NASA OIG: NASA’s Security Management Practices
NASA is home to numerous irreplaceable assets that support space flight, aeronautics missions, and planetary research. These resources include one-of-a-kind space flight hardware, astronaut training facilities, planetary samples, assembly buildings, specialized aircraft, wind tunnels, launch pads, specialized research laboratories, pyrotechnic and munitions materials, and simulation facilities. These assets, coupled with NASA’s high-profile mission and extensive physical footprint, make its facilities an attractive target for those who wish to do harm to the Agency. The NASA Office of Protective Services (OPS) and Center Protective Services Offices (PSO) are responsible for securing NASA employees, contractors, and guests along with Agency assets under a decentralized, Center-based model. Protective services functions at NASA include physical security, personnel security, secure access procedures, intelligence analysis, counterintelligence and counterterrorism, handling of sensitive and classified information, firefighting, aircraft rescue, ambulance services, and emergency management. In this audit, we assessed the effectiveness of NASA’s management of its security operations—specifically, physical security, law enforcement, and fire services operations—across the Agency. We reviewed the protective services organizational structure at the Agency and Center levels, decision making authority within those structures, day-to-day operations, funding, and contract oversight. We also interviewed NASA and Center protective services, emergency management, and fire services staff, and visited the [REDACTED] . In addition, we reviewed a planned Agency-wide reorganization of security services as part of NASA’s Mission Support Future Architecture Program (MAP) to centralize management of security operations at an enterprise level that was to be implemented beginning in October 2019.
WHAT WE FOUND
While overall security policy and oversight are managed by OPS at the Agency level, implementation and funding of protective services operations remains a responsibility of Center leadership who used their resources to pursue Center- based priorities. As a result, OPS authority is marginalized and Centers, at times, develop and implement strategies that conflict with the intent of Agency directives. As part of MAP, OPS was to assume funding and day-to-day operational responsibility for protective services across the Agency. However, in August 2019 NASA changed its plans to centralize management of the physical security portion of the Agency’s protective services operations and as of the time of this report the impact of this decision on the Agency’s overall approach to security management remains unclear. Despite our concerns that OPS was not well positioned to manage such a change because it currently lacks an organizational or governance structure to implement and oversee such enterprise-level responsibilities, we do believe several planned initiatives, if properly implemented, could leverage economies of scale and improve protective services operations.
In addition, we found that managers at the [REDACTED] Centers we visited made security staffing and infrastructure protection decisions based primarily on current and projected budget allocations rather than an assessment of critical security threats or risks, an approach that while understandable is contradictory with federal and NASA requirements. Moreover, because the Assistant Administrator (AA) for OPS does not control Center-based security funding, we found that OPS could only recommend that Center Directors perform corrective actions to mitigate deficiencies identified in Center functional reviews and facility security assessments, and the results were not always used to inform decision making.
We also found the current Center-focused operational structure for OPS has resulted in an inconsistent application of a wide range of security practices across the Centers, including federal arrest authority, legislative jurisdiction, firearms policy, and fire services. Federal arrest authority allows authorized NASA security personnel to arrest an individual without a warrant for any offense against the United States committed in their presence, yet not every Center allows security personnel to make arrests despite standardization efforts across the Agency. NASA Centers also operate under a jurisdictional mix of federal, state, and/or local authorities. While some Centers fall under a single jurisdiction, others are covered by multiple jurisdictions. As a result, implementation of security policies and the responsibilities of security personnel vary across the Agency and has resulted in confusion, hesitation, and uncertainty among local law enforcement and protective services personnel. In addition, while NASA policy describes the authority, requirements, and training necessary for protective services personnel to carry firearms, it fails to articulate an Agency-wide standard for arming these civil servants. Consequently, this decision is left to the discretion of each Center and has led to differences across the Agency regarding whether Center personnel are authorized to carry firearms. Similarly, responsibility and authority over fire services is fragmented as fire services report to the protective services organization at some Centers while others are managed by the Center’s safety and mission assurance organization, resulting in unclear and inconsistent lines of authority, conflicting interpretations of standards and policies, and Centers not meeting National Fire Protection Association staffing and equipment standards.
Finally, at Centers with substantial tenant populations, PSOs are challenged by increasing workloads and shifting policing responsibilities coupled with a lack of funding proportionate to the increased services provided to tenants. NASA has entered into lease agreements that authorize the use of underutilized real property at its Centers to outside organizations, and revenues received from those agreements may be used to cover Center costs related to those leases. However, the Agency has no standard for determining the cost of providing protective services to tenants and therefore Centers use differing methods to calculate such costs. Furthermore, although Center PSOs are required to maintain oversight of all Center security activities, they are not consistently involved in assessing the level of effort, costs, or personnel demands necessitated by tenants’ use of NASA properties.
WHAT WE RECOMMENDED
To improve NASA’s security management across the Agency, we recommended the AA for OPS: (1) establish and implement an enterprise-level governance structure and fund applicable countermeasures to mitigate or formally accept risk; (2) standardize and streamline the facility security assessment process across the Agency; (3) research federal arrest authority in conjunction with the Office of the General Counsel, formulate a unified response, and implement a consistent policy across the Agency; (4) evaluate Agency-wide jurisdictions to determine if it is feasible for all Centers to be under the same jurisdiction or at least if individual Centers should have all of their property under the same type of jurisdiction; (5) coordinate with the Office of the General Counsel to standardize the carrying of firearms by NASA civil servants in an Agency-wide policy while also addressing the appropriate situations when NASA contractors may carry their government-issued weapons off NASA property; (6) in collaboration with the Office of Safety and Mission Assurance, evaluate fire services policies and functions Agency-wide, reconcile duties and responsibilities, and determine whether these responsibilities should reside under protective services or safety and mission; (7) establish an Agency-wide policy on calculating protective services costs associated with tenant reimbursable expenses; and (8) develop procedures that require Center protective services officials to be a stakeholder in the planning process to meet protective services requirements for existing and new tenants.
We provided a draft of this report to NASA management who concurred with the recommendations and described planned actions to address them. We consider the proposed actions responsive to our recommendations and will close the recommendations upon completion and verification of the proposed actions.
