Government Through the CracksGP0|#21788f65-8908-49e8-9957-45375db8bd4f;L0|#021788f65-8908-49e8-9957-45375db8bd4f|National Security;GTSet|#8accba12-4830-47cd-9299-2b34a43444652017-11-01T04:00:00Z, Lilly Chapa<p>​Federal, state, and local law enforcement agencies will soon have their pick of surplus U.S. military gear, including grenade launchers and high-caliber weapons, after U.S. President Donald Trump rolled back an Obama-era action curtailing the transfer of military equipment to police.</p><p>The U.S. Department of Defense (DoD) Law Enforcement Support Office (LESO) program was reined in by then President Obama in 2015 after a spate of killings by police sparked public outrage. </p><p>Law enforcement agencies could still acquire medical supplies, training devices, protective gear, and some lethal weapons through the reduced LESO program, but the full range of excess military equipment was unavailable.</p><p>The program has been fully reinstated. Concerns about the program’s ability to properly disseminate the military equipment were raised even before Trump expanded the policy. While investigating the LESO program, a congressional watchdog agency stumbled upon an “ineligible entity” that had categorized itself as a federal agency and successfully gained access to military equipment. The U.S. Government Accountability Office (GAO) notified DoD and learned that the case was already being investigated. </p><p>But at one point the entity had been approved to use the LESO program. So in late 2016, GAO decided to figure out how this happened by creating its own fraudulent federal agency and applying to the LESO program. The investigation ended up going much further than researchers initially expected.</p><p>“We noticed that one of the participants in the program had a somewhat unusual name, and we weren’t aware of a federal agency having that particular name,” explains Zina Merritt, director of GAO’s Defense Capabilities and Management Team. “We kept looking at the processes through which DoD provided this equipment to federal agencies, and we decided that it would be appropriate to task the internal controls through using our investigative capabilities to see how vulnerable the program potentially was.”</p><p>The Defense Logistics Agency (DLA) manages the LESO program, which has provided more than $6 billion in excess DoD property to more than 8,600 agencies since 1991. While GAO was investigating the program, before Trump expanded access to equipment, about 4 to 7 percent of the property was sensitive and could not be released to the public. GAO has studied the LESO program before, and upon the most recent review found that most policy enhancements had occurred at the state and local level; few had been made in regard to federal agencies.</p><p>GAO researchers submitted a fake application that included a fictitious agency name, number of employees, point of contact, and physical location. They were surprised when, in early 2017, the nonexistent agency was approved to participate in the LESO program. </p><p>“We thought they would have noticed that our Web address was not a .gov address,” Merritt says. “We thought they would probably call us and verify some of the information, and they did not—correspondence was mostly by email. They asked us for the statute that created our particular organization, and we sent them a bogus statute, but they didn’t catch that. We left them a lot of bread crumbs but we didn’t get caught, and we thought we would get caught along the way—we were hoping that we would get caught.”</p><p>The investigators were given access to the program’s online portal to request property and selected more than 100 items, including night vision goggles, simulated rifles, and pipe bomb trainers—items that could be made lethal if modified with commercially available items. </p><p>When researchers went to pick up the items from a disposition site, they were able to pass security checks and enter the warehouse—two of the three sites did not check the investigator’s identification. They also were given more items than they were approved to receive.</p><p>When Merritt and her team disclosed their investigation, she says DLA officials were surprised by the results. </p><p>“Not only could we gain access to the program, but, we identified other weaknesses at the disposition sites, such as people not checking IDs or people not counting the items we were provided,” she says. “You have to keep in mind that we could have gotten other items such as actual rifles, Humvees, and things like that—we just opted not to get those things. But once approved, you can get lethal items as well.”</p><p>Merritt notes that in the midst of the GAO investigation, however, DLA officials had already begun to strengthen the LESO application process. </p><p>“They were creating memorandums of understanding with the federal agencies applying; that’s something they didn’t have prior,” Merritt tells Security Management. “However, they just had not gone a step further to actually have federal coordinators for the federal participating agencies. That’s a step they did after we completed the review.”</p><p>Following the GAO report’s release in July, Merritt testified before a U.S. House of Representatives subcommittee about the findings and further recommendations, including revising procedures for approving applications, conducting a fraud risk assessment to mitigate risk, and ensuring that officials verify the identification of people picking up items as well as the number of items retrieved. Merritt has seen other improvements to the program already, including in-person visits to LESO-involved agencies and making sure applicants are eligible to take part in the program.</p><p>“I think now, at least with the process of applications, they are ensuring they’re legitimate agencies—that’s where the principal breakdown was,” Merritt explains. “The first step was at least having better oversight and processes to prevent entities that were not eligible to participate to gain access in the first place.”</p><p>The flow of military equipment isn’t just a problem in the United States. DoD runs another program that provides military equipment to Iraqi security forces, including the Kurdistan Regional Government forces, to fight ISIS. </p><p>Since 2015, about $2 billion in equipment, such as weapons and vehicles, was funded through the Iraq Train and Equip Fund (ITEF), sent overseas, and transferred to the governments. However, another GAO report found that the transfer of equipment has not been properly documented due to data reporting and interoperability issues.</p><p>The report, DoD Needs to Improve Visibility and Accountability Over Equipment Provided to Iraq’s Security Forces, looks at how DoD tracks the status of the equipment from acquisition through transfer to foreign governments. </p><p>Jessica Farb, director of internal affairs and trade at GAO, tells Security Management that personnel were not properly using the Security Cooperation Information Portal (SCIP), a Web-based tool that tracks the equipment flow.</p><p>“What we found was that by not using the SCIP, which is not just for Iraq but all cooperation matériel that we provide to partnered nations, DoD broadly could not have complete visibility and be able to account for everything that was going on because the system had missing information,” Farb says. </p><p>Of the 566 requisitions marked complete that GAO studied, fewer than half had the arrival date of the equipment at the point of departure in the United States recorded, and none had information on when the equipment was shipped from the United States, when it arrived in Kuwait or Iraq, or when it was transferred to the foreign governments. </p><p>Additionally, the report found missing documentation from equipment transfers to Iraq and Kurdistan governments—more than half of the forms were missing the date of transfer and case identifier information. Officials said they issued verbal orders requiring case identifier information to be included on the forms, but GAO noted that the program’s standard operating procedures do not include that requirement.</p><p>“By not capturing the transfer dates of ITEF-funded equipment..., DoD components’ visibility over the amount of ITEF-funded equipment transferred to the government of Iraq is limited,” the report explains. The missing transit information means that DoD cannot ensure that the equipment has reached its intended destination.</p><p>GAO didn’t issue any recommendations because it could not pin down why SCIP was not being used to document the transfer of equipment. The system itself may not be importing data correctly from other DoD data systems, but there is also a lack of clear procedures for reporting the data, the report notes. </p><p>“Essentially, that’s why we made a recommendation about DoD looking at the root causes, because it wasn’t easy for them or for us to identify what the single cause was,” Farb explains. “Was it people not entering information, or was it interoperability issues? We didn’t really come to the conclusion that one is the biggest or the single most important issue.”</p><p>Greg Schneider, CPP, president of security consultation company Battle Tested Solutions, LLC, says both reports demonstrate the lack of control measures in such military equipment supply chains. Transferring American-made weapons to foreign governments has been a quagmire for many decades, he says, because of how easily they can fall into the wrong hands.</p><p>“Sometimes weapons that are funded for one cause can get retasked and repurposed, or sometimes go missing, because sometimes no one wants to leave any traces if they want to get arms into the hands of other people,” Schneider notes. “In Iraq and Kurdistan, there are so many different parties at play, and you have other parties on the outside that are watching with great interest the whole process of the United States delivering weapons to the Kurds because maybe they don’t like the Kurds.” </p><p>Meanwhile, Farb says GAO will continue to help DoD figure out why transfer dates for ITEF-funded equipment aren’t being recorded. Current ITEF funding ends next fall, and Farb notes that the new administration has set up a program that would both equip and train Iraq and Syria to oppose adversaries. </p><p>As for the LESO program, Merritt says GAO does not take a position on the recent change in policy, but reaffirms that as long as the program continues, the agency will be paying close attention to DOD’s efforts to rectify the lapses in security. </p><p>“The way we view it is one item of this type getting into the wrong hands is one item too many,” she says. “We just can’t emphasize that enough.” </p><p>​ASIS International's <a href="" target="_blank">Supply Chain Risk Management Standard ​</a>helps organizations address operational risks in their supply chains, including risks to tangible and intangible assets, developed by a global, cross-disciplinary technical team and in partnership with the Supply Chain Security Council.  ​</p>

Government Through the Cracks 2017 Industry News: Supporting the Troops Evacuations 2017 Industry News Next Tase Phase Vote for Biometrics the Public Interest Head Start on Insider Threats Lessons of Flint News October 2015 Military Heroes to Security Assets Navy Yard On Lockdown After Reports of Shooter Tries to Cage Corruption Lab Safety New Point of View Lab Manual States Charges China in First Criminal Cyber Espionage Case National Infrastructure Protection Plan Released Are Security Clearances Necessary? Really Needs A Security Clearance?

 You May Also Like... Review: Insider Threat<p><em>Insider Threat: Prevention, Detection, Mitigation, and Deterrence. </em>​ Butterworth-Heinemann;; 252 pages; $49.95.​<br></p><p>​Organizations face an increasing number of risks in today's uncertain and complex world. Security has become even more challenging with the digital transformation of the business environment. These challenges are not limited to external threats, so it is equally important to manage and mitigate threats within the organization.</p><p><em>Insider Threat: Prevention, Detection, Mitigation, and Deterrence </em>aims to provide a people-centric and technology-enabled approach for creating a program to identify and mitigate the risk of insider threats. Author Michael G. Gelles sets the stage with a clear conceptualization of the insider threat, the motivations underlying the behavior, the challenges for maturing a program, and the changing nature of the phenomenon over time. </p><p>Each of the 15 chapters, with contributions by various specialists, provides insights and strategies on key segments for building a holistic and risk-based program. Topical contributions relate to data analytics, information security, cyber and supply chain risks, just to name a few. The reader will find information on risk tolerance as well as the use of potential risk indicators. In addition, attention is given to governance, ownership, and stakeholder management.</p><p>Overall, the book is well structured and well written. The visuals throughout the book and key takeaways at the end of each chapter are practical and insightful. The manuscript taps into developments in regulatory requirements, offers advice for developing resilience against insider threats; and builds upon the wide experience, practices, and solutions of multiple well-qualified contributors.</p><p><em>Insider Threat</em> is of great value to the professional who manages or aspires to manage the prevention, detection, response, and deterrence of insider threats.</p><p><em><strong>Reviewer: Rachid Kerkab</strong> has almost two decades of experience in criminology, security, risk, and resilience. He is a member of ASIS.</em></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Performance Trends<p>​</p><div>On December 24, 2003, a woman broke into an exhibit case in Kentucky’s Owensboro Medical Health System and stole a case of 50 antique glass eyes. The theft was an unwelcome Christmas present that could’ve been a black eye for the hospital, but fortunately, the security team had the right detection measures in place. The woman, who had the unlikely but appropriate name of Wink, was recorded stealing the goods by the hospital’s CCTV cameras and was quickly caught.</div><div><br> </div><div>Apprehensions are one mark of the security department’s effectiveness. But the security department at the Owensboro Medical Center—which has some 447 beds and which handled more than 60,000 emergency-room visits last year—wanted a more comprehensive way to measure its performance on a day-to-day basis. It chose as its metric average hours per incident.</div><div><br> </div><div>Selecting an indictor. In developing a system for looking at how well security resources are deployed and how effective they are, the first challenge was identifying what exactly should be monitored. While security incidents are easy to count, we wanted to go beyond whether incidents were trending up or down. We also wanted to go beyond simply looking at whether costs per square feet were up or down.</div><div><br> </div><div>The goal was to select and define an indicator that could be used to measure the level of security and the effectiveness of preventive activities. The indicator chosen was time per incident.</div><div><br> </div><div>The first step was to quantify the time devoted to each reported incident as a way to establish a baseline for security coverage. As the security supervisor, I planned to correlate each new measurement against this baseline as a workable measure of security performance.</div><div><br> </div><div>Measurement components. There are two components of the performance measurement. First is the hours devoted to security. This factor only includes regular and overtime hours that the security staff is actually working—it doesn’t include any other hours, such as vacation or sick time.</div><div><br> </div><div>Second are the incidents and activities themselves. In a healthcare setting, incidents might include disturbances caused by visitors or patients, medical detentions, or safety-related occurrences such as fire drills. A comprehensive risk assessment will help define the types of incidents a facility will need to track.</div><div><br> </div><div>Activities may encompass routine duties that security staff carry out, such as patrolling the grounds, escorting visitors, or bringing articles to or from the safe. All of these specific incident responses and routine activities are collectively called incidents for simplicity sake throughout this article.</div><div><br> </div><div>To determine a measure of performance, the total number of security hours was correlated to the number of incidents to provide a ratio of hours to the total number of tasks completed. This is not a measure of the amount of time devoted to each security assignment—which can range from a few minutes for a safe run to a full shift for an officer sitting with a detained patient—rather, it is a global statistical ratio of total hours worked to total security actions handled.</div><div><br> </div><div>Graphing results. By graphing this relationship of total hours to total incidents each month, we developed a curve that represented a level of performance for the facility. While I can't go into the specifics from my own organization for confidentiality reasons, the point is illustrated with two years of hypothetical numbers. </div><div><br> </div><div>Year 1 (see chart) shows typical statistics for a facility with a security staff of about 10 full-time officers with a representative number of incidents recorded each month during the year. You can see that towards the end of the year there is an alarming downward trend in the curve; that is, there were fewer hours spent on each incident. </div><div><br> </div><div>There were several possible explanations for this. For example, the fictional organization might have been expanding, such as by adding a new medical office building. As a result, officers would have had more areas to patrol.</div><div><br> </div><div>Perhaps the hours of outpatient services were extended as well, meaning that there were more people in the building than in earlier months. Since the number of security officers remained the same despite the larger facility and the extended hours, there would have been more incidents to respond to within the same time frame, thus causing the downward trend.</div><div><br> </div><div>Benchmark. At Owensboro, we chose a baseline of 12 hours per incident. Because the system was still under development, this number was chosen provisionally after reviewing the existing data. It served as a benchmark against which future data could be analyzed.</div><div><br> </div><div>If this number proved to be off the mark as a reasonable baseline, we could adjust it later. But as long as it was the baseline, the goal would be to track trends against this number, and where the results rose or fell, to find out why and to take steps to reallocate resources so that the average hours per incident would stay in the range of 12.</div><div><br> </div><div>If the number of hours per incident rose, that might indicate that we had a reduction in the number of incidents. Alternatively, it might simply be because more hours were available thanks to overtime or fewer sick days. We analyzed the data each month to determine the underlying cause of the shift and to put the findings into proper context for our own use and for management.</div><div><br> </div><div>When hours per incident are up, the security department can reallocate resources to improve overall performance. For example, security officers could be directed to devote more time to making rounds, thus providing a more visible presence to deter crime. Additionally, they could be more available to defuse potentially volatile situations before they could escalate, and to work closely with the public, patients, families, and visitors to increase customer satisfaction by attending to their needs, such as escorting visitors or staff to parking areas.</div><div><br> </div><div>Conversely, if security hours decrease or incidents increase, the number of hours per incident will decline, as happens in the example chart. By examining the underlying data about incidents and staff time, the security department can assess the cause and take corrective action or use the numbers to justify a request for more staff.</div><div><br> </div><div>In our case, we were expanding the facility, and our analysis showed that the addition of one-half full-time employee (FTE) to patrol the added space would bring our hours per incident back into compliance. This calculation showed a whole FTE was not necessary, particularly when an adjustment in fixed factors was made, such as a revision of lockdown procedures and the installation of new cameras and signage in the new medical office building. Not having to hire a full FTE would save the department money, but because the metrics showed that we were maintaining our benchmark goal, we knew that we were not sacrificing the level of security in the process.</div><div><br> </div><div>It’s interesting to note that if we had used the more traditional indicators such as hours per square foot, we could have argued that the facility needed a whole FTE as opposed to one-half FTE. By using the performance measurement formula, and making improvements in fixed security factors, our goal was obtainable while still keeping within budget constraints.</div><div><br> </div><div>The increase in security coverage raised the curve back to the desired security level even though there were actually more incidents reported in some months. The Year 2 graph shows how implementing this type of improvement plan could affect the numbers.</div><div><br> </div><div>Working with this model over the past couple of years has helped us to establish the appropriate staffing levels for the area we presently cover. As we expand our medical office areas and build a new cancer treatment center, we will continually reevaluate our staffing requirements.</div><div><br> </div><div>PDCA. Creating a system to benchmark security performance was an important element, but it was only part of our overall solution. Our facility uses the Plan-Do-Check-Act (PDCA) cycle for performance improvement to comply with Joint Commission on Accreditation of Healthcare Organizations’ performance standards. Our PDCA performance improvement model was developed as follows.</div><div><br> </div><div>Plan. Our plan was to monitor the level of our security by trending the number of hours as a function of total security responses to determine a level of security performance, with a goal of maintaining an average of 12 hours per incident.</div><div><br> </div><div>Do. Officers fill out a security incident report for each security incident. This report describes the security incident, the actions taken by officers, and the results of that action. This security log is put in a box in the security office, and subsequent security shifts review it to see what’s going on in the facility.</div><div><br> </div><div>We expanded our camera system and redirected several cameras. We enhanced security by securing access to the building after hours, and we are reviewing our lockdown procedures as they apply to both staff and visitors. We are currently upgrading our badge-access entry points to the building to limit access to the building during off hours.</div><div><br> </div><div>We created a dedicated security office near the ER from which to centralize security operations. And a security officer now makes a proactive effort to reduce security incidents by making a presentation at new employee orientation about parking and personal security habits.</div><div><br> </div><div>Check. We checked our progress by using the security incident reports as source documents for reporting all incident statistics to the Environment of Care committee each month and at year-end. This information is graphed along with hourly payroll statistics to allow us to see our progress.</div><div><br> </div><div>Act. We acted on the results by changing coverage and modifying protocols as required to meet these issues. We adjusted our staffing levels to accommodate our new service offerings and expanded facilities.</div><div><br> </div><div>The final piece consisted of reporting our performance to the Environment of Care Committee and including the performance results in the annual security evaluation submitted to the hospital’s governing body each year.</div><div><br> </div><div>What’s ahead. Despite the benchmarking tool’s effectiveness so far, it’s still in its formative stages. One thing that has become clear is that not all incidents are the same, so there needs to be a way to weigh each one and to add those weighted values to the mix. This is an effort I am working on presently.</div><div><br> </div><div>For now the tool allows us to benchmark our security performance, and it gives us a way of communicating to management what level of security is being provided. It also provides a basis for funding requests in an era of increased competition for available resources.</div><div><br> </div><div>The net outcome is that we now have a much better confidence level in our security coverage because we have a simple method of visually presenting our level of security that management and security staff can identify with, and one that helps justify requests for security enhancements when new security challenges arise. </div><div><br> </div><div>Stephen Wall supervises security and communications at Owensboro Medical Health System in Owensboro, Kentucky, which services western Kentucky and southern Indiana. He has nine years of experience in coordinating environment-of-care issues for their facility.</div><div> </div>GP0|#28ae3eb9-d865-484b-ac9f-3dfacb4ce997;L0|#028ae3eb9-d865-484b-ac9f-3dfacb4ce997|Strategic Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465 Needed To Better Manage Physical Security Risks To The National Mall<p>​Stakeholder actions are needed to better manage physical security risks to the National Mall in Washington, D.C., the U.S. Government Accountability Office (GAO) found in a recent investigation.</p><p>The National Mall is a destination for more than 24 million people ever year and home to some of America’s most iconic symbols, including the Washington Monument and the Lincoln Memorial, and major museums.</p><p>“Threats to these assets—whether acts of terrorism, violence, or vandalism or theft of artifacts or art—could result not only in the loss of life but also the loss of iconic monuments or irreplaceable items from the Smithsonian’s or National Gallery’s collections,” GAO explained.<br></p><p>In a<a href="" target="_blank"> public version of a classified report</a> released this week, GAO found that federal entities on the Mall are assessing the physical security risks to their respective assets—demonstrating that they are taking a risk management approach to security. <br></p><p>The U.S. Department of Interior, the Smithsonian Institution, and the National Gallery of Art collect information on aspects of their physical security programs’ performance and use that information to create goals, measures, and tests to assess the performance of their systems. <br></p><p>GAO, however, found that each stakeholder would benefit from taking additional steps to manage their physical security risks. <br></p><p>For instance, the National Gallery is assessing security risks to its galleries by voluntarily following the <em>Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP),</em> but does not have complete documentation of its risk management decisions—a requirement of the <em>RMP.</em><br></p><p>“Without documentation, decision makers may not effectively understand the rationale behind decisions—or, in the case of risk management—make important security-related decisions and direct resources to address unmitigated risks,” the report said.<br></p><p>During GAO’s audit of the National Gallery, officials told GAO investigators that a lack of complete documentation limited their institutional knowledge of the National Gallery’s risk management decisions related to physical security. <br></p><p>“Because of a lack of documentation, [GAO] received inconsistent or incomplete information throughout that review,” according to the report. “While National Gallery officials agreed to address the concerns we raised to them, we believe there is an opportunity for the National Gallery to address gaps in its institutional knowledge and help ensure more informed decision-making—specifically, by developing a process to document its risk management decisions.”<br></p><p>GAO also found that U.S. Park Police, the Smithsonian, and the National Gallery can all take a “more strategic approach to performance measurement,” the report explained. <br></p><p>For example, GAO recommended each stakeholder develop goals where needed and link performance measures to those goals to assess the effectiveness of their security programs. <br></p><p>“Linking performance measures and goals could help these entities monitor and evaluate their efforts, which is an essential part of risk management,” GAO said. “The information the entities can gain from performance measures that are aligned with goals could also provide these entities with a clearer view of the effectiveness of their physical security programs and better position them to prioritize security needs.”<br></p><p>The Department of Interior, the Smithsonian, and the National Gallery agreed with GAO’s recommendations and said they will begin to take steps to address them.<br></p><p><br></p>GP0|#cd529cb2-129a-4422-a2d3-73680b0014d8;L0|#0cd529cb2-129a-4422-a2d3-73680b0014d8|Physical Security;GTSet|#8accba12-4830-47cd-9299-2b34a4344465