GAO pen test brings the hammer down on federal rent-a-cops
I have a little personality test for you today: Which of the following GAO findings released Wednesday made you laugh hardest about the Federal Protective Service's contract security guard program?
· The armed guard photographed at a Level IV (high volume / high public contact / high sensitivity) facility asleep at his desk after taking Percocet, a bottle of which is in front of him in a photo in the GAO report;
· The checkpoint guard who put an infant in its carrier through the x-ray machine, got fired for doing so, sued, and won;
· The guard who left his post to use facility computers to manage his private for-profit "adult" site;
· The guard who discharged his firearm at work while practicing his "draw" technique in front of the bathroom mirror;
· The ten Level IV facilities GAO inspectors were able to walk into with bomb-making equipment, assembling the materials in the restrooms.
What, you're not laughing?
I'll bet you're sore about the $1 billion budgeted annually to FPS, aren't you. That pays for 1,200 full-time employees and 13,000 "contract security guards" assigned to check IDs and operate security equipment at federal facilities. Or maybe you're one of the many thousands of people who work or visit one of the 2,360 facilities guarded daily by these -- literally -- rent-a-cops. I could see how you'd be a little frustrated today, especially since those walk-in penetration tests we mentioned were conducted at just ten facilities -- that's right, a 100% success rate. (Want to watch them do it? Want to see the power of the IED they built once they got in? The GAO has video.)
Maybe you're just one of those anti-free-market crazies who doesn't like seeing phrases like "According to FPS's affidavit, in exchange for a $100 bribe, contractor officials provided a security guard with certificates of completion" in government reports. (If that seems cheap for a forged document, read on.) There's a chance you're Joe Lieberman (I - Conn.), chairman of the Senate Committee on Homeland Security and Government Affairs, who heard testimony from GAO auditors on Wednesday and is probably still popping antacids.
Maybe you're FPS Director Gary W. Schenkel, who told lawmakers in testimony on Wednesday that the agency has been "fairly distracted" (you don't say), has problems managing its 67 private contractors, and feels it has been underfunded since being shuffled to Immigrations and Customs Enforcement (and out of GSA) in 2003. If so, I'm going to need a word with you later in this article.
Or maybe, just maybe, you're one of those 13,000 contract-worker guards, 38% of whom appear to be properly certified to do their jobs. (Do the math. I'll wait. Did you come up with 62% not properly certified? Have you considered a career in technology?) Even if you're a conscientious worker, fully certified and competent, if I'm reading the report and running the numbers correctly, this job is a failboat -- and a computer system at the heart of things both makes the job hideous and ensures that screwups are not just tolerated but normative.
I'm not justifying this clusterugh, but hear me out. Through the GAO report (PDF available here -- do not miss this one), there are references to CERTS (Contract Guard Employment Requirement Tracking System), the agency's primary database system for tracking guard training and certifications. Usually those references are closely followed by the words "not fully reliable." In fact, the government's database is so bad that GAO investigators were forced to also examine databases maintained by regional FPS offices.
The problems with CERTS interlocks with problems spotted in previous inspections. DHS's Office of the Inspector General back in April found myriad problems (PDF available here) with FPS's procurement and oversight processes, including a remarkable number of instances in which a contractor failed to deliver and the FPS chose not to deduct money for such failures -- the only substantial leverage FPS has against failure to deliver contracted services.
Let's look at the cost of those services, by the way. According to the GAO report, FPS's guard program costs about $613 million, the lion's share of the budget. Let's say every cent of that $613 million goes to pay for those 13,000 contracted guards. That works out to about $47,154 per guard... but as any contract worker knows, the actual worker gets only a fraction of that. Let's say half. That's about $23,577 per year for your average guard -- about half the national average for police officers, by the way, and heaven knows we don't pay those guys very well.
Who are you recruiting at that wage? I went sniffing around sites like Wackenhut (a major federal contractor for security services, who may or may not be an FPS contractor) and I'm seeing pay rates for similar jobs in the $11-$15 range. Security folk know that money problems are a leading cause of "inside job" breaches; why wouldn't it lead, on a lesser scale, to some seriously slack contractor work habits?
One thing that's not likely to get done at those rates: Training. A look at the GAO report shows that contractors are responsible for training their people, or making sure they are trained on, every aspect of the job but the actual government-specific information (e.g., procedures or details about particular facilities) and the equipment. Judging by what the investigators found, the guards aren't getting adequate training from either side, with "post orders" (specific information about what guards are supposed to do while on duty at their facility) nearly seven years out of date in some cases and guards, when quizzed, unsure of what to do in specific situations and -- this will jump out at you -- terrified that doing the wrong thing or taking inappropriate problem-solving initiatives would cost them their jobs. (That, is, by the way, how the baby-x-rayer won that lawsuit: S/He sued claiming that s/he hadn't received training on the x-ray machine, and FPS couldn't prove otherwise.)
But back to the database, which should have at least been able to deliver information on the problem (and tell whether the x-ray training had occurred, for what that's worth now). In their report, the OIG investigators noted that "Although a record must be initiated in CERTS to begin each guard's certification process, FPS has not mandated the exclusive use of CERTS for monitoring certifications. Consequently, FPS cannot ensure that contractors are complying with recertification requirements or that contract guards retain their knowledge of required areas."
In other words, there's a big national database that's supposed to track this stuff, but FPS hasn't been ordered to standardize on it, and the five regional offices examined say (let us quote the report directly), "Updating CERTS is time consuming and they do not have the resources needed to keep up with the thousands of paper files. Consequently, these five regions were not generally relying on CERTS and instead were relying on the contractor to self-report training and certification information about its guards."
Granted, CERTS wouldn't be the first government software effort to stink so badly employees would do just about anything to avoid it. (And it's not just the inward-facing stuff. Just yesterday the General Services Administration, FPS's old home, contracted to redesign the Recovery.gov site that launched approximately four minutes ago.) But some of the resistance to making the system work is out of line when it's our money and safety at stake. The GAO report notes that some regional managers were whining that new directives to patch up the problems "appear to be based primarily on what works from a headquarters or National Capital Region perspective, not a regional perspective that reflects local conditions and limitations in staffing resources."
Oh, stop right there and cry me a river. In the wake of 9/11, regions outside DC and NYC got a frankly disproportionate amount of funding to harden their security infrastructure. Even if that funding isn't available for FPS purposes, from where the rest of us stand it's your turn in the barrel. If you're an FPS employee -- not one of the contractors -- you knew you were signing on with the feds when you handed over your resume. Do your duty.
As for the contracting companies, I'm looking forward to GAO's full report in September, when I hope we'll learn who the 67 contracting companies are and how CERTS has or has not been able to flag problems with them. (There's only so much guidance USAspending.gov can offer in these situations.) As I mentioned, the FPS procurement process is also under scrutiny; I would hope that the agency is given the political wherewithal to fire bad vendors, preferably out of a cannon. And as for the guards, I know it's hard out there when the agency is pleading poverty and the contracting firm is keeping you in poverty, but I don't care what's up with the computers or the training or even the salary: Popping a Percocet and catching a nap on the job, while strapped? Security: You're doing it wrong.
According to the preliminary report, the GAO presented FPS with a detailed briefing and a preliminary copy of the report on June 5. It's customary for the investigated agency to comment on testimony for inclusion in the preliminary report; FPS officials did not choose to. Let me help you guys out: The words you're looking for are: "I resign, and I am so very ashamed."