Wired
July 25, 2012

After the 1995 Oklahoma City bombing, the government realized it had a problem. There were no minimum security standards or an inspection regime for the thousands of federal facilities sprawled across the country. So it developed a plan, accelerated after 9/11, to test federal buildings and other sites for potential vulnerabilities. To carry out the tests, the government deployed a web-enabled software program that cost millions and failed to work. Now the program’s replacement may be even worse.

According to a report from the Government Accountability Office, the Department of Homeland Security’s police and security agency is preparing to adopt a new software tool for inspections, but one that can’t accurately measure security risks. The Federal Protective Service (FPS) also doesn’t know the extent of its inspection backlog because its data is unreliable. There are federal facilities that seemingly haven’t been inspected in years. The FPS “continues to face challenges in overseeing its approximately 12,500 contract guards,” according to the report (.pdf). And before the agency adopts the new tool, it’s using a temporary program that can hardly inspect at all.

The new tool is called the Modified Infrastructure Survey Tool, or Mist. Inspectors are currently being trained with the software, which guides inspectors through tests designed to expose security risks while examining federal buildings. A test could be as simple as checking the windows. If the windows are not made of blast-resistant glass designed to lessen the impact of an improvised explosive device, Mist takes note of it and provides recommendations. After running through a series of similar tests, inspectors upload the test data over the web into a centralized database. The FPS hopes to begin using it in actual inspections by September, after developing it at a cost of $5 million.

Mist seems to work well enough on a single building. But according to the report, Mist has a major vulnerability: It isn’t designed to compare security risks between federal facilities.

Instead, all facilities within the same security level (there are four levels, corresponding to size and number of employees) “are assumed to have the same security risk, regardless of their location.” Mist might notice the windows, but will see a vulnerable federal building in Washington as no more vulnerable than a remote facility of comparable size somewhere out in the boonies. This, according to the report, “provides limited assurance that the most critical risks at federal facilities across the country are being prioritized and mitigated.”

Read Entire Article