think, to bring \ntogether a fairly robust product and assessment of \nvulnerabilities and threats to our Federal facilities.\n    Mr. Lungren. Mr. Goldstein, would you have any comments on \nthat?\n    Mr. Goldstein. Thank you, Mr. Chairman.\n    You know, we were very pleased that FPS has made progress. \nDon't get me wrong, we feel that they have made some progress. \nThe development of MIST is certainly a way forward out of the \npast, whether it was from the original tools of FSRS, or \nwhether it was through the more recent tools, where they use an \nExcel spreadsheet and then they had the whole RAMP program. \nThis is a way forward, and we do believe that by finally having \na program the inspectors can use where they are not \nsubjectively determining vulnerability on their own is \nimportant. We discussed it in our report.\n    But we do think that being able to include consequence \ninformation, as the National infrastructure program requires, \nis really important. In my opinion----\n    Mr. Lungren. Mr. Patterson suggests that COOP, I believe it \nis, or these other elements that their clients have fulfills \nthat role. You have a disagreement with that?\n    Mr. Goldstein. What I would tell you is I think that you \ncan't have a robust program without consequence information \nbecause what you are doing is essentially telling people that \nyou have set the dinner table without telling them what the \nfood is going to be----\n    Mr. Lungren. No, I understand. I mean, I have always looked \nat risk, you know, that simple equation of threat, \nvulnerability, and consequence. What I was trying to get at is \nMr. Patterson has suggested, or stated, that he believes that \nyou reach that with this other component of information that he \nreceives from what I refer to as the clients--you might use \nanother term. Is that something you would still quarrel with at \nthis point?\n    Mr. Goldstein. I don't think it provides agencies and their \nclients the kind of information they need to make robust \ndecisions about which countermeasures they are going to adopt \nand which they aren't, which have more priority than others.\n    Mr. Lungren. Okay.\n    Ms. Clarke.\n    Ms. Clarke. Thank you, Mr. Chairman.\n    Director Patterson, FPS chose to modify the current Office \nof Infrastructure Protection's infrastructure survey tool for \nits new interim risk assessment tool. What other tools did FPS \nconsider and why weren't they selected?\n    General Patterson. Yes, ma'am. I don't have the specific \nnames of the other tools but there were a couple other tools. I \nknow one specifically that was being developed by the Office of \nScience and Technology. The challenge with that particular tool \nwas that it was still in the development phase and it was being \nbeta tested.\n    One of the challenges that I believe that we were going to \nhave was that we were not involved in setting the requirements \nfor the tool. So therefore, we would had to have started from \nthe very beginning to figure out, you know, whether or not our \nrequirements were going to be met, and then if they weren't, \nhow we were going to incorporate that.\n    I felt that I needed to deliver something. We had spent \ntime, a bit of time, on RAMP. I felt that we needed to do, to \nmove forth quickly to try to do something to ensure that we \nwere providing our customers, our clients, an assessment \nproduct--okay, not just an assessment, but an assessment \nproduct--and I thought MIST would be the best way to do that.\n    Ms. Clarke. How does FPS plan to address the limitations \nthat GAO identified for MIST?\n    General Patterson. Yes, ma'am. For me, this is about being \na marathon and not a sprint. We are going to work aggressively \nwith the ISC, the Interagency Security Committee, to look at \nhow we productively and efficiently and effectively incorporate \nall those things that the GAO has recommended and we agree that \nshould be considered to be in the tool.\n    Part of the challenge that we have is that we need to look \nat this very, if you will, judiciously. When we evaluate or \nassess a facility sometimes there are 10 tenants in that \nfacility, okay, so we have to be--we have to ensure that when \nwe produce a report that the consequence piece of that, if you \nwill, is going to have relevance to all of the folks in that \nparticular facility.\n    So I am not exactly sure that trying to put a consequence \npiece into every assessment is the right avenue. So we are \ngoing to work with the ISC to see how we might develop that and \nwork forward and move in that direction.\n    Ms. Clarke. How was the decision made to award Argonne \nNational Laboratory the contract to develop MIST? Were there \nother entities considered as well?\n    General Patterson. Yes. We were required to--the \nacquisition process required us to consider other avenues for \nthat, and they were--the decision was to go with Argonne.\n    Ms. Clarke. Okay.\n    Mr. Goldstein, when do you estimate that FPS will have a \nmore robust guard oversight tool in place that can track guard \ncertification information and offer FPS management with greater \ninsight as to whether all of the post inspections that need to \nbe conducted are, in fact, occurring?\n    Mr. Goldstein. I would judicially say that that is a work \nin progress. I think the Federal Protective Service has \nrecognized that there are some vulnerabilities in their \nprocess.\n    They recently stopped, as of June 2012, any use of RAMP for \nthat process; it was the last part of RAMP that was being used \nand they notified offices not to be using that anymore. Much of \nthe information in that system had never been revalidated from \nthe old cert system so there were many problems with it.\n    I think it is going to take some time. We have some on-\ngoing work for this committee, taking a look at guard programs, \nand this will be something that we evaluate how others do it \nand try to bring some of that information back to you and to \nFPS to help them as they go forward. It is not a short-term \nproject.\n    Ms. Clarke. So would you say--yes, I mean, I recognize \nthat. But would you say they are just at the advent of----\n    Mr. Goldstein. I think they are at the beginning of trying \nto determine what they need and how to independently verify \ncertification as well as post inspection, yes, ma'am.\n    Ms. Clarke. Okay. How does FPS now track the implementation \nof security countermeasures that are recommended for inclusion \nin the facility security assessments?\n    General Patterson. I am sorry, ma'am. Can you repeat that, \nplease?\n    Ms. Clarke. Yes, sure. How does FPS now track the \nimplementation of security countermeasures that are recommended \nfor inclusion in the facility security assessments?\n    General Patterson. Yes, ma'am. Currently we don't have a \ntracking tool. It is all done manually, if you will, paper. As \nour inspectors go out and interface with the committees, the \nsecurity committees, the facility security committees to \ndiscuss--or the agencies to discuss what countermeasures might \nbe necessary or what--that we might recommend, at that point we \nwork with the FSCs to implement those requirements and it is \ndocumented, but it is documented on paper at this point because \ndon't have a digital system, if you will, to account for that.\n    Ms. Clarke. Thank you, Mr. Chairman. I yield back.\n    Mr. Lungren. Gentlelady yields back.\n    Mr. Walberg is recognized for 5 minutes.\n    Mr. Walberg. Thank you, Mr. Chairman.\n    Thanks to the panel for being here.\n    Mr. Goldstein, you have noted that MIST, as an interim \ntool, falls short of providing FPS the ability to do many of \nthe things that RAMP was intended to provide. You also noted \nthat MIST is neither compliant with DHS's own National \ninfrastructure protection plan and the framework that it has \nnor standards developed by the Interagency Security Committee.\n    So the question I would initially ask is, why are these \nstandards so important?\n    Mr. Goldstein. I think the standards are important \nprincipally because they will create a baseline, but they will \nalso allow that baseline to be examined across the host of the \nGovernment's portfolio. FPS does not have the ability today to \nlook at the portfolio of Government properties that it \nprotects--some 9,000 GSA buildings--and to determine at various \nlevels which of those facilities require the most resources.\n    They protect everyone, everything essentially at each level \nin the same way, regardless of where it is and what its \nfunction is. So therefore we have a very static approach, \nbuilding by building, to protecting our Federal infrastructure \nwhen resources are obviously very tight, and you can't leverage \nthe resources and priorities effectively that way.\n    Mr. Walberg. I mean, that being the suggestion then, I \nguess, Mr. Patterson, does FPS believe ISC or NIPP standards \nare important criteria to meet?\n    General Patterson. Oh, absolutely, sir. They are important. \nWe are baselining those criteria.\n    The challenge that we have is right now, is developing, if \nyou will, a tool that will bring all that into play----\n    Mr. Walberg. But the present tool isn't compliant with any \nof those standards, is it?\n    General Patterson. It is not ISC-compliant because it does \nnot take into consideration the consequence piece of the \nassessment, okay? However, the tool isn't compliant but our \nprocess is compliant, okay, and the process----\n    Mr. Walberg. Explain that a little further.\n    General Patterson. Yes, sir. I will. The tool is no more \nthan a product that we provide to our customer. It is a \nsnapshot in time of what we believe to be the vulnerability, \nthe threat, and in this case, the consequence at a particular \nfacility, okay? We discuss each one of those elements at the \nout-brief when we have completed an assessment.\n    All right, now, that MIST tool--that MIST product--will not \ncover all three, but that doesn't mean that we haven't covered \nthat with our customers, all right? So what we are trying to do \nis we are trying to work with the ISC to develop a product, a \ntool, a product that we can deliver at the end of the day, at \nthe end of the assessment that allows them to capture all of \nthat into one document. We can't do that today.\n    Mr. Walberg. What is the time period you are expecting this \ntool to be developed and then fully implemented?\n    General Patterson. In my discussions with the ISC, to their \nknowledge there is no one out there today that has a tool that \nwill do that, that has been proven to do that. I understand \nthat there might be a few folks out there who think they may \nhave a tool to do that, but no one at this point has \ndemonstrated that they have an effective tool that brings into \nplay vulnerability, threat, and consequence into one document, \nor into a process that will bring all that together and you can \nprovide that to our clients.\n    So we are working aggressively with GSA, with the ISC, and \nothers to look at how we might do that and how the community--\nhow we can work together with the community to make that \nhappen.\n    Mr. Walberg. Mr. Goldstein, would you concur with that, \nthat there is not a tool capable at this time, or----\n    Mr. Goldstein. We haven't looked at that specifically, sir. \nWe are doing some work for this committee--just beginning that \nwork--taking a look at assessment tools across the Federal \nGovernment and out in the broader community, and we will \nhopefully be able to report back on that on the near future.\n    Mr. Walberg. Okay.\n    Mr. Patterson, I understand that MIST was developed as an \ninterim tool to replace RAMP. What is FPS's long-term plan to \nreplace RAMP and what is the time line for that implementation?\n    General Patterson. Yes, sir. The long-term plan is to \ncreate a tool that is ISC-compliant. I currently don't have a--\nI don't have a time line for that.\n    Again, we are going to--we are actively working with the \nISC and collaborating with the ISC. We are actively \ncollaborating with GSA to begin to look at how we will do that: \nWhat is the next step? Because we want to build upon what we \nhave at MIST, what we have created with MIST, so that we are \nnot recreating every time we decide to develop a new tool or a \nnew process. We don't want to recreate that every time.\n    So the bottom line is is that we are going to work with the \nISC and the community to look at how we move forward. I wish I \ncould give you a better answer but I don't have a better answer \nat this point until we can collaboratively come together and \nbegin to figure out the path forward.\n    Mr. Walberg. Well, I see my time has expired.\n    Mr. Lungren. Mr. Richmond----\n    Mr. Walberg. Thank you, Mr. Chairman.\n    Mr. Lungren [continuing]. Is recognized for 5 minutes.\n    Mr. Richmond. Mr. Patterson, I guess I need you to make a \nconnection for me and monitor the conversation with my \ncolleague, and you said that MIST, or whatever you are using \nnow, the program does not have consequence in it but your \nprocess has consequence in it. Did I hear that right?\n    General Patterson. Yes.\n    Mr. Richmond. I guess I am falling short that if the \nprocess has consequence in it why can't we develop a tool that \nputs vulnerability, threat, and consequence into one thing? I \nguess I am lost on that. Can you----\n    General Patterson. Sure.\n    Mr. Richmond. Can you help me on that?\n    General Patterson. I am not debating that we can. I am just \nsaying that I haven't found a way to do that today.\n    My work to this point--our research to this point--has \ntaken us through vulnerability and threat, but incorporating \nthe consequence piece, as we would have it within the Federal \nsector, is very different than you incorporate consequence \nnecessarily into the private sector. So what we are trying to \ndo is when we do that we want to make sure that we develop a \ntool that is usable, that has got credibility, and we just \nhaven't reached that point yet.\n    So when I talk about the consequence piece in the process, \nthe process is is that when we sit down and talk with our \ncustomers and with our clients we talk about their ability to \nreconstitute, their ability to perform if there is an event, \nokay, and there are certain things that they have already done.\n    For instance, IRS has a COOP plan. If there is an IRS--if \nthere is an event--for instance, the airplane that flew into \nthe IRS facility in Austin, Texas a few years ago, well the IRS \nhad a way to reconstitute. They knew exactly what they needed \nto do in order to move those functions from that facility to \nanother facility, okay?\n    So for them it wasn't about us bringing something to them, \nall right? They knew exactly what they wanted to do. They had a \nplan. They have a plan.\n    Most Federal agencies have a plan if there is a problem, if \nthere is an event that happens that takes them away from their \nfacility.\n    Mr. Richmond. You said most of them do. Do----\n    General Patterson. That is an assumption. I would hope all \ndo.\n    Mr. Richmond. Okay. I guess that was going to be my next \nquestion: Do we have a good take on who has and who does not \nhave----\n    General Patterson. No. We work with every agency--every \nfacility, every agency that we do an assessment, we work with \nthem on what they call the occupant emergency plan, and that is \na plan to do just what we are talking about. If there is a \nproblem--if it is a natural disaster, if it is a criminal event \nor a terrorism event, what will you do? We go through a myriad \nof scenarios with them as to what they would do. Through every \nassessment we work with every tenant in the facility on that \nplan.\n    Mr. Richmond. I remember from the last hearing we talked \nabout that there was the inability, or we were not in a \nposition to verify the--that the guards that were on post were \ntrained and certified. Have we developed something to better \nassess whether they are trained, certified, and present on \nour--in our Federal buildings?\n    General Patterson. Yes. What we are doing now--we don't--\nclearly we need a better process. Right now it is a pen-and-\npaper process for us.\n    We were hoping--the agency was hoping that RAMP was going \nto resolve this or help us get a little closer to a better \nsolution. When that didn't evolve, when that didn't work, what \nI had directed all of my regions to do is revert back to a \npaper process, if you will, working with--as our PSOs are \nbrought on for their time to do work, or when a client--not a \nclient, but when our contractors, if you will, when they hire a \nPSO to work there is a package of certifications that each of \nour PSOs must have. That package--those certifications are \nmaintained by the contractor.\n    However, that information that is contained in those \ncertification packages are then forwarded--is then forwarded to \nevery one of my regions. So we have on file in our regions, if \nyou will, that information.\n    Now, the challenge is how often we can get through there \nand continue to recertify that their certifications are up-to-\ndate. We have 13 certifications in those files that must be \ncertified every year, or recertified every year. So it is a \nhuge administrative task for us to go through that and we are \nlooking for ways that we can digitize that, we can use \ntechnology to help us with that; we are just not there yet.\n    Mr. Richmond. I see that my time has expired so I yield \nback. Thank you, Mr. Chairman.\n    Mr. Lungren. Thank you.\n    We might have time for a quick second round if anybody is \ninterested.\n    Let me just recognized myself in the first instance, and \nthat is, Mr. Goldstein, you heard Mr. Patterson's response to \nthe question about consequence. Here is my concern--I will have \nMr. Patterson answer after I ask your thoughts--when Mr. \nPatterson described it he talked about some of the clients, \nsuch as IRS, having an ability to reconstitute themselves. That \nis what they have. That is their part of this consequence.\n    But I thought this tool that we were trying to develop, or \ntools, to do threat assessment was for the purpose of \nestablishing, by FPS, what the levels of security would be so \nthat you would have them more in line with what the overall \nrisk assessment was. In that regard, a consequence piece would \nhelp Mr. Patterson and his organization decide the level of \nsecurity as opposed to, as you suggested, I thought, in your \ntestimony, that it is kind of an across-the-board, everybody is \ntreated the same.\n    Am I correct in what you said and the reason why the lack \nof consequence would affect their ability to make those \ndecisions?\n    Mr. Goldstein. Yes, sir. Mr. Patterson's discussion of COOP \nis an important element of, obviously, responding to any \ndisaster or any attack but it isn't directly related, I would \nsubmit, to what we are talking about, in that the need to have \nconsequence information as part of this program, which he \nagrees they will eventually develop and we are simply bringing \nthat point out, is so that agencies working with the Federal \nProtective Service will have guidance on how to prioritize \nprotecting facilities themselves over a period of time.\n    Mr. Lungren. Mr. Patterson, that is what I have found is a \ndisconnect in what you are saying. I understand--I am happy \nthat IRS knew how to reconstitute itself, but in terms of your \nassessment of your operation's ability to manage your resources \nin tough budget times, to decide where you need to put your \nemphasis, where you need to have more, where you need to have \nless, that that assessment tool or tools are to allow you to do \nthat as opposed to you determining exactly what IRS ought to do \nat this place or one of your other clients.\n    General Patterson. Yes, sir. Again, it is--from our \nperspective it is a huge challenge as to how we incorporate \nconsequence into any tool.\n    For instance, as I stated before, every facility is \ndifferent. Some facilities, they are just stand-alone agencies; \nand other facilities, much like the Reagan Building, there \nmight be literally 10 to 20 different agencies with different \nrequirements--having different requirements, and having much \nmore, if you will, at risk than some of the other agencies in \nthere.\n    So as we look across the spectrum of facilities that we \nhave to assess what I am trying to get away from is a one-size-\nfits-all kind of a tool.\n    Mr. Lungren. I don't want you to do that. That is why I am \ntrying to figure out----\n    General Patterson. Yes, sir.\n    Mr. Lungren [continuing]. Why consequence couldn't be \nincorporated into the tool that you use, or you have some \nintegration at some point in time of two tools so that you have \nthose three things together in making your risk assessment to \naid you in a determination of the level of security and the \nprioritizing of your resources. That is all I am trying to \nfigure out.\n    General Patterson. Yes, sir. Again, it is our intent to \nincorporate consequence; we are just trying to figure out, how \ndo we do that?\n    Mr. Lungren. Okay. Ms. Clarke.\n    Ms. Clarke. Thank you, Mr. Chairman.\n    This question is for Director Patterson and Mr. Goldstein: \nHow does FPS track the effectiveness and performance of the \nsecurity countermeasures that it has recommended? How do you \nactually----\n    General Patterson. We have our inspectors who visit our \nsites routinely, who visit Federal facilities routinely to \nassess the effectiveness of our PSOs. When we do post \ninspections that is an assessment of our contract guard force.\n    We also visit our camera facilities to look at whether or \nnot they are operating, and when they are not to look, and \nworking with the FSC to get them repaired. So this is on an on-\ngoing and continual basis, looking at all of our \ncountermeasures on a routine basis to ensure that they are \noperating efficiently and effectively.\n    Ms. Clarke. Would you say it is a cyclical type of regimen \nthat your inspectors are engaged in? Because I would imagine \nwhen you look at various facilities the landscape around those \nfacilities may change from time to time with infrastructure \nchanges, with----\n    General Patterson. Right. I mean, you know, we can--we--\nfrom time to time we will have different tenants who move in \nwho have different requirements, or they, like, as you just \nstated, ma'am, where there are facilities that may come up next \nto or where we have to assess whether or not--what that impact \nmight be on a bus station, let's say, moving in next to one of \nour facilities. So absolutely.\n    But that is a continuing process for us. We don't wait for \nthe assessment period to do that. If, in fact, we know that the \ncity is building--has new construction going up to one of our \nGSA facilities we engage immediately with GSA and the tenant to \nfind out what--and the city--to find out what is going up and \nwhat the impact might be, and what we may need to do to answer \nthe--to see if there is going to be an additional security \nstandard that we may have to set out as a result of that.\n    Ms. Clarke. Is there, baked into the MIST system, a way of \nkeeping track of that information?\n    General Patterson. I am sorry. Let me--is there going to be \na way----\n    Ms. Clarke. Yes, of, you know--over time you are going to \nmaybe have overlays----\n    General Patterson. Yes. Yes. Our MIST system, yes, as MIST \nis rolled out and as we are incorporating all that information, \nyes, ma'am, that all will be digitized into MIST so we can go \nback immediately and determine, you know, what systems are \nthere and then how we need to correct, or adjust, or whatever \nwe need to do to those systems, yes.\n    Ms. Clarke. Dr. Peerenboom, what capabilities, if any, \nwould a more permanent tool have over FPS's interim MIST tool?\n    Mr. Peerenboom. Well, as stated by Director Patterson and \nMr. Goldstein, MIST is not a risk tool. It focuses on \nvulnerabilities. But it was based on work done for the Office \nof Infrastructure Protection at DHS, the infrastructure survey \ntool. That provides a platform or basis by which one could \nexpand.\n    In fact, within I.P. they are looking at single assessment \nmethodologies to pull together tools and capabilities that \naddress risk in a holistic fashion to inform decisions about \nsecurity investments. The customers of Office of Infrastructure \nProtection are slightly different; they are the owners and \noperators. The IST tool that we developed and modified for FPS \nis applicable to all 18 critical infrastructures, so it has a \nbroader base.\n    But the subset of questions and things that apply to \nFederal facilities is what was done for MIST.\n    Ms. Clarke. What makes these capabilities necessary?\n    Mr. Peerenboom. The Office of Infrastructure Protection has \na mission to provide protection and risk analysis for critical \ninfrastructure, and so their sets of tools are designed to \nencompass that broad spectrum. The IST that we developed MIST \nfrom addresses part of the equation, and there are efforts \nunderway to expand that base within Office of Infrastructure \nProtection. It provides a point of leverage for FPS should they \ndecide to use that.\n    Ms. Clarke. So when the risk or the vulnerabilities seem to \nbe evolving, how do--how effective is the MIST tool, in terms \nof indicating for FPS what new measures need to be taken? Is it \ndynamic, in other words?\n    Mr. Peerenboom. Well, that is really--I should let Director \nPatterson speak to that issue, but MIST provides a basis for \nlooking at the vulnerabilities to the facility and the \ninspectors can add in their recommendations and their \nunderstanding of the consequences of protective measures that \nwould--not consequences, excuse me--the countermeasures that \nwould be applicable to that facility.\n    The MIST tool is partly compliant with the ISC standards \nbut it is not an ISC-compliant tool. But we certainly took that \ninto account, and over time, should FPS decide to do that, \ntechnically it is possible to address those standards.\n    Ms. Clarke. All right. Thank you.\n    Mr. Lungren. Mr. Walberg.\n    Mr. Walberg. Thank you, Mr. Chairman.\n    Drilling down in the same board again, Mr. Peerenboom, can \nMIST be developed to capture consequence? Is it capable?\n    Mr. Peerenboom. Technically the answer is yes.\n    Mr. Walberg. Go a little further on why you would say \ntechnically the answer is yes.\n    Mr. Peerenboom. Well, there are capabilities, as I \nindicated earlier, that are being developed within the Office \nof Infrastructure Protection, to enhance the capabilities of \nthe infrastructure survey tool that provides the basis that \nMIST was developed on, and we have the capabilities to \nincorporate elements of consequence, but that is a decision \nthat obviously is not ours. But technically it is feasible.\n    Mr. Walberg. It is feasible, but would you say it is not \nthe best tool?\n    Mr. Peerenboom. It depends on requirements. No, I didn't \nsay that.\n    Mr. Walberg. Okay. Okay. Thank you.\n    Mr. Patterson, I would applaud you and commend you for \nputting an emphasis on training in your tenure at FPS, and I \nagree that training is a key for your force's morale and \neffectiveness in the process.\n    Last summer you stated that you were looking at different \nways FPS may be able to deliver X-ray and magnetometer and \nweapons training. I understand there has been significant \ndialogue and outreach between FPS and the private sector, which \nmay be able to better deliver the training.\n    Could you enlighten us at this point in time on the on-\ngoing dialogue with industry to improve guard training?\n    General Patterson. Yes, sir. Well, first of all, one of the \nthings that I needed to do was hire a senior deputy director \nfor training to--who could focus in on this full-time and not \nbe a part-time duty. So I have done that. So now I have someone \nwho is looking across the board at all the training within FPS \nfull-time.\n    Now, as we look at training for our PSO force, we are \nactively working with NASCO, the National Association of \nSecurity Companies, to work with them and look at how we can \nproliferate training across 13,000 PSOs that support FPS and \nall of our Federal partners. It is a huge task, because when \nyou are talking about providing services in 50 States that all \nhave different, if you will, training requirements, okay, we \nhave to ensure that we are doing it in such a way that we are \ngetting the best bang for our buck.\n    One of the things in the National Weapons Detection \nProgram, in magnetometers and X-ray machines, that I knew that \nwe needed to do was to ensure that our inspectors were \nadequately trained, and we have done that--we are doing it. We \nare just about completed all of our training for our inspectors \nfor the magnetometers and X-ray machines----\n    Mr. Walberg. The additional 8 hours of training that you \nwere----\n    General Patterson. Yes.\n    Mr. Walberg [continuing]. Proposing?\n    General Patterson. That is going to be cascaded by our \ninspectors, by a team of our inspectors to the--to our PSO \nforce. Working with the--kind of in a deal where we do kind-of \na trained-to-trainer kind-of a thing as well so that we can \nalso work with our--within the contractor force, within the \ncontractor structure to, in such, certify our contractors so \nthat they can provide some of the training, as well.\n    Mr. Walberg. You feel that FPS is capable of delivering \nconsistent training across, as you say, the 50 States and the \nuniqueness of each of those?\n    General Patterson. Yes, sir. Absolutely.\n    Mr. Walberg. Mr. Goldstein, would you concur with that?\n    Mr. Goldstein. We remain concerned, sir, because the \nproblem that brought on the need for the additional training is \nnow more than 3 years old when GAO was able to bring bomb-\nmaking materials into 10 Federal facilities without anyone \nknowing and building those bombs. It has been 3 years, and the \ncontract guards who are there to prevent things like that from \nhappening haven't had that additional training in all of that \ntime.\n    I understand that the agency is resource-constrained, but \nit would seem to me that this would have been a matter of the \nhighest priority, sir.\n    Mr. Walberg. Within 3 years?\n    Mr. Goldstein. Yes, sir.\n    Mr. Walberg. Thank you.\n    Mr. Lungren. Thank you very much.\n    I thank all the Members for their participation.\n    I want to thank the witnesses for your valuable testimony. \nThe Members of the committee may have some additional questions \nfor our witnesses, and so we would ask you to respond to those \nin writing. The hearing record will be held open for 10 days, \nand this subcommittee stands adjourned.\n    [Whereupon, at 11:09 a.m., the subcommittee was adjourned.]\n\n\n                            A P P E N D I X\n\n                              ----------                              \n\n    Questions From Chairman Daniel E. Lungren for L. Eric Patterson\n    Question 1. In testimony before the House Committee on Homeland \nSecurity in November 2009, NPPD Under Secretary Rand Beers testified \nthat NPPD was conducting a workforce needs analysis for FPS, at the \nrequest of Secretary Napolitano, to ensure that FPS has ``the right \nresources and staffing levels to match the missions FPS currently \nhas.'' Under Secretary Beers further stated that when the results of \nthe study were complete, Congress would be notified.\n    What were the results of the analysis?\n    Answer. The Federal Protective Service (FPS) conducted a workforce \nneeds analysis between 2009 and 2010 and the results were used \ninternally within the Department of Homeland Security. The results were \na first step but did not fully meet the needs of the Service. FPS \ncurrently has a Federally Funded Research and Development Center on \ncontract to conduct an activities analysis to refresh the past \nassumptions and requirements so that FPS may evaluate staffing levels \nin future years. FPS will brief the committee on the completion of the \nupdated analysis.\n    Question 2a. While FPS is taking positive steps to improve the \nstandardization and consistency of FPS, there are still concerns that \nFPS operates differently from region to region and lacks consistent \nstandards.\n    Is consistency throughout the regions a concern of yours?\n    Question 2b. What steps are being taken to improve consistency of \nFPS from region to region?\n    Question 2c. Is headquarters assignment a prerequisite for \npromotion at FPS, and if not, do you think that would improve \nstandardization and consistency of FPS policies?\n    Answer. The Federal Protective Service (FPS) is performing an \nactivities analysis to understand and document where it should \nintroduce or modify policies to increase operational effectiveness and \nreduce risk. Several variables, including geography, law, threat, and a \nspecific customer, could warrant differences in operational activities \nacross regions. Through FPS's current detailed review of functions and \nactivities, it is identifying commonalities and best practices to \ninform uniform National policies where it makes sense to do so. FPS \nwould be pleased to provide a detailed briefing on this effort and \nhighlight policy and process improvements that are being implemented \nNation-wide.\n    In addition, FPS has taken steps to realign its workforce to \neffectively map personnel resources to program functions. The result of \nthis effort was the creation of an Area Management Concept, which \ncompartmentalizes reporting for 11 regional-level offices into three \nField Operations. Each Field Operation, led by a Senior Executive \nService-level Assistant Director, provides oversight for multiple \nregional offices to help ensure standardization and consistency across \nthe service. This area concept is a geographic-based structure that \nstreamlines operational reporting through consolidation of information \nchannels.\n    An assignment to headquarters is not a prerequisite for promotion \nat FPS. The creation of the Area Management Concept, led by three \nSenior Executive Service-level and field-based Assistant Directors, is \nproviding standardization and consistency across the service.\n  Questions From Ranking Member Yvette D. Clarke for L. Eric Patterson\n    Question 1. According to GAO, FPS spent $795 million on its \ncontract guards in fiscal year 2011 which represented 90% of the \nagency's procurement budget. How much is FPS obligated to spend on its \ncontract guards in fiscal year 2012, and what are the projected \nexpenditures for fiscal year 2013?\n    Answer. The Federal Protective Service (FPS) obligated $755.6 \nmillion on its guard contracts in fiscal year 2011, which represented \napproximately 91 percent of its total contract obligations. FPS \nprojects that it will obligate approximately $764.6 million in this \nprogram in fiscal year 2012. This projection is based on the known \nfiscal year 2012 obligations to date ($750.9 million as of August, 10, \n2012), plus additional expected obligations through September 30, 2012, \ntotaling $13.7 million for recurring guard services and pending \nmodifications and/or equitable adjustments under existing contracts. \nFPS projects that it will obligate approximately $784.4 million in \nfiscal year 2013. This projection is based on the estimated escalation \nof the fiscal year 2012 obligation by 2.6 percent, which accounts for \nestimated inflationary factors such as Service Contract Act wage \nadjustments. However, FPS may obligate additional amounts in fiscal \nyear 2013 as necessary to account for emerging requirements for \nexisting and new customers and any changes that may arise concerning \nguard requirements.\n    Question 2. Why is it that as of June 2012, a total of $652,000 was \nspent on MIST, which appears to be useful so far, while RAMP has \nyielded no tangible results after four years and $35 million or more in \nexpenditures?\n    Answer. The Risk Assessment and Management Program (RAMP) \nexperienced significant programmatic and technical issues, primarily \nrelated to insufficient user involvement in the requirements definition \nand testing of the application, as well as the lack of an approved \nprogram baseline to control and measure program progress.\n    The efforts to develop and field the Modified Infrastructure Survey \nTool (MIST) have been more successful because the program benefited \nfrom leveraging an existing software application already in service \nwith the Office of Infrastructure Protection. MIST and its development \naddressed the shortcomings experienced within RAMP by instituting \nprogram management best practices to provide adequate controls on the \ndevelopment effort, and ensuring user involvement in the development \nand testing of MIST.\n    Question 3. Given that FPS had a June 2012 deadline to decide what \nto do with the data remaining within RAMP, what decision has been made? \nIf a decision has yet to be made, what are the next steps?\n    Answer. The June 2012 deadline was tied to the expiration of the \nsustainment support contract for the legacy Risk Assessment and \nManagement Program (RAMP) application. The expiration of that contract \ndoes not equate to a loss of data, as the Government owns the rights to \nthe software and RAMP is currently installed within the Department of \nHomeland Security (DHS) Data Center 1 production environment.\n    The Federal Protective Service (FPS) has examined the data within \nRAMP and identified three major data sets that needed to be retained: \nThe RAMP repository, which is a library of historical assessments and \npolicy documents; Protective Security Officer (contract guard) \ncontracting information; and guard post inspection reports. Data from \nall other modules within RAMP is either resident elsewhere within FPS \nor lacks value due to problems with RAMP functionality.\n    FPS has decommissioned RAMP as of July 12, 2012. With user access \nno longer available, the final data set was copied to FPS servers to \nensure retention of the data. FPS will continue to work to dispose of \nthe RAMP application during the fourth quarter of fiscal year 2012 and \nremove the application and all data from the DHS Data Center 1.\n  Questions From Ranking Member Yvette D. Clarke for Mark L. Goldstein\n    Question 1. How will the security of Federal facilities be affected \nif FPS inspectors and law enforcement security officers are not \nadequately trained to use MIST?\n    Answer. The protection of Federal facilities may be significantly \nhampered if FPS's law enforcement security officers do not receive \ntraining on the Modified Infrastructure Survey Tool (MIST). As we \nreported in August 2012, FPS is not assessing risk at Federal \nfacilities but plans to resume assessing Federal facilities \nvulnerabilities with MIST. However, if FPS's law enforcement security \nofficers do not receive MIST training and no other alternative \nassessment tool is used, the backlog of facilities not assessed will \nincrease significantly. According to FPS data, more than 5,000 \nfacilities were to be assessed in fiscal years 2010 through 2012.\n    Question 2. What tools or options would be available to FPS in the \nevent that MIST training is not completed?\n    Answer. FPS may be able to use other tools if it cannot use MIST to \nassess Federal facilities. For example, one tool is the Federal \nSecurity Risk Manager (FSRM), which FPS used from 2000 to 2009. \nHowever, FPS has experienced problems using FSRM. Another potential \ntool is the Integrated Rapid Visual Screening developed by DHS's \nScience and Technology Directorate (S&T). The IRVS is a risk assessment \ntool that assesses risk using threat, vulnerability, and consequence. \nAccording to an S&T official, the IRVS is available to FPS at no cost.\n    Question 3. Will the implementation of MIST and other FPS \nactivities allow for enhanced compliance with the Interagency Security \nCommittee standards?\n    Answer. FPS has taken some steps to better align MIST with the \nInteragency Security Committee (ISC) standards. For example, MIST uses \nthe ISC recommended countermeasures for defined threat scenarios for \neach facility security level.\n Questions From Ranking Member Yvette D. Clarke for James P. Peerenboom\n    Question 1. What are the costs associated with developing and \nimplementing MIST as the interim replacement for RAMP?\n    Answer. Argonne developed the Modified Infrastructure Survey Tool \n(MIST) under an existing Interagency Agreement (IAA) with the U.S. \nDepartment of Homeland Security National Protection and Programs \nDirectorate's Office of Infrastructure Protection (NPPD/IP). Similar \nmethodologies and technologies developed by Argonne for NPPD/IP, such \nas the Infrastructure Survey Tool (IST), were leveraged to reduce MIST \ndevelopment time, cost, and risk. A total of $850,000 was committed \nunder the IAA to build on the foundation established for the IST to \ndevelop, test, and deliver MIST Release 1.0. More than half of the \nfunds were used for hardware and software to establish a web portal, \ncalled the FPS Gateway, that allows for sharing of information products \nand knowledge in real time. The FPS Gateway leverages the architecture \nand hardware/software technology of the Linking Encrypted Network \nSystem (LENS), a similar platform that Argonne also developed for NPPD/\nIP. Work on the project was initiated on October 3, 2011. Argonne \ndelivered MIST Release 1.0 and the FPS Gateway to FPS on March 30, \n2012.\n    Question 2. Are there any features within RAMP that can be adapted \nfor use with MIST?\n    Answer. Argonne was not tasked to evaluate RAMP and its features.\n    Question 3. What are the projected costs and time table for the \ncompletion of MIST?\n    Answer. The scope of work for MIST development was completed, and \nMIST Release 1.0 and the FPS Gateway were delivered to FPS, on March \n30, 2012. The products were delivered on time and within the defined \nbudget. Future enhancements to MIST, if any, and Argonne's potential \nrole in completing such enhancements are unknown.\n    Question 4. Do you anticipate any cost overruns with regard to \nMIST?\n    Answer. No cost overruns were associated with Argonne's development \nand delivery of MIST Release 1.0 and the FPS Gateway.\n\n                                 <all>\n\x1a\n</pre></body></html>\n"