What GAO Found
Federal entities on the National Mall are assessing the physical security risks to their respective U.S. assets. In doing so, they are demonstrating that they are taking a risk management approach to meet the demands of a complex security environment, specifically:
-
To assess the risks to the icons—the Washington Monument and the Jefferson and Lincoln Memorials—the Department of the Interior (Interior) follows a departmental policy that reflects government-wide homeland security objectives for critical infrastructure. Among other things, Interior's policy establishes minimum security requirements for safeguarding critical infrastructure such as the icons.
-
To assess the risks to the museums and galleries on the National Mall, the Smithsonian Institution (Smithsonian) and the National Gallery of Art (National Gallery) voluntarily follow government-wide standards set forth by the Interagency Security Committee (ISC)—an interagency organization chaired by the Department of Homeland Security (DHS). These standards are designed to minimize risk to federal facilities and help nonmilitary federal entities meet recommended levels of protection. Interior's, the Smithsonian's, and the National Gallery's adherence to these policies and standards, and the related steps that the entities follow, shows the considerable extent to which these entities use risk assessments as an analytical tool in their physical security programs. Nonetheless, the threat to federal facilities is significant, and ISC standards require the documentation of risk management decisions—such as decisions to defer actions to mitigate risk due to cost or other factors. Documenting risk management decisions is also a necessary part of an effective internal-control system and important in order to retain institutional knowledge and inform decision-making. GAO found that the National Gallery, which follows ISC standards voluntarily, lacked such documentation.
Interior, the Smithsonian, and the National Gallery collect information on various aspects of the performance of their physical security programs and are making efforts to use goals, measures, and testing to assess the performance of their physical security programs; however, each could benefit from taking additional steps. ISC and GAO have reported that it is necessary to establish goals and link performance measures to those goals to assess progress. While Interior, the Smithsonian, and the National Gallery intend to link performance measures to goals, they have not done so yet or established firm time frames for completing these efforts. Ensuring that plans include both goals and performance measures linked to those goals, as well as developing timelines for completion, could help these entities develop a more strategic view of their physical security programs and better position them to prioritize their needs. These entities also test aspects of their physical security programs, such as to ensure that security systems are operational and that guards are attending to their duties. While the entities have reached out to others to improve their overall programs, they did not focus on testing as part of that outreach. Seeking input from others with expertise is consistent with key practices GAO has identified for physical security and could help these entities target where their testing efforts need improvement.
Why GAO Did This Study
The National Mall is one of the most recognizable landscapes in the United States. It is home to memorials to our nation's history and some of the most visited museums in the world. Threats to these assets—whether acts of terrorism, violence, or vandalism or theft of artifacts or art—could result not only in the loss of life but also the loss of iconic monuments or irreplaceable items from the Smithsonian's or National Gallery's collections.
GAO was asked to review the steps Interior, the Smithsonian, and the National Gallery are taking to protect U.S. assets, employees, and the visiting public. This report examines: (1) the extent to which these entities assess physical security risks and (2) the extent to which the entities use goals, measures, and testing to assess their physical security programs. This is a public version of a sensitive report that GAO issued in May 2017.
GAO reviewed applicable federal requirements; Interior-, Smithsonian-, and National Gallery-specific policies and related documents; and interviewed officials.
What GAO Recommends
In the sensitive report, GAO recommended that (1) the National Gallery document its risk management decisions and that (2) Interior, the Smithsonian, and the National Gallery link performance measures with security goals and seek input to enhance their testing programs. Interior, the Smithsonian, and the National Gallery agreed with GAO's recommendations and indicated they will begin taking steps to address them.
For more information, contact Lori Rectanus at (202) 512-2834 or RectanusL@gao.gov.
