An Office of Inspector General (OIG) report has found room for improvement in protecting commercial facilities against terrorist attacks.
Within the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) is primarily responsible for working with components and partners to defend against current threats to the commercial facilities sector and build a more secure and resilient infrastructure.
Many commercial facilities are “soft targets and crowded places” that may be vulnerable to terrorist attacks or physical threats. The shootings at Pulse, an Orlando nightclub, in June 2016 (loss of 50 lives) and at a Las Vegas concert in October 2017 (loss of 59 lives) are examples of attacks within the commercial facilities sector.
OIG’s review found CISA does not effectively coordinate and share best practices to enhance security across the commercial facilities sector. Specifically, “CISA does not coordinate within DHS on security assessments to prevent potential overlap, does not always ensure completion of required After Action Reports (AARs) to share best practices with the commercial facilities sector, and does not adequately inform all commercial facility owners and operators of available DHS resources”.
CISA’s Protective Security Advisors (PSAs) learn of best practices through site visits, surveys, and other interactions with stakeholders. However, OIG found CISA’s PSAs did not always share best practices related to outreach activities with each other. Six of the 11 PSAs interviewed by OIG said there was no formal platform to share best practices with other PSAs. Although CISA personnel said they hold bi-monthly PSA calls to share best practices, OIG’s review of documentation supporting four bi-monthly calls in FY 2019 showed the calls included no such agenda items. Instead, these meetings focused on management changes to the program, operational updates, and administrative communications.
PSAs also did not always share best practices for the commercial facilities sector after special events. PSAs are required to complete AARs after special events such as the Super Bowl or the Boston Marathon. When completed and disseminated, AARs are a critical tool the PSAs use to identify vulnerabilities and share best practices and lessons learned to improve security at future special events. For example, AARs that OIG reviewed included best practices such as assigning PSAs to be on-site, having additional PSAs to appropriately cover large and geographically separated venues, and ensuring PSAs had access to systems for situational awareness and communication with other event stakeholders. OIG determined that PSAs did not complete AARs for 14 of 19 (74 percent) special events sampled from FY 2016 through FY 2019.
OIG says these shortcomings arise because CISA does not have comprehensive policies and procedures to support its role as the commercial facilities’ Sector-Specific Agency (SSA).
The review also found that CISA may be missing opportunities to help commercial facility owners and operators identify threats and mitigate risks, leaving the commercial facilities sector vulnerable to terrorist attacks and physical threats that may cause serious damage and loss of life. Three of the 21 stakeholders OIG interviewed said that although they knew about the local PSA, they were unaware of the DHS services available to them. In particular, one of these three stakeholders reported paying $5,000 to contract for a site assessment, which a PSA could have performed free of charge.
OIG reports that CISA also did not develop procedures for updating sector resources with relevant threat information. According to the Commercial Facilities Sector-Specific Plan, CISA must ensure the sector has access to timely, actionable, and threat-specific information and analysis. However, OIG found that the plan does not include a process or specific timeframes for updating these critical tools and resources. It only includes a requirement to update the Commercial Facilities Sector-Specific Plan every four years.
The report sets out three recommendations, all of which CISA has agreed with:
- Work with the Acting Secretary, Department of Homeland Security, to develop comprehensive policies and procedures to support its role as the commercial facilities’ Sector-Specific Agency. Specifically: provide convening authority and clear expectations to ensure the agency can fulfill its responsibility as the designated Sector-Specific Agency; develop methods to share best practices; ensure effective coordination across the Department’s components and update all critical resource documents—including the Private Sector Resource Catalog—as required; and develop procedures to ensure comprehensive analysis of data.
- Develop and implement a process to oversee completion of required report reviews, including After Action Reports for supporting special events.
- Develop policy and a process to review and update the site security survey methodology and tool annually.
CISA aims to complete work to meet the first and third recommendations by December 31, 2020, although rather than updating the site survey annually, it intends to update it every other year. In response to the second recommendation, CISA will establish an after-action program to consistently assess its special event security support. Each AAR will include an overview of CISA’s support for an event as well as recommendations for enhancing capabilities to better support special event organizers. The estimated completion date for this work is January 29, 2021.