After the 1995 Oklahoma City bombing, the government realized it had a problem. There were no minimum security standards or an inspection regime for the thousands of federal facilities sprawled across the country. So it developed a plan, accelerated after 9/11, to test federal buildings and other sites for potential vulnerabilities. To carry out the tests, the government deployed a web-enabled software program that cost millions and failed to work. Now the program’s replacement may be even worse.
According to a report from the Government Accountability Office, the Department of Homeland Security’s police and security agency is preparing to adopt a new software tool for inspections, but one that can’t accurately measure security risks. The Federal Protective Service (FPS) also doesn’t know the extent of its inspection backlog because its data is unreliable. There are federal facilities that seemingly haven’t been inspected in years. The FPS “continues to face challenges in overseeing its approximately 12,500 contract guards,” according to the report (.pdf). And before the agency adopts the new tool, it’s using a temporary program that can hardly inspect at all.
The new tool is called the Modified Infrastructure Survey Tool, or Mist. Inspectors are currently being trained with the software, which guides inspectors through tests designed to expose security risks while examining federal buildings. A test could be as simple as checking the windows. If the windows are not made of blast-resistant glass designed to lessen the impact of an improvised explosive device, Mist takes note of it and provides recommendations. After running through a series of similar tests, inspectors upload the test data over the web into a centralized database. The FPS hopes to begin using it in actual inspections by September, after developing it at a cost of $5 million.
Mist seems to work well enough on a single building. But according to the report, Mist has a major vulnerability: It isn’t designed to compare security risks between federal facilities.
Instead, all facilities within the same security level (there are four levels, corresponding to size and number of employees) “are assumed to have the same security risk, regardless of their location.” Mist might notice the windows, but will see a vulnerable federal building in Washington as no more vulnerable than a remote facility of comparable size somewhere out in the boonies. This, according to the report, “provides limited assurance that the most critical risks at federal facilities across the country are being prioritized and mitigated.”
Mist also doesn’t factor the potential consequences of an “adverse event” like a terrorist attack. Without factoring consequences, the report says, the agency cannot effectively figure out the security risks. Or, rather, what to do about them. Mist may be able to determine some potential vulnerabilities, but without analyzing what might happen if those vulnerabilities are exploited in an attack, tenants “may not be able to make fully informed decisions” about where to put their resources.
It’s not intended to be permanent, though. Mist is actually an interim tool after the government’s previous tool also failed to work.
The failed system, called the Risk Assessment and Management Program (or Ramp), was supposed to be simple — albeit with an inflated $35 million price tag over the $21 million originally planned. Like Mist, Ramp was designed to be the primary software used to test federal buildings for vulnerabilities. List Mist, it also guided inspectors through the a series of tests before uploading the results into a database. But Ramp was, erm, unreliable.
Recorded inspections of guard posts “disappeared” from Ramp’s database “without explanation.” The software couldn’t connect to Ramp’s servers when operated in remote areas. Inspectors had no way of verifying if training and certification information from contractors was legit. At least one guard post, the report notes, duplicated paperwork for previous tests in order to spoof inspectors. The agency dumped Ramp last month. In the meantime, the FPS is using another interim system before it adopts Mist. You heard that correctly. The FPS is using an interim system before it adopts another interim system. And this one does zippo.
Currently, the interim system “will not allow FPS to generate post inspection reports, and does not include a way for FPS inspectors to check guard training and certification data during a post inspection,” according to the report. Thus, “it is now more difficult for FPS to verify that guards on post are trained and certified and that inspectors are conducting guard post inspections as required.” This follows security lapses including a bag of explosives mistakenly placed in the lost and found at a federal building in Detroit, 22 guns stolen from a federal building in Atlanta by a contract guard and a dead body discovered at a facility in Kansas City months after the person died.
Mist seems to fix the problems of inspecting contractors, which is an improvement. It’s certainly better than the stop-gap that stop nothing. But if it can’t prioritize where risks should be reduced, then it’s no better — possibly worse — than Ramp. But what this really means is that nearly 11 years after 9/11, and more than 17 years after the Oklahoma City bombing, the federal government still can’t figure out how to protect its buildings.