GAO, FPS disagree over ability to assess federal building risk
Wednesday - 7/25/2012, 5:51am EDT
The Federal Protective Service and the Government Accountability Office are at odds over a new software tool to protect federal buildings.
FPS is replacing the failed Risk Assessment and Management Program (RAMP) with an interim technology, the Modified Infrastructure Survey Tool (MIST).
Agency director David Patterson told a House Homeland Security Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee hearing Tuesday that he's aware of MIST's shortcomings in incorporating the consequences of security incidents into the process agencies use to assess requirements for protecting their facilities.
New technology needed
The eventual solution is to develop a tool that incorporates consequence analysis into its risk assessment, Patterson said. But no such technology currently exists, so it would be impossible to give the committee more specifics on what the final solution could be, he said.
"I'm not debating that we can't. I'm just saying I haven't found a way to do that today," he said. "My work to this point, our research to this point, has taken us through vulnerability and threat. But incorporating the consequence piece, as we would have it within the federal sector, is very different than [how] you incorporate consequence … in the private sector."
But without that critical feature, FPS cannot adequately address building vulnerabilities, said Mark Goldstein, director of physical infrastructure issues at the Government Accountability Office.
"I don't think [MIST] provides agencies and their clients the kind of information they need to make robust decisions about which countermeasures they're going to adopt and which they aren't," Goldstein said. "You can't have a robust program without consequence information, because what you're doing is essentially telling people that you've set the dinner table without telling them what the food is going to be."
Despite GAO's findings, Patterson said the FPS makes up for what the tool lacks through agency procedures.
FPS can fill in the gaps and adequately assess vulnerability, risk and consequence at federal facilities, he told the committee.
"The tool isn't compliant, but our process is compliant. The tool is no more than a product that we provide to our customer," he said. "We discuss each one of those elements at the outbrief when we have completed an assessment. Now, that MIST product will not cover all three, but that doesn't mean that we haven't covered that with our customers."
Consequence analysis is key
Committee Chairman Rep. Dan Lungren (R-Calif.) said consequence analysis is key to assessing risk at federal facilities. But "nonetheless, I do consider MIST development a step in the right direction for an agency that has taken a series of steps in the wrong direction over the last decade," he said.
FPS developed MIST as a temporary solution to replace its failed RAMP, which agency leaders launched in 2008. The agency spent $35 million developing RAMP but abandoned it in June after determining the system was ineffective for conducting security assessments.
Agency leaders hope MIST will help clean up the agency's spotty past in protecting federal facilities. In 2009, GAO investigators smuggled bomb parts into a federal building, assembled them in the restroom and walked around the facility undetected. And in 2011, the agency failed to detect explosives that went unnoticed for three weeks in a Detroit building's lost and found area.
"FPS has always stated that MIST is intended to serve as an interim tool until a longer-term solution is developed. However, FPS has never stated what the longer-term solution will be," Lungren said.
Goldstein said GAO hasn't looked into Patterson's claim specifically, but that GAO did recently begin looking at assessment tools across the federal government and will report its findings to the committee in the near future.
Keith BieryGolick is an intern at Federal News Radio