FAA facilities have not completed security risk assessments

Share this article: FacebooktwitterlinkedinFacebooktwitterlinkedin

FAA Headquarters

 Rep Gowdy asks GAO to assess risks of Federal Agencies

  FAA does not get good grades 

One of  the joys of being a large federal agency with a high profile mission is that the various oversight bodies ( DOT OIG, House Oversight & Investigation Committee, GAO and others) lead to more than your share of critical reports. Among this universe of omniscient authorities, the GAO tends to be more reasonable in its analysis.

OIG, O&R, GAO

Is Your Office Secure? Not Necessarily If You Work at These 4 Agencies
Rep. Gowdy

Rep. Trey Gowdy, R-S.C., chairman of the House Oversight and Government Reform Committee, asked the GAO to assess facility vulnerability standards based on risk criteria for such threats as shootings, arson, vandalism and explosions. The preface to its report highlighted the following comment/justification:

faa-regional-hq-in-des-moines“Several incidents—such as armed citizens taking over a federal wildlife refuge in Oregon for about 40 days in 2016; the active shooter incident at the Washington FAA ZOANavy Yard in Washington, D.C., in 2013 that resulted in several deaths; and the fatal shooting at the Anderson Federal Building in Long Beach, California, in 2012—demonstrate that government facilities and their employees continue to be targets of potential harm.”

The author concluded that four agencies failed to fully align their countermeasures with the risk assessments and standards set by the Homeland Security Department-chaired Interagency Security Committee. One of the deficient agencies was the FAA.

“[It} used methodologies that included some [Interagency Security Committee] requirements when conducting assessments…[It}]“improved ..[its] methodologies to better align with the ISC Standard, but the ,,[FAA] had not yet incorporated the methodologies into …[its]policies and procedures. Without updated policies and procedures requiring a methodology that adheres to the ISC Standard… agencies may not collect the information needed to assess risk and determine priorities for improved security,” the report said.

The lapses varied by agency. For example, … the FAA assessed vulnerabilities but not threats and consequences…

The omissions often occurred “because of competing priorities and resource constraints,” the audit said, noting that some lacked a timeline with milestones and a place to centralize data. “We also found that agencies reported facing challenges in monitoring their physical security programs because their policies did not specify data collection or monitoring requirements, as required by Standards for Internal Control.”

As remedies, GAO recommended some general and some agency-specific steps. For example, the …FAA should update policies to require the use of methodologies fully aligned with the ISC Standard, it said..”

Clearly not the “sky is falling” level of fault, but with the example of the attack on the Aurora Center, this is not just a theoretical exercise. The FAA owns and operates so many facilities over six time zones. Many are occupied by people, a very vulnerable target, but most of those office buildings are located where local police and first responders add to the layers of security.

3 FAA buildings in cities

There are many, many FAA equipment stations, which are located in remote locations, without significant surveillance and with high mission significance. There have been incidents in which innocent “fun” knocked out the function of these critical instruments. designing an ICS standard protection strategy may not be as easy to define.

Those, who regularly visit the Orville or Wilbur Wright buildings, a Regional Office, a FSDO or whatever, should be aware of the GAO found deficiencies and as DHS reminds us “if you see something, say something”.

 

Share this article: FacebooktwitterlinkedinFacebooktwitterlinkedin

Be the first to comment on "FAA facilities have not completed security risk assessments"

Leave a comment

Your email address will not be published.